Wisdom 1

Challenge

Did you check my website? It offers a way to search for inspirational quotes, I hope there's nothing wrong with it, but on the off chance that you might find anything, please be kind and let me know what you found :)

http://wisdom.ctf.unitedctf.ca/

Solution

The website had 2 pages:

  1. a page that allows you to search through a list of inspirational quotes
  2. a page that takes a link for the admin to visit it

After testing the search functionality for a bit, I found a union-based SQL injection:

' AND FALSE UNION SELECT 'test', 'test2' FROM quotes; -- -

When exploiting SQLi manually, the first thing to do is find out which database engine is running, because each one has slightly different syntax and system table names.

That said, every database has some equivalent of an INFORMATION_SCHEMA catalogue that stores the names of all other tables.

After trying several catalogue table names, I eventually found one named sqlite_master, which obviously meant that this was a SQLite database.

Listing the table names was as simple as:

' AND FALSE UNION SELECT 'a', tbl_name FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'; -- -

Finally, the flag was stored in the secret table:

' AND FALSE UNION SELECT 'a', * FROM my_s3cr3t_7abl3; -- -
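As an added example (not code from the challenge or the original write-up), here is a search handler built the way the injection implies, with the parameterised version beside it; the schema, column names and quote contents are assumed, and the table-listing payload from above is used as the test input:

```python
import sqlite3

# Constructed stand-in for the challenge database. The quotes table and the
# secret table name come from the write-up; column names and contents are assumed.
SCHEMA = """
CREATE TABLE quotes (author TEXT, quote TEXT);
INSERT INTO quotes VALUES ('Seneca', 'Luck is what happens when preparation meets opportunity.');
INSERT INTO quotes VALUES ('Lao Tzu', 'A journey of a thousand miles begins with a single step.');
CREATE TABLE my_s3cr3t_7abl3 (flag TEXT);
INSERT INTO my_s3cr3t_7abl3 VALUES ('FLAG{constructed_placeholder}');
"""

# The table-listing payload from the write-up, used here as test input.
LIST_TABLES = ("' AND FALSE UNION SELECT 'a', tbl_name FROM sqlite_master "
               "WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'; -- -")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # The search term is spliced into the SQL text, so a leading quote closes
    # the LIKE pattern and the rest is parsed as SQL: the two-column UNION
    # lines up with (author, quote) and `AND FALSE` blanks out the real rows.
    sql = "SELECT author, quote FROM quotes WHERE quote LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    # Parameter binding: the term travels as a bound value, never as SQL text,
    # so the same payload is just a pattern that matches no quote.
    sql = "SELECT author, quote FROM quotes WHERE quote LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def leaked_tables(rows):
    # Names smuggled out in the second column (the 'quote' slot) by the UNION.
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_tables(search_vulnerable(db, LIST_TABLES)))
    print("fixed:     ", search_fixed(db, LIST_TABLES))
```

The fixed handler still answers ordinary searches identically, which is the check worth keeping in a regression test when replacing string-built queries.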