RingZer0Team CTF SQLi challenges — Part 2

Greg
Dec 14, 2017

Continuing on in my series of write-ups of the RingZer0Team challenges, it is time for my next instalment on SQL injection. I have previously written about Using CTF’s to learn and keep sharp, Javascript RingZer0Team CTF challenges and RingZer0Team SQLi Part 1.

SQLi

In this post I outline more of the SQL challenges I have completed and the rabbit holes they took me into along the way as the challenges get increasingly difficult.

For those that have found this as my first story, I have set myself the challenge of writing up the details of each challenge that I solve as a reminder to myself, as a reference and as a resource to help others on their CTF journeys.

Quote of the day

https://ringzer0team.com/challenges/37?q=5

This time the SQL injection challenge is not a login form but a numeric input that returns a quote of the day. For this challenge, using substrings or a union springs to mind, if it works.

I started by enumerating the messages that the quote of the day returns by submitting different integers and trying out negative values to see what effect they have. I then checked whether you can do simple addition via the query and get the quote you expect; this indicates that the SQL is being interpreted as part of the evaluation on the web server.

https://ringzer0team.com/challenges/37?q=0+2 
#Returns the same quote as
https://ringzer0team.com/challenges/37?q=2

Passing in a single quote yields an error for the id lookup and reflects back the input in an encoded format.

https://ringzer0team.com/challenges/37?q=2'
#Response:
No result found for id “2’”

Since I knew that the addition was working for the integers I wanted to find out what else was allowed through the filtering that had been put in place. I carried out checks to see if we can run a query that returns a numeric value with comments between. Passing in comments did not work either:

/challenges/37?q=1/**/+1
Returned result
#No result found for id ‘1/**/1’
