RingZer0Team CTF SQLi challenges — Part 1

Dec 4, 2017

I have been using CTFs to learn and keep sharp for a while, and I am continuing my series of write-ups of the RingZer0Team challenges. It is time for an installment on SQL injection. I have previously written about the JavaScript RingZer0Team CTF challenges.


I have set myself the challenge of writing up the details of each challenge that I solve as a reminder to myself, as a reference and as a resource to help others on their CTF journeys. In this post I outline the first few SQL challenges I have completed and the rabbit holes they took me into along the way as the challenges get increasingly difficult.

ACL rulezzz the world

You are provided a simple drop down that submits a username variable to a vulnerable server.

Passing in a simple single quote yields a MySQL syntax error, which gives us a good starting point as to the syntax we should work with.

Using the built-in functionality, passing in a username returned three fields:

  • Username
  • Group
  • Description

Assuming this, the SQL query will be along the lines of:

`SELECT Username, Group, Description FROM <tablename> WHERE Username='<INPUTNAME>';`

If we then modify the SQL syntax to return all of the users by matching with an OR condition, our syntax becomes:

`SELECT Username, Group, Description FROM <tablename> WHERE Username='admin' OR 'a'='a`

Note that we do not add a trailing quote, since it is already present within the SQL syntax. This evaluates the SQL to return the details for the username of admin and bypass the password.
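The same lookup reproduced against an in-memory SQLite database, as an added example that is not from the original write-up or the challenge's code. It shows the concatenated query returning every row for the input above, while a bound parameter treats that input as a plain string. The table name `users`, the sample rows and the function names are assumptions, and SQLite stands in for MySQL.

```python
import sqlite3

# The input discussed above: no trailing quote, the query supplies it.
PAYLOAD = "admin' OR 'a'='a"


def make_db():
    # Constructed sample data; the table name and rows are assumptions.
    # "Group" is a reserved word, so it is quoted as an identifier here.
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE users (Username TEXT, "Group" TEXT, Description TEXT)')
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "administrators", "site admin"),
        ("alice", "users", "regular user"),
        ("bob", "users", "regular user"),
    ])
    return db


def lookup_concat(db, username):
    # Vulnerable pattern: the input is pasted between the quotes of the
    # WHERE clause, so a quote in the input changes the query structure.
    sql = ('SELECT Username, "Group", Description FROM users '
           "WHERE Username='" + username + "'")
    return db.execute(sql).fetchall()


def lookup_param(db, username):
    # Hardened pattern: the driver binds the value, so quotes stay data.
    sql = ('SELECT Username, "Group", Description FROM users '
           "WHERE Username=?")
    return db.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", lookup_concat(db, "admin"))
    print("concat, crafted input:", lookup_concat(db, PAYLOAD))
    print("bound,  crafted input:", lookup_param(db, PAYLOAD))
    try:
        lookup_concat(db, "'")
    except sqlite3.OperationalError as exc:
        # The syntax error that revealed the flaw in the first place.
        print("concat, single quote :", exc)
    print("bound,  single quote :", lookup_param(db, "'"))
```

A drop-down does not constrain what the server receives, so the bound parameter (or a server-side check against the known usernames) is what enforces the restriction.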

Login portal 1


You are provided a simple username and password login form. I initially tested to see if there was any character filtering, and the = operator and the comment tags -- and # are filtered by the web app.

Since it is a login form, it is straightforward to assume the likely SQL syntax and build a simple injection bypass.



