Is equal to 1 but we don’t know what it is at the very end of this query, so sometimes we’ll have to comment out the rest of the SQL code, and the way we do that again is dependent on the SQL that’s running in the background, like the back end database version. Maybe it’s MySQL, maybe it’s Microsoft SQL rendition, the SQLite, et cetera, and they all have a different kind of form, so again you’ll have to fuzz and fudge that until you get something that will return a hit.

So if we wanted to, we could simply try double quote, or one equals one, and then a hashtag, which is what you’d expect for some MySQL versions. I’m just gonna paste that in both the username and the password field, because we don’t know which one is vulnerable. We can go ahead and try and log in for us. So okay, let’s try with or one equals one, another pound symbol, or a hashtag, because that is what MySQL uses for comments. Try and log in with that.

Oh, okay, we get an error with your request, and it shows us actually the query that’s trying to run in the background. You don’t normally see this; this is again just for your learning capability in the CTF scene, because CTF is being nice to us where it shows us what they’re trying to use. They’re using a single quote, where user equals the start of our input. You see we have our single quote injected into it, so that’s why the error is happening, because it’s trying to interpret this or one equals one, but our hashtag is being weird. It’s getting in the way, because we now don’t have a string that matches; the rest of this password is in there as well.

So maybe it’s not this, the comment style, but we do know we are using simple quotes for our string, so let’s change that. Rather than using a hashtag, the Wikipedia pages suggest some other things, where you can use -- or -- to use a comment that you’d expect to see in SQLite. So let’s try that again. I’m gonna use it in the username and password field, and we log in. Welcome admin, flag: be careful what you let people ask, in the hash that should be different for each one.

So we logged in as admin because we got an immediate return and an immediate truth in our condition, where one equals one, or one equals one. So the first thing that we return is the very first row in the table that we’re looking at, likely admin, or usually admin. So cool, immediate login, we’ve got our flag.

If we wanted to, we can script this, and I’d showcase that in another video, but I don’t think it’s necessary for this one. We can paste that in and we can jump up on the scoreboard, 50 points. Super cool, that’s SQL injection. I will however want to take a note of that as our flag, because I think that’s good practice. Certainly writing a get flag script would also be good practice for it, but whatever, I digress. If you’d like me to, we certainly can; I’d use some Python requests, use regular expressions to pull out the flag, and we’d be grooving.

Special shout out to the people that support me on Patreon, thank you guys so much, I love you that.