Playing capture the flag - coding challenges - sql injection 1
I recently have been playing some capture the flag games, I found a site called ringzer0 who host many different types of coding challenges.
It mentions on their site:
RingZer0 Team Online CTF
RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills through hacking challenges. Register and get a flag for every challenge.
I really wanted to test out some of the skills I have learned from completing some of the portswigger web security academy, built by Portswigger.
I read on the ringzer0 site, that the aim of the game is to collect the flag, which is a key which can be found by bypassing or figuring out the challenge.
First challenge - Most basic SQLi pattern.
Being the first challenge in the set, I thought it was going to be really straightforward, and the best place to really start.
I tried logging in, just so I could see the functionality, and as expected there was a message saying incorrect username / password. Now it was time to play with the functionality. I loaded up burp suite and captured the login call and played it.
I then started modifying the request to see if I could break it, which would signify that I somehow affected the outcome of the request, so I sent the request from the interceptor to the repeater, and then modified the parameters, my thinking being that maybe in the backend the system would be running a sql query something like:
SELECT username, password FROM users WHERE username=@username AND password=@password
So I changed the repeater query to terminate out of the query by adding a
' into the username, this is a sql injection challenge afterall.
Something strange happened, instead of wrong username / password I got a message showing
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'password'' at line 1
So I did the most basic thing possible, and just added an or statement at the end of the query parameter, and commented out the rest of the query like so:
which only caused the request to hang and eventually return a 504 error. I think its because the multiline comment
So instead I tried it again and realised no, it was just the server returning that, so i tried it again and got the message
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/*' AND password = 'password'' at line 1
I think commenting out the rest of the query must be causing the issue so i try and add some logic to be applied inline
which again showed wrong username / password, so I modified it slightly to
which completed the challenge
The reason this worked must be because behind the scenes, the query must look like
SELECT username, password FROM users WHERE username='username' AND password='password';
and our modified query would have changed this to be something the below, which would have bypassed the password check.
SELECT username, password FROM users WHERE username='username' AND password='password' OR 'a' = 'a'
Written on May 18, 2019.