SQL injection

Obtain the flag from the current table in the SQLite DBMS.

ID  Name              Age  Weight  Secret
1   Jonathan Waters   73   32      186882219
2   Louis Coleman     25   60      N19640639
3   Felicia Thompson  69   66      L66030998

Solution

1. Enter ', send the request and observe the error.

2. Enter ' or 1=1 -- and obtain the flag.

Explanation: in the query SELECT * FROM capybaras WHERE name ='1' or 1=1 -- ':

  • the injected quote ' closes the name value
  • or adds a new condition to the existing name = '' check
  • 1=1 is always True
  • -- is the comment symbol in SQLite syntax. Everything after the comment symbol is ignored by the SQL parser

So we have created a query that returns every row of the capybaras table, because the WHERE clause evaluates to True for every row of the table.
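
The same two inputs run against a string-concatenated query and against a parameterized one, as an added example that is not the challenge's own code. The in-memory database, the function names and every column name other than name are assumptions made for illustration.

```python
import sqlite3

# Rows copied from the challenge table above. Column names other than
# `name` are assumed from the table headers.
ROWS = [
    (1, "Jonathan Waters", 73, 32, "186882219"),
    (2, "Louis Coleman", 25, 60, "N19640639"),
    (3, "Felicia Thompson", 69, 66, "L66030998"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE capybaras "
               "(id INTEGER, name TEXT, age INTEGER, weight INTEGER, secret TEXT)")
    db.executemany("INSERT INTO capybaras VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def search_vulnerable(db, name):
    # Input is pasted into the SQL text, so a quote in `name` changes
    # the structure of the statement the parser sees.
    query = "SELECT * FROM capybaras WHERE name ='" + name + "'"
    return db.execute(query).fetchall()


def search_safe(db, name):
    # The value is bound as a parameter and is never parsed as SQL.
    return db.execute("SELECT * FROM capybaras WHERE name = ?", (name,)).fetchall()


def demo():
    db = make_db()
    results = {}
    for label, payload in [("quote", "'"), ("tautology", "' or 1=1 -- ")]:
        try:
            vuln = len(search_vulnerable(db, payload))
        except sqlite3.OperationalError as exc:
            vuln = f"error: {exc}"  # step 1: the unbalanced quote breaks parsing
        results[label] = (vuln, len(search_safe(db, payload)))
    return results


if __name__ == "__main__":
    for label, (vuln, safe) in demo().items():
        print(f"{label}: concatenated -> {vuln}; parameterized -> {safe} rows")
```

With the bound parameter, both inputs are compared as literal names and match no row, while a legitimate name still returns its single record.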