I don’t think this query is technically correct. I was so stumped on this until I read ineedabetterh4ndl3’s reply. It seems this prompt is just weird to begin with.
For example:
/?id=7556+UNION+SELECT+1,2,3--+
gives [{"id":"1","username":"2","position":"3"}]
/?id=7556'+UNION+SELECT+1,2,3--+
gives Enter a valid param for HackTheB0X API
/?id='7556'+UNION+SELECT+1,2,3--+
gives [{"id":"1","username":"2","position":"3"}]
So if select * from TABLE where id = 'input'
was the query then the second example shouldn’t error and instead should be outputting what the first and third examples print out.
select * from TABLE where id = '7556 UNION SELECT 1,2,3-- '
is missing a closing quote
select * from TABLE where id = '7556' UNION SELECT 1,2,3-- '
would be valid SQL
select * from TABLE where id = ''7556' UNION SELECT 1,2,3-- '
has an extra quote
So what the heck is actually going on here? Not sure if someone has been able to grab the source code from the back end, but I unfortunately don’t have any more time to spend on this module to go digging. My best guess for the back-end query is the following:
select * from TABLE where id = input
Now that I actually write this out, is this because the input is an INT? In that case quotes wouldn’t be required in the SQL query to escape the input to begin with. Testing /?id=7556+UNION+SELECT+1,2,3
seems to confirm this with an output of [{"id":"1","username":"2","position":"3"}].
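To reproduce the three behaviours above and show the fix, here is an added example (not from the original post or the HackTheBox back end) that models the guessed unquoted numeric query against an in-memory SQLite table with constructed rows, beside a version that validates the id as an integer and binds it as a parameter. Table and column names are assumptions.

```python
import re
import sqlite3

# Constructed sample data; the real challenge schema is unknown.
COLS = ("id", "username", "position")
ROWS = [(1, "alice", "admin"), (2, "bob", "analyst")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, position TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def rows_to_dicts(cursor):
    return [dict(zip(COLS, row)) for row in cursor]


def lookup_vulnerable(conn, user_input):
    """Numeric context as guessed in the post: the raw input is spliced into the SQL.
    A syntax error (e.g. an unbalanced quote) is mapped to None, standing in for the
    API's 'Enter a valid param' response."""
    sql = f"select * from users where id = {user_input}"
    try:
        return rows_to_dicts(conn.execute(sql))
    except sqlite3.Error:
        return None


def lookup_safe(conn, user_input):
    """Hardened version: accept only a plain decimal string, then bind it as a
    parameter so the database never parses user input as SQL."""
    if not isinstance(user_input, str) or not re.fullmatch(r"[0-9]+", user_input):
        return None
    cursor = conn.execute("select * from users where id = ?", (int(user_input),))
    return rows_to_dicts(cursor)


if __name__ == "__main__":
    db = make_db()
    for payload in ("7556 UNION SELECT 1,2,3-- ",
                    "7556' UNION SELECT 1,2,3-- ",
                    "'7556' UNION SELECT 1,2,3-- "):
        print(repr(payload), "->", lookup_vulnerable(db, payload), "| safe:", lookup_safe(db, payload))
```

With the unquoted numeric context, the first and third payloads return the injected row while the second fails to parse, matching the post; the parameterised lookup rejects all three.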