SQL Injection (Basics)

Answer The Questions

Challenge 1:
Scenario: 
You encounter a login form with username and password fields. You suspect SQL injection. You try the username ' or '1'='1. The login is successful, bypassing authentication.
Question: 
What basic SQL injection payload bypassed the login?
 

Login to Answer

Challenge 2:
Scenario: 
After logging in, you find a page that displays user details based on a user ID provided in the URL: example.com/user.php?id=1. You suspect you can inject SQL into the ID parameter.
Question: 
What classic SQL injection payload would you use to cause an error that might reveal database information by attempting to break the SQL query?
 

Login to Answer

Challenge 3:
Scenario: 
The error reveals the database is MySQL. You want to determine the current database name. You try injecting ' UNION SELECT database() -- -.
Question: 
What function retrieves the name of the current database?
 

Login to Answer

Challenge 4:
Scenario: 
You've identified the database name. Now you want to list all tables in the database. You inject: ' UNION SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE() -- -.
Question: 
What schema contains information about tables and columns in the database?
 

Login to Answer

Challenge 5:
Scenario: 
You've found a table named "users". Now you want to see the column names in that table. You inject: ' UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'users' -- -.
Question: 
You are looking for a column name of the database?
 

Login to Answer

Challenge 6:
Scenario:
You find columns like "username" and "password". You want to retrieve the data from the "users" table. You inject: ' UNION SELECT username, password FROM users -- -.
Question: 
What type of SQL injection you are performing?
 

Login to Answer

Answer The Questions

Challenge 1:
Scenario: 
You have a URL that you believe is vulnerable. You want to use SQLmap to test it. You run the basic command: sqlmap -u "example.com/vuln.php?id=1" --dbs.
Question: 
What SQLmap option is used to enumerate databases?
 

Challenge 2:
Scenario: 
SQLmap identifies that the id parameter is vulnerable to SQL injection. You want to list the tables in the database. You run: sqlmap -u "example.com/vuln.php?id=1" -D "database_name" --tables.
Question: 
What SQLmap option is used to enumerate tables within a specified database?

Challenge 3:
Scenario: 
You've identified a table called "users". Now you want to list the columns in the "users" table. You run: sqlmap -u "example.com/vuln.php?id=1" -D "database_name" -T "users" --columns.
Question: 
What SQLmap option is used to enumerate columns within a specified table?
 

Challenge 4:
Scenario: 
You see columns named "username" and "password". You want to dump the contents of these columns. You run: sqlmap -u "example.com/vuln.php?id=1" -D "database_name" -T "users" -C "username,password" --dump.
Question: 
What SQLmap option is used to extract data from the database?
 

Challenge 5:
Scenario: 
You want to determine the backend database management system being used by the web application. You use the option --technique=B
Question: 
What do you need to add to find the technique?
 

Challenge 6:
Scenario: 
After identifying that the database server is MySQL you would like to run some commands on the database server itself.
Question: 
What SQLmap option do you use to execute operating system commands?
 

Answer The Questions

Challenge 1: Bypassing Authentication
Scenario:
You are testing Craw.in’s login page. It requires a username and password, but you don’t have valid credentials. You suspect that the backend SQL query is:
sql
SELECT * FROM users WHERE username = '$user' AND password = '$pass';
By injecting SQL into the login fields, you can bypass authentication.
Question:
What payload would you use in the username field to bypass authentication?
 

Challenge 2: Extracting User Data
Scenario:
After bypassing authentication, you access the dashboard. You find a search feature that interacts with a SQL database. It executes queries like:
sql
SELECT * FROM users WHERE name LIKE '%$input%';
You try entering ' OR '1'='1' -- and notice that all user details appear.
Question:
What SQL clause can be used to retrieve all user data?
 

Challenge 3: Finding the Number of Columns
Scenario:
Now, you want to retrieve sensitive information from another table. To use UNION SELECT, you first need to find the correct number of columns in the query.
Question:
What SQL payload helps determine the number of columns in the database table?
 

Challenge 4: Extracting Table Names
Scenario:
You suspect that Craw.in stores user credentials in a table. You decide to extract the table names using information_schema.tables.
Question:
What SQL injection payload retrieves table names from the database?
 

Challenge 5: Extracting Column Names
Scenario:
Now that you have found the table name (e.g., users), you need to extract the column names containing sensitive data.
Question:
What SQL injection payload retrieves column names from the users table?
 

Challenge 6: Dumping User Credentials
Scenario:
After retrieving column names, you identify username and password. Now, you execute an attack to extract user credentials.
Question:
What SQL payload retrieves usernames and passwords from the users table?

Challenge 7: Dropping the Database
Scenario:
In a real attack, a malicious hacker might try to delete the database. Craw.in has a serious vulnerability in its SQL query handling.
Question:
What SQL command would delete all records in the users table?