Initial Findings

  • It’s a SQL injection challenge
  • We’re given a login form
  • Bad login returns: “Sorry to say, that’s invalid login info!”
  • Supposedly good login returns the flag

SQL Injection

  • Caused by building a SQL statement by concatenating user input straight into the query string, with no escaping or parameter binding
  • Allows malicious actors to inject their own SQL code, changing what the query does rather than just what it compares against
  • Easily tested by inserting a single or double quote: an error, an empty response, or any change in behavior means the quote reached the SQL parser

The Challenge

  • Verify SQL injection
    • Username = ' (single quote)
    • Password = (empty)
    • Submission returns nothing: the unbalanced quote broke the statement, which confirms the input is going into the query unescaped
  • Try simplest SQL injection
    • Username = ' or ''='
    • Password = ' or ''='
    • The query becomes WHERE User='' or ''='' AND Password='' or ''='', and the trailing ''='' is always true
    • Submission returns: “gigem{f4rm3r5_f4rm3r5_w3'r3_4ll_r16h7}!”

The Fix

  • Another category of challenges asks us to fix the insecure challenge
  • The actual insecure lines, in all their PHP glory
$user = $_POST['username'];
$pass = $_POST['password'];
// Raw POST values interpolated directly into the query string
$sql = "SELECT * FROM login WHERE User='$user' AND Password='$pass'";
  • Super simple to fix: run both inputs through one function, mysqli_real_escape_string(), before they hit the query
$user = mysqli_real_escape_string($conn, $_POST['username']);
$pass = mysqli_real_escape_string($conn, $_POST['password']);
  • Escaping is enough here because both values sit inside single-quoted string literals; for anything else (numeric columns, ORDER BY, table names) it does nothing, so the robust fix is a prepared statement with bound parameters
  • Submitting our repaired code gives us the flag
    • gigem{the_best_damn_sql_anywhere}
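To see the whole challenge end to end, the following is an added example (not the challenge's own code, which is PHP against MySQL): it rebuilds the login query against an in-memory SQLite table with one constructed user, shows the single-quote probe breaking the vulnerable query, shows the ' or ''=' payload logging in, and then shows the same payload failing against both the escape-based fix and a prepared statement. The `escape_string` helper is a hypothetical stand-in for mysqli_real_escape_string and only doubles single quotes, which is all SQLite needs inside a quoted literal.

```python
"""Login-query demo: vulnerable string building, the escape-based fix,
and a parameterized query, run against an in-memory SQLite table."""
import sqlite3

# The bypass payload used in the challenge.
PAYLOAD = "' or ''='"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a `login` table with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (User TEXT, Password TEXT)")
    conn.execute(
        "INSERT INTO login VALUES ('admin', 'correct horse battery staple')"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Mirrors the challenge's insecure PHP: input pasted straight into the SQL."""
    sql = f"SELECT * FROM login WHERE User='{user}' AND Password='{password}'"
    return conn.execute(sql).fetchone() is not None


def probe_breaks_query(conn: sqlite3.Connection, user: str) -> bool:
    """The writeup's first test: does a lone quote break the statement?"""
    try:
        login_vulnerable(conn, user, "")
        return False
    except sqlite3.OperationalError:  # unterminated string literal
        return True


def escape_string(value: str) -> str:
    """Hypothetical stand-in for mysqli_real_escape_string (assumption).

    Doubling single quotes is all SQLite needs inside a quoted literal; the
    real mysqli function also handles backslashes, NUL, CR/LF and the
    connection charset, so do not reuse this against MySQL.
    """
    return value.replace("'", "''")


def login_escaped(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """The challenge's accepted fix: escape before interpolating."""
    sql = (
        f"SELECT * FROM login WHERE User='{escape_string(user)}' "
        f"AND Password='{escape_string(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Preferred fix: the query shape is fixed, input travels as bound values."""
    sql = "SELECT * FROM login WHERE User=? AND Password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("probe with \"'\" breaks query:", probe_breaks_query(db, "'"))
    print("vulnerable + payload:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("escaped    + payload:", login_escaped(db, PAYLOAD, PAYLOAD))
    print("prepared   + payload:", login_prepared(db, PAYLOAD, PAYLOAD))
    print("prepared   + real creds:",
          login_prepared(db, "admin", "correct horse battery staple"))
```

The payload works against the vulnerable version because SQL's AND binds tighter than OR, so the WHERE clause reduces to `User='' OR (''='' AND Password='') OR ''=''`, and the last disjunct is always true. Both fixes turn the payload back into a plain string value that matches no user.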