There have been some weird occurrences going on at our school. Teachers answer questions as though they knew the answer in advance, test results are being handed out before the test, and now a weird web form is giving info about us. Can you find out what weird information is on it?
Find the page at http://premonition-p8l05mpz.9447.plumbing:9447
The website is a simple interface to a database. It is possible to search for students using the following fields:
- First name
- Last name
- Test score
- DOB (Date of Birth)
Depending on the field, users must specify a value and a comparison operator among
It is pretty easy to figure out that the comparison operator is not properly sanitized. This curl example dumps part of the query string, exposing the placeholder used to handle the score value.
Whitespace appears to be trimmed by the web server, so a common bypass is to separate query tokens with inline comments like /**/. Since the DBMS employed is SQLite, one can retrieve the whole db schema in one shot by dumping the sql field from the
Now it’s enough to access s3ekr17_passwords.password to solve the challenge.
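The root cause and its fix, as an added example (not the challenge's server code, which is not on the page): the comparison operator is interpolated straight into the SQL text, so trimming whitespace changes nothing, while the hardened builder allow-lists fields and operators and binds the value as a parameter. Column names and the sample rows are assumptions for this example.

```python
import sqlite3

# Comparison operators the search form legitimately needs; anything else is rejected.
ALLOWED_OPERATORS = {"=", "<", ">", "<=", ">=", "!="}

# Hypothetical column names; the real challenge schema is not on the page.
ALLOWED_FIELDS = {"first_name", "last_name", "score", "dob"}


def build_query_vulnerable(field: str, op: str, value: str) -> str:
    """The pattern the write-up describes: the operator is concatenated as-is.

    Stripping whitespace does not help, because whatever the client sends as
    the operator still lands inside the SQL text unchanged."""
    return f"SELECT first_name, last_name FROM students WHERE {field} {op} '{value}'"


def operator_allowed(op: str) -> bool:
    """Exact-match allow-list: no normalisation, no partial matching."""
    return op in ALLOWED_OPERATORS


def build_query_hardened(field: str, op: str, value: str):
    """Allow-list the field and operator, and bind the value as a parameter."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    if not operator_allowed(op):
        raise ValueError(f"operator not permitted: {op!r}")
    sql = f"SELECT first_name, last_name FROM students WHERE {field} {op} ?"
    return sql, (value,)


def search(conn: sqlite3.Connection, field: str, op: str, value: str):
    sql, params = build_query_hardened(field, op, value)
    return conn.execute(sql, params).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample data for this example (not the challenge database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (first_name TEXT, last_name TEXT, score INTEGER, dob TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", [
        ("Ada", "Lovelace", 95, "1815-12-10"),
        ("Alan", "Turing", 88, "1912-06-23"),
        ("Grace", "Hopper", 72, "1906-12-09"),
    ])
    return conn
```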
Let’s show some respect for the poor flag, really.