💉 SQL Injection Challenge

HARD

Exploit the vulnerable login system

📋 Challenge Description

You've discovered a login portal with a critical SQL injection vulnerability. The backend query is poorly constructed and doesn't properly sanitize user input. Your mission is to bypass the authentication and retrieve the admin flag from the database.


Objective: Use SQL injection techniques to login as admin and retrieve the hidden flag.

📄 Backend Code (Python + SQL)
# Vulnerable backend authentication code
# `database` is the application's database connection object; it is not defined in this excerpt.

def authenticate(username, password):
    # VULNERABLE: user-supplied values are concatenated into the SQL text, so a quote
    # character in either field changes the structure of the query itself
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"

    result = database.execute(query)

    if result:
        # The first matching row (including its role and flag columns) is returned to the caller
        return {
            "success": True,
            "user": result[0],
            "message": "Login successful!"
        }
    else:
        return {
            "success": False,
            "message": "Invalid credentials"
        }

🗄️ Database Schema Information

Table: users
Columns: id, username, password, role, flag

Sample Data:
| id | username | password | role  | flag                            |
|----|----------|----------|-------|---------------------------------|
| 1  | admin    | ******** | admin | CTF{sql_1nj3ct10n_m4st3r_2024}  |
| 2  | user     | password | user  | NULL                            |
| 3  | guest    | guest123 | guest | NULL                            |

💡 The admin's flag is hidden in the database!

💡 Hints to Get Started:

1. SQL Injection Basics: The query uses string concatenation. Think about how to break out of the quotes.
2. Comment Syntax: In SQL, you can use -- or # to comment out the rest of a query.
3. Always True: Try injecting something that makes the WHERE clause always true, like: ' OR '1'='1
4. Admin Bypass: Can you make the query check for username='admin' and ignore the password check?
5. Try This: Username: admin'-- Password: (anything)
6. Understanding the Query: After injection, the query becomes:
   SELECT * FROM users WHERE username='admin'--' AND password='...'
7. Ask a Chatbot: "How do I bypass SQL authentication using SQL injection? The query is: SELECT * FROM users WHERE username='X' AND password='Y'"

Flag Format: CTF{...}
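To see why the backend code above fails and what the fix looks like, here is an added, self-contained example (not part of the challenge's own code) that rebuilds the users table in an in-memory SQLite database with constructed sample passwords, runs the challenge's string-concatenated query beside a parameterised version, and feeds both the username from hint 5. The function names, the sample data and the `:memory:` database are assumptions of this example.

```python
import sqlite3


def build_db():
    # Constructed copy of the challenge's users table; passwords are sample values.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT, flag TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "s3cr3t-admin-pw", "admin", "CTF{sql_1nj3ct10n_m4st3r_2024}"),
            (2, "user", "password", "user", None),
            (3, "guest", "guest123", "guest", None),
        ],
    )
    return db


def authenticate_vulnerable(db, username, password):
    # Same construction as the challenge backend: the input is pasted into the SQL
    # text, so a quote followed by -- in the username comments out the password check.
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    row = db.execute(query).fetchone()
    return {"success": row is not None, "user": row, "query": query}


def authenticate_fixed(db, username, password):
    # Parameterised query: the driver passes the values separately from the SQL text,
    # so the whole string "admin'--" is compared literally against the username column.
    # (A real system would also store a password hash rather than the plaintext.)
    query = "SELECT * FROM users WHERE username=? AND password=?"
    row = db.execute(query, (username, password)).fetchone()
    return {"success": row is not None, "user": row, "query": query}


if __name__ == "__main__":
    db = build_db()
    for fn in (authenticate_vulnerable, authenticate_fixed):
        r = fn(db, "admin'--", "anything")
        flag = r["user"][4] if r["user"] else None
        print(f"{fn.__name__}: success={r['success']} flag={flag}")
        print(f"  executed: {r['query']}")
```

Running it shows the vulnerable function returning the admin row (and its flag) without a valid password, while the parameterised version rejects the same input.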