Gain access to nicholas’s account
Difficulty: Hard
[Wiretapped communication from: The galley.]
Brandon: Welp, that’s another failed batch of cookies.
Gabriel: We must be doing something wrong.
Brandon: Aren’t cookies supposed to be flat? Why are these all balls of dough?
Gabriel: …
Brandon: …
Gabriel: …Oh. You know what it is?
Brandon: What?
Gabriel: The gravity.
Brandon: ….ooooooooh.
UnicornBox uses token-based authentication. The database stores a table that maps session tokens to users:
    CREATE TABLE IF NOT EXISTS sessions (
        username TEXT,
        token TEXT,
        -- Additional fields not shown.
    );
Whenever an HTTP request is received, the server checks for a session_token value in the cookie. If the cookie contains a token, the server selects the username corresponding to that token from the sessions table.
Your task: Gain access to nicholas’s account.
Tips
- Cookie values may contain anything other than semicolons, which are used as delimiters in cookie syntax.
- This solution has been tested on Chrome and Firefox. If you’re running into issues on other browsers, we recommend switching over to Chrome or Firefox!
- Consider looking into the UNION keyword to return the result of two queries without usage of a semicolon.
- It is possible to select constants in SQL rather than selecting column names. For example, SELECT 1, 'foo', 'evan' will return a single row with 3 columns, with values of 1, 'foo' and 'evan'. You may find this useful if you can guess the format of the rows being selected in one of the server’s SQL queries.
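From the defender's side, the token lookup described above is safe only if the cookie value is handled strictly as data. The following is an added example, not UnicornBox's own code; the SQLite backend, the 32-hex-character token format and all function names are assumptions.

```python
import re
import secrets
import sqlite3

# Assumed token format: 16 random bytes rendered as 32 lowercase hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE IF NOT EXISTS sessions (username TEXT, token TEXT)")
    return db

def new_session(db, username):
    """Issue an unguessable token and record it for the user."""
    token = secrets.token_hex(16)
    db.execute("INSERT INTO sessions (username, token) VALUES (?, ?)", (username, token))
    return token

def token_from_cookie(header):
    """Return the raw session_token value from a Cookie header, or None."""
    for part in header.split(";"):  # semicolons delimit cookie pairs
        name, _, value = part.strip().partition("=")
        if name == "session_token":
            return value
    return None

def lookup_user(db, header, strict=True):
    """Map a Cookie header to a username, or None if there is no valid session."""
    token = token_from_cookie(header)
    if token is None:
        return None
    # Layer 1: reject anything that is not shaped like a token we issue.
    if strict and not TOKEN_RE.fullmatch(token):
        return None
    # Layer 2: bind the value as a parameter so it is never parsed as SQL.
    row = db.execute("SELECT username FROM sessions WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    good = new_session(db, "alice")  # constructed sample user
    odd = "it's a UNION of cookies"  # constructed value with a quote and an SQL keyword
    db.execute("INSERT INTO sessions (username, token) VALUES (?, ?)", ("bob", odd))
    print(lookup_user(db, f"theme=dark; session_token={good}"))   # alice
    print(lookup_user(db, f"session_token={odd}", strict=False))  # bob
    print(lookup_user(db, f"session_token={odd}"))                # None
```

With `strict=False` the odd value still only matches the row that literally stores it, which shows that parameter binding alone keeps the cookie out of the SQL grammar; the format check is a second layer.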