Web - SQLi
Straight forward challenge which I use burp suite intruder to inject list of sql payload at username parameter and got the flag.
Flag: CURTIN_CTF{5H0pT1m3}
Same as previous challenge use the same payload, which this time it will filter certain character. Still managed to get the flag.
Flag: CURTIN_CTF{welc0m3aG@1n}
From search product page, try to inject this payload ' UNION SELECT 1,2,3,4,5;--. It return the exact amount of columns available. After able to determine the number of columns, try to retrieve the database and it will show the flag using this payload ' UNION SELECT null,schema_name,null,null,null FROM information_schema.schemata;--.
Flag: CURTIN_CTF{d8_@_Ba$3}
Since previous challenge we discover suspicious database sqlitraining, I try to list all the table available in the database using this payload ' UNION SElECT null,table_name,null,null,null FROM information_schema.tables WHERE table_schema = 'sqlitraining';--. It show the flag that divided into 2 part.
Flag: CURTIN_CTF{#1y!n#2Y@ng}
The challenge ask to pick 5th person (alice) on the table users and hash the hashed password to make it as flag. Listed all the users using this โ UNION SELECT * FROM users;-- and make it into flag format.
Flag: CURTIN_CTF{ab57c73efc0563ea1a25df5fb6c7590a}
For this challenge, the link will go directly to the profile page which ask to do time-based blind sql injection. Looking at the url I assume that user parameter are vulnerable.
Burp suite intruder will make it easier for me to inject list payload of time-based sqli and got the flag with the following payload '&&SLEEP(5)&&'1.
Flag: CURTIN_CTF{5l0wpOk3}
Since the challenge ask to find user Tom, I try to list all user in search product page but did not manage to get it. Then, from the profile page I stumble upon hint to solve this challenge.
Following the hint of challenge 7, give me some interesting column in sqlitraining database fname. List all the name using ' UNION SELECT null,fname,password,null,null FROM users;-- and finally find what we are looking for, which is hashed password of Tom and put it into flag format.
Flag: CURTIN_CTF{872fc8ed4cae593dc5e62f00157b7db6}
Last updated
