Challenge 1: The Copilot's Query
Team Hack
Goal: Extract the
admin_password from the system_config table.
The AI assistant generated this "secure" query by trying to filter single quotes. Can you bypass its naive protection using UNION?
Copy
<?php
// --- SIMULATED INPUT ---
$userId = "1";
// -----------------------
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INT, username TEXT, role TEXT)");
$db->exec("CREATE TABLE system_config (config_name TEXT, config_value TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice', 'user')");
$db->exec("INSERT INTO system_config VALUES ('admin_password', 'FLAG{AI_HALLUCINATED_SECURITY}')");
// AI SUGGESTION: "I'll remove quotes to prevent SQL injection!"
$userId = str_replace("'", "", $userId);
// VULNERABLE CODE
$query = "SELECT username FROM users WHERE id = " . $userId;
echo "Executing: $query\n\n";
$result = $db->query($query);
if ($result) {
foreach ($result as $row) {
echo "Result: " . $row['username'] . "\n";
}
}
Team Fix
Goal: Replace the AI's "hand-rolled" filter with a professional solution.
The AI's str_replace attempt is useless against numeric-based SQL injection. Use real Prepared Statements.
Tip: Use $db->prepare() and bind parameters correctly.