Flames
VishwaCTF 2025 Flames Challenge
Challenge description:
Find Your True Love <3
Alrighty, so we have a web application to poke at, let’s see what we have.
Looks like a love calculator that takes in two names and “determines” how compatible the two are. Let’s see how it holds up against SQL injection.
With this payload, all I am attempting to do is establish the version of SQL that is being used. Not trying to exfiltrate any user data at this point.
Hm, it looks like it might not have worked. Either that or the names of our two lovebirds just got thrown into the database, so let’s check out the Famous Love Stories to see if anything happened there.
Huh, they probably just used a regex for SQL-like statements? This is a confusing challenge, albeit an easy one.
FLAG: VishwaCTF{SQL_1nj3ct10n_C4n_Qu3ry_Your_He4rt}
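An added example, not part of the original write-up or the challenge's code: a sketch of the guess above that the app matches SQL-like input with a regex, set beside a parameterized query that stores the same input as inert data. The pattern, the table and function names, and the sample names are all assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed heuristic (not the challenge's real pattern): flag SQL-looking input.
SQL_LIKE = re.compile(
    r"'|--|;|/\*|\b(?:select|union|insert|update|delete|drop|or|and)\b",
    re.IGNORECASE,
)


def looks_like_sql(value: str) -> bool:
    """Detection only: returns True when a name resembles SQL syntax."""
    return SQL_LIKE.search(value) is not None


def open_db() -> sqlite3.Connection:
    """Hypothetical 'love stories' table, in memory so this runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stories (name1 TEXT, name2 TEXT)")
    return db


def save_pair(db: sqlite3.Connection, name1: str, name2: str) -> None:
    # Placeholders bind both names as data; they are never parsed as SQL.
    db.execute("INSERT INTO stories (name1, name2) VALUES (?, ?)", (name1, name2))


def stories(db: sqlite3.Connection) -> list:
    return db.execute("SELECT name1, name2 FROM stories ORDER BY rowid").fetchall()


# Constructed sample input: two ordinary pairs and one SQL-looking name.
SAMPLES = [("Romeo", "Juliet"), ("O'Brien", "Orlando"), ("Juliet'; --", "Romeo")]


def demo():
    db = open_db()
    flagged = []
    for a, b in SAMPLES:
        if looks_like_sql(a) or looks_like_sql(b):
            flagged.append((a, b))  # log or alert; the regex is not the control
        save_pair(db, a, b)         # safe either way because of binding
    return flagged, stories(db)


if __name__ == "__main__":
    flagged, rows = demo()
    print("flagged:", flagged)
    print("stored :", rows)
```

The legitimate name O'Brien is flagged along with the SQL-looking one, which is why a regex like this works only as a detection signal while parameter binding does the protecting.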