HostName - KnightCTF 2022

Posted on by AkuShin_n0_ZenShin

  1. GET /hackerz_arena/includes/users.php?id=-1%27%20union%20select%201,2%20,user(),4,5,6,7,8%20--+ This is the SQL injection request the attacker sent. Notice that the user() function is used in the query. It returns information about the database session, namely the database username and the server (host) it connected from.

  2. To find the output, look below that request for the HTTP response with status code 200. Inspect the response and you will find the HTML template code of that web page. You don't need to follow the upper part, as it is generated by the web page itself (I will explain this soon). In the last part you will find an HTML comment; the content after that comment is what we need to care about, because our payload's output is loaded there.

  3. Here you can see ROOT@LOCALHOST. If you are familiar with Linux systems and the MariaDB database, then you will probably know that you interact with the database as a named user, and that by default the server name is localhost. So that is a good hint from the output we just found. Replace the capital letters with lowercase ones, because that is the only form of these keywords that a Linux system recognizes, and bam, you have your answer.

Now a deeper explanation: there are two types of SQL injection in the first place, in-band and blind. Luckily this challenge has an in-band SQL injection vulnerability, which means the result of our payload is reflected in the same web page we are injecting into. That is why it is called in-band: a single band for both input and output. So a small portion of the web page reflects the payload output and the rest of it is constant. This is what I meant in point 2 when I said the first lines of HTML code are of no concern: they are the static part of the web page, which does not change. The part that reflects our payload output is separated by a comment (thanks to the developer). That is all for this writeup. Thank you.
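The two things the writeup does by hand, spotting the UNION-based injection in the request and pulling the reflected result out of the static HTML template, can be scripted from a defender's side. The following Python example is added here and is not code from the writeup or the challenge; it scans constructed access-log lines (the first request line is the one quoted above, the rest are made up), URL-decodes each query parameter, reports why a value looks like SQL injection, including the number of columns in the UNION SELECT, and then recovers the text that follows the comment marker in a constructed response body. The log format, the marker comment `<!-- query result -->` and the response body are assumptions for illustration; the writeup does not quote the real comment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (Apache combined-log style). The first
# request is the one quoted in the writeup; the other two are made up
# (one benign lookup, one boolean-style probe) for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /hackerz_arena/includes/users.php?id=-1%27%20union%20select%201,2%20,user(),4,5,6,7,8%20--+ HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jan/2022:10:00:01 +0000] "GET /hackerz_arena/includes/users.php?id=7 HTTP/1.1" 200 1980
10.0.0.7 - - [01/Jan/2022:10:00:02 +0000] "GET /hackerz_arena/includes/users.php?id=7%27%20AND%201=1--+ HTTP/1.1" 200 1980
"""

# Constructed response body: a static template followed by the comment that
# (as the writeup describes) separates it from where the query result is echoed.
# The marker text itself is an assumption.
SAMPLE_RESPONSE = """<html><body>
<h1>Users</h1>
<!-- query result -->
<table><tr><td>2</td><td>ROOT@LOCALHOST</td><td>4</td></tr></table>
</body></html>"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
QUOTE_KEYWORD_RE = re.compile(r"['\"]\s*(?:union|and|or|select|insert|drop)\b", re.I)
UNION_RE = re.compile(r"union\s+(?:all\s+)?select\s+", re.I)
# MySQL/MariaDB functions that disclose server details when echoed back.
INFO_FUNC_RE = re.compile(r"\b(?:user|current_user|database|version|schema)\s*\(\s*\)|@@version", re.I)
COMMENT_RE = re.compile(r"--(?:\s|$)|#|/\*")


def analyse_value(value):
    """Return the reasons a decoded parameter value looks like SQL injection ([] if clean)."""
    reasons = []
    if QUOTE_KEYWORD_RE.search(value):
        reasons.append("quote followed by SQL keyword")
    m = UNION_RE.search(value)
    if m:
        # Count the select list up to the trailing comment. A plain comma split
        # is enough for this payload; commas inside function calls would overcount.
        tail = COMMENT_RE.split(value[m.end():])[0]
        cols = [c.strip() for c in tail.split(",") if c.strip()]
        reasons.append(f"UNION SELECT with {len(cols)} columns")
    for f in INFO_FUNC_RE.finditer(value):
        reasons.append(f"information function {f.group(0).lower()}")
    if COMMENT_RE.search(value):
        reasons.append("trailing SQL comment")
    return reasons


def scan_log(text):
    """Decode every query parameter of every request and collect suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        # parse_qsl turns '+' into spaces and decodes %XX escapes, so '--+' becomes '-- '.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reasons = analyse_value(value)
            if reasons:
                hits.append({"path": parts.path, "status": int(m.group("status")),
                             "param": name, "value": value, "reasons": reasons})
    return hits


def extract_reflected(body, marker="<!-- query result -->"):
    """Return the visible text after the marker comment (None if the marker is absent).

    The marker is an assumption: the writeup says a developer comment separates
    the static template from the reflected output but does not quote it."""
    idx = body.find(marker)
    if idx < 0:
        return None
    rest = body[idx + len(marker):]
    return " ".join(re.sub(r"<[^>]+>", " ", rest).split())


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['path']} [{hit['status']}] {hit['param']}={hit['value']!r}")
        for r in hit["reasons"]:
            print("   -", r)
    print("reflected:", extract_reflected(SAMPLE_RESPONSE))
```

Running it flags the writeup's request with the quote-then-keyword pattern, an 8-column UNION SELECT, the `user()` call and the trailing comment, leaves the benign `id=7` alone, and prints `2 ROOT@LOCALHOST 4` as the reflected portion of the response. Because the request returned 200 rather than an error, a status-code alert alone would have missed it; decoding and inspecting the parameter value is what catches in-band injection of this kind.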