Gain access to nicholas
’s account
Difficulty: Hard
UnicornBox uses token-based authentication. The database stores a table that maps session tokens to users:
CREATE TABLE IF NOT EXISTS sessions (
username TEXT,
token TEXT,
-- Additional fields not shown.
);
Whenever an HTTP request is received, the server checks for a session_token
value in the cookie. If the cookie contains a token, the server selects the
username corresponding to that token from the sessions
table.
Your task: Gain access to nicholas
’s account.
Tips
-
Cookie values may contain anything other than semicolons, which are used as delimiters in cookie syntax.
-
This solution has been tested on Chrome and Firefox. If you’re running into issues on other browsers, we recommend switching over to Chrome or Fiefox!
-
Consider looking into the
UNION
keyword to return the result of two queries without usage of a semicolon. -
It is possible to select constants in SQL rather than selecting column names. For example,
SELECT 1, 'foo', 'evan'
will return a single row with 3 columns, with values of1
,'foo'
and'evan'
. You may find this useful if you can guess the format of the rows being selected in one of the server’s SQL queries.