### Unintended Solution
After checking the given files, I found out that `karma.db` is placed in the root directory

So, access it and search for the flag



*flag*: `BSNoida{4_v3ry_w4rm_w31c0m3_2_bs1d35_n01d4}`

### Intended Solution
Looking at `index.php`, we can see that the website takes `chall_id` http parameter and passes it's value to "SELECT * FROM ..." query statement.

if (isset($_GET['chall_id'])) {
$channel_name = $_GET['chall_id'];
$sql = "SELECT * FROM CTF WHERE id={$channel_name}";
$results = $db->query($sql);

The parameter's vaule is **unfiltered**.So, we can do *injection* attack.

But, when we send payloads which contains *alphabet*, it gives error.


Checking carefully the *given* files again, I found that there is a **regex** that is used to prevent alphabets and white spaces in `chall_id` from `config/ctf.conf` file

if ( $arg_chall_id ~ [A-Za-z_.%]){
return 500;


We have to think how to *bypass* it

After searching online, I found this useful article [PHP query string parser vulnerability](https://medium.com/@nyomanpradipta120/php-query-string-parser-vulnerability-cc6f0a8b206)

It says, in php query string parsing process, it removes or replaces some characters in the argument names with underscore.

For example: `post[id=1337` becomes `post_id=1337`

So, in this challenge, if we send `?chall[id`, the regex will see `chall[id` but the php application will see `chall_id`

We can do **injection** now!!!



From opening given `karma.db` file, we can see that there are 6 *columns*.
$ cat karma.db
id integer AUTO_INCREMENT,
title varchar(255) not NULL,
description varchar(255) not NULL,
category varchar(255) not NULL,
author varchar(255) not NULL,
points int NOT NULL

Now, we can use **UNION SELECT** payload



We can extract all the **tables** from **sqlite_master**



There is a *table* **flagsss** and a column **flag** in it

Let's see if the flag is there



Can't see the whole **flag** so I look at the source


And, there is the **flag**

*flag*: `BSNoida{4_v3ry_w4rm_w31c0m3_2_bs1d35_n01d4}`

# Another way to solve

We can use [HTTP Parameter Pollution](https://www.youtube.com/watch?v=QVZBl8yxVX0) to solve this challenge


When we send this payload, the **regex** filters the first `chall_id` but not the *last* one.

And also in **php** if there are same *http* parameters it will use only the **last** one

So, we can bypass the **regex** and do the *injection*

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/BSides_Noida_CTF_2021_Writeup/Web/Baby%20Web).