First we're met with a sign-in form. Let's try some default creds, admin and admin.
Below, the query run on the database is shown; this seems like a clear example of SQL injection.
Ultimately, we want to try and log in as a user. To do this, we can try to inject our own SQL.
We know the payload looks like the following:
We want to trick this into always returning a user, and to do this we'll inject a clause that's always true, such as 1=1.
That will make the query equal to the following:
So here, it'll compare the username to admin, and if it's not the same the check will still pass because 1=1. However, there's a small issue: the password is still wrong. To bypass this check, we'll make everything after our injection a comment so that the database ignores it:
That would make the query be:
As you can see, the username will always be correct due to the 1=1, and the password check is commented out! Let's try it.
We still have to input a password because some JavaScript checks to make sure it's there, but we can fill that with any rubbish. And we get the flag!
HTB{SQL_1nj3ct1ng_my_w4y_0utta_h3r3}
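As an added example that is not part of the original writeup, here is a small Python/sqlite3 model of the two ways a login query can be built: string concatenation, which is the pattern the bypass above relies on, and a parameterized query, which sends the same input as data so the quote, the OR clause and the comment marker never become SQL. The users table, the stored credentials and the function names are constructed for this demonstration and are assumptions, not the challenge's actual back end.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user, plaintext password only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_concatenated(conn, username, password):
    """Builds the query by pasting user input into the SQL text (the pattern the writeup exploits).
    Returns the matched username, or None if no row matches."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the input as values,
    so quotes, OR clauses and comment markers in it are compared literally."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both builders against the default-credential guess and the writeup's injected input."""
    conn = make_db()
    # The writeup's idea: an always-true clause, then comment out the rest of the WHERE clause.
    injected = "admin' OR 1=1 -- "
    return {
        "guess_concat": login_concatenated(conn, "admin", "admin"),          # None: wrong password
        "inject_concat": login_concatenated(conn, injected, "rubbish"),       # "admin": bypass works
        "inject_param": login_parameterized(conn, injected, "rubbish"),       # None: input is just text
        "valid_param": login_parameterized(conn, "admin", "correct-horse-battery"),  # "admin"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is the bound parameters, not input filtering: the parameterized version returns no row for the injected input because the whole string is compared against the username column. As a secondary signal for defenders, the concatenated version raises sqlite3.OperationalError on a stray single quote, and that class of database syntax error in an application log is worth alerting on.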