In this post I outline more of the SQL challenges I have completed and the rabbit holes they took me into along the way as the challenges get increasingly difficult.
For those who have found this as my first story, I have set myself the challenge of writing up the details of each challenge that I solve as a reminder to myself, as a reference and as a resource to help others on their CTF journeys.
Quote of the day
This time the SQL injection challenge is not a login form but a numeric input that returns a quote of the day. For this challenge, using substrings or a union springs to mind, if it works.
I started by enumerating the messages that the quote of the day returns by submitting different integers and trying out negative values to see what effect they have. I then checked whether you can do simple addition via the query and get the quote you expect; this indicates that the SQL is being interpreted as part of the evaluation on the web server.
#Returns the same quote as
Passing in a single quote yields an error for the id lookup and reflects back the input in an encoded format.
https://ringzer0team.com/challenges/37?q=2'
#Response: No result found for id “2’”
Since I knew that the addition was working for the integers I wanted to find out what else was allowed through the filtering that had been put in place. I carried out checks to see if we can run a query that returns a numeric value with comments between. Passing in comments did not work either:
/challenges/37?q=1/**/+1
Returned result
#No result found for id ‘1/**/1’
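The addition check described above succeeds when the parameter is concatenated into the statement, because the database then evaluates the expression before comparing it to the id. As an added example (not code from the challenge or from this write-up), the sketch below assumes an in-memory SQLite table with constructed quotes and hypothetical function names, and shows that behaviour beside a lookup that validates the integer and binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data; the challenge's real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quotes (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany(
        "INSERT INTO quotes VALUES (?, ?)",
        [(1, "quote one"), (2, "quote two"), (3, "quote three")],
    )
    return db


def lookup_vulnerable(db, q):
    """Flawed pattern: the raw parameter becomes part of the SQL text."""
    try:
        row = db.execute("SELECT body FROM quotes WHERE id = " + q).fetchone()
    except sqlite3.Error:
        return None  # a syntax error is reported to the user as "no result"
    return row[0] if row else None


def lookup_hardened(db, q):
    """Accept only a short run of ASCII digits, then bind it as a parameter."""
    if not (q.isascii() and q.isdigit() and len(q) <= 9):
        return None
    row = db.execute("SELECT body FROM quotes WHERE id = ?", (int(q),)).fetchone()
    return row[0] if row else None


def compare(inputs):
    """Return {input: (vulnerable_result, hardened_result)} for each input."""
    db = make_db()
    return {q: (lookup_vulnerable(db, q), lookup_hardened(db, q)) for q in inputs}


if __name__ == "__main__":
    # Same kinds of probes as in the write-up: integers, arithmetic, a quote.
    for q, (vuln, safe) in compare(["2", "1+1", "3-1", "2'", "-1"]).items():
        print(f"{q!r:8} vulnerable={vuln!r:14} hardened={safe!r}")
```

In the concatenated version `1+1` and `3-1` both return the quote for id 2, which is the signal the write-up relies on; the bound version treats anything other than a plain integer as no result.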