Go to the login page and, in the username field, enter ( ' or 1=1;-- ) without the brackets. The quote closes the string literal, the OR 1=1 makes the WHERE clause always true, and the comment marker discards the rest of the SQL statement, so the query brings back a positive match. The first flag is then shown on the dashboard.
There is a link to the Terms & Conditions of the website on the home page, which says that visitors' IP addresses are logged. We cannot put an injection payload into our real IP address, but we can try the common "X-Forwarded-For" header. No errors are produced and the injection is totally blind, but if you send a correct payload in the header, such as "X-Forwarded-For: ' UNION SELECT SLEEP(10),2,3;", you will notice the page load pause for 10 seconds. Using the SLEEP() delay as an oracle, we can enumerate the flag table with UNION and a LIKE condition to extract the flag.
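The defensive side of the X-Forwarded-For point, as an added example that is not part of the original writeup or the lab's code: a header that exists only to record a visitor IP never needs to hold anything but an IP, so it is validated with the standard ipaddress module before it is stored with a bound parameter, and the same validator is reused as a detection rule over access logs. The log layout, the visits table and the sample log lines are all constructed for this example (the layout assumes the request time in seconds followed by the quoted header value at the end of each line); none of it comes from the page.

```python
import ipaddress
import re
import sqlite3


def client_ip_from_xff(header_value):
    """Return the first entry of an X-Forwarded-For value if it is a valid
    IPv4/IPv6 address, otherwise None. Anything that is not an address
    (a SQL fragment, for instance) is rejected before it reaches the DB."""
    if not header_value or header_value == "-":
        return None
    first = header_value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def make_visits_db():
    # Constructed table for the example, not the lab's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (ip TEXT)")
    return db


def log_visit(db, remote_addr, xff_header):
    """Record the visitor address. Falls back to the socket address when the
    header is absent or invalid, and always binds the value as a parameter
    instead of pasting it into the INSERT text."""
    ip = client_ip_from_xff(xff_header) or remote_addr
    db.execute("INSERT INTO visits (ip) VALUES (?)", (ip,))
    return ip


# Hypothetical access-log layout for the detection part: remote address
# first, request time in seconds and the quoted X-Forwarded-For value last.
LOG_RE = re.compile(r'^(\S+) .* (\d+\.\d+) "([^"]*)"$')


def flag_suspicious_xff(lines, slow_seconds=5.0):
    """Two signals for a blind, time-based injection attempt through the
    header: a header value that is not an IP, and a response that took
    suspiciously long (the SLEEP() delay shows up as request time)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        remote, seconds, xff = m.group(1), float(m.group(2)), m.group(3)
        if xff != "-" and client_ip_from_xff(xff) is None:
            findings.append((remote, "non-IP X-Forwarded-For", xff))
        if seconds >= slow_seconds:
            findings.append((remote, "slow response", xff))
    return findings


# Constructed sample log lines (not captured from the lab).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 0.031 "198.51.100.7"',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 0.028 "-"',
    '203.0.113.9 - - [01/Jan/2024:10:00:10 +0000] "GET / HTTP/1.1" 200 10.012 "\' UNION SELECT SLEEP(10),2,3;"',
]

if __name__ == "__main__":
    db = make_visits_db()
    print(log_visit(db, "203.0.113.9", "' UNION SELECT SLEEP(10),2,3;"))
    for finding in flag_suspicious_xff(SAMPLE_LOG):
        print(finding)
```

The first entry of the header is used because that is the one a client controls; if your edge proxy appends its own trusted hop, take the entry from the right-hand side instead, but validate it the same way.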
On the register page there is an AJAX call which checks whether the supplied username is available to register, returning a simple true or false. This endpoint is injectable, and using the true/false output we can enumerate data from the database and get the flag: /register/user-check?username=a' UNION SELECT 1,2,3 from flag where flag like 'T%
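An added example (not code from the writeup or the lab) covering both the login bypass above and the username-check oracle: each query is shown as the concatenated form the writeup exploits and as the parameterised form that fixes it. With placeholders the quote, the semicolon and the comment marker in the login payload are just characters in a string, and the UNION in the user-check payload is compared against the username column literally instead of being executed. The schema, the user and the flag value are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed sample schema, not the lab's database. The password is
    # stored in clear only to keep the example short; real code stores a hash.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'correct-horse');
        INSERT INTO flag VALUES ('FLAG{constructed-sample}');
    """)
    return db


def login_vulnerable(db, username, password):
    # The input is pasted into the SQL text: a quote ends the string literal,
    # OR 1=1 makes the condition true and -- comments out the password check.
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    # Placeholders: the values travel separately from the SQL text, so
    # ', ; and -- in the input are data, not syntax.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def username_available_vulnerable(db, username):
    # Returns True when no row matches. The row is never displayed, but the
    # True/False answer alone is an oracle: a UNION that only yields a row
    # when a condition on another table holds flips the result.
    sql = "SELECT id, username, password FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchone() is None


def username_available_hardened(db, username):
    # Bound value: the whole payload is compared to the username column as
    # one literal string, so the answer depends only on the users table.
    sql = "SELECT id, username, password FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is None
```

The user-check endpoint is worth a second look even after the fix: a true/false answer about whether a username exists is itself an enumeration surface, so rate-limit it and keep the query scoped to the users table only.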
The link to the user who wrote the blog posts is easily injectable via the id parameter, but enumerating the database from here turns up no flag table. Further into the code there is a second SQL statement which takes the result of the first one to display the posts created by that user. By injecting our own payload through the first SQL injection we can inject into the second statement, which does have access to the flag table: /user?id=0 UNION SELECT '0 UNION SELECT 1,flag,3,4 from flag',2,3 . I call this SQL Inception 😉
When viewing a blog post there is a very simple SQL injection in the id field which returns MySQL error messages. Using these error messages it is easy to select the flag from the flag table and reflect it on the webpage: /post?id=0 UNION SELECT 1,2,flag,4 from flag
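An added example, not code from the writeup or the lab, for the two previous points together: the "SQL Inception" second-order injection on /user?id= and the reflected error messages on /post?id=. The vulnerable function builds both statements by concatenation and hands the driver's error text back to the caller, which is what makes error-based extraction possible; the hardened one checks the id's type, binds every value (including the one that came back from the first query, since database output is still data), and returns a fixed message on failure. The schema, the post and the flag value are constructed for this example.

```python
import sqlite3


def make_blog_db():
    # Constructed sample schema (not the lab's): users, their posts, a flag.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author INTEGER);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO users VALUES (1, 'alice', 'writes posts');
        INSERT INTO posts VALUES (1, 'hello', 'first post', 1);
        INSERT INTO flag VALUES ('FLAG{constructed-sample}');
    """)
    return db


def user_posts_vulnerable(db, user_id):
    """/user?id=... as the writeup describes it: two concatenated statements,
    the second built from the first one's result. Returns (rows, error)."""
    try:
        user = db.execute(
            "SELECT id, name, bio FROM users WHERE id = " + user_id).fetchone()
        if user is None:
            return [], None
        # Second-order point: user[0] came back from the database, but the
        # UNION in the first statement lets the request decide what it holds,
        # so this concatenation is injectable although it never sees the
        # raw query string.
        rows = db.execute(
            "SELECT id, title, body, author FROM posts WHERE author = "
            + str(user[0])).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        # Reflecting the driver's message is the /post?id= problem: it tells
        # the sender exactly how the statement broke.
        return [], "Database error: " + str(exc)


def user_posts_hardened(db, user_id):
    """Same feature: validate the id's type, bind every value, and never
    reveal the database's own error text."""
    try:
        uid = int(user_id)
    except ValueError:
        return [], "invalid id"
    try:
        user = db.execute(
            "SELECT id, name, bio FROM users WHERE id = ?", (uid,)).fetchone()
        if user is None:
            return [], None
        # Bound even though user[0] is "our own" data: values that come out
        # of the database are still values, not SQL.
        rows = db.execute(
            "SELECT id, title, body, author FROM posts WHERE author = ?",
            (user[0],)).fetchall()
        return rows, None
    except sqlite3.Error:
        # Log the real exception server-side; the client gets a fixed message.
        return [], "request failed"
```

The type check is what defeats the writeup's payload outright, but the binding in the second statement is the part that matters in general: a value that is stored safely today and concatenated tomorrow is the classic second-order bug, so treat every query the same way regardless of where its inputs came from.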