Inj3ction Time
100 points Hard

I stumbled upon this website: http://web.ctflearn.com/web8/ and I think they have the flag in there somewhere. UNION might be a helpful command.

Rating 4.71

Discussion

BBBBBBBBOOOOOOOOOOOTTTTTTTTTTTTTAAAAAAAAAAKKKKKKKKKK!!!!!!!!!!!!

0

now it would actually be hard if you didn't give away the part that requires thinking, which is to use UNION and ORDER BY

0

That's really good practice, but it's med level. Some hints for starters: 1- Check first what the URL looks like before and after sending data, so you can know about filtering. 2- UNION is the 1st step for any SQLi, so read more about it. 3- After that you can see clearly how you can write your injection queries without blocking filters. 4- Now, what you are looking for is two things mainly: () - tables () - columns. After all that => you will find the REAL flag.

0

I'm confused. I tried the commands shown in the comments but nothing returned. Has this challenge changed since the comments were posted?

-1

I used sqlmap, used the opportunity to learn about sqlmap

0

Should be considered an easy injection question, solvable without using any tool with just manual trial and error in a cpl minutes. Now it would actually be hard if you didn't give away the part that requires thinking, which is to use UNION and ORDER BY

-1

I swear I knew SQL for SQLi like 2 months ago and I just forgot most of it ☠️

4

Needs basic understanding of union and order in sql injection perspective.

0

A beautiful concept explained here, as it focuses on SQLi using UNION.

0

Is it by design that https://web.ctflearn.com/web8/fade.js is missing and returns 404 when the browser tries to load it?

0

This was really quick but fun. The hint gave it away instantly for me

1

Hello,

I have a doubt.

When given an id, it returns 3 text values (name, breed and color). When I try the payload (id=1+union+select+'a','b','c','d'), why is it returning nothing?

Because, since it returns text values when an id is given, the result from the union operation should be text values or the union query will fail.

But when I use the payload below, it works fine: id=1+union+select+1,2,3,4

The above query should cause an error and should not give any results. But the app is returning the values 1,2,3 on the website.

What is happening here? Could anyone explain it to me?

Thanks

In place of 1 in id=1+union+select+1,2,3,4 I have used 'a'. So the query now is

id=1+union+select+'a',2,3,4. <---- This is returning 0 results.

But when I use the query below, it returns table names.

id=1+union+select+table_name,2,3,4 from information_schema.tables <---- returns table names

No idea why. Could someone please explain?

Thanks

0
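One possible explanation for the behaviour asked about in the last comment, as an added example that is not part of the original thread or the challenge's code: if the application concatenates `id` into a numeric context and backslash-escapes quotes (the filtering an earlier hint alludes to), quoted literals break the statement while quote-free UNION rows pass, whatever their column types. The schema, the `escape_quotes` filter and the use of SQLite (which, like MySQL, does not require UNION column types to match, only the column count) are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real challenge schema is unknown.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dogs (id INTEGER, name TEXT, breed TEXT, color TEXT);
        INSERT INTO dogs VALUES (1, 'Rex', 'Collie', 'brown');
    """)
    return db

def escape_quotes(value):
    # Assumed filter: backslash-escape quotes, in the style of PHP addslashes().
    return value.replace("\\", "\\\\").replace("'", "\\'")

def lookup_vulnerable(db, raw_id):
    # Escaping quotes does not help here: the value lands in a numeric
    # context, so no quote is needed to change the statement.
    sql = "SELECT id, name, breed, color FROM dogs WHERE id = " + escape_quotes(raw_id)
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # syntax errors are swallowed, so the page shows nothing

def lookup_fixed(db, raw_id):
    # Validate the type, then bind the value instead of concatenating it.
    try:
        dog_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT id, name, breed, color FROM dogs WHERE id = ?"
    return db.execute(sql, (dog_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for raw in ["1",
                "1 union select 1,2,3,4",          # integers in text columns: accepted
                "1 union select 'a',2,3,4",        # quotes escaped -> syntax error -> no rows
                "1 union select name,2,3,4 from dogs"]:  # text value, no quotes needed
        print(f"{raw!r:45} vulnerable={lookup_vulnerable(db, raw)} fixed={lookup_fixed(db, raw)}")
```
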