All right! back again with new challenge from CTFlearn website:)
Let’s start quickly with challenge informations
Challenge link https://ctflearn.com/challenge/149
From the description you’ll notice that there’s SQLi and you’ll use UNION query, the injection here is UNION based. Nice !
Open the website
You’ll find that there’s input field ID and you should enter numbers and then you’ll see information about the users, if you try to insert words you won’t get anything
Ok now we understand that the balance query will be nothing
Balance query character is ‘ or “ or ‘) or “) or nothing, this character is used to balance the query while injection
So let’s try to know number of columns
nothing → id=1 order by 1- -
nothing → id=1 order by 2- -
nothing → id=1 order by 3- -
main page, good → id=1 order by 4- -
The next step is to know what’s the vulnerable columns by
union select 1,2,3,4 —
So we now know that the vulnerable columns is 1,2 and 3, we will start to print the database info in this columns like
union select table_name,2,3 from information_schema.tables —
Nice! there’s many of tables but we’re searching about unique name so at the end of this list you’ll find interesting name
Yes! That’s we’re searching for, let’s search for a unique column
union select column_name,2,3 from information_schema.columns —
Nice! at the end of this list you’ll find …
Now we’ve table_name and column_name so try to get the data from this column
union select column_name from table_name—
Great ! We’ve the flag now.
