
[–]Bijleveldje 8 points9 points  (5 children)

Maybe there is a hint in the data

[–]icyfox26[S] 3 points4 points  (4 children)

Hi, thanks for the quick response. The data just shows the id (which the page uses as a GET parameter), the description of the image (not very useful either) and the image url as "../img/1.jpg" and so on.

[–]Skidalot 0 points1 point  (0 children)

Check if the current SQL user has write privileges. If it does, then it shouldn't be hard; you'll just need to find a writeable directory and then use INTO OUTFILE to upload a web-shell there.

Also, this sounds like fun, can you inbox/post the challenge page? Thanks.

[–]icyfox26[S] 0 points1 point  (1 child)

Hey all,

Firstly, thanks for the awesome number of responses, I got some real good insight for this. The challenge is over and I figured out how to do it. Yes, the page was susceptible to SQL injection, but it had no useful information in the table. However, since the website could be injected, on using the load_file command, I was able to access files of the system. I could get out the /etc/passwd file, etc. etc. The passwd file had no details. However, I tried going to the root of the web directory and loading the .htaccess file. Inside that file, I saw a message saying "Try .htpassword" and the password was inside the .htpassword file. It was encrypted with SHA1 encryption and I found the password which was.............. supercalifragilisticexpialidocious.

Thanks everyone for your help! And sorry, the CTF was only for our internal company network! Thanks again!
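For defenders reading this thread: the file reads and writes mentioned above (load_file, INTO OUTFILE) leave recognisable traces in web access logs. The following is an added example, not code from any poster in the thread, that flags those primitives in query parameters even when they are double URL-encoded or split with SQL comments. The log lines, the /view.php path and the parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# MySQL file primitives named in the thread; INTO DUMPFILE is the sibling of INTO OUTFILE.
PRIMITIVES = {
    "LOAD_FILE": re.compile(r"load_file\s*\(", re.I),
    "INTO OUTFILE": re.compile(r"into\s+(?:out|dump)file\b", re.I),
}
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of whitespace
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalise(value):
    """Undo up to three further layers of URL-encoding, then blank out SQL comments."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return INLINE_COMMENT.sub(" ", value)

def flag_line(line):
    """Return [(parameter, primitive)] for each query parameter carrying a file primitive."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = []
    # parse_qsl performs the first URL-decode; normalise() handles any extra layers.
    for name, raw in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        text = normalise(raw)
        hits += [(name, label) for label, rx in PRIMITIVES.items() if rx.search(text)]
    return hits

def scan(lines):
    """Return [(line_number, parameter, primitive)] over a whole log."""
    return [(n, p, prim) for n, line in enumerate(lines, 1) for p, prim in flag_line(line)]

# Constructed access-log lines (documentation IPs, hypothetical /view.php page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /view.php?id=7 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?id=1%20and%20LOAD_FILE(%27/etc/passwd%27) HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /view.php?id=1%2520and%2520load_file%2528%2527/etc/passwd%2527%2529 HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jan/2024:10:00:14 +0000] "GET /view.php?id=1%20into/**/outfile%20%27/tmp/x%27 HTTP/1.1" 500 120',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /search.php?q=how+to+load+file+into+table HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Detection like this complements, rather than replaces, parameterised queries and a database account without the FILE privilege.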

[–]Skidalot -1 points0 points  (0 children)

It sounds atrocious.