Home ABCTF-2016 Inj3ction
Writeup
Cancel

Inj3ction

Challenge You can do it. Link

Hint: I’m pretty sure there isn’t even an account that is an admin.

Solution

Another SQL injection challenge, this time we are given the source:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
    include("flag.php");
    $con = mysqli_connect("localhost", "injection3", "injection3", "injection3");
    $username = $_POST["username"];
    $password = $_POST["password"];

    $query = "SELECT * FROM users WHERE username='$username'";
    $result = mysqli_query($con, $query);

    $logged_in = false;

    if(mysqli_num_rows($result) === 1) {
        $row = mysqli_fetch_array($result);
        if($row["password"] === $password){
            $logged_in = true;
            if($row["is_admin"] === true){
                echo("<h1>Wow! Your flag is: $flag </h1>");
            }
        }
    }
    if(!$logged_in){
        echo("<h1>You failed!</h1>");
    }
?>

From the hint it would seem we do not need to pass all the checks, but rather get the program to output the $flag variable for us.

Flag