SQLiteManager

• Category: Web
• 200 points
• Solved by JCTF Team

Description

Solution

We visit that attached website and get an SQLite management interface.

The homepage:

We have a "Test" database:

We also have dynamic functions, such as the md5rev function:

The md5rev function is very intresting because it is a PHP function, and we can run it as an sql query:

Looks like it's working, now let's start exploiting it.

We will create our own function that will pass the parameter it gets to the PHP system function:

Let's try to ls our way to the flag :)

It works! The flag is in the root directory:

Flag: BSidesTLV2021{I_L0v3_SQLit3_Us3r_D3f1n3ed_Funct10ns}