Quals: Saudi and Oman National Cyber Security CTF 2019

  • Maria (200 points)
  • Description:
    Maria is the only person who can view the flag
    Link: http://35.222.174.178/maria/
    When you view the source of the home page on first access, you can see your IP address being inserted into a SQL query that is echoed in the HTML response:
    Although you can't change your real IP to an arbitrary string, the server takes the client IP from the X-Forwarded-For header whenever that header is present. So you can put anything into the SQL query and confirm the SQL injection:
    But the injected query returns nothing!
    After some unsuccessful attempts at blind injection, I went back to UNION SELECT and ... bingo:
    The 4th column is reflected in the PHPSESSID cookie, so now you can extract some interesting information. You can also determine that the database is SQLite; let's list the tables:
    For more payloads, see:
    https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/SQLite%20Injection.md
    Because Maria is the only one who can see the flag, you must find her session to get it. After "searching" the database, you can construct the final payload:
    Now, let's use Maria's session to get the flag!
    Thank you for reading!
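    As an added example that is not part of the original writeup or the challenge's code, here is how the server side of a challenge like this one could be hardened in Python against the two weaknesses the solution relies on: honouring X-Forwarded-For from any peer, and concatenating the value into the SQL text. The trusted proxy address, the visits table and the plain-dict header lookup are assumptions.

```python
# Added example, not the challenge's own code.
# Mitigates the "Maria" pattern: (1) X-Forwarded-For is only trusted when the
# TCP peer is a known reverse proxy, (2) the value must parse as an IP address,
# (3) the query uses a bound parameter instead of string concatenation.
import ipaddress
import sqlite3

# Constructed/assumed: the single reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def resolve_client_ip(remote_addr: str, headers: dict) -> str:
    """Return the validated client IP for this request.

    X-Forwarded-For is honoured only when the peer is a trusted proxy, and
    whatever value is chosen must be a syntactically valid IP address, so an
    arbitrary attacker-supplied string never reaches the database layer.
    """
    peer = ipaddress.ip_address(remote_addr)
    candidate = remote_addr
    if peer in TRUSTED_PROXIES:
        xff = headers.get("X-Forwarded-For", "")  # assumed: exact-case key
        if xff:
            # The trusted proxy appends the address it saw; take that last hop.
            candidate = xff.split(",")[-1].strip()
    return str(ipaddress.ip_address(candidate))  # ValueError on anything else


def record_visit(conn: sqlite3.Connection, remote_addr: str, headers: dict) -> str:
    """Validate the client IP and store it with a parameterised INSERT."""
    ip = resolve_client_ip(remote_addr, headers)
    # The '?' placeholder makes the value data, never part of the SQL text.
    conn.execute("INSERT INTO visits (ip) VALUES (?)", (ip,))
    conn.commit()
    return ip


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the challenge's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, ip TEXT NOT NULL)")
    return conn


def stored_ips(conn: sqlite3.Connection) -> list:
    """Return the recorded IPs in insertion order (used to check behaviour)."""
    return [row[0] for row in conn.execute("SELECT ip FROM visits ORDER BY id")]
```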
