Medium/hard
Can you find the flag via SQL injection?

Important information

Challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic unless clearly specified in the challenge information below.

Challenge Information

The form is vulnerable to SQL injection and there's a flag inside the database waiting for you. Using ONLY union based injection, can you retrieve it?

Challenge Solutions

Important: We can see you don't have a valid submission to this challenge yet. Be warned you may ruin the challenge by viewing the solution

Show Solution

Solution from noob

Note: xD so I forgot to add filters/blacklist in the 'password' parameter and many people solved it using that way, I later realized when someone shared me his solution of my challenge. so I have fixed it now, for those who did that way ;) try now!

In this challenge,the task was to evade the SQL blacklist/filters and get the flag in a single request, so the following hints on https://www.bugbountynotes.com/challenge?id=7 were given:

Observe the SQL Error to see if there are any blacklistings on some special characters

Explaination:

After some hit and trails and since errors were verbose, one could identify that whitespaces, commas(,) , and , or , / etc. were converted to empty strings with username: 'xxorxxandxx test you can see in the error only xxxxxx is present that means 'or' and 'and' keyword was removed but you can use 'oorr' which would evaluate to 'or' because and similar for 'and' etc keywords

In SQL you can use parenthesis at a lot of places instead of spaces

Explaination: In SQL you can use paranthesis or brackets at various places and avoid spaces that way it was possible to bypass whitespaces filter.

1. To Find Number of columns used in a table you can use a trick like

select ((select * from {table}))=1

this query will throw an error and reveal the number of columns in the table. But since the schema was already given(added later in the challenge) you knew the table name(flag) and column names and it was easy to know the number of columns present but without this information also, you could have used

'anandd(select*from(flag))=1#

and this will tell there are four columns in the table where # is a SQL comment and will comment out the rest of the query

Note: I used anandd because 'and' was converted to '' so 'anandd' becomes 'and'

We can join different tables in SQL

Since commas are blocked we can't use union select with more than 1 columns however there are 4 columns in the table of current query but for union clause both table should have equal no. of columns. In that case we could use SQL Joins and completely bypass commas (,).

1. Union Clause

As I already had given information(column names,table names etc..) to make challenge easier which wasn't necessary, we could have used something like this

Solution: xxx'Union(select*from(select(1))ajoin(select(2))bjoin(select(3))cjoin(select(4))d)#

Explaination:

JOIN is used to join 2 or more tables in SQL. It will combine the rows and columns of both the tables. Since more tables u combine the rows and columns will increase and all we care about is matching the number of columns to the original table so we can successfully use Union Clause. so what we do is:

Union Select * from (select 'tbl1 column') alias_table1 join (select 'tbl2 column') alias_table2 join (select 'tbl3 column') alias_table3 join (select 'tbl4 column') alias_table4

so lets divide it into parts and understand:

(select 'tbl1 column') alias_table1

This part of the query creates an alias/temporary table named 'alias_table1' with one column and its value "tbl1 column" similarly we create 3 more such "Fake" tables and their alias' and join them with "JOIN" operator. Thus joining 4 tables with 1 columns each becomes total of 4 columns which was same the number of columns in the original table and the required situation for using Union Select.

now all we had to do was to remove spaces and make it shorter for which we could have used spaces

to make query small and clean i have used a,b,c,d... etc as alias name for tables.

xxx'Union(select*from(select(1))ajoin(select(2))bjoin(select(3))cjoin(select(4))d)#

Now After using this payload we see that it shows Logged in as '2' in the response of the page. which means we could control column of table aliased as 'b'

2. Extracting flag

Simply extract flag column from flag table and we'll get the flag contents in the response. Use this query (select(flag)from(flag)) inplace of column of table 'b' since only that column was visible on the page

xxx'Union(select*from(select(1))ajoin(select(flag)from(flag))bjoin(select(3))cjoin(select(4))d)#

and boom!

Logged In! as : flag{dDhbLnVnQF1UOypEbmtjd24jQ1VpP21fckNKLHZMI112QEFrKEItMzJ9fUBfLHRjTjozWFNETUxpQFNUViglLmo1Kmp6JnldTksofTItYWN2dHlxVmJKIyU9Vy57e0F3aWFKbip0M3JxOGZ0ejo1JXtSM241UXEsdk5uW2NkLnpOW2docXZucj1LaCpXdlB6R3A7ZHQ6OFY3VC5fcSpqdjVSUll9NjpoQCU5dSo9ejUmPXolMz9kMltMejVDQW1YM0hUWkdBKjZdV1VQcCwuJVgzI0UlRiw2ODJoTVR4JiFLI3lyIUxqdXhYa3lpKUYpLzMzNUZoSyM2cnY9cEw6ZilTSEFLUD8rKT9LVGJjTnpmRC1LbnlaR1l1Mj1aaHgjU3JoNipBWllTdTIpCg==}

Challenge Creator

noob

Challenge hints

Completed By — View more

palant
Accepted on 13-11-2018

rootaccess
Accepted on 07-10-2018

sakyb777
Accepted on 30-10-2018

BugBountyNotes

Medium/hard Can you find the flag via SQL injection?

× Important information