How To: Blind SQL Injection, HSCTF 2018: Password

July 19, 2018

Here are some rudimentary notes on how I solved the challenge ‘Password’ for HSCTF 2018. The puzzle gave an insecure social media website with a login form, and asked that you retrieve Keith’s password.

I figured out that the login form was vulnerable to SQL injection after trying the password "or true--" logged me in as user FirstName LastName.

My favorite generic queries you can try to see if a site is vulnerable to this attack are…

"or true--"
'or true--'
"or 1=1--"
'or 1=1--'
" or ""="
' or ''='

No input on the site would both accept an injection and echo query results back. The search box, which used GET, was secure. That left blind injection on the login form as the only available course of action.

  1. Start by finding some identifier that will log you into the account you wish to target. In this case, I guessed that FirstName was a column in the table, and Keith’s FirstName would be “Keith”. So I confirmed that I was correct when "or FirstName='keith'--" logged me into into his account successfully.
  2. "or password like '%a%' and FirstName = 'keith'" Checks to see if Keith’s password contains the letter ‘a’ anywhere. Try every potential character with this query, taking careful notes on which are in the password.
  3. This is the slowest and most tedious step. Starting with the first character that the password could contain, you try "or Password like 'a%' and FirstName = 'keith'" and then 'b%', 'c%'…. Once you are logged in, you have successfully found the first character in the password. Then try 'da%', 'db%', 'dc%'… until you have the complete password. You will know you are done once no more characters work.