CTF ringzer0ctf — SQLi challenges — part 1
Last updated
All right! Here we'll dig into the vulnerability that interests me most: SQL injection ❤
Let's solve some CTF challenges on this topic from the ringzer0ctf website.
Challenge 1 — Most basic SQLi pattern.
From its name it seems to be the easiest SQLi challenge to solve. You will find a login form, and the first thing to try is this payload:
admin' or 1=1 #
Good, it worked! You have the flag, and congrats on the first point ❤
Challenge 2 — Random Login Form
Here the situation is a little different because you have two forms: the first is a login form and the second is a registration form. If you try to register an account with the username admin, you get a message saying that this account already exists, so try to log in to it with our simple trick
username: admin & password: aykalam' or 1=1#
but unfortunately you get an error message. This trick fails to log in, and I tried several others but none of them worked.
Now we seem to have no way of creating an account with the username admin.
After more trying and searching I found something tricky: register an account with these credentials
username: — — admin — — & password: anything_you_want
Note: each — character stands for a space.
By adding, for example, four spaces before and after the username, the input passes the uniqueness validation; the spaces are then stripped by the application or the database, so you bypass the check and register the admin username with any password you want.
Now try to log in again with those credentials.
FLaaaaaaaaG :) Congratulation for the points ❤
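The challenge's server code is not visible, so the following is an added example (not the challenge's or the site's own code) that reconstructs the most likely flaw behind the whitespace trick: the "already exists" check runs on the raw input, while the value actually stored is stripped and written so that it overwrites the existing row. The in-memory SQLite table, the credentials and the function names are all constructed for the demo. The hardened variant normalizes first, checks the normalized value, and never replaces on conflict.

```python
import sqlite3


def make_user_db():
    """In-memory stand-in for the challenge's users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'original-secret')")
    return conn


def username_taken(conn, username):
    """Exact-match lookup; note it does not trim, so '    admin    ' != 'admin'."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def register_vulnerable(conn, username, password):
    """Assumed flawed logic: uniqueness is checked on the raw input, but the
    stored value is stripped and written with OR REPLACE, so a padded 'admin'
    passes the check and then overwrites the real admin row."""
    if username_taken(conn, username):
        return "already exists"
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?)",
                 (username.strip(), password))
    return "registered"


def register_hardened(conn, username, password):
    """Normalize before checking, and insert without REPLACE so a duplicate
    can never silently replace an existing account."""
    username = username.strip()
    if not username:
        return "invalid username"
    if username_taken(conn, username):
        return "already exists"
    try:
        conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    except sqlite3.IntegrityError:
        # Covers a race between the check and the insert.
        return "already exists"
    return "registered"


def password_of(conn, username):
    """Helper for inspecting which password the stored 'admin' row now holds."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_user_db()
    print(register_vulnerable(conn, "admin", "x"))                 # already exists
    print(register_vulnerable(conn, "    admin    ", "attacker"))  # registered
    print(password_of(conn, "admin"))                              # attacker
    conn = make_user_db()
    print(register_hardened(conn, "    admin    ", "attacker"))    # already exists
```

The detection point for a defender is the mismatch between what the check compares and what the database stores: any normalization (trim, case folding, Unicode folding) has to happen before the uniqueness check, and the insert must fail rather than replace on a duplicate key.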
Challenge 3 — Po po po po postgresql
When you open this challenge you get a login page. By default you start with the simple technique of injecting a single quote (') into the username field to see how the backend balances the query; for example, the backend may wrap the value in ' or " or ') or ") or nothing at all, and so on.
By inserting ' you get something nice: an error message that reveals the query balancing. Nice :)
From the screenshot and the error, the backend closes the value with ') so we'll try to inject it with our payload, but wait and look at the error again.
You have to insert two ) because there is another one at the start that needs to be closed, so the balancing here is ')) not ')
username: admin')) --
(the -- is the SQL line comment, which discards the rest of the original query)
Good! We got it !
Challenge 4 — Login portal 1
After going into the challenge you will see another … what!! A login page again!!
So let's deal with it with the default payload ' and no error message appears!
Try to inject this payload → admin' or 1=1 # and you will see the message Illegal characters detected.
Nice, so the system validates my input and has a blacklist of some characters like # and =
so we'll try to find alternatives for these characters
from this list WAF-GitHub you will find more than one technique to bypass filtered characters
you can use > or < instead of = like this
username: admin' or 'a'>'b
trying this method…
We have 2 points NOW, Good !
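Two things in challenges 1 and 4 are worth seeing in code: why a character blacklist is not a fix, and why the payload admin' or 'a'>'b logs you in even though 'a'>'b' is false. The reason for the second is operator precedence: in SQL, AND binds tighter than OR, so WHERE username = 'admin' or 'a'>'b' and password = 'x' is evaluated as username = 'admin' OR ('a'>'b' AND password = 'x'), and the admin row matches on the first branch alone. The block below is an added example (not the challenge's code) using SQLite; the query shape, the table, the credentials and the two-character blacklist are assumptions standing in for the unknown backend. Because # is a MySQL-only comment marker, the challenge 1 payload is written with -- for SQLite.

```python
import sqlite3

# Constructed demo credentials; the real challenge's users table is unknown.
DEMO_USER = ("admin", "correct-horse")

# Mirrors the behaviour observed in challenge 4: '#' and '=' are rejected.
# The real filter list is not known; this set is an assumption.
BLOCKLIST = {"#", "="}


def make_db():
    """In-memory SQLite stand-in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", DEMO_USER)
    return conn


def passes_blocklist(value):
    """The challenge 4 style filter: reject input containing a listed character."""
    return not any(ch in value for ch in BLOCKLIST)


def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text (assumed query shape).
    Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened: the same lookup with bound parameters, so the input is data,
    never SQL syntax, regardless of which characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Challenge 1 style payload; '#' is MySQL comment syntax, SQLite uses '--'.
    p1 = "admin' or 1=1 -- "
    # Challenge 4 payload: contains neither '#' nor '=', so the blacklist passes it.
    p4 = "admin' or 'a'>'b"
    for payload in (p1, p4):
        print(repr(payload),
              "blocklist:", passes_blocklist(payload),
              "concat:", login_concat(conn, payload, "wrong"),
              "param:", login_param(conn, payload, "wrong"))
```

Running it shows the blacklist rejecting the first payload and accepting the second, the concatenated query authenticating as admin with a wrong password in both cases, and the parameterized query returning None for both. The fix is the parameterized form; the blacklist only changes which characters the attacker has to avoid.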