0xl4ugh CTF : SimpleWAF
We have access to a website similar to the one in Micro, but with different source code.
Writeup
We are given the source code of the challenge, where we find an SQL injection in this line:
$res = $conn->query("select * from users where username='$username' and password='$password'");
But in order to exploit this SQL injection, we first have to bypass this regex check:
if(preg_match("/([^a-z])+/s",$input))
The regex matches any sequence of one or more non-lowercase characters. preg_match returns 1 when there is a match and 0 when there is none, so the check blocks the input only on 1; we need the call to return something falsy (0 or false) while still sending forbidden characters. Looking into the documentation, we find that preg_match returns false when it encounters an error, and one of those errors is hitting the recursion depth limit.
The weakness lies in the + of the regex, which means "one or more". For each non-lowercase character preg_match recurses so that it can backtrack later, and since every recursion level has to store a return address, a long enough run of non-lowercase characters eventually overflows the stack limit: the match aborts and preg_match returns false, which the if() treats exactly like "no match".
So all we need to do is send a large number of non-lowercase characters:
import requests

# 10 000 non-lowercase characters trip the regex engine's limit so the
# preg_match check returns false; the injection itself follows them.
data = {
    "username": ";" * 10_000 + "' OR '1'='1';\x00",
    "password": "admin",
    "login-submit": "",
}
r = requests.post("http://20.115.83.90:1339/", data=data)
print(r.content)
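For comparison, here is the filter as the challenge wrote it next to a version that fails closed. This is an added example, not the challenge's or the author's code; the pcre.jit and pcre.backtrack_limit values are assumed settings chosen so the error case reproduces locally without a 10 000-character payload.

```php
<?php
// preg_match() returns 1 (match), 0 (no match) or false (engine error:
// backtrack, recursion or JIT stack limit). A bare if() treats false
// exactly like 0, so an engine error lets the input through.

function waf_weak(string $input): bool
{
    // Original logic: blocks only when preg_match() returns 1.
    return (bool) preg_match("/([^a-z])+/s", $input);
}

function waf_strict(string $input): bool
{
    // Same policy (lowercase letters only), but:
    //  - no quantified capture group, so there is nothing to backtrack over;
    //  - explicit comparison with 0 plus preg_last_error(), so any engine
    //    error counts as "blocked" rather than "clean".
    $r = preg_match("/[^a-z]/", $input);
    return $r !== 0 || preg_last_error() !== PREG_NO_ERROR;
}

// Assumed demo settings: a tiny backtrack budget, with JIT off because the
// JIT path ignores pcre.backtrack_limit and reports its own error code.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '100');

$errorNames = [
    PREG_NO_ERROR              => 'PREG_NO_ERROR',
    PREG_BACKTRACK_LIMIT_ERROR => 'PREG_BACKTRACK_LIMIT_ERROR',
    PREG_RECURSION_LIMIT_ERROR => 'PREG_RECURSION_LIMIT_ERROR',
    PREG_JIT_STACKLIMIT_ERROR  => 'PREG_JIT_STACKLIMIT_ERROR',
];

// Constructed sample inputs: clean, short injection, long injection.
$samples = [
    'admin',
    "admin' or '1'='1",
    str_repeat(';', 1000) . "' or '1'='1",
];

foreach ($samples as $input) {
    $weak   = waf_weak($input);
    $err    = $errorNames[preg_last_error()] ?? 'unknown';
    $strict = waf_strict($input);
    printf("%-11s weak=%-7s (%s)  strict=%s\n",
        substr($input, 0, 8) . '...',
        $weak ? 'blocked' : 'ALLOWED', $err,
        $strict ? 'blocked' : 'ALLOWED');
}
```

The long sample is allowed by waf_weak with PREG_BACKTRACK_LIMIT_ERROR while waf_strict blocks it; either way, the real fix for the query on the page is a prepared statement rather than a character filter.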