Irish-Name-Repo 2 picoCTF 2019 Solution

Published: April 2, 2026

Description

There is a new [Irish-Name-Repo](http://link) website. Can you log in as admin?

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
This is the second challenge in the Irish-Name-Repo series - start with Irish-Name-Repo 1 if you haven't already. Unlike IR-1, this level adds a server-side SQLi filter that blocks the obvious OR 1=1 payloads, and it has a hidden debug=1 form field that echoes the built query so you can see what to bypass. The SQL Injection for CTF guide covers comment-based bypasses and other authentication-bypass techniques. (The ROT13 encoding twist is the IR-3 mechanic, not this one.) Use the SQL Injection Payload Generator to generate and copy bypass payloads without typing them by hand. Ready for more? Try Irish-Name-Repo 3 next.
  1. Step 1
    Identify the login form and turn on debug
    Observation
    I noticed the challenge description said 'log in as admin' and mentioned a new version of the Irish-Name-Repo site, which suggested there was a login form with SQL injection as the attack surface, and the presence of a hidden debug parameter hinted that enabling it would reveal useful server-side information.
    Navigate to the challenge URL. There is a login form asking for username and password, and a hidden debug parameter. Set debug=1 (edit the form in dev tools or add it to the POST body) so the server echoes the exact SQL query it builds. IR-2 also filters the obvious OR-based payloads, which is why a comment-based bypass is used below rather than ' OR 1=1.
    What didn't work first

    Tried: Attempting ' OR 1=1-- or OR-based payloads immediately without enabling debug mode.

    Without debug=1 you only see a generic error or failed login message with no query echo, so you cannot tell whether the filter is catching your payload or if the syntax is wrong. Enabling debug first reveals the exact query the server builds, which makes it obvious what needs to be bypassed.

    Tried: Looking for the debug parameter in the page's visible HTML source using View Source instead of DevTools.

    View Source shows the raw HTML sent by the server before any JavaScript runs, but hidden form fields that are added or modified by client-side scripts will not appear there. Opening the Elements panel in DevTools shows the live DOM including all hidden inputs, making it easy to find and edit the debug field.

    Learn more

    SQL injection occurs when user-supplied input is embedded directly into a SQL query without proper sanitization. A classic login query looks like: SELECT * FROM users WHERE username='INPUT' AND password='PASS'.

    If INPUT is controlled by the attacker, inserting a single quote can break out of the string literal and change the query's logic.

  2. Step 2
    Use a SQL injection bypass payload
    Observation
    I noticed the debug output showed OR-based payloads were being filtered by the server, which suggested using a comment-based bypass like admin'-- that closes the username string and discards the password check entirely without relying on OR logic.
    Enter admin'-- as the username and anything as the password. The double dash comments out the rest of the SQL query, so the password check is skipped entirely.
    What didn't work first

    Tried: Trying ' OR '1'='1 or ' OR 1=1-- as the username payload.

    IR-2 explicitly filters OR-based payloads server-side, so these return a failure response or a filtered query in the debug output. The comment-based approach (admin'--) never uses OR at all - it simply closes the username string and discards the rest of the query with a comment, slipping past the OR filter entirely.

    Tried: Omitting the trailing space after - or forgetting the double dash entirely and using # as the comment character.

    MySQL accepts # as a comment delimiter but the database here uses a different SQL dialect that requires --. Some SQL parsers also require a space after - to treat it as a comment. If the payload does not produce the expected query in the debug output, check that the comment syntax matches what the debug echo shows.

    Learn more

    The payload admin'-- transforms the query into: SELECT * FROM users WHERE username='admin'--' AND password='...'. Everything after -- is a comment in SQL, so the password condition is never evaluated.

    Alternatively, ' OR 1=1-- makes the WHERE clause always true, returning all rows and logging you in as the first user in the database (often admin).

    Modern applications prevent this with parameterized queries (prepared statements), which treat user input purely as data, never as SQL syntax.

  3. Step 3
    Retrieve the flag
    Observation
    I noticed the login succeeded and the server redirected to an authenticated page, which meant the SQL injection bypass worked and the flag would be displayed directly in the post-login page content.
    After successful login, the page displays the flag. Copy it.
    Learn more

    SQL injection has been in the OWASP Top 10 most critical web security risks for over a decade. Despite being well-understood, it remains common because developers sometimes build queries with string concatenation rather than parameterization.

Interactive tools
  • SQL Injection Payload GeneratorGenerate SQL injection payloads for auth bypass, UNION extraction, blind SQLi, NoSQL operator injection, and sqlmap commands. Supports MySQL, PostgreSQL, SQLite, and MSSQL.

Flag

Reveal flag

picoCTF{m0R3_SQL_plz_...}

IR-2 adds a SQLi filter that blocks OR-based payloads and a debug=1 param that echoes the query. Use admin'-- as the username to comment out the password check. The flag's hex suffix is instance-specific.

Key takeaway

Naive input filters that block specific SQLi keywords can usually be bypassed because SQL has many equivalent ways to express the same logic. Comment-based payloads (admin'--) sidestep OR-based filters entirely by eliminating the password clause rather than overriding it. Defense requires parameterized queries, not blocklists, because parameterization removes the structural ambiguity that injection exploits regardless of the payload shape.

Related reading

Want more picoCTF 2019 writeups?

Tools used in this challenge

What to try next