Gain access to nicholas’s account

Difficulty: Hard

UnicornBox uses token-based authentication. The database stores a table that maps session tokens to users:

CREATE TABLE IF NOT EXISTS sessions (
    username TEXT,
    token TEXT,
    -- Additional fields not shown.
);

Whenever an HTTP request is received, the server checks for a session_token value in the cookie. If the cookie contains a token, the server selects the username corresponding to that token from the sessions table.

Your task: Gain access to nicholas’s account.


Tips

  • Cookie values may contain anything other than semicolons, which are used as delimiters in cookie syntax.

  • This solution has been tested on Chrome and Firefox. If you’re running into issues on other browsers, we recommend switching over to Chrome or Firefox!

  • Consider looking into the UNION keyword, which returns the results of two queries without using a semicolon.

  • It is possible to select constants in SQL rather than selecting column names. For example, SELECT 1, 'foo', 'evan' will return a single row with 3 columns, with values of 1, 'foo' and 'evan'. You may find this useful if you can guess the format of the rows being selected in one of the server’s SQL queries.
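
For contrast with the session lookup described above, here is a lookup that binds the cookie value as a query parameter, so the token is only ever compared as data. This is an added example, not UnicornBox's code: the use of Python with sqlite3, the function names, the 32-hex-character token format and the user "alice" are assumptions.

```python
import re
import secrets
import sqlite3

# Assumed token format: 32 lowercase hex characters (not stated on the page).
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


def make_db():
    """In-memory database holding the sessions table (only the columns shown)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IF NOT EXISTS sessions (username TEXT, token TEXT)")
    return db


def create_session(db, username):
    """Issue an unguessable token and record it for the user."""
    token = secrets.token_hex(16)
    db.execute("INSERT INTO sessions (username, token) VALUES (?, ?)", (username, token))
    return token


def lookup_token(db, token):
    """Return the username for a token, or None if no session matches."""
    # The token is passed as a bound parameter, never spliced into the SQL
    # text, so quotes or keywords inside it cannot change the query's shape.
    row = db.execute("SELECT username FROM sessions WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def username_for_request(db, cookie_header):
    """Map a request's Cookie header to a username; None means unauthenticated."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "session_token":
            # Second layer: reject values not shaped like a token we issue.
            if TOKEN_RE.fullmatch(value):
                return lookup_token(db, value)
            return None
    return None
```

Parameter binding is what keeps the query structure fixed; the format check is defense in depth that rejects malformed cookies before they reach the database.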