[ Solution ] SQLi Labs - Challenge 54 [ GET ]

This is a SQL injection problem from the challenges section of the SQLi Labs by AUDI 1.

We are supposed to input an id (integer) as a parameter in the URL to find the 'secret key' that is hidden in one of the random tables of the database. All we know is the name of the database: 'challenges'.

The interesting part is that we have 10 attempts to submit our queries and get the secret key.

After 10 unsuccessful attempts, the problem resets and produces a random table and a random column within it, which in turn produces a random secret key.

So, the first attempt is to break the query. On providing a single quote, the query breaks.

We have successfully broken the query and fixed it by commenting out the rest of the query. Now we have ample opportunities to inject our queries in between the quote and the comment:

Query :

index.php?id=1' (our input query here) --+

In order to find out the number of columns that have been used, we can try out the 'ORDER BY' clause.

Query :

index.php?id=1' ORDER BY 4 --+

This gives no result, which means it's an error. So, let's try a smaller number.

index.php?id=1' ORDER BY 3 --+

And that works! So, we have 3 columns. Now that we know the number of columns, let's try to get the name of the random table which has the secret key.

Query :

index.php?id=-1' union select 1,table_name,3 from information_schema.tables where table_schema='challenges' --+

We put a '-1' (a negative) because we need that part of the query to be false, so that the original SELECT returns no row and the result of our UNION SELECT is what gets evaluated and displayed. We use 1, 2, 3 because we already know that there are only 3 columns. Instead of 2 (any one of the three columns can be chosen), we use 'table_name', which is what we need.

This query gives us the name of the table that is randomly created in the database.

since the second column , which we chose to inject our query is the login name column , the value

Now we know the name of the table which has our secret key. So, our query can be altered a bit:

Query :

index.php?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name = '27PGCA7N15TZ' --+

So, now we get the columns within the table. Among these, the 'secret_VIL3' column seems interesting. Our next query is very simple. Since we know the table name and column name, we just need to use them in the query:

Query :

index.php?id=-1' union select 1,2,group_concat(secret_VIL3) from 27PGCA7N15TZ --+

There we are! That is the secret key that we needed. Let's try it!
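
Why each step above behaves the way it does, and what stops it, as an added example that is not part of the original post or the SQLi Labs source. It assumes the lab pastes `id` between single quotes, and it uses Python with an in-memory SQLite database and constructed names (`users`, `secrets`, `secret_key`) in place of the lab's PHP and MySQL.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in data; SQLite in memory instead of the lab's MySQL.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'pw-1');
        CREATE TABLE secrets (secret_key TEXT);
        INSERT INTO secrets VALUES ('CONSTRUCTED-SECRET');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    # Assumed flaw: the parameter is pasted between single quotes.
    sql = "SELECT id, username, password FROM users WHERE id='" + raw_id + "' LIMIT 1"
    return db.execute(sql).fetchall()

def lookup_hardened(db, raw_id):
    # Allow-list the expected type, then bind the value as a parameter.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT id, username, password FROM users WHERE id = ? LIMIT 1"
    return db.execute(sql, (int(raw_id),)).fetchall()

def outcome(lookup, raw_id):
    # Return the rows, or "error" when the database rejects the statement.
    try:
        return lookup(make_db(), raw_id)
    except sqlite3.Error:
        return "error"

# Input shapes from the walkthrough, already URL-decoded ("--+" becomes "-- ").
SAMPLES = [
    "1",
    "1'",
    "1' ORDER BY 4 -- ",
    "1' ORDER BY 3 -- ",
    "-1' union select 1,2,secret_key from secrets -- ",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), outcome(lookup_vulnerable, s), outcome(lookup_hardened, s))
```

In the vulnerable lookup the stray quote and `ORDER BY 4` produce errors, `ORDER BY 3` succeeds, and the `-1` input returns only the UNION row; the hardened lookup returns nothing for every input except the plain integer.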
