Rating:
110 Points
this challenge they gave us a link and also a source code
we first examine the source code
we see that it takes the user-agent header value and concatenate it
with a sql query so we know its a sql injection where we apply our
payload in the user-agent header but notice that it won't return the
results if the requested rows where not equal to 1.
so we use LIMIT and OFFSET to specify the row we want
LIMIT : limits the result to the number we specify
OFFSET : return the number of row we specify
you can use curl to make the request but i will just use the custom
device option in browsers
we click and we get a result but not the one we want
so we just increament the offset untill we get what we want and we
get the flag in the second try
Flag=actf{nyoom_1_4m_sp33d}
PS: I didn't know about offset so i just used a payload to get to know how many columns are there 'union select'a','a';-- and i knew it was two columns because union only works if it have the same no of columns then i used the information scheme to get the the other column name, we know from the code that the first is UA and then we get the second column which is called Name so i used another payload 'union select Name,UA where Name='ac%';-- because i know the flag starts with ac, it's a complicated solution and the offset surely is better but i thought i can share another solution with you
