Web - SQLi

• Try to login

Straight forward challenge which I use burp suite intruder to inject list of sql payload at username parameter and got the flag.

Flag: CURTIN_CTF{5H0pT1m3}

---

• Try logging in... again

Same as previous challenge use the same payload, which this time it will filter certain character. Still managed to get the flag.

Flag: CURTIN_CTF{welc0m3aG@1n}

---

• Database Discovery Quest

From search product page, try to inject this payload ' UNION SELECT 1,2,3,4,5;--. It return the exact amount of columns available. After able to determine the number of columns, try to retrieve the database and it will show the flag using this payload ' UNION SELECT null,schema_name,null,null,null FROM information_schema.schemata;--.

Flag: CURTIN_CTF{d8_@_Ba$3}

---

• Table Name Treasure Hunt

Since previous challenge we discover suspicious database sqlitraining, I try to list all the table available in the database using this payload ' UNION SElECT null,table_name,null,null,null FROM information_schema.tables WHERE table_schema = 'sqlitraining';--. It show the flag that divided into 2 part.

Flag: CURTIN_CTF{#1y!n#2Y@ng}

---

• Fiver Fever

The challenge ask to pick 5th person (alice) on the table users and hash the hashed password to make it as flag. Listed all the users using this ‘ UNION SELECT * FROM users;-- and make it into flag format.

Flag: CURTIN_CTF{ab57c73efc0563ea1a25df5fb6c7590a}

---

• Slow Down...

For this challenge, the link will go directly to the profile page which ask to do time-based blind sql injection. Looking at the url I assume that user parameter are vulnerable.

Burp suite intruder will make it easier for me to inject list payload of time-based sqli and got the flag with the following payload '&&SLEEP(5)&&'1.

Flag: CURTIN_CTF{5l0wpOk3}

---

• Unveiling the Dark Wizard's Secrets

Since the challenge ask to find user Tom, I try to list all user in search product page but did not manage to get it. Then, from the profile page I stumble upon hint to solve this challenge.

Following the hint of challenge 7, give me some interesting column in sqlitraining database fname. List all the name using ' UNION SELECT null,fname,password,null,null FROM users;-- and finally find what we are looking for, which is hashed password of Tom and put it into flag format.

Flag: CURTIN_CTF{872fc8ed4cae593dc5e62f00157b7db6}