![7efa65ab29a9753391142843f38b13ca.png](ed089049494d460080c24e3c5f563a9a.png) Need to find the first name of 'Chan'. `2` ![200ee1e09593703e0f30b0a66e48737f.png](085963f26dbd429cbff95fff7fdaf7bf.png) It's a ping command? Command injection? ![ab62a5a5bf9d8f4cdd33782200e55151.png](45cff9da95f1427e95999ee39863f429.png) Command injection it is `test; sqlite3` `.open onboard.db` `.dump` ![41cb2f4e34609346dc62abe0f76e8c99.png](ce880522590b48a0a92541ee77ea926e.png) Instead of fishing through all of the data, let's do it an easier way `select sql from sqlite_master;` ![b64ecb4d7ce61a1609ebc40b9d8f6ed3.png](6ac44846ff2743ce8f87b959aa551f57.png) We now know that the column containing last names is named 'lname' `select * from onboard where lname = 'Chan'` ![65754a29344a590c17ebb1925d729bcb.png](c53380d9d4464b04b87538d0537d743c.png) Looks like his first name is Scott Let's go back to the start and run the 'runtoanswer' program ![8ce2f064b67e45110bc03d574aac3e4b.png](848347c495aa42b1a5d6fdc76d4a149e.png) --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #sql #command_injection Related: