Web Service & API Attacks -- SQLi

I have to use SQL injection on the id parameter to find the username for the user 736373, but I can’t find the solution for this. I have tried all the standard SQL injections, but I get either an error or no answer from the server.

Do you have a hint for this? I have been stuck for some time …


The payload is a very basic one, what threw me off a bit is that it doesn’t use quotation marks.
Hope that helps!


Thank you very much for your answer!

I was mainly doing it wrong because I was wrapping my parameter in quotes (?id="") instead of using '+' for spaces.

Hi guys, I’m still trying to find out how to get the username of the user in position 736373 via SQLi. I tried all the payloads in the list below, can you give me some hints?

I’m trying to figure this one out too. Did you get it? Can you give me a hint please?

Think about:

  • easy SQL injection (among the basic ones you first learn)
  • URL encoding

Combine both and you should definitely find what you are looking for.
You can use Burp to ease the process.

I posted some other hints previously but I think they were removed, probably too much lol

1 Like

Does anyone have a tip? I tried editing the py and curl file, but to no avail.

You did it?

Unfortunately, no. I ended up temporarily stopping at this point to start studying for the Security+ exam. I plan on coming back to this at some point, I just haven’t yet. Hope you get it.

1 Like

Hey, I found the flag!
I went through the module SQL INJECTION FUNDAMENTALS again and I used the logic to find the id and always return true. See the module Subverting Query Logic.

1 Like

Awesome! Glad you found the flag. Thanks for sharing. :blush:

To make it easier, the original query is roughly: select * from TABLE where id = 'input'. Use SQL logic to find the position of 736373. What would you add to the above query to find the position of 736373?
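
Why a query of this shape is exposed and how to close it, as an added example that is not part of the original thread or the lab's code. The `users` table, its rows, the function names and the test input are constructed for illustration, and the unquoted numeric concatenation is an assumption about the "before" form.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def id_from_query(query_string):
    # The server URL-decodes before the value reaches SQL:
    # '+' and %20 become spaces, %3D becomes '='.
    return parse_qs(query_string, keep_blank_values=True).get("id", [""])[0]

def lookup_concat(db, raw_id):
    # "Before": the request value is pasted into the SQL text, so any
    # SQL logic in the value becomes part of the WHERE clause.
    sql = "SELECT username FROM users WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, raw_id):
    # "After": reject anything that is not a decimal integer, then bind
    # the value as a parameter so it can never be parsed as SQL.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]

if __name__ == "__main__":
    db = make_db()
    tampered = id_from_query("id=0+OR+1%3D1")  # constructed test input
    print("decoded value:", repr(tampered))
    print("concatenated :", lookup_concat(db, tampered))
    try:
        lookup_bound(db, tampered)
    except ValueError as exc:
        print("bound        : rejected,", exc)
```

Validation has to run on the decoded value, since the encoded form in the URL contains no spaces or `=` for a filter to match.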

Thanks a lot!! I found the flag.

Use sqlmap and don’t forget to put the --dump parameter.

1 Like

Not to overcomplicate it:
The section says "with a twist of SQLi", indicating we need to use some tools, for example sqlmap.
sqlmap -u 'http://target_IP:PORT/?id=1' --dump

The question assumes one has a little knowledge of exploiting SQL databases.

1 Like