In this task we are facing a web application which use OTP authentication method. We have to get a valid pair of token and password in order to retrive the flag. We are given the source and it turns out that the webapp suffer from a sql injection here:

"SELECT ###CENSORED### FROM otp WHERE ###CENSORED### = '$token' AND ###CENSORED### < $time",

This was a really nice challenge since we basically have to select from the otp table one column without specifying the name (we couldn’t use the sqlite_master table because of the small filter that will make the script die if our input contains the word ‘sqlite’). What we basically did was to use subquery to assign alias to the column name selected from otp and then select the alias outside the subquery like this:

token=' and 1=0 union select pwd from (select 1 token,2 pwd,3 expire from otp where 1=0 union select * from otp)-- -&pass=

This will show us the password for one token. Now obtaining the flag is a cake, just code a little script that will do the work for us:

http://pastebin.com/rGWC2hZb

the flag is: ADCTF_all_Y0ur_5CH3ma_ar3_83L0N9_t0_u5

solved originally by nurfed. Razor4x