OWASP top 10 vulnerabilities CTF lesson – SQL Injection

CTF365 lesson is based upon OWASP top 10 vulnerabilities which is still valid in 2020. The following are the lessons that are provided by CTF365. Let me tell you they are not only top 10, instead the list is of top 11 and please note they are not in any order. You can signup security shepherd using CTF365 account and start learning.

1. Broken Session Management
2. Cross Site Request Forgery (CSRF)
3. Cross Site Scripting (XSS)
4. Failure to Restrict URL Access
5. Insecure Cryptographic Storage
6. Insecure Direct Object References
7. Poor Data Validation
8. Security Misconfiguration
9. SQL Injection (SQLi)
10. Untrusted Input
11. Unvalidated Redirects and Forwards

9. SQL Injection

The short description has been given in the page itself but if you want to read more about it then you can always checkout the official OWASP page where they have described it more. Please click here to go to the link.

The task here is as follows

Exploit the SQL Injection flaw in the following example to retrieve all of the rows in the table. The lesson’s solution key will be found in one of these rows! The results will be posted beneath the search form.

SQL injection or SQLi is the most critical vulnerability that exists. A hacker can view data and may get shell access if they can exploit it.

To solve this challenge we need to inject the SQL in the given login form. Lets try to most common one ‘ OR 1=1 —

We got the error. It looks like the backend database use is MySQL. Lets try another query comment #. Now our query becomes ‘ OR 1=1 #

YAY!! We got what we need. Paste the last comment and finish SQL Injection lesson. BTW instead of # we can also use — –. Try inputting ‘ OR 1=1 — – . Did you get it?

Leave a Reply

Your email address will not be published. Required fields are marked *