PicoCTF2021 on RJ Blog https://tntrenjin.github.io/tags/picoctf2021/ Recent content in PicoCTF2021 on RJ Blog Hugo -- 0.150.0 zh-tw Tue, 23 Sep 2025 00:00:00 +0000 [Write-Up] Web Gauntlet 2 https://tntrenjin.github.io/write-up/picoctf2021/web-gauntlet-2/ Tue, 23 Sep 2025 00:00:00 +0000 https://tntrenjin.github.io/write-up/picoctf2021/web-gauntlet-2/ <h2 id="題目資訊">題目資訊</h2> <ul> <li>來源:picoCTF2021</li> <li>分類:Web Exploitation</li> <li>難度:中</li> </ul> <h2 id="解題流程">解題流程</h2> <h3 id="探勘">探勘</h3> <p>打開網站,會看到一個帳號密碼的登入介面</p> <p><img alt="alt text" loading="lazy" src="https://tntrenjin.github.io/write-up/picoctf2021/web-gauntlet-2/image.png"></p> <p>打開 Filter 則是有以下說明:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Filters: or and true false union like = &gt; &lt; ; -- /* */ admin </span></span></code></pre></div><h3 id="嘗試破解">嘗試破解</h3> <p>由於 admin 不能打,先試試 root</p> <p>過濾器沒有過濾到 <code>IS</code> 跟 <code>NOT</code> 所以用 <code>a' IS NOT 'b</code> 強制為 true</p> <p><img alt="alt text" loading="lazy" src="https://tntrenjin.github.io/write-up/picoctf2021/web-gauntlet-2/image-1.png"></p> <p>送出後,會出現完整 SQL 指令,同時也說 <code>not admin</code></p> <p>恩&hellip;好,看來是有繞過,但一定要 admin</p> <p>那 admin 就用字串拼接的,由於提示說是 sqlite,就只能用 <code>|</code> 結合字串</p> <p>Payload:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Username: ad&#39;||&#39;min </span></span><span class="line"><span class="cl">Password: a&#39; IS NOT &#39;b </span></span></code></pre></div><p><img alt="alt text" loading="lazy" src="https://tntrenjin.github.io/write-up/picoctf2021/web-gauntlet-2/image-2.png"></p> <p>登入成功,回到 filter.php,出現 PHP 原始碼,而 FLAG 就在最底下</p>