It was a very interesting problem, and it took much of our time and energy.
There are 3 levels, all about SQLi.
The first level only needs a username and password. After trying for several hours with some common SQLi payloads like ' or '1'='1 and so on, all of which failed, I accidentally found that " or "1"="1 worked. @fqj then used sqlmap to find the true username and level1_password in the database (sqlmap also reported that the database is SQLite).
The second level needs username, level1_password and level2_password. Note that you must go back to level 1 and use the true username and password to get to level 2 again, or you'll never get any further. After searching for more hours, I found that "%" in SQLite can match strings (including empty strings) and "_" can match a single char. In this level, "%" is just the payload, and we used "_" to brute-force the true password.
The third level needs level3_password and a confirmation of level3_password. For the payload ' or password like '%' -- the site told us that password3.1 passed but password3.2 failed. In the confirm blank an error happened, but we know that the SQLi took effect. That is enough: by using "_" we can brute-force the true password (if the site tells us that only password 3.2 failed, then it makes sense).
@H.Shao wrote the script to find the passwords for level 2 and level 3 and finally got the FLAG. There is a trap in level 3, because there is a "_" in the level3_password, and this time "_" doesn't represent any single char but just a literal "_".
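
An added example, not part of the original write-up or the challenge's code: it shows why "%" and "_" are accepted as a password when a login check compares with LIKE, even with bound parameters, next to the exact-match fix and the ESCAPE clause that makes a literal "_" unambiguous. The table, column names and sample row are constructed, and the use of LIKE in the check is an assumption inferred from the behaviour described above.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'p_ss42')")
    return db

def check_like(db, username, password):
    # Weak: bound parameters stop quote injection, but LIKE still treats
    # % and _ inside the supplied value as wildcards.
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password LIKE ?",
        (username, password)).fetchone()
    return row is not None

def check_equal(db, username, password):
    # Hardened: exact comparison, no pattern semantics at all.
    # (A real system would compare salted password hashes, not plaintext.)
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row is not None

def escape_like(value, esc="\\"):
    # For legitimate LIKE searches: make the escape char, % and _ literal.
    # The escape char must be handled first so it is not doubled twice.
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def search_literal(db, fragment):
    # Substring search in which user input is matched literally via ESCAPE.
    pattern = "%" + escape_like(fragment) + "%"
    return db.execute(
        "SELECT username FROM users WHERE password LIKE ? ESCAPE '\\'",
        (pattern,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for guess in ("%", "______", "p_ss42", "wrong"):
        print(repr(guess), "LIKE:", check_like(db, "alice", guess),
              "=:", check_equal(db, "alice", guess))
    print("literal '_' search:", search_literal(db, "_"))
    print("literal '%' search:", search_literal(db, "%"))
```
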