Challenge Name: bypass the world

Mohamed Samir
3 min read · Oct 6, 2024


I Don’t Care if the world is against you, but I believe that you can bypass the world

This is our target:

It’s a login form with two input fields, user name and password, a submit button, and below it a sentence that says: Wanna Source …!

So, Let’s check this out and see :)

I clicked on Wanna Source Phrase and this code appeared :

$name = preg_replace('/\//', '', $name);
$pass = preg_replace('/\//', '', $pass);
  • The preg_replace call strips every forward slash (/) out of $name and $pass: the pattern '/\//' matches a slash and replaces it with an empty string. This may be meant as SQL injection protection, but it is neither strong nor complete, because it removes only one character and leaves quotes, backslashes and comment markers untouched. Relying solely on removing specific characters leaves the system open to more sophisticated attacks.

I thought the idea of this challenge would be hard, but let me tell you how we can bypass this preg_replace function.

I know something called escape characters, so we need to escape with the backslash, because if we don’t, our payload is going to behave after execution like an empty string, as if we did nothing. So let’s use this escape sequence: \' , simply a backslash followed by a single quote, and the SQL query is going to look like:

"SELECT * FROM users where name='' AND password='randompass"

I got this error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '123234'' at line 1
wrong user or password

So I successfully bypassed the username input field; now let’s try to bypass the password field using a simple SQLi payload like: 'OR 1=1#

So the query will be: "SELECT * FROM users where name='' AND password=OR 1=1# "

The closing ' after $name breaks out of the username string.

The part OR 1=1 always evaluates to true.

The # symbol comments out the rest of the query, so the remaining SQL (like the closing quote for password) is ignored.
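What the writeup points at but never shows is the fix: the challenge’s slash filter next to a login that uses prepared statements, so the input is never parsed as SQL. This is an added example, not the challenge’s source; the users table columns, the PDO DSN and the credentials are assumed.

```php
<?php
// Added example (not the challenge's code). Assumes a MariaDB table
// users(name VARCHAR, password_hash VARCHAR) and the PDO settings below.

// The challenge's filter: it removes only '/' and leaves the characters
// that matter for breaking out of a string literal.
function strip_slashes_only(string $s): string {
    return preg_replace('/\//', '', $s);
}

// Self-check for reviewers: a quote, a backslash and a comment marker
// all pass through the filter unchanged.
function filter_leaves_dangerous_chars(): bool {
    $probe = "\\' OR 1=1#";
    return strip_slashes_only($probe) === $probe;
}

// Hardened login: the input is bound as a parameter, so quoting,
// backslashes and '#' never reach the SQL parser as syntax.
function login(PDO $db, string $name, string $pass): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Compare against a stored hash instead of a plaintext password column.
    return password_verify($pass, $row['password_hash']);
}

$db = new PDO('mysql:host=127.0.0.1;dbname=ctf;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

var_dump(filter_leaves_dangerous_chars());
// The writeup's payloads, which the parameterised query treats as plain text.
var_dump(login($db, "\\", "' OR 1=1#"));
```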

So let’s inject this query and take our flaaaagggg!!

You wanna see the flag, huh? Kneel then.. I said kneeeel.

hahaah I’m kidding bro, this is the flag:

FLAG: FLAG{Y0u_Ar3_S0_C00L_T0d4y}

If you wanna go far, go together, and if you wanna go fast, go alone.

Written by Mohamed Samir

second-year Computer Science | Web PenTester | Offensive | Software Tester Trainee at @CLS Learning Solutions | CTF Player at THM | Top 4% on tryhackme
