Sqlite3

Filter bypass


Some filter away from SQL injection

Here your input is heavily transformed before being injected into the query. While this makes exploitation more difficult, it shouldn't stop you.

Goal: recover the admin password

Hints

Hint #1

Spaces are not the only word separator in SQL.

Hint #2

The password filter is broken, you should be able to bypass it.

Solution

Read the solution

$name = 'UNION/**/SELECT/**/1,passpasswordword/**/FROM(users)WHERE(username='admin')--

Explanation

  • Because we can't use spaces, parentheses and empty comments are used as word separators.

  • passpasswordword: the filter is applied in a single pass, so the password in the middle is removed and the surrounding halves join up, leaving us with password.

  • Finally, a comment at the end is used to discard the extra email part of the query.
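As an added illustration that is not part of the challenge or its published solution, the Python script below reproduces the two weaknesses the explanation relies on (a single-pass keyword-removal filter, and a separator check that only knows about the space character) and contrasts the filtered string concatenation with a bound parameter, which is the actual fix. The users table, its row and the exact filter word list are constructed assumptions.

```python
import sqlite3

# Constructed approximation of the challenge's filter: each blocked token is
# removed once, in one pass, which is exactly what lets "passpasswordword"
# collapse into "password".
BLOCKED = ["password", " "]


def naive_filter(value: str) -> str:
    """Single-pass removal, as the challenge's filter behaves."""
    for word in BLOCKED:
        value = value.replace(word, "")
    return value


def fixed_point_filter(value: str) -> str:
    """Repeats removal until nothing changes. This closes the nesting trick
    only; it is still a blocklist and still not a defence on its own."""
    while True:
        stripped = naive_filter(value)
        if stripped == value:
            return value
        value = stripped


def contains_sql_separator(value: str) -> bool:
    """What a space check alone misses: SQLite also accepts tabs, newlines
    and comments between tokens, so "/**/" is as good as a space."""
    return any(sep in value for sep in (" ", "\t", "\n", "/*", "--"))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    # constructed sample row; not a real credential
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the filtered value is still spliced into SQL text,
    so anything the filter lets through is parsed as part of the query."""
    sql = f"SELECT username FROM users WHERE username='{naive_filter(name)}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Fixed pattern: the value is bound as a parameter and can never be
    interpreted as SQL, so no keyword filter is needed at all."""
    return conn.execute("SELECT username FROM users WHERE username=?", (name,)).fetchall()
```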
