Problem:

Super duper advanced attack
(web, 100 points)

Can you find the flag?

http://0491e9f58d3c2196a6e1943adef9a9ab734ff5c9.ctf.site:20000

Hint:
You don't need to search for the flag outside the DB, there is more than tables and columns in a DB.

Solution:

I'll be honest, this challenge was difficult, and while you could tell the challenge had to do with SQLi, my knowledge of SQL is shoddy at best. It was also a bit more difficult as you couldn't get any error output for an incorrect query. It was clear after some searching that the flag was not in the table used for the website, or in any other table for that matter, hence the hint that came afterwards. Zi had found that the flag was stored in a session variable named "@flag", and by using the UNION command you can get the output. You would then have to comment out the rest of the query using # so that it didn't get corrupted. The final injection string used was: ' UNION SELECT 1, @flag#--. This problem was solved by zi; he provided me with this solution, as I was too noob in SQLi to figure it out myself.

Something fun you can notice on the website: see how "flag" in "Can you find the flag?" is italicized? That's not a coincidence ;)

Flag: EKO{do_not_forget_session_variables}
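
The query shape the injection string above implies, run against a constructed MySQL table next to a prepared-statement form that treats the same input as data. This is an added example, not code from the challenge or the original writeup; the table `articles`, its columns, the two-column SELECT, the statement name `find_article` and the placeholder flag value are all assumptions.

```sql
-- Constructed schema and rows (assumption: the real table and query are not shown on the page).
CREATE TABLE articles (id INT PRIMARY KEY, title VARCHAR(100));
INSERT INTO articles VALUES (1, 'hello'), (2, 'world');

-- A user-defined variable belongs to the current connection, not to any table,
-- so listing tables and columns never reveals it.
SET @flag = 'EKO{constructed_placeholder}';

-- Vulnerable form: the application pastes the search term between two quotes.
-- With the writeup's string as the term, this is the statement the server parses.
-- The leading quote closes the literal, UNION appends a second two-column row,
-- and '#' comments out the rest of the line (the leftover "--'").
SELECT id, title FROM articles WHERE title = '' UNION SELECT 1, @flag#--'
;
-- Result: one row, (1, 'EKO{constructed_placeholder}').

-- Hardened form: the statement text is fixed and the term is bound as a value.
PREPARE find_article FROM 'SELECT id, title FROM articles WHERE title = ?';
-- The same input, stored as data ('' inside a literal is an escaped quote).
SET @term = ''' UNION SELECT 1, @flag#--';
EXECUTE find_article USING @term;
-- Result: empty set. The term is compared to title as a plain string,
-- so neither UNION nor @flag is ever parsed as SQL.
DEALLOCATE PREPARE find_article;
```

Because the variable is per-connection, the first query only returns it when the value was set on the same connection that serves the request, which is why secrets should not be parked in session variables of a connection that also runs queries built from user input.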

Original writeup (http://specterdev.blogspot.ca/2016/10/write-up-ekoparty-2016-ctf-web-25-50.html).