PicoCTF Challenge: More SQLi

August 15, 2025 PicoCTF Medium

Challenge Overview:

  • The following was the description for the challenge: [screenshot: SQLiLite]

Deep dive

  • We first test the behavior of the website: [screenshot: SQLiLite]
  • The response: [screenshot: SQLiLite]
  • There is something important to note here: the order in which the user input is placed into the query is reversed, which makes the challenge a bit tricky.
  • This means we cannot put the comment sequence in the username field; for instance: [screenshot: SQLiLite]
    • Check where I highlighted: a comment in that position is pointless, because it does not cut off the part of the query that still gets checked.
  • After trying numerous payloads, I found the one that worked:

    username: admin
    password: ' OR 'x'='x' --

    • Response: [screenshot: SQLiLite]
  • We are logged in, but we still have to hunt for the flag; after analyzing the source code I found nothing: [screenshot: SQLiLite]
  • After playing around with the browser devtools, I turned to a tool that always goes hand in hand with web exploitation: Burp Suite. [screenshot: SQLiLite]
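To make the "reversed order" point concrete, here is an added example (not part of the original writeup, and not the challenge's actual source, whose schema and query are assumed) that rebuilds the situation against an in-memory SQLite table. The vulnerable login concatenates input into SQL with the password clause first, so a comment in the username field leaves the password check intact while the same comment in the password field cuts off everything after it; the parameterised version beside it is the fix a developer would ship.

```python
import sqlite3

# Constructed in-memory database standing in for the challenge's SQLite backend.
# The table layout and stored credential are assumptions for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    # Vulnerable: raw string concatenation. The password clause is placed
    # before the username clause, mirroring the reversed order in the challenge.
    query = (
        "SELECT username FROM users WHERE password = '" + password
        + "' AND username = '" + username + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        # A malformed injection attempt just fails the login.
        return False
    return row is not None


def safe_login(conn, username, password):
    # Hardened: bound parameters. The driver passes the values separately from
    # the SQL text, so quotes and comment sequences in the input are just data.
    row = conn.execute(
        "SELECT username FROM users WHERE password = ? AND username = ?",
        (password, username),
    ).fetchone()
    return row is not None


def demo():
    """Run the three cases discussed in the writeup and return the outcomes."""
    conn = make_db()
    payload = "' OR 'x'='x' --"
    return {
        # Comment in the username field: the password clause is evaluated
        # first and is still intact, so the wrong password is rejected.
        "comment_in_username": vulnerable_login(conn, "admin' --", "wrong"),
        # The working payload from the writeup: the OR makes the WHERE true
        # and the -- discards the rest of the query, including the username check.
        "bypass_via_password": vulnerable_login(conn, "admin", payload),
        # Same payload against the parameterised query: treated as a literal
        # password string and rejected.
        "bypass_against_safe": safe_login(conn, "admin", payload),
        # Sanity check that the hardened login still accepts real credentials.
        "legit_against_safe": safe_login(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:>22}: {'logged in' if logged_in else 'rejected'}")
```

Running it shows the comment-in-username attempt rejected, the password-field payload accepted by the concatenated query, and the same payload rejected once the query is parameterised; the only code change needed to close the hole is replacing the concatenation with bound parameters.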

Burpsuite

  • In this case, the flag was in plain sight in Burp Suite: [screenshot: SQLiLite]