Web Gauntlet

Web Gauntlet is a series of challenges on pico ctf that focuses on bypassing SQL Injection filters but not in an advanced way

Level 1

First we see a login form and we are required to login as an admin :

If we looked at the filter , we see that these characters are filtered :

Nice, so we have a very simple authentication bypass that can be bypassed in many ways , The very basic thing that we can use and instead of or as follow :

EZ !!

Level 2

The same login form again but the filter now has more charatcers which are :

Before we solve it let's imagine the executed query first :

So if our username was : admin'; this would close the query and terminates it right ? to be at the end :

Level 3

Updated Filter :

Since it didn't filter for ' nor ; it wi be the same solution as the previous one .

Level 4

Updated Filter :

So it now filters for the word admin and we need to login as admin , This can be done by using string concatenation so if it fiters for admin we can combine adm and in together which are not filtered to get the word admin :

Level 5

Updated Filter :

The same filter but it only included union which we didn't use any way so it will be the same solution .

Level 6

Updated Filter :

It now filters for the ; character which was important to terminate our query. Now we will include the password field to gain access as admin .

For the username part we can use : adm'||'in so it will be concatenated as admin .

For the password part we can think for mutiple solutions but i prefered to use the globe keyword as follow : ' globe'*

This evaluates our query to : SELECT * FROM users where username = 'adm'||'in' AND password = ''globe '*'

And this basically means to get us a user with username of admin with any password .

Last updated