Write-up: Little Doggy Tables, Square CTF 2017

This is a write-up for the challenge Little Doggy Tables from Square CTF 2017.

The challenge can be found here: https://squarectf.com/challenges/little-doggy-tables

The challenge requires us to use SQL injection to extract the flag from a table in the database.

On running this command:

I got the following output:

Which means I can run SQL queries through this command.

Furthermore, the challenge details also include the source code , which looks like this:

From checking out the source code it is obvious that SQL injection is possible and that SQLite3 was used in the database.

To check if it was working, I ran:

Which gave this Output:

Internal Server Error

unrecognized token: “‘\”;”

WEBrick/1.3.1 (Ruby/2.3.4/2017-03-30) at little-doggy-tables.capturethesquare.com:443

Now that I knew SQL injection was working, I had to access the meta data. Unfortunately, the information_schema table does not exist here since it is SQLite and not MySQL. I searched for an equivalent table in SQLite and came across this question on Stack Overflow:

Which gave me enough to realize that sqlite_master is the information_schema alternative in sqlite. I changed commands mentioned in the answer to the to suit my search.

All meta data in sqlite can be accessed simple by using the command:

So I modified my payload to:

Which gave the output:

Now we know both the name of the table and the name of the required column which is  obviously secret. The SQL query now required to be executed is:

The corresponding payload would be:

The resulting output:

On refining the above output we get that the flag is :