Tags: web python3 sqli
Rating:
To see scripts please see original writeup.
## Solution (tl;dr version)
The search field on the web page had a SQL injection vulnerability.
Testing payloads against the input revealed two blacklisted characters: whitespace and the comma.
A boolean-based (inferential) injection was built, using the search results to tell whether the injected condition evaluated to true or false.
If true, the search results contained a thought.
If false, the search results were blank.
Example true payload:
`1')/**/AND/**/1=1;#`
Example false payload:
`1')/**/AND/**/1=2;#`
Using the queries from the [perspective risk sqli cheat sheet](https://www.perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/) as a base, I modified them to avoid being filtered out (removing whitespace and rewriting the queries so they did not use commas).
I then wrote some Python scripts:
```
get_db_name.py #Get a database name.
get_table_names.py #Get the table names in a specified database.
get_column_names.py #Get the columns of a specified table.
get_values.py #Get the values of a specified column in a specified table.
```
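To make the lesson of the blacklist concrete, here is an added example (my code, not the author's scripts) that models the search endpoint with an in-memory SQLite table: the filter-then-concatenate version returns different results for the page's true and false payloads, while the parameterized version treats the same input as an ordinary search term and needs no blacklist at all. The table, its columns and the thought bodies are invented; SQLite has no `#` comment, so the `;#` tail of the page's payloads is written `--` here.

```python
import sqlite3

# Constructed stand-in for the challenge's "thoughts" table (not the real schema).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE thoughts (id TEXT, body TEXT)")
_conn.executemany("INSERT INTO thoughts VALUES (?, ?)",
                  [("1", "first thought"), ("2", "second thought")])

# The two characters the challenge's filter rejected.
BLACKLIST = (" ", ",")


def search_vulnerable(term):
    """Challenge-style endpoint: a character blacklist, then string concatenation.

    Returns None when the filter rejects the input, otherwise the matching
    thought bodies. The blacklist stops "1') AND 1=1--" but not the
    comment-for-whitespace form, which reaches the SQL parser intact.
    """
    if any(ch in term for ch in BLACKLIST):
        return None
    sql = "SELECT body FROM thoughts WHERE id IN ('" + term + "')"
    return [row[0] for row in _conn.execute(sql)]


def search_safe(term):
    """Same query with the user value bound as a parameter.

    The driver sends the value separately from the statement text, so quotes,
    parentheses and comments inside it are data, never syntax.
    """
    sql = "SELECT body FROM thoughts WHERE id IN (?)"
    return [row[0] for row in _conn.execute(sql, (term,))]


if __name__ == "__main__":
    # SQLite has no '#' comment, so the page's ';#' terminator is written '--' here.
    for payload in ("1')/**/AND/**/1=1--", "1')/**/AND/**/1=2--",
                    "1') AND 1=1--", "1"):
        print(repr(payload), search_vulnerable(payload), search_safe(payload))
```

Run it and the vulnerable function answers the true payload with a thought and the false payload with nothing, which is exactly the oracle the writeup relied on; the parameterized function returns an empty list for both because it is looking for a row whose id literally equals the payload string.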
This turned out to redirect the challenge, since the flag was not in the database: a note in the entry in the secrets table said the flag had been moved to a txt file.
The next steps were to figure out where the file was and then read its contents, still using SQL. A full path to the file was needed. To accomplish this, values were read from the SQL global variables, and the `load_file` function was used to get the file contents.
```
get_sql_variable.py #Get the value of a global variable.
get_flag_txt.py #Get the contents of the flag.txt file
```
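In MySQL, `LOAD_FILE()` only works for an account that holds the `FILE` privilege, and only on paths permitted by `secure_file_priv`, so the application's database user should run without `FILE` and `secure_file_priv` should stay restricted. For spotting this traffic after the fact, here is an added example (mine, not part of the writeup) that scans access-log lines for the techniques the writeup used: inline comments in place of whitespace, `@@` global-variable reads and `load_file(` calls. The log lines, hosts, timestamps, the `/search?q=` parameter and the file path are all constructed, not taken from the challenge.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format (hosts, times and the
# /search?q= parameter are invented, not taken from the challenge).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=coffee HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=1%27%29/**/AND/**/1%3D1%3B%23 HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=1%27%29/**/AND/**/%40%40version%3D%27x%27%3B%23 HTTP/1.1" 200 312
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=1%27%29/**/AND/**/load_file(%27/path/to/flag.txt%27)%3B%23 HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)$')

# Each rule names one technique from the writeup. Matching runs on the
# URL-decoded parameter value, so percent-encoding does not hide the pattern.
RULES = {
    "inline-comment-as-whitespace": re.compile(r"/\*.*?\*/"),
    "mysql-global-variable": re.compile(r"@@\w+"),
    "mysql-load_file": re.compile(r"\bload_file\s*\(", re.IGNORECASE),
    "information-schema": re.compile(r"\binformation_schema\b", re.IGNORECASE),
}


def scan_log(text):
    """Return one hit per query-parameter value that matches at least one rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip it
        ip, method, target = m.group(1), m.group(2), m.group(3)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                matched = sorted(r for r, rx in RULES.items() if rx.search(value))
                if matched:
                    hits.append({"ip": ip, "method": method, "param": name,
                                 "value": value, "rules": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["param"], hit["rules"], repr(hit["value"]))
```

The ordinary `coffee` search produces no hit; the three requests from the second host each trip the inline-comment rule, and the later two additionally trip the global-variable and `load_file` rules, which is the escalation sequence the writeup describes. In practice the decoded value, not the raw line, is what should feed the rules, because the `/**/` trick is often the only unencoded part of the request.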
This ultimately yielded the flag:
```
$ python get_flag_txt.py
...
[83, 101, 99, 117, 114, 105, 110, 101, 116, 115, 123, 83, 101, 99, 117, 82, 51, 95, 89, 111, 117, 114, 83, 81, 76, 33, 125, 10]
Securinets{SecuR3_YourSQL!}
```