Magical Image Gallery (1 / 3) | Hacker 101 CTF
Home page

View source

Hmm... an interesting parameter, id. Let's check that. A hex dump of the image is fetched.

Testing the parameter for possible SQLi:

http://35.237.57.141:5001/a6d92f8421/fetch?id=2-1

This outputs the same result as id=1.

So… SQL injection? Yes 😁

Manual Enumeration

A query is evaluated as true if it returns the page with the hexdump of a valid id, 1 or 2. In these cases […]
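
Why `id=2-1` returns the same image as `id=1`, as an added example that is not code from the original write-up. It assumes the handler builds its query by string concatenation; the `photos` table, its rows and the function names are constructed for illustration, with in-memory SQLite standing in for the real database.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the gallery's image table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, filename TEXT)")
    db.executemany("INSERT INTO photos VALUES (?, ?)",
                   [(1, "a.jpg"), (2, "b.jpg")])
    return db


def fetch_concatenated(db, raw_id):
    # Vulnerable pattern (assumed): the request value becomes part of the
    # SQL text, so the database evaluates "2-1" as the expression 1.
    query = "SELECT filename FROM photos WHERE id = " + raw_id
    row = db.execute(query).fetchone()
    return row[0] if row else None


def fetch_parameterized(db, raw_id):
    # Hardened form: accept only ASCII digits, then bind the value.
    # A bound value is data and is never parsed as SQL.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None
    row = db.execute("SELECT filename FROM photos WHERE id = ?",
                     (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "2-1"):
        print(value,
              "concatenated:", fetch_concatenated(db, value),
              "parameterized:", fetch_parameterized(db, value))
```

With the bound parameter, `2-1` is rejected instead of being computed, so the arithmetic check no longer produces a valid image.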