Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

13 September 2020 write-up: old-61

Link: old-61 | Point: 200 | Tag: SQLi

Hello there again, welcome to another CTF challenge. Today's topic is all about SQLi.


Nothing interesting. How about the source code?


We are set as Guest by default. There are also some filters, and the input is limited to 15 characters. That is a lot of limitations. Of course, we could set the id value to * (select all), but that is not going to work, because the query returns only 1 result, sorted in descending alphabetical order (z to a).

not work

This can most likely be solved by using an SQL alias. We can give a value the temporary name id, and that value will be admin. The initial payload should be

?id='admin' as id

Since the quotation mark is caught by the filter (the addslashes function, to be precise), we need another way around: writing admin as a hex literal.

?id=0x61646d696e as id

This value exceeds 15 characters, including the spaces. I came across this Q&A and this Q&A: we can perform the alias without the ‘as’, which makes our payload

?id=0x61646d696e id

This value contains exactly 15 characters. Let’s try it out.
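The root cause, as an added example that is not part of the original write-up or the challenge's code: user input placed in the SELECT list cannot be made safe by quote escaping and a length limit, while an allow-list of column names can. The table `chall`, its rows and all function names are assumptions; SQLite reads `0x61646d696e` as an integer where MySQL reads it as the string admin, so the sketch only shows that the returned `id` no longer comes from the table.

```python
import sqlite3

ALLOWED_COLUMNS = {"id"}  # hypothetical allow-list for the hardened variant
MAX_LEN = 15              # length limit stated in the write-up


def make_db():
    """Constructed sample table; the real challenge schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE chall (id TEXT)")
    db.executemany("INSERT INTO chall VALUES (?)", [("guest",), ("apple",)])
    return db


def addslashes(value):
    """Rough stand-in for PHP addslashes(): escape backslashes and quotes."""
    for ch in ("\\", "'", '"'):
        value = value.replace(ch, "\\" + ch)
    return value


def lookup_filtered(db, column):
    """Vulnerable pattern: escaped, length-limited input in the SELECT list."""
    column = addslashes(column)
    if len(column) > MAX_LEN:
        raise ValueError("input too long")
    # The input is in expression position, where quote escaping does nothing:
    # a literal followed by an alias takes the place of the real column.
    sql = f"SELECT {column} FROM chall ORDER BY id DESC LIMIT 1"
    return db.execute(sql).fetchone()["id"]


def lookup_allowlisted(db, column):
    """Hardened pattern: only known column names ever reach the SQL text."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column")
    sql = f'SELECT "{column}" FROM chall ORDER BY id DESC LIMIT 1'
    return db.execute(sql).fetchone()["id"]
```

Values that must vary per request belong in bound parameters; identifiers such as column names cannot be bound, which is why the hardened variant compares against a fixed set instead.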




© 2020 DesKel