RingZer0Team CTF SQLi challenges — Part 3

Greg
3 min read · Mar 1, 2021

Continuing my series of write-ups of the RingZer0Team challenges, it is time for my next instalment on SQL injection. I have previously written about Using CTF’s to learn and keep sharp, Javascript RingZer0Team CTF challenges and RingZer0Team SQLi Part 1.

SQLi

In this post I outline more of the SQL challenges I have completed, and the rabbit holes they took me into along the way, as the challenges get increasingly difficult.

For those who have found this as my first story: I have set myself the challenge of writing up the details of each challenge that I solve, as a reminder to myself, as a reference, and as a resource to help others on their CTF journeys.

No more hacking for me!

https://ringzer0team.com/challenges/74/

This challenge returns either a quote text or an error when no result is found. The injectable parameter is id. The hint provided is: “I think the last urldecode is too much, find ways to bypass every condition, htmlentities can help.”

http://php.net/manual/en/function.htmlentities.php

The PHP htmlentities function encodes characters that have special meaning in HTML into their entity equivalents, so that submitted text can be rendered safely as HTML.
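The hint above points at an ordering problem: sanitising a value and then calling urldecode on it afterwards undoes the sanitisation for percent-encoded input. The following Python model of that pipeline is an added example, not code from the challenge or the write-up; it approximates PHP's htmlentities with html.escape and uses a constructed input to show why decoding must happen before encoding (and, for the SQL side, why parameterised queries rather than output encoding are the real defence).

```python
import html
from urllib.parse import unquote


def php_htmlentities(value: str) -> str:
    # Approximation of PHP htmlentities() with ENT_QUOTES:
    # <, >, &, " and ' are turned into HTML entities.
    return html.escape(value, quote=True)


def encode_then_decode(raw_param: str) -> str:
    # Bug pattern from the challenge hint: htmlentities first, then a
    # trailing urldecode. Percent-encoded characters pass the encoder
    # untouched and are only turned into raw HTML afterwards.
    return unquote(php_htmlentities(raw_param))


def decode_then_encode(raw_param: str) -> str:
    # Corrected order: remove the transport (URL) encoding first,
    # then encode for the HTML output context.
    return php_htmlentities(unquote(raw_param))


def is_html_safe(value: str) -> bool:
    # Check used by the test below: no raw HTML-significant characters
    # may survive the pipeline.
    return not any(c in value for c in "<>\"'")


if __name__ == "__main__":
    # Constructed sample: a URL-encoded <b> tag supplied as the id parameter.
    sample = "%3Cb%3Ehi"
    print("buggy order  :", encode_then_decode(sample))
    print("correct order:", decode_then_encode(sample))
```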

Greg

Security addict, 17+ years in industry making systems more secure and finding those that aren’t