pwn.college: SQL Playground

ahhhh, even a simple level here teaches this better than my school's database instructor did. ):

SQL Playground

1. SQL Queries

Basic SQL syntax.

hacker@sql-playground~sql-queries:~/Desktop$ /challenge/sql 
sql> select name from sqlite_master where type = 'table'
Got 1 rows.
- {'name': 'information'}
hacker@sql-playground~sql-queries:~/Desktop$ /challenge/sql
sql> select * from information
Got 1 rows.
- {'record': 'pwn.college{sL39JzNFAYS1b4urGcF1vDs5hcn.QX5kzN0EDLxYTN1YzW}'}

2. Filtering SQL

hacker@sql-playground~filtering-sql:~/Desktop$ /challenge/sql 
sql> select info from repository where info like '%pwn%'
Got 1 rows.
- {'info': 'pwn.college{UIysK2dWKY3qPB4nHgeDwWXQnHb.QXwADO0EDLxYTN1YzW}'}

3. Choosing Columns

hacker@sql-playground~choosing-columns:~/Desktop$ /challenge/sql 
sql> SELECT sql FROM sqlite_master WHERE type = 'table' AND name = 'resources';
Got 1 rows.
- {'sql': 'CREATE TABLE resources(flag_tag,datum)'}
hacker@sql-playground~choosing-columns:~/Desktop$ /challenge/sql
sql> select datum from resources where datum like "%pwn%";
Got 1 rows.
- {'datum': 'pwn.college{k6URsZ8-uBwi_TNBBVNFI7zEreQ.QXxADO0EDLxYTN1YzW}'}

4. Exclusionary Filtering

hacker@sql-playground~exclusionary-filtering:~/Desktop$ /challenge/sql 
sql> select secret from data where secret like '%pwn.college%'
Got 1 rows.
- {'secret': 'pwn.college{AcDNrhXELmHNhramheE64AkS0AB.QXyADO0EDLxYTN1YzW}'}

5. Filtering Strings

hacker@sql-playground~filtering-strings:~/Desktop$ /challenge/sql 
sql> select record from secrets where record like '%pwn.college%'
Got 1 rows.
- {'record': 'pwn.college{ctyoxv05RHMSQR6B2ybT7siWQZs.QXzADO0EDLxYTN1YzW}'}

6. Filtering on Expressions

hacker@sql-playground~filtering-on-expressions:~/Desktop$ /challenge/sql 
sql> select detail from items where detail like '%pwn.college%'
Got 1 rows.
- {'detail': 'pwn.college{QwM7-oEhh9lTAvkfmOVVXEUbCj3.QX0ADO0EDLxYTN1YzW}'}

7. SELECTING Expressions

Use substr to limit the output to 5 characters at a time, then piece the flag together bit by bit.

select substr(payload, 56, 5) from payloads where payload like '%pwn.college%'
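
The chunked read described above, automated against a local in-memory SQLite database. This is an added example, not code from the original post or from the challenge; it goes slightly beyond the single query shown by also enumerating the schema as in levels 1 and 10. The `flag_tag` column in `payloads`, the sample rows, and the helper names are constructed assumptions.

```python
import sqlite3

CHUNK = 5  # assumed per-query output limit, matching the 5-character substr above


def build_demo_db():
    """Constructed stand-in for the challenge database (schema and rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payloads(flag_tag, payload)")
    db.executemany(
        "INSERT INTO payloads VALUES (?, ?)",
        [(1, "decoy-row"), (1337, "pwn.college{constructed_sample_value}"), (2, "another decoy")],
    )
    return db


def list_tables(db):
    """Enumerate tables from sqlite_master, as in levels 1 and 10."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


def read_in_chunks(db, table, column, pattern, chunk=CHUNK):
    """Rebuild a long value from substr() windows of `chunk` characters."""
    # Identifiers cannot be bound as parameters, so accept only names the schema reports.
    if table not in list_tables(db):
        raise ValueError(f"unknown table: {table}")
    columns = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]
    if column not in columns:
        raise ValueError(f"unknown column: {column}")
    query = f'SELECT substr("{column}", ?, ?) FROM "{table}" WHERE "{column}" LIKE ? LIMIT 1'
    pieces, offset = [], 1  # substr() offsets are 1-based in SQLite
    while True:
        row = db.execute(query, (offset, chunk, pattern)).fetchone()
        if row is None or row[0] == "":
            break  # no matching row, or the window is past the end of the value
        pieces.append(row[0])
        offset += chunk
    return "".join(pieces)


if __name__ == "__main__":
    db = build_demo_db()
    print(list_tables(db))
    print(read_in_chunks(db, "payloads", "payload", "pwn.college{%"))
```
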

8. Composite Conditions

Remember to use cat to read the source of /challenge/sql.

sql> select payload from entries where payload like 'pwn.college{%' and payload like '%}' and flag_tag = 1337

9. Reaching Your LIMITs

This level is about LIMIT. Given how LIMIT behaves, and combined with what the source shows, using limit 1 outputs the correct flag.

sql> select content from notes where content like "pwn.college{%" and content like "%}" limit 1

10. Querying Metadata

sql> select name from sqlite_master where type = 'table'
Got 1 rows.
- {'name': 'NAtlxoGT'}
sql> select text from NAtlxoGT

https://loboq1ng.github.io/2025/02/28/pwn-college-SQL-Playground/
Author: Lobo Q1ng
Published: February 28, 2025