Web - 40 Points

I just created a site with a list of popular presidential candidates!


After a few attempts with sqlmap, we found out that there was some sort of WAF/IPS. This tampering script ( was useful to find a valid injection point. It replaces the space character (‘ ‘) with a pound character (‘#’) followed by a random string and a newline (‘\n’). Note that the minimum version required for it to work is MySQL >= 5.1.13.

./ --dbms "MySQL" --technique U --batch --tamper "" -r /tmp/ -D sctf_injection --exclude-sysdbs --sql-shell
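From the defender's side, the tamper described above works because a filter matching keywords separated by whitespace never sees whitespace, while MySQL discards each `#...` comment up to the newline. The following is an added example, not code from this writeup or from sqlmap: it normalizes a parameter value the way the database would before matching. The `SIGNATURE` rule, the function names and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# MySQL '#' comment running to the end of the line, the shape the
# tamper script produces in place of each space.
HASH_COMMENT = re.compile(r"#[^\r\n]*(?:\r\n|\n|\r)")

# Hypothetical keyword rule of the kind a WAF/IPS might apply (assumption).
SIGNATURE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def normalize(raw_value: str) -> str:
    """URL-decode the value, then replace every '#...<newline>' comment
    with a single space, which is how MySQL ends up reading it."""
    return HASH_COMMENT.sub(" ", unquote_plus(raw_value))


def inspect(raw_value: str) -> dict:
    """Compare the rule's verdict before and after normalization."""
    decoded = unquote_plus(raw_value)
    naive = bool(SIGNATURE.search(decoded))
    normalized = bool(SIGNATURE.search(normalize(raw_value)))
    return {
        "naive_match": naive,
        "normalized_match": normalized,
        "hash_comment_count": len(HASH_COMMENT.findall(decoded)),
        # The rule fires only once comments are stripped: the request was
        # shaped to slip past whitespace-based matching.
        "evasion_suspected": normalized and not naive,
    }


# Constructed sample values (not taken from the challenge traffic).
TAMPERED = "1%23kQwZ%0AUNION%23pLmN%0ASELECT%23xYtR%0A1%2C2"
PLAIN = "1+UNION+SELECT+1%2C2"
BENIGN = "Fix+for+issue+%2342%0Asee+notes"

if __name__ == "__main__":
    for label, value in (("tampered", TAMPERED), ("plain", PLAIN), ("benign", BENIGN)):
        print(label, inspect(value))
```

A `#` followed by a newline also occurs in ordinary text, so the comment count alone is not a verdict; the useful signal is a rule that matches only after normalization.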


Our injection