Bug or lack of understanding: SQL fundamentals assessment

Module 33 Section 518
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.

Learned in the lesson that to keep the SQL query working we need an even number of quotes.
Basic auth bypass: admin' or '1'='1
But to get to the dashboard we have to use an uneven number of quotes:
admin' or '1'='1'-- -
or any conditional:
admin' or TRUE-- -
What am I missing here? I had to look up a walkthrough. Thanks.

Hey!

You have the concepts right, but if I am understanding you correctly you are mixed up with their examples and the security applied to them. The first subversion of authentication didn’t have the use of comments in the bypass. This means that they had to factor in the rest of the query when calculating the apostrophes.

However, using the comments to negate the rest of the query means that the query ends right at the comment and never naturally closes the value with an apostrophe. So the tester has to add their own. Also keep in mind the security they have placed on the query, meaning that the simple auth bypass won’t work for the assessment. For example:

-- Without Comments:
SELECT * FROM logins WHERE username='admin' or '1'='1' AND password = 'something';
-- Pay attention to the number of ' after the AND
-- With Comments:
SELECT * FROM logins WHERE username='admin' or '1'='1' -- ' AND password = 'something';
-- See how the rest of the query including the ' goes away!!
-- To better show it, here is a commented payload with the even amount of '
SELECT * FROM logins WHERE username='admin' or '1'='1 -- ' AND password = 'something';
-- See how it accepts the whole query, that messes with the boolean logic.

As far as completing the challenge, keep these methods in mind, and don’t forget the PayloadAllTheThings wordlist.

Doing that section manually really gives you an appreciation for tools that automate the process.
The easiest way I have found is to load up BurpSuite, capture the request, send it to Intruder, and put a payload position around the value of each parameter. Then load the PayloadAllTheThings SQLi Auth Bypass list, run the attack, and look for different-sized responses.

It could also be done the same way with FFuF. Actually, that might be faster because it isn’t throttled.

Sorry if I wrote too much, hope this helps.
-onthesauce

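To make the quote-counting point in the reply concrete, here is an added example (not from the thread or the module) that rebuilds the login query with each payload from the thread against a constructed in-memory SQLite table. It assumes the query shape `username='...' AND password='...'`, tokenises the query the way the parser does (a `--` inside a string literal is data, not a comment), reports whether the effective query has an even number of quotes, and contrasts the concatenated query with a parameterised one that treats the payload as plain data.

```python
import sqlite3

# Query shape used in the thread; the table and rows below are constructed.
TEMPLATE = "SELECT username FROM logins WHERE username='{u}' AND password='{p}'"

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE logins (username TEXT, password TEXT)")
    con.executemany("INSERT INTO logins VALUES (?, ?)",
                    [("admin", "s3cret"), ("guest", "guest")])
    return con

def effective_sql(sql):
    """What the parser keeps: a '--' OUTSIDE a single-quoted literal comments
    out the rest of the line; a '--' INSIDE a literal is just string data."""
    in_str = False
    for i, c in enumerate(sql):
        if c == "'":
            in_str = not in_str
        elif not in_str and sql.startswith("--", i):
            return sql[:i]
    return sql

def quotes_balanced(sql):
    """An even number of quotes in the effective query means it parses."""
    return effective_sql(sql).count("'") % 2 == 0

def vulnerable_login(con, username, password="wrong"):
    """String concatenation: returns matched usernames, or None on a syntax error."""
    sql = TEMPLATE.format(u=username, p=password)
    try:
        return sorted(r[0] for r in con.execute(sql))
    except sqlite3.OperationalError:
        return None

def safe_login(con, username, password="wrong"):
    """Parameterised query: the payload is compared as data, never parsed as SQL."""
    rows = con.execute("SELECT username FROM logins WHERE username=? AND password=?",
                       (username, password))
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    con = make_db()
    for payload in ["admin' or '1'='1", "admin' or '1'='1'", "admin' or '1'='1'-- -",
                    "admin' or '1'='1 -- -", "admin' or TRUE-- -"]:
        sql = TEMPLATE.format(u=payload, p="wrong")
        print(f"{payload!r:28} balanced={quotes_balanced(sql)} "
              f"vuln={vulnerable_login(con, payload)} safe={safe_login(con, payload)}")
```

The odd-quote payload without a comment fails to parse, the commented payloads only parse because the comment removes the query's own closing quote, and the "even quotes plus comment" variant parses but compares `'1'` against the literal `'1 -- -'`, which is the logic mix-up the reply describes.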