Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

13 September 2020 write-up: old-51

2 minutes to read
Link point tag
old-51 250 SQLi

Welcome back to another challenge. Today’s challenge is about SQLi with raw MD5.


Let’s check the source code.


Look like both the id and pw input fields are both being sanitized. I can say, that is partially correct. Indeed, the addslahes function to filter out the quote into (") and prevent us to perform the following attack


Guess the MD5 hashed password is the only way in. Remember, the script used a raw MD5 which is damn vulnerable. Referring to the MD5 PHP guide, the script indeed setting the raw flag as true.

One might think including ‘or’ as the raw MD5 character and actually that works but it consumes a lot of time. As proven by this article


A 19 million cracked hash with speedup. Gosh. Alternatively, there is the other way by using simple python code. I’m talking about the ’=’. For your information false = false is equal to true and it makes the pw query like this

pw = '<false value>'='<false value>'


pw = <Always true>

Then, I have drafted a python script

import hashlib

for i in range (0,2000000):
	raw = bytes(str(i))
	result = hashlib.md5(raw)
	enc = str(result.digest())
	if(enc.find('\'=\'') > 0):


The password is shorter than you think. Thrown in the admin as the id and the password to solve the challenge.


tags: - sqli

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


© 2020 DesKel