problem description


We visit the attached website and get an SQLite management interface.

The homepage:


We have a "Test" database:


We also have dynamic functions, such as the md5rev function:

md5rev function

The md5rev function is very interesting because it is a PHP function, and we can run it as an SQL query:

md5rev function result

Looks like it's working. Now let's start exploiting it.

We will create our own function that will pass the parameter it gets to the PHP system function:

Function exex

Let's try to ls our way to the flag :)

Function exex ls

Function exex ls result

It works! The flag is in the root directory:

Function exec cat

Function exec cat result

Flag: BSidesTLV2021{I_L0v3_SQLit3_Us3r_D3f1n3ed_Funct10ns}
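
The root cause is that the interface turns a user-supplied function body into host-language code that SQL can then call. As an added example (not from the original write-up or the challenge's code), this Python version of the same SQLite user-defined-function mechanism restricts registration to a fixed allow-list; `register_function`, `ALLOWED_FUNCTIONS` and the behaviour of `md5rev` (reversed MD5 hex digest) are assumptions made for the illustration.

```python
import hashlib
import sqlite3

# Vetted host-language callables: SQL name -> (argument count, callable).
# What md5rev computes (reversed MD5 hex digest) is assumed for this example.
ALLOWED_FUNCTIONS = {
    "md5rev": (1, lambda s: hashlib.md5(str(s).encode()).hexdigest()[::-1]),
    "strrev": (1, lambda s: str(s)[::-1]),
}


def register_function(conn, name):
    """Bind a SQL function only if its name is on the fixed allow-list.

    The caller picks a name, never a function body, so nothing typed into
    the management interface is ever turned into host-language code.
    """
    if name not in ALLOWED_FUNCTIONS:
        raise PermissionError(f"function {name!r} is not on the allow-list")
    nargs, func = ALLOWED_FUNCTIONS[name]
    conn.create_function(name, nargs, func)


def demo():
    conn = sqlite3.connect(":memory:")
    register_function(conn, "md5rev")
    # The SQL engine calls back into the host language to evaluate md5rev().
    ok = conn.execute("SELECT md5rev(?)", ("test",)).fetchone()[0]
    # A function that was never registered does not exist as far as SQL knows.
    try:
        conn.execute("SELECT exec(?)", ("ls",))
        unregistered = "callable"
    except sqlite3.OperationalError as err:
        unregistered = str(err)
    # A request to define a function outside the allow-list is refused.
    try:
        register_function(conn, "exec")
        rejected = False
    except PermissionError:
        rejected = True
    return ok, unregistered, rejected


if __name__ == "__main__":
    print(demo())
```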