# zer0pts CTF 2021 Baby SQLi Write Up

### (Web) Baby SQLi [170 pts]

The Baby SQLi challenge is about bypassing a WAF and using a shell command.

First, you can use the .system/.shell/.sh command to execute a shell command in SQLite3.

As shown above, sqlite3 executes a shell command through the .sh command.

Looking at the source code, you can insert a line break with the \n character, because sqlite3_query() uses communicate() on subprocess.Popen().

Looking at the login logic in the source code, the username/password values are taken as input, their length is verified, and they are put into the query statement; at this point the username value is escaped. But you don't need to worry, because sqlite3 treats escape characters as a plain string.

In other words, it doesn't matter that it is escaped as above.

So, you can run a shell command by inserting a line break as above and using the .sh command.

If you write the exploit code as above, it closes the SELECT statement and executes the .sh command on the line immediately underneath.

Finally, I passed the shell using the e option of nc, read index.html, and saw the flag.
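
The two weaknesses described above (backslash escaping does not protect a SQLite string literal, and input containing a line break reaches the sqlite3 shell as a new line) can be checked from the defender's side with the sketch below. It is an added example, not code from the challenge or the original write-up; backslash_escape, the users table and all function names are assumptions made for illustration.

```python
import sqlite3

def backslash_escape(value):
    # Assumed backslash-style escaping; a hypothetical stand-in for the
    # challenge's filter, which is not reproduced on this page.
    return value.replace("\\", "\\\\").replace("'", "\\'")

def make_db():
    # Constructed in-memory table, not the challenge's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def literal_length(conn):
    # SQL text sent is: SELECT length('a\')
    # SQLite treats the backslash as an ordinary character, so the quote
    # after it still closes the literal (the only quote escape is '').
    return conn.execute("SELECT length('a\\')").fetchone()[0]

def escaped_query_text(username, password):
    # Weak pattern: the query is assembled as text after escaping.
    return ("SELECT count(*) FROM users WHERE username='%s' AND password='%s'"
            % (backslash_escape(username), backslash_escape(password)))

def quote_is_neutralised(conn, username):
    # True only if the escaped value stays inside its string literal,
    # i.e. the assembled statement still parses as written.
    try:
        conn.execute(escaped_query_text(username, "x"))
        return True
    except sqlite3.Error:
        return False

def login_bound(conn, username, password):
    # Hardened form: values are bound parameters and the query runs through
    # the in-process library, which has no dot-commands (those exist only in
    # the sqlite3 command-line shell). Control characters are rejected too.
    if any(ord(c) < 0x20 for c in username + password):
        return False
    row = conn.execute(
        "SELECT count(*) FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] == 1
```
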