picoCTF Solutions
picoCTF 2022Web ExploitationMedium

SQLiLite picoCTF 2022 Solution

Published: July 20, 2023

Description

A login form backed by SQLite is vulnerable to classic SQL injection. The server constructs a query by directly concatenating user input into the SQL string without parameterization.

Inject SQL syntax into the username field to make the WHERE clause always true, bypassing authentication entirely.

Read the technique guide

Setup

Navigate to the challenge URL in your browser or use curl.

Submit a SQL injection payload in the username field. If you POST via curl, URL-encode the payload (' becomes %27, spaces become %20).

bash
curl -X POST 'http://saturn.picoctf.net:<PORT_FROM_INSTANCE>/login' --data-urlencode "username=' OR 1=1-- -" --data-urlencode "password=x"
bash
# Equivalent fully-encoded URL-form body:
bash
# username=%27%20OR%201%3D1--%20-&password=x

Solution

Walk me through it
New to SQL injection? SQL Injection for CTF covers authentication bypass payloads like the one used here, plus UNION extraction and sqlmap.
  1. Step 1Understand the vulnerable query
    The server builds: SELECT * FROM users WHERE username='INPUT' AND password='...' - injecting ' OR 1=1-- makes it always true.
    Learn more

    The backend SQL query looks like:

    SELECT * FROM users WHERE username='INPUT' AND password='PASS'

    When you enter ' OR 1=1-- - as the username, the query becomes:

    SELECT * FROM users WHERE username='' OR 1=1-- - ' AND password='...'

    The single quote closes the username string literal. OR 1=1 makes the WHERE clause always true (1=1 is always true). The -- - is a SQL comment that comments out the rest of the query, including the AND password check. The result: the query returns all rows, the login succeeds as the first user (often admin).

  2. Step 2Submit the injection payload
    Enter ' OR 1=1-- - as the username and anything as the password, then submit the login form.
    bash
    # In browser: Username: ' OR 1=1-- -   Password: anything
    bash
    curl -X POST 'http://saturn.picoctf.net:<PORT_FROM_INSTANCE>/login' --data-urlencode "username=' OR 1=1-- -" --data-urlencode "password=x"
    Learn more

    SQL injection is consistently ranked in the OWASP Top 10 as one of the most critical web application security risks. The root cause is always the same: user input is concatenated into a SQL query string instead of being passed as a bound parameter.

    The safe fix is to use parameterized queries (also called prepared statements):

    cursor.execute("SELECT * FROM users WHERE username=? AND password=?", (username, password))

    With parameterized queries, the input is treated as data, not as SQL syntax - special characters like single quotes are escaped automatically and cannot alter the query structure.

  3. Step 3Extract the flag from the response
    The server returns the flag in the HTTP response body or page content after successful login bypass.
    Learn more

    In SQLite, the comment syntax is -- (two dashes). MySQL also supports #. The space after -- is required in some databases (PostgreSQL) and the trailing - is sometimes added to ensure the comment parses correctly. Using -- - (dash dash space dash) is a safe choice that works in most SQL dialects.

    Other classic bypasses include: admin'-- (log in as the admin user specifically), ' OR '1'='1 (without a comment, closes both sides of the string), and '/* for C-style block comments in MySQL.

    More advanced SQL injection techniques include UNION-based injection (appending a SELECT to extract data from other tables), blind injection (inferring data from true/false responses), and time-based blind injection (using SLEEP() to infer data from response timing).

Flag

picoCTF{L0gin_S0m3hin...}

Submit ' OR 1=1-- - as the username. The SQL comment and always-true condition bypass the password check entirely.

Want more picoCTF 2022 writeups?

Browse picoCTF 2022Full library

Useful tools for Web Exploitation

Related reading

What to try next