Web Gauntlet
Web Gauntlet is a series of picoCTF challenges that focus on bypassing SQL injection filters, though not in an advanced way.
Level 1
First we see a login form, and we are required to log in as admin:

If we look at the filter, we see that these characters are filtered:
Round1: or
Nice, so we have a very simple authentication bypass that can be done in many ways. The most basic option is to use and instead of or, as follows:
admin' and 1=1-- -;
Level 2
The same login form again, but the filter now has more characters, which are:
Round2: or and like = --
Before we solve it, let's imagine the executed query first:
SELECT * FROM user WHERE username = 'admin' AND password = ''
So if our username were admin'; it would close the string and terminate the query, right? The query would end up as:
SELECT * FROM users WHERE username = 'admin'; bla bla

Level 3
Updated filter:
Round3: or and = like > < --
Since it doesn't filter ' or ; the solution is the same as the previous one.
Level 4
Updated filter:
Round4: or and = like > < -- admin
So it now filters the word admin, and we need to log in as admin. This can be done with string concatenation: if it filters admin, we can join adm and in, neither of which is filtered, to get the word admin:
adm'||'in';
Level 5
Updated filter:
Round5: or and = like > < -- union admin
The same filter, with only union added, which we didn't use anyway, so the solution is the same.
Level 6
Updated filter:
Filters: or and true false union like = > < ; -- /* */ admin
It now filters the ; character, which was important for terminating our query. Now we will use the password field to gain access as admin.
For the username part we can use adm'||'in so it will be concatenated as admin.
For the password part we can think of multiple solutions, but I preferred to use the glob keyword, as follows: ' glob '*
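Why the Level 6 blocklist fails where a parameterized query does not, as an added example that is not part of the original writeup or the challenge's code. It assumes a SQLite backend, a case-insensitive substring filter, and a constructed users table and password.

```python
import sqlite3

# Level 6 blocklist, copied from the writeup.
ROUND6 = ["or", "and", "true", "false", "union", "like", "=", ">", "<",
          ";", "--", "/*", "*/", "admin"]

def make_db():
    # Constructed table and password; the challenge's real data is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def blocked(value):
    # Assumed filter behaviour: case-insensitive substring match on each token.
    low = value.lower()
    return any(token in low for token in ROUND6)

def login_vulnerable(db, username, password):
    # Blocklist plus string concatenation: input is still parsed as SQL.
    if blocked(username) or blocked(password):
        return None
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    # Bound parameters: input is only ever compared as data, no filter needed.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    user, pw = "adm'||'in", "' glob '*"   # Level 6 inputs from the writeup
    # Resulting WHERE clause: username = 'adm'||'in' AND password = '' glob '*'
    # (password = '') evaluates to 0 here, and 0 GLOB '*' is true.
    print("vulnerable:", login_vulnerable(db, user, pw))
    print("hardened:  ", login_hardened(db, user, pw))
    # The blocklist also rejects the legitimate account name outright.
    print("legit via blocklist: ", login_vulnerable(db, "admin", "constructed-secret"))
    print("legit via parameters:", login_hardened(db, "admin", "constructed-secret"))
```

The blocklist version both admits the filtered-around input and rejects the real admin login, while the parameterized version does the opposite without any filter.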