The challenge was made by 3 auth levels where the aim is bypass them through SQLi and the annonying thing of this challenge is that no feedback is provided about your query so you have to guess the most common mistake till you find the right one..

First auth.

The first one is as easy as tricky beacuse it was a OR injection but the strings are included within double-quotes and not with singles quotes so a classic ‘ OR ‘1’=‘1 won’t work. Use instead “ OR “1”=“1.  Now that you have bypassed auth1 you have also to pickup the right password of “admin1” user blindly. In this case a regular BSQLi with substr() + ascii() will work.

Second auth.

Now that you have the password for auth1 we can move on auth2. This time the things getting a little bit harder but still remain an easy chall. The hardest part was to understand that we are playing with a LIKE query with almost everything filterd but with LIKE statemant we can make it true by using wildcards as %, this will match every char. So the POST query would be like this:

username=admin1&level1_password=MyPasswordIsNotTheFlag&level2_password=%

But same as in auth1 we have to find the password of auth2. How? I coded a script to do this: http://pastebin.com/UPDwMFDw.

Third auth.

Last auth, finally! In this auth some feedback has been provided so it was very easy to solve infact you have two password to input (apart those about auth1,auth2) and must be equal else an error will pop up. If we input a random password we’ll see error like ..query failed : password3.1 password3.2 means both have failed but if we input: ‘ or ‘1’=‘1 we’ll see error like ..query failed : password3.2 means password3.1 has been executed correctly. So basically our true/false condition on BSQLi is based on the presence of “password3.1” error. An equal code for get the password as the previous one is this: http://pastebin.com/gQvQy1c0

Now just log in and get the flag.

Razor4x