RED29

IP Address: 172.25.200.200

Port: 9041

Want to run this Docker container locally?

docker run -d -p 9041:80 --restart always --name flag-red29 joshbeck2024/ctf-advanced-sql-injection-training-flag-red29

This webpage hosts a simple landing page that is vulnerable to cheap, easy SQL injection.

In the form field type:

' or 1=1-- -


Terminating the string literal with a single quote (') and appending or 1=1-- - turns the WHERE clause into a tautology, so the query returns every username/password row in the database/table the application is configured to query.


While tools like SQLMap could automate and expedite the extraction process by dumping all databases and tables from the MySQL server, the objective of this challenge is to guide you through manually enumerating this information. (Good news! SQLMap has you covered 99 percent of the time. It’s good to look at what it is doing under the hood from time to time for sure, which is the point this time.)

Once an injection field is discovered within a web application like this, you’ll want to first figure out how many columns are present within the table that is being queried. We can do this in a couple of different ways.

'Order By' Statement:

Try this query first:

' ORDER BY 1-- -

You’ll see that the application returns a result indicating the username is invalid. (This webpage is working as expected. No actual application error. In Burp Suite we’d see a Response Code of 200 OK!)
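Added example (not code from the RED29 container, whose real schema and language are not shown here): an in-memory SQLite stand-in with a constructed users table, showing why the ' or 1=1-- - input returns every row and why ' ORDER BY 1-- - comes back as "no such user" when the username is spliced into the query string, while a bound parameter treats both inputs as plain data.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (assumption:
# the real RED29 table layout is not given on the page).
SEED_ROWS = [("alice", "Winter2024!"), ("bob", "hunter2"), ("carol", "s3cr3t")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The bug shape the lab exploits: user input concatenated into SQL.

    With username = "' or 1=1-- -" the statement becomes
      ... WHERE username = '' or 1=1-- -'
    so the tautology matches every row and the comment swallows the
    trailing quote.
    """
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the value, so it can never alter
    the statement's structure. The same payload is just an unknown name."""
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_count_anomaly(rows):
    """Cheap server-side signal: a lookup keyed on one username should never
    return more than one row; more than that means the WHERE clause was altered."""
    return len(rows) > 1


if __name__ == "__main__":
    db = make_db()
    for payload in ["alice", "' or 1=1-- -", "' ORDER BY 1-- -"]:
        vuln = lookup_vulnerable(db, payload)
        safe = lookup_parameterized(db, payload)
        print(f"{payload!r}: concatenated -> {len(vuln)} rows "
              f"(anomaly={row_count_anomaly(vuln)}), bound -> {len(safe)} rows")
```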