Challenge Name: Easy access
Only superpower makes you see unlimited view.
This is our target:
Login Form:
- Username field (input box)
- Password field (input box)
- Remember Me checkbox option for staying logged in on future visits
- Login button for submitting the login credentials
- A link labeled Forgot Your Password? for users to reset their password if needed.
Okay, let's see if there is anything interesting here :)
The page source of the main page looks normal, so let's check the other links.
Okay, fair enough, let's open our trusty Burp Suite to get more information.
Okay guys, I inspected the main page and found this comment containing a credential:
Let's log in with this credential.
Okay, as we can see, only admin can see the flag.
So I'll go back and check whether the login page has a SQL injection vulnerability. Let's try the simplest test: add a single quote after the username and put anything in the password. If the query looks like:
SELECT * FROM users WHERE username = 'admin' AND password = 'anything';
After injecting it, it will look like:
SELECT * FROM users WHERE username = 'admin'' AND password = 'anything';
This extra ' could cause an error, and if the page is vulnerable we expect to see that error. So let's apply this SQL test.
This is the error we got:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '81dc9bdb52d04dc20036dbd8313ed055'' at line 1
We got a MariaDB error, which indicates that the SQL query is injectable. In the password field, the application converts our input into an MD5 hash before it goes into the query. The query wraps that hash in a single quote ('), but after our injection there is no matching closing quote, which means we need to add one to complete the syntax.
To exploit this, enter the following in the username field: Admin' OR '1'='1' ' . For the password field, I can enter anything, as it will be ignored. The final single quote (') completes the password input, so there's no need to comment out the password section of the query. However, if we did need to ignore the rest of the query, we could use -- to add a comment.
So, let's try it with Admin' OR '1'='1' '
and guess what? We've got the flag, bro :)
flag{!njection_3v3ry_wh3r3}
Want the conclusion of this challenge?
We used Admin' OR '1'='1' ' as the username, which effectively bypassed the login check by making the query always return true.
This injection worked without needing to comment out the password section because we closed the password condition with a balanced single quote.
Key Takeaways:
- SQL Injection Detection: Look for error messages that reveal SQL-related issues, as they often indicate unfiltered input.
- Payload Crafting: Understanding how to balance quotes and structure SQL payloads can allow you to exploit such vulnerabilities.
- Security Awareness: This challenge highlights the importance of secure coding practices, such as using parameterized queries to prevent injection vulnerabilities.
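To make the last takeaway concrete, here is an added example (not part of the challenge or this writeup) in Python with an in-memory SQLite database: the first login function rebuilds the challenge's pattern, hashing the password with MD5 and concatenating the username into the query, and the second binds both values as parameters. The table, account and function names are my own assumptions; SQLite does not merge adjacent string literals the way MariaDB does, so the bypass shown uses the -- comment form mentioned above rather than the balanced-quote payload.

```python
import hashlib
import sqlite3

# Constructed in-memory users table with one account, admin / 1234
# (md5("1234") is the 81dc9bdb... hash that appears in the writeup's error).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.md5(b"1234").hexdigest()))
    return conn

def login_vulnerable(conn, username, password):
    """Hashes the password like the challenge, then glues the username into the
    SQL string. Hashing neutralises injection in the password field, but the
    username field is still interpreted as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + pw_hash + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # An unbalanced quote reaches the parser: this is the syntax error
        # the writeup used as its detection signal (an error-message leak).
        return {"ok": False, "error": str(exc)}
    return {"ok": row is not None, "error": None}

def login_safe(conn, username, password):
    """Same logic with a parameterised query: the username is bound as data,
    so quotes in it are never parsed as SQL and no syntax error can leak."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw_hash)).fetchone()
    return {"ok": row is not None, "error": None}

if __name__ == "__main__":
    db = make_db()
    # Legitimate login, the single-quote probe, and a tautology with a comment.
    for user, pw in [("admin", "1234"), ("admin'", "1234"),
                     ("admin' OR 1=1 --", "x")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```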
Thanks bro, see you in the next CTF challenge!