Forum Discussion
Secure Testing: SQL Injection
The 6th and 7th questions in this lab are not matching the briefing section. Answers in the briefing section are not accepted as the correct answer. Something is wrong with the evaluation part.
10 Replies
- NyePrior
Immerser
👋 SureshKumar
Can I ask what payload(s) you're trying in the username and/or password fields of the application? I've just given it a go myself, and the lab is working as we would expect, but I'm happy to try and troubleshoot what you've tried so far :)
- MadelineDadamio
Community Support
Hi Robert_JOHN I wanted to follow up and check in to see if you were still working on this. Our team would be happy to assist you. As mentioned earlier, could you share which payload(s) you’re using in the username and/or password fields of the application? Looking forward to hearing from you.
- netcat
Silver III
The only hint to give: Re-read the briefing section. The lab works fine.
- Anonymous
I figured out what I was doing wrong. You don't type the whole payload in the username field; you use the suggestions.
- Wilburritos
Bronze I
I'm going to make this as easy as possible without actually giving you the answer. The reason being is because once people see the answer they will be able to better understand the problem in the future.
A variation of this will be used for the final 2 answers in the email field. This is the exact query that you have to edit in the lab.
SELECT * FROM users WHERE username='' or username='admin' --' and password='testing123'
All of the ' in this query are single quotes except one. The 2nd ' after username in the initial query is a backtick, the character that breaks the query. They try to help you understand this with the prior question, where they only needed the ` (backtick) to get the same error. I didn't know which one was the backtick originally. Once I knew, it became more obvious that they are pointing you towards that character. The second piece of information that will wrap this up for you is the statement where it says sometimes it's useful to use the URL-encoded equivalent. This information will get you the second-to-last question.
Adjust the second to last query with the specified username instead and you will have the final answer.
Hope that helps!
- TillyCorless
Community Manager
Hi SureshKumar, thanks for starting a discussion about this. I'll share this with the lab author to check and update you.
In the meantime, I can see that tc234e has recently completed the lab, along with others. I wonder if they can offer any hints or speak of their experience with the lab?
- Robert_JOHN
Bronze I
It appears this may be a sporadic issue. I have completed the lab using the information in the Briefing, until I get to question 7.
Nothing I provide will allow me to access the site as the user.
- PersephoneHexworth
Immerser
Hey Robert_JOHN! Hope you're having a great week! Similar to what NyePrior stated earlier, what payload(s) are you trying in the username and/or password fields of the application? This will help with troubleshooting!
- rwilli80
Bronze I
I also cannot get this to work, using the email field and the example injections at the bottom of the lab.
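As an added illustration of the query Wilburritos quotes earlier in this thread (example code written for this page, not from the lab or any poster), the script below rebuilds a login check by string concatenation, shows that the `' or username='admin' --` input skips the password check and that a lone quote produces the database error the briefing's earlier question has you provoke, and contrasts it with a parameterized query that treats the same input as plain data. The in-memory SQLite database, the admin account and its password are constructed sample values; the lab's own database engine is not stated in the thread.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data: one admin account in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the lab's pattern).

    Returns True/False for a normal result, or "error" when the input
    breaks the SQL syntax (e.g. a stray quote), which is the database
    error the briefing has you trigger first.
    """
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"and password='{password}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        return "error"
    return row is not None

def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is never parsed as SQL."""
    query = "SELECT * FROM users WHERE username=? and password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None

def decode_form_value(raw):
    """Web servers URL-decode form fields before the application sees them,
    so a URL-encoded payload arrives as exactly the same string."""
    return unquote(raw)

# The username input behind the query quoted in the thread. The -- comment
# discards the rest of the statement, so the password is never compared.
BYPASS = "' or username='admin' --"
BYPASS_ENCODED = "%27%20or%20username%3D%27admin%27%20--"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "testing123"))                      # True
    print(login_vulnerable(db, decode_form_value(BYPASS_ENCODED), "x"))    # True
    print(login_vulnerable(db, "'", "x"))                                  # error
    print(login_parameterized(db, BYPASS, "testing123"))                   # False
    print(login_parameterized(db, "admin", "s3cret"))                      # True
```

The parameterized version is the fix to look for in code review: the same input that rewrote the concatenated query is simply a username that does not exist.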