RingZer0Team CTF SQLi challenges — Part 3

Greg
3 min read · Mar 1, 2021

Continuing on in my series of write-ups of the RingZer0Team challenges, it is time for my next instalment on SQL injection. I have previously written about Using CTF’s to learn and keep sharp, Javascript RingZer0Team CTF challenges and RingZer0Team SQLi Part 1.

SQLi

In this post I outline more of the SQL challenges I have completed and the rabbit holes it took me into along the way as the challenges get increasingly difficult.

For those for whom this is the first of my stories: I have set myself the challenge of writing up the details of each challenge that I solve, as a reminder to myself, as a reference and as a resource to help others on their CTF journeys.

No more hacking for me!

https://ringzer0team.com/challenges/74/

In this challenge the page returns a quote text, or an error for no result found. The injectable parameter is id. The hint provided is: “I Think the last urldecode is too much, find ways to bypass every condition, htmlentities can help.”

http://php.net/manual/en/function.htmlentities.php

The PHP htmlentities function encodes submitted characters into their HTML entity equivalents, so that user-supplied text can be rendered as HTML safely. So as well as finding a way to bypass the SQL filtering, I also needed to find characters that get past the HTML encoding. The hint also suggests that the urldecode function is in use.

Examining the source code provides a similar hint:

<!-- l33t dev comment: -->
<!-- No more hacking attempt we implemented the MOST secure filter -->
<!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->

Based upon this, the SQL is something along the lines of

SELECT * FROM <table> WHERE 'htmlentities($_GET['id'])'

There is also going to be some extra logic to return “no result found”.

Characters that are filtered by htmlentities:

Character | Replacement
& (ampersand) | &amp;

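To make the dev comment's filter chain and the entity table above concrete, here is an added example of my own (not the challenge's code) that models the five PHP steps in Python and runs a legitimate value through them, next to the parameterized query that makes such a filter unnecessary. The htmlspecialchars/addslashes mimics, the quotes table, its column names and the sample rows are all constructed for the demo; urllib's unquote_plus stands in for PHP's urldecode.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed model (not the challenge's own PHP) of the chain in the dev comment:
#   urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES)))))


def php_htmlspecialchars(s: str) -> str:
    """Mimic PHP htmlspecialchars() with ENT_QUOTES (HTML 4.01 entities)."""
    return (s.replace("&", "&amp;")   # '&' first, so the entities added below keep their '&'
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;")
             .replace("'", "&#039;"))


def php_addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash-escape single quote, double quote, backslash and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def filter_stages(value: str) -> list:
    """Apply the five steps in the dev comment's order and return every intermediate value."""
    stages = [value]
    stages.append(php_htmlspecialchars(stages[-1]))   # htmlspecialchars(..., ENT_QUOTES)
    stages.append(unquote_plus(stages[-1]))           # inner urldecode
    stages.append(stages[-1].replace("'", ""))        # str_replace("'", "", ...)
    stages.append(php_addslashes(stages[-1]))         # addslashes
    stages.append(unquote_plus(stages[-1]))           # the "last urldecode" the hint points at
    return stages


def challenge_filter(value: str) -> str:
    """The value the application would finally place into its SQL string."""
    return filter_stages(value)[-1]


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's quote table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quotes (id INTEGER PRIMARY KEY, author TEXT, quote TEXT)")
    db.executemany("INSERT INTO quotes (author, quote) VALUES (?, ?)", [
        ("Hopper", "The most dangerous phrase is: we've always done it this way."),
        ("O'Brien & Sons", "Measure twice, cut once."),
    ])
    return db


def lookup_quote(db: sqlite3.Connection, author: str):
    """Parameterized lookup: the driver binds `author` as data, so quotes, ampersands
    and percent signs in it are never interpreted as SQL and need no stripping."""
    row = db.execute("SELECT quote FROM quotes WHERE author = ?", (author,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    legit = "O'Brien & Sons"
    for i, s in enumerate(filter_stages(legit)):
        print(f"stage {i}: {s!r}")
    # The filter chain turns a perfectly valid author name into HTML entities,
    # so the "secure" version of the lookup cannot find the row at all.
    print("filtered lookup :", lookup_quote(db, challenge_filter(legit)))
    print("parameterized   :", lookup_quote(db, legit))
```

Running it shows the real cost of the dev's filter: a name containing an apostrophe and an ampersand comes out as `O&#039;Brien &amp; Sons`, which no longer matches the stored row, while the parameterized query returns the quote because the apostrophe is bound as data rather than escaped, stripped or decoded. That is the check to apply whenever a code base stacks encode/decode calls in front of a query: if the input must be mangled for the query to be safe, the query is built the wrong way.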

Greg

Security addict, 17+ years in industry making systems more secure and finding those that aren’t