Webhacking.kr write-up: old-61
Link | point | tag |
---|---|---|
old-61 | 200 | SQLi |
Hello there again, and welcome to another webhacking.kr CTF challenge. Today's topic is all about SQLi.
Nothing interesting. How about the source code?
We are set as Guest by default. There are also some filters, and only 15 characters are allowed. Too many limitations. Of course, we can set the id value to * (select all), but that is not going to work, because the query returns only 1 result, sorted in descending alphabetical order (z to a).
This can most likely be solved with an SQL alias. We can give a value of our choosing the temporary name id, and that value will be admin. The initial payload should be
?id='admin' as id
Since the quotation mark is caught by the filter (the addslashes function, to be precise), we need another way around it.
?id=0x61646d696e as id
This value exceeds 15 characters, including spaces. I came across this Q&A and this Q&A: we can perform the alias without the ‘as’, which makes our payload
?id=0x61646d696e id
The value contains just 15 characters. Let’s try it out.
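Seen from the defending side, the steps above show that quote escaping plus a length cap does not protect a value placed in the SELECT column list. The following is an added example, not part of the original write-up or the challenge's source: it runs the three id values from this page through a simplified stand-in for the described filter and through an allow-list check. Assumptions: `survives_filter`, `ALLOWED_COLUMNS` and `example_table` are hypothetical names, and `addslashes` is a Python emulation of the PHP function.

```python
import re

MAX_LEN = 15  # length limit stated in the write-up

def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): backslash-escape ', ", backslash and NUL."""
    return s.translate({ord("'"): "\\'", ord('"'): '\\"', ord("\\"): "\\\\", 0: "\\0"})

def survives_filter(value: str) -> bool:
    """Assumed stand-in for the challenge's checks (not its real source):
    escaping must leave the value unchanged and it must fit in MAX_LEN."""
    return addslashes(value) == value and len(value) <= MAX_LEN

HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")

def hex_literal_text(token: str):
    """Return the text a MySQL hex literal stands for, or None if not one."""
    m = HEX_LITERAL.fullmatch(token)
    return bytes.fromhex(m.group(1)).decode("latin-1") if m else None

ALLOWED_COLUMNS = {"id"}  # hypothetical allow-list of selectable columns

def build_query(value: str) -> str:
    """Hardened form: only an exact, known column name reaches the SELECT list."""
    if value not in ALLOWED_COLUMNS:
        raise ValueError(f"rejected column expression: {value!r}")
    # example_table is a placeholder; the write-up does not name the table
    return f"SELECT {value} FROM example_table ORDER BY id DESC LIMIT 1"

# The three id values tried in the write-up, in order
PAGE_VALUES = ["'admin' as id", "0x61646d696e as id", "0x61646d696e id"]

def review(values=PAGE_VALUES):
    """For each value: (value, length, passes weak filter, passes allow-list)."""
    rows = []
    for v in values:
        try:
            build_query(v)
            allowed = True
        except ValueError:
            allowed = False
        rows.append((v, len(v), survives_filter(v), allowed))
    return rows

if __name__ == "__main__":
    for row in review():
        print(row)
    print(hex_literal_text("0x61646d696e"))
```

Only the last value gets past the escaping and length checks, and the allow-list rejects all three because none of them is an exact column name.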
tags: webhacking.kr - sqli