When injecting into a numeric field in a SQL query, you do not need to break out of single quotes as part of your injection. The original query looks like this:
SELECT username FROM users WHERE isadmin = OUR_INPUT_HERE GROUP BY username ORDER BY username ASC
The isadmin variable is Boolean, expected to have the value true or false. Try injecting the string
true
The results show you which users are administrators.
We can perform the same injection attacks as shown in Challenge 1, except that we don't need quotes. Instead, we can just add SQL commands after the Boolean variable using a space.
Once we have found our SSN table, we can pull all the data using the following injection string:
true union select ssn as username from sqlol.ssn where 1=1
Notice that this query gets the SSNs followed by the usernames of the administrators. That's what UNION does: it combines the rows returned by two SELECT statements into a single result set, so the output of the injected SELECT is appended to the results of the original query.
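As an added example (not part of the original walkthrough or of SQLol itself), the following Python script rebuilds the challenge's query over a constructed SQLite database, runs the injection string above against the concatenated form to show why a numeric field needs no quotes, and then shows the fix: allow-listing the Boolean and binding it as a parameter. The table contents, the ATTACHed `sqlol` database and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data (not from the challenge): a users table with a
# Boolean isadmin column and a separate sqlol.ssn table.  The sqlol schema
# is an ATTACHed in-memory database so that "sqlol.ssn" resolves as written.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS sqlol")
    conn.executescript("""
        CREATE TABLE users (username TEXT, isadmin INTEGER);
        INSERT INTO users VALUES ('alice', 1), ('bob', 0), ('carol', 1);
        CREATE TABLE sqlol.ssn (ssn TEXT);
        INSERT INTO sqlol.ssn VALUES ('111-11-1111'), ('222-22-2222');
    """)
    return conn

# The injection string from the walkthrough, verbatim.
PAYLOAD = "true union select ssn as username from sqlol.ssn where 1=1"

def admins_vulnerable(conn, user_input):
    """Builds the challenge's query by string concatenation.  Because the
    field is numeric there are no quotes to escape: anything after a space
    in the input is parsed as more SQL."""
    sql = ("SELECT username FROM users WHERE isadmin = " + user_input
           + " GROUP BY username ORDER BY username ASC")
    return [row[0] for row in conn.execute(sql)]

def coerce_bool(user_input):
    """Allow-list the only two values the field is documented to accept and
    turn them into an integer; anything else is rejected before it reaches
    the database."""
    if user_input not in ("true", "false"):
        raise ValueError("isadmin must be 'true' or 'false'")
    return 1 if user_input == "true" else 0

def admins_safe(conn, user_input):
    """Same query with the validated value bound as a parameter, so the
    driver always treats it as data and never as SQL text."""
    sql = ("SELECT username FROM users WHERE isadmin = ? "
           "GROUP BY username ORDER BY username ASC")
    return [row[0] for row in conn.execute(sql, (coerce_bool(user_input),))]

if __name__ == "__main__":
    conn = build_db()
    print(admins_vulnerable(conn, "true"))   # ['alice', 'carol']
    print(admins_vulnerable(conn, PAYLOAD))  # ['111-11-1111', '222-22-2222', 'alice', 'carol']
    print(admins_safe(conn, "true"))         # ['alice', 'carol']
    try:
        admins_safe(conn, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable function returns the SSNs mixed into the admin list exactly as the walkthrough describes, while the safe version rejects the same input before any SQL is built.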
Posted 12-31-12 by Sam Bowne