Tags: sqli capabilities sql mariadb
tl;dr:
* Endpoint with an SQL injection that supports stacked queries against MariaDB
* Use LOAD_FILE() to get the source of the PHP script, which contains a secret password that gives more info
* Use INTO DUMPFILE to upload a custom MariaDB plugin that spawns a reverse shell
* Create the mysql.plugins table, which is missing
* Install the plugin
* Get a reverse shell
* Notice that the mariadb client has the cap_setfcap=ep capability set
* Upload a client-side MariaDB plugin that sets cap_dac_override=ep on a file of our choosing (like a copy of cat)
* Read the flag stored in /flag
See [https://blog.bawolff.net/2023/10/ctf-writeup-n1ctf-2023-ezmaria.html](https://blog.bawolff.net/2023/10/ctf-writeup-n1ctf-2023-ezmaria.html) for full details and explanation
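
The last steps work only because a binary carried `cap_setfcap=ep`, which let it grant `cap_dac_override=ep` to another file. The following audit function is an added example, not part of the original writeup: it reads `getcap -r` output and reports binaries holding high-risk capabilities. The capability list and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Capabilities treated as high risk (assumed list for this example; extend as needed).
RISKY='cap_setfcap cap_dac_override cap_dac_read_search cap_sys_admin cap_setuid'

# audit_caps: read `getcap -r` output on stdin and print "path<TAB>capability"
# for each risky capability present in the effective or permitted set.
# Handles both "path cap_x=ep" and the older "path = cap_x+ep" layout.
# Assumes paths contain no whitespace.
audit_caps() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, want, " ") }
    {
        for (i = 2; i <= NF; i++) {
            if (!match($i, /[=+]/)) continue        # not a capability clause
            names = substr($i, 1, RSTART - 1)       # comma-separated capability names
            flags = substr($i, RSTART + 1)          # e, p and/or i
            if (flags !~ /[ep]/) continue           # inheritable-only: not reported
            if (names == "") { print $1 "\tALL"; continue }   # "=ep" means every capability
            m = split(names, have, ",")
            for (j = 1; j <= m; j++)
                for (k = 1; k <= n; k++)
                    if (have[j] == want[k]) print $1 "\t" have[j]
        }
    }'
}

# Constructed sample of getcap output (paths are illustrative, not from the challenge).
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/mariadb cap_setfcap=ep
/usr/bin/ping = cap_net_raw+ep
/tmp/cat-copy cap_dac_override=ep
/opt/tool cap_sys_admin=i
/usr/bin/helper cap_net_bind_service,cap_setuid+ep
EOF
}

# On a real host: getcap -r / 2>/dev/null | audit_caps
sample_getcap_output | audit_caps
```

Any hit on `cap_setfcap` deserves the same scrutiny as a setuid-root binary, since its holder can assign arbitrary capabilities to other files.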