Web Service & API Attacks -- SQLi

I have to use SQL injection on the id parameter to find the username for the user 736373, but I can't find the solution for this. I have tried all the standard SQL injections, but I get either an error or no answer from the server.

Do you have a hint for this? I have been stuck for some time …

Thanks!

The payload is a very basic one, what threw me off a bit is that it doesn’t use quotation marks.
Hope that helps!

3 Likes

Thank you very much for your answer!

I was mainly doing it wrong because I was wrapping my parameter in quotes (?id="") instead of using '+' for spaces.

1 Like

Hi guys, I'm still trying to find out how to get the username of the user in position 736373 via SQLi. I tried all the payloads in the list below; can you give me some hints?

I’m trying to figure this one out too. Did you get it? Can you give me a hint please?

Think about:

  • easy SQL injection (among the basic ones you first learn)
  • URL encoding

Combine both and you should definitely find what you are looking for.
You can use burp to ease the process.

I posted some other hints previously but I think they were removed, probably too much lol

1 Like

Does anyone have a tip? I tried editing the py and curl file, but to no avail.

You did it?

Unfortunately, no. I ended up temporarily stopping at this point to start studying for the Security+ exam. I plan on coming back to this at some point just haven’t yet. Hope you get it.

1 Like

Hey, I found the flag!
I went through the module SQL INJECTION FUNDAMENTALS again and used the logic to find the id that always returns true; see the module section Subverting Query Logic.

1 Like

Awesome! Glad you found the flag. Thanks for sharing. :blush:

To make it easier: the original query is roughly select * from TABLE where id = 'input'. Use SQL logic to find the position of 736373. What would you add to the above query to find the position of 736373?

Thanks a lot!! I found the flag.

1 Like

use sqlmap and don’t forget to put the --dump parameter

1 Like

Not to overcomplicate it:
The section says "with a twist of SQLi", indicating we need to use some tools, for example sqlmap.
Done…!!!
sqlmap -u 'http://target_IP:PORT/?id=1' --dump

The question assumes one has some little knowledge of exploiting SQL databases.

1 Like

Here is an answer, though I suggest you keep trying as this was fun: "" or position = 736373

1 Like

I don’t think this query is technically correct. I was so stumped on this until I read ineedabetterh4ndl3’s reply. It seems this prompt is just weird to begin with.

For example:

/?id=7556+UNION+SELECT+1,2,3--+ gives [{"id":"1","username":"2","position":"3"}]

/?id=7556'+UNION+SELECT+1,2,3--+ gives Enter a valid param for HackTheB0X API

/?id='7556'+UNION+SELECT+1,2,3--+ gives [{"id":"1","username":"2","position":"3"}]

So if select * from TABLE where id = 'input' was the query then the second example shouldn’t error and instead should be outputting what the first and third examples print out.

select * from TABLE where id = '7556 UNION SELECT 1,2,3-- ' is missing a closing quote

select * from TABLE where id = '7556' UNION SELECT 1,2,3-- ' would be valid SQL

select * from TABLE where id = ''7556' UNION SELECT 1,2,3-- ' has an extra quote

So what the heck is actually going on here? Not sure if someone has been able to grab the source code from the back end, but I unfortunately don't have any more time to spend on this module to go digging. My best guess for the back-end query is the following:

select * from TABLE where id = input

Now that I actually write this out, is this because the input is an INT? In that case quotes wouldn’t be required in the SQL query to escape the input to begin with. Testing /?id=7556+UNION+SELECT+1,2,3 seems to confirm this with an output of [{"id":"1","username":"2","position":"3"}].
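As an added illustration of the reasoning in the last post (example code, not from the thread or the lab), the snippet below reproduces the guessed back end in an in-memory SQLite database with a constructed users table: an integer id concatenated straight into the SQL text, which is why the unquoted and the single-quoted variants of the three requests above behave differently. The `query_param` function beside it is the hardened form, validating the type and binding the value with a placeholder; table layout, row values and the error string are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample table mirroring the API's JSON shape (id, username, position).
    All rows are made up for this example; no row has id 7556, as in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, position INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 736373), (3, "carol", 42)],
    )
    return conn


ERROR_MSG = "Enter a valid param"  # assumed stand-in for the API's error response


def query_concat(conn, raw_id):
    """Guessed back end: the raw parameter is concatenated into the statement
    without quotes because the column is an integer.  A stray quote in the
    input breaks the statement (error), while a bare UNION is accepted."""
    sql = "SELECT id, username, position FROM users WHERE id = " + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return ERROR_MSG


def query_param(conn, raw_id):
    """Hardened form: reject anything that is not an unsigned integer, then
    bind the value with a placeholder so it can never alter the query text."""
    if not raw_id.isdigit():
        return ERROR_MSG
    sql = "SELECT id, username, position FROM users WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The three requests from the post, with '+' already decoded to spaces.
    for payload in ("7556 UNION SELECT 1,2,3", "7556' UNION SELECT 1,2,3",
                    "'7556' UNION SELECT 1,2,3"):
        print(repr(payload), "->", query_concat(db, payload), "|", query_param(db, payload))
```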