Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

12 September 2020

Webhacking.kr write-up: old-39

Link: old-39
Point: 100
Tag: SQLi

Welcome and welcome back to another webhacking.kr CTF. Today's challenge involves SQLi.

question

Alright, some unknown query. Time for the source code.

source

From the source code, I noticed the following

Great, the query is invalid by default and our main goal is to make it valid. The result doesn't matter. One might suggest an SQLi payload like the following (the payload must be your username; it didn't work with a dummy value):

DesKel'

That would be wrong, because each single quote (') is replaced with two single quotes (''). Fortunately, the substr function, which keeps only the first 15 characters, saves the day. Since the username gives us 6 characters, we add 8 more spaces and a quote as our payload, resulting in

DesKel        '

The single quote is indeed replaced with two single quotes, but because of the substr function, the second quote is cut off.
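The flaw described above is an ordering bug: the quote is doubled first and the result is truncated afterwards, so the cut can land in the middle of an escaped pair. The following is an added example, not code from the challenge or from this write-up; it models that filter in Python next to two corrected forms. The table name `member`, the column `id` and all function names are assumptions made for illustration.

```python
import sqlite3

MAX_LEN = 15  # the 15-character limit mentioned in the write-up


def escape_then_truncate(value: str) -> str:
    """Flawed order from the write-up: double the quotes, then cut to 15."""
    return value.replace("'", "''")[:MAX_LEN]


def truncate_then_escape(value: str) -> str:
    """Corrected order: cut first, so an escaped pair is never split."""
    return value[:MAX_LEN].replace("'", "''")


def is_safe_literal_body(body: str) -> bool:
    """True if every quote is part of a doubled pair, i.e. the text
    cannot terminate the '...' string literal it is pasted into."""
    i = 0
    while i < len(body):
        if body[i] == "'":
            if body[i + 1:i + 2] != "'":
                return False  # lone quote: it would close the literal
            i += 2
        else:
            i += 1
    return True


def lookup_parameterized(conn, user_id: str):
    """Preferred fix: bind the value, build no SQL text from input."""
    return conn.execute(
        "SELECT 1 FROM member WHERE id = ?", (user_id,)
    ).fetchone()


def demo():
    # Constructed sample data; 'member' and 'id' are hypothetical names.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id TEXT)")
    conn.execute("INSERT INTO member VALUES ('DesKel')")
    samples = ["DesKel", "DesKel'", "DesKel" + " " * 8 + "'"]
    return [(s,
             is_safe_literal_body(escape_then_truncate(s)),
             is_safe_literal_body(truncate_then_escape(s)),
             lookup_parameterized(conn, s)) for s in samples]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Only the 15-character input fails the check under the flawed order, which is why a shorter payload such as `DesKel'` stays harmlessly escaped.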

solve

tags: webhacking.kr - sqli



© 2020 DesKel