PicoCTF 2014 Write-ups

Injection 4 - 150 (Web Exploitation)

Writeup by patil215

Created: 2014-11-07 21:41:03

Last modified: 2014-11-09 23:28:11


Daedalus Corp. has once again improved their login service. They're so confident, in fact, that they added a new registration feature. Can you find a way to login as 'admin'?


Can you leak out any information using SQL injection?



Use SQL's LIKE statement to guess the admin password using the registration page, letter by letter.


We see that Daedalus now has two source pages, login.php and register.php. Unfortunately, it looks like mysqli_real_escape_string is being used to escape the inputs in login.php, so we can't exploit that.

However, if we take a look at register.php, we see that username isn't escaped within the query string! We can exploit this.

If we look at the remainder of the source, we see that if a user is returned that matches the query, we get "Someone has already registered." This is how we can get the password for the admin account.

Because username isn't escaped, we can put in the string for a username of "admin" and then add another select statement for the password - but this select statement won't have the full password - instead, we will use the wildcard character, the SQL LIKE statement to guess the password. If the first part of the password matches, then we'll get "Someone has already registered" and we'll know that is part of the password.

For example, if the password is "carrot", if our SQL statements has a form of "c*" (where * is a wildcard character), if we get that someone has already registered then we know that the password starts with "c", and if we don't we know that the password starts with a different letter.

Let's make at our query:

admin' AND password LIKE "a%" --

% is the wildcard character - so any subsequent characters won't matter. That way, if we get a user returned, we know the password starts with "a".

We put this in the username register box and get "Registration has been disabled", so we know that the password doesn't start with "a". We move on to the next letter, "b", checking that, then "c", and so on. We eventually find that "y" works. Time to move on the the next letter.

admin' AND password LIKE "ya%" --

We repeat this process until we get the full password, which is "youllneverguessthispassword". Once we have that, we know we can login normally with username "admin" and the password we just got to get the flag!