Web Gauntlet

Last updated 2 years ago

Web Gauntlet

Web Gauntlet is a series of challenges on pico ctf that focuses on bypassing SQL Injection filters but not in an advanced way

Level 1

First we see a login form and we are required to login as an admin :

If we looked at the filter , we see that these characters are filtered :

Round1: or

Nice, so we have a very simple authentication bypass that can be bypassed in many ways , The very basic thing that we can use and instead of or as follow :

admin' and 1=1-- -;

Level 2

The same login form again but the filter now has more charatcers which are :

Round2: or and like = --

Before we solve it let's imagine the executed query first :

SELECT * FROM user WHERE username = 'admin' AND password = ''

So if our username was : admin'; this would close the query and terminates it right ? to be at the end :

SELECT * FROM users WHERE username = 'admin'; bla bla

Level 3

Updated Filter :

Round3: or and = like > < --

Since it didn't filter for ' nor ; it wi be the same solution as the previous one .

Level 4

Updated Filter :

Round4: or and = like > < -- admin

So it now filters for the word admin and we need to login as admin , This can be done by using string concatenation so if it fiters for admin we can combine adm and in together which are not filtered to get the word admin :

adm'||'in';

Level 5

Updated Filter :

Round5: or and = like > < -- union admin

The same filter but it only included union which we didn't use any way so it will be the same solution .

Level 6

Updated Filter :

Filters: or and true false union like = > < ; -- /* */ admin

It now filters for the ; character which was important to terminate our query. Now we will include the password field to gain access as admin .

For the username part we can use : adm'||'in so it will be concatenated as admin .

For the password part we can think for mutiple solutions but i prefered to use the globe keyword as follow : ' globe'*

This evaluates our query to : SELECT * FROM users where username = 'adm'||'in' AND password = ''globe '*'

And this basically means to get us a user with username of admin with any password .

Last updated 2 years ago

Web Gauntlet is a series of challenges on pico ctf that focuses on bypassing SQL Injection filters but not in an advanced way

Level 1

First we see a login form and we are required to login as an admin :

If we looked at the filter , we see that these characters are filtered :

Round1: or

Nice, so we have a very simple authentication bypass that can be bypassed in many ways , The very basic thing that we can use and instead of or as follow :

admin' and 1=1-- -;

Level 2

The same login form again but the filter now has more charatcers which are :

Round2: or and like = --

Before we solve it let's imagine the executed query first :

SELECT * FROM user WHERE username = 'admin' AND password = ''

So if our username was : admin'; this would close the query and terminates it right ? to be at the end :

SELECT * FROM users WHERE username = 'admin'; bla bla

Level 3

Updated Filter :

Round3: or and = like > < --

Since it didn't filter for ' nor ; it wi be the same solution as the previous one .

Level 4

Updated Filter :

Round4: or and = like > < -- admin

adm'||'in';

Level 5

Updated Filter :

Round5: or and = like > < -- union admin

The same filter but it only included union which we didn't use any way so it will be the same solution .

Level 6

Updated Filter :

Filters: or and true false union like = > < ; -- /* */ admin

It now filters for the ; character which was important to terminate our query. Now we will include the password field to gain access as admin .

For the username part we can use : adm'||'in so it will be concatenated as admin .

For the password part we can think for mutiple solutions but i prefered to use the globe keyword as follow : ' globe'*

This evaluates our query to : SELECT * FROM users where username = 'adm'||'in' AND password = ''globe '*'

And this basically means to get us a user with username of admin with any password .