Tags: web
Rating: 4.0
# A simple question - Web
In this challenge, we are presented with a page that asks us to answer a question. The first thing we do is check the source code and we find
``````
If we go to that file, it contains this code:
```php
";
echo "SQL query: ", htmlspecialchars($query), "\n";
echo "";
?>
query($query);
$row = $result->fetchArray();
if($answer == $CANARY) {
echo "<h1>Perfect!</h1>";
echo "
Your flag is: $FLAG
";First thing that came to mind is type juggling because of two equal signs instead of three but that doesn't work because we don't know the contents of $CANARY variable. Then we see that this is Blind SQL injection because it only echoes output to the user. Therfore I fire up sqlmap and run:
> sqlmap -r sql.req --threads=10 --level 5 --risk 3 --dbms=SQLite --dump
We know it's SQLite as backend because of this line in the code
> $con = new SQLite3($database_file);
From sqlmap, I get back that there is an answer "41AndSixSixths" in the database SQLite_masterdb.
Entering the answer on the page gives us the flag: picoCTF{qu3stions_ar3_h4rd_73139cd9}
You could also have created a Python script to bruteforce all characters and digits, and based on the response "You are so close", you could determine if that character or digit was a correct one.
