Points: 60
Description:
written by Michael Zhang.
http://vulnserver-failedxyz.c9.io/
Hint:
You might want to look up SQL injection.
For this problem, the flag is the admin's password. When we deliberately enter a wrong password, we get:
Nope. SELECT * FROM users WHERE username='admin' AND password='notpassword'
Because there is no filtering in place, we can alter the query and the conditions to get a binary outcome to deduce the password. Here is the necessary algorithm:
1. Loop over all of the valid characters (i.e. the alphanumeric characters as well as the underscore).
2. Given a current character of the loop, create a query that tests whether the username is `admin` and whether the password starts with the current password plus the current character.
3. Send the query to the server.
4. If the query returns a success, then add the current character to the current password, and go back to step 1 to start over the loop.
5. Otherwise, continue to the next character at step 2.
6. If there are no more characters to loop over, then you have the full password.
We wrote this script to automate the guessing process.
Flag: i_h0pe_u_didnt_do_this_manually_lol
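The echoed query shows the submitted password being pasted straight into the SQL text, which is what gives the guessing loop its yes/no answer. The following is an added example, not the authors' script and not the challenge's code: it puts that query shape beside a parameterized version on a local in-memory SQLite table and shows that the same input stops working as a prefix test once the value is bound as data. The table contents, the function names and the probe string are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data; the password is a placeholder, not the challenge flag.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret_pw')")
    return conn


def login_vulnerable(conn, username, password):
    # Same shape as the query the challenge echoes back:
    # user input becomes part of the SQL text itself.
    sql = ("SELECT * FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Hardened form: the SQL text is fixed and the inputs are bound as values,
    # so quotes in the input can never change the WHERE clause.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def prefix_condition(prefix):
    # Constructed password-field input: closes the string literal and appends
    # a "password starts with <prefix>" condition, as the algorithm describes.
    return ("x' OR (username='admin' AND substr(password,1,%d)='%s') -- "
            % (len(prefix), prefix))


def compare(conn, prefix):
    # Returns (vulnerable_result, parameterized_result) for one prefix guess.
    probe = prefix_condition(prefix)
    return (login_vulnerable(conn, "admin", probe),
            login_parameterized(conn, "admin", probe))


if __name__ == "__main__":
    conn = make_db()
    for guess in ("s3c", "zzz"):
        print(guess, compare(conn, guess))
```

With the concatenated query the result tracks whether the guessed prefix is right; with bound parameters the whole probe is compared as a literal password and always fails.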