Sql-Playground

这些题都要先看/challenge/sql中往数据库里写了什么，它的代码中有如何创建table的，然后怎么往table中insert数据的。

1

SELECT * FROM archive

2

SELECT secret FROM fragments WHERE flag_tag = 1337;

3

SELECT info FROM payloads WHERE flag_tag = 1337;

4

SELECT resource FROM flags WHERE flag_tag >= 1337 and flag_tag <= 313371337;

5

SELECT note FROM information WHERE flag_tag = 'yep';

6

SELECT record FROM assets WHERE substr(record,1,3) = 'pwn';

7

标准语句是这样，然后你需要切片往后读：

SELECT substr(record, 5, 1) FROM details;

一点一点跑太麻烦了，写了个脚本：

import subprocess

result = ""

for i in range(1, 80):  # 先假设 flag 长度不超过 80
    query = f"SELECT substr(record, {i}, 1) FROM details;"
    p = subprocess.run(
        ["/challenge/sql"],
        input=query + "\n",
        text=True,
        capture_output=True
    )

    out = p.stdout

    if "No results returned!" in out:
        break

    # 解析输出里的结果
    # 例如: - {'substr(record, 5, 1)': 'c'}
    for line in out.splitlines():
        if line.startswith("- "):
            val = line.split(": ", 1)[1].strip()
            if val.endswith("'}"):
                ch = val[:-2].strip("'")
                result += ch
                print(f"{i}: {ch}    => {result}")
                break

print("FINAL:", result)

8

SELECT resource FROM storage WHERE flag_tag = 1337 AND substr(resource, 1, 12) = 'pwn.college{';

9

SELECT note FROM items WHERE substr(note, 1, 12) = 'pwn.college{' LIMIT 1;

10

SELECT name FROM sqlite_master WHERE type = 'table';
	Got 1 rows.
	- {'name': 'OEwzaGbV'}

SELECT value FROM OEwzaGbV;