NullSafety

“Breaking things safely. Writing about it loud.”

SQL Injection Exploit
🕷️ Mr. SPAiDY's - Secret Invasion 🕷️

🕷️ Mr. SPAiDY's - Secret Invasion 🕷️


Step-by-step Walkthrough:

1. Visit the Target Page

Navigating to the challenge URL, we’re greeted with a normal web interface — nothing flashy, Let's Login

2. Get to the Login Page

After clicking around a bit, we land on a login page asking for a Username and Password. No hints, no help. Looks like a perfect spot to test for SQL injection vulnerabilities.

Login Page

💉 3. Try SQL Injection

Let’s hit it with the ol’ classic:

' OR '1'='1
Login Injection

Plugged that into both the username and password fields... 👉 And boom! Login Bypassed! We’re inside, and redirected to a mysterious dashboard.


4. Dashboard Mystery Message

On the dashboard we get this cryptic line:

“I’m part of the scene, yet remain unseen.”

There's also an image on the page. Hmmm... bet it's hiding more than just pixels.

Dashboard

5. Download & Analyze the Image

Let’s download that image and run it through ExifTool (a go-to for metadata forensics):

exiftool clue_image.jpg
ExifTool Output

And bingo 💥! Hidden in the metadata was the flag itself:

Owner Name                      : Dark_CTF{IT_IS_VERY_EASY}

🏁 Final Flag:

Dark_CTF{IT_IS_VERY_EASY}