- Category: Web
- 200 points
- Solved by JCTF Team
We visit that attached website and get an SQLite management interface.
We have a "Test" database:
We also have dynamic functions, such as the
md5rev function is very intresting because it is a
PHP function, and we can run it as an sql query:
Looks like it's working, now let's start exploiting it.
We will create our own function that will pass the parameter it gets to the PHP
Let's try to
ls our way to the flag :)
It works! The flag is in the root directory: