Forum Discussion

Bronze I

8 months ago

Solved

Secure Testing: SQL Injection

6th and 7th questions in this lab is not matching with the briefing section. Answers in the briefing section is not accepted as the correct answer. something wrong with the evaluation part.

application security

help & support

Wilburritos
2 months ago
I'm going to make this as easy as possible without actually giving you the answer. The reason being is because once people see the answer they will be able to better understand the problem in the future.

A variation of this will be used for the final 2 answers in the email field. This is the exact query that you have to edit in the lab.

SELECT * FROM users WHERE username='' or username='admin' --' and password='testing123'

All of the ' in this query are single quotes except 1. The 2nd ' after username in the initial query is a backtick the character that breaks the query. They try to help you understand this with the question prior with how they only needed the ` (backtick) to get the same error. I didn't know which one was the backtick originally. Once I knew it becomes more obvious that they are pointing you towards that character. The second piece of information that will wrap this up for you is the statement where it says sometimes it's useful to use the URL encoded equivalent. This information will get you the second to last question.

Adjust the second to last query with the specified username instead and you will have the final answer.

Hope that helps!

Anonymous

8 months ago

Hi SureshKumar, thanks for starting a discussion about this. I'll share this with the lab author to check and update you.

In the meantime, I can see that tc234e has recently completed the lab, along with others. I wonder if they can offer any hints or speak of their experience with the lab?

Robert_JOHN

Bronze I

7 months ago

It appears this maybe a sporadic issue. I have completed the lab using the information in the Briefing, until I get to question 7.

Nothing I provide will allow me to access the site as the user.

PersephoneHexworth
Alumni
7 months ago
Hey Robert_JOHN! Hope you're having a great week! Similar to what NyePrior stated earlier, what payload(s) are you trying in the username and/or password fields of the application? This will help with troubleshooting!
KieranRowley
Community Manager
7 months ago
Thanks for the extra information, I will log a ticket with support on your behalf

Forum Discussion

Secure Testing: SQL Injection

Featured Places

Help & Support Forum

Related Content

Course Secure Testing: XSS

Pen Test CTFs: Jinja2 Exploitation

Rails: SQL Injection (Bugged?)

Pen Test CTFs: Immersive Code Q4

Stuck on "SQL Injection (Module 1) : File download"

Recent Discussions

Elastic Data Ingest: Ep.1 – Auditbeat

Ep 7 Post Exploitation With Metasploit

Active Directory Basics: Demonstrate Your Skills

Serial Maze Support Group

Web App Hacking (Lab series): CVE-2022-2143 (iView2)