Hello everybody! Welcome back to another YouTube video. My name is John Hammond and we're looking at the Sunshine CTF. We've moved into the web category. This challenge is called Wrestler Book and I'm kind of excited to show it to you. I really like this kind of challenge. I think it's some fun SQL injection. So let's get right to it. Wrestler Book is the social network for wrestlers by wrestlers. Wrestler Book is exclusively for wrestlers, so if you didn't get an invite, don't bother trying to view our profiles. Rude? All right, so let's check out what this link is and welcome to Wrestler Book, sign in to view your profile. Cool, okay. Let's just see if we can log in with anything. Guest, guest, nope. Thanks LastPass. I don't need that extra security right now. Your login name or password is invalid. Try again. Okay, what about admin? Admin, still nothing. Admin password, still nothing. LastPass is just gonna keep trying, dude. Give up, buddy. All right, this is the CTF challenge. So let's try some SQL injection, right? We've got iterations or some possible combinations of what we can be using here. The string might be with a single quote, the string might be with a double quote, that would cover the terminating string. You've also got the comment. The comment might be two hyphens, or it might be a hashtag, or it might be that forward slash star if we can get away with that. So let's just try some of them. We can try like admin, and then hyphen, and let's do or one equals one, and then comment that hyphen hyphen, and I'll paste that in for the password as well. Okay, it looks like that got me in. That or one equals one is going to just straight up return the first result that it finds. Looks like that happens to be Hulk Hogan. We retrieve some information from him. We've got Hulk Hogan, username Hulk Hogan, age 65, and then a title, and then the flag is not available. Okay, dang.
So can we reproduce that without an or one equals one, or will we just straight up fail? Like will our SQL injection work even without that? Okay, we get a login password. That's fine. Good. So now we can try. Now we know we have in our minds, we've got a valid SQL injection, some kind of vulnerability. So what that means is we may or may not have explicit results returned to us, as in we can see some of our requests displayed on the screen, because that's very, very valuable. That means we don't have to do any crazy tricks, like a blind SQL injection where we only get a threshold, we can control a yes or a no, whether or not something actually returns or doesn't return. So well, that's the next step. Now that we found the SQL injection vulnerability, we can pretty much always do blind, except it requires some scripting and some more logic and some hardcore stuff. So the other option is check, do we have explicit? And the way you can just test for that is to see if you can actually run another query alongside the select statement that's already happening. So a union select, and then see if you can actually get any results returned back to you. So let's try that union select. And then let's just say one column to see what we've got, and I'll copy and paste that in. That errors. But that means we have errors, which is good, maybe means we can actually help figure out what's going wrong, what's happening, debugging our queries here: selects to the left and right of union do not have the same number of result columns. Okay, this is the next part of the test, when you're using the union select statement, because the select statement that happens originally, the actual query that the server and the website does on its own, that's going to be using a specific number of columns. It might receive my age, my name, and my phone number, and that's three columns.
So in my union select, I also have to have select one, select two, select three, so it will still return something. If it's the wrong number that we're supplying, it's just going to error out just like this. So thankfully, we can see the error, so we know that that's happening. But what we normally do is just go ahead and increment until we find which of these is going to get us a result. And this might take a little bit, especially considering we know that this application already returned a lot of information, it returned an age, it returned a title, it returned, etc, etc. So let's try four, that's going to take nothing again. And I'm fumbling around with my cursor, I'm sorry. Let's go to six. And it doesn't matter how long this takes, dude. You might, if you know you've got an error and you know something may very well return, you can go up to 30. Hell, you're a determined attacker. Okay, so now we've got a result. Now we've got five as our name, username is one, four, six, and seven. We got a page returned, and we know that what we've been selecting is actually being displayed to us. That means we have explicit SQL injection. So now in one of those fields, we can get some good stuff. We can actually start to do our own select statements and try and leak out information. I do this a lot with GitHub, John Hammond, Mr. Lanius. I have a SQL injection cheat sheet that might help leak out the entirety of a database if you don't know anything. Like, if you don't know what the database name is, if you don't know what a table name is, if you don't know what column you're looking for, this will help you figure it out if you can find one of those injection points and actually determine whether or not this returns for you. So if we wanted to select group_concat schema_name from information_schema, maybe we could get this to return something. And let's say that five spot, let's put that in parentheses and stick that in there, copy and paste that for password as well.
And it looks like that failed in this case. Okay, you know what? Sometimes we give the devil his due, cut our losses. We know that we still have something in five. Can we select anything? Can we select hello as a string? Let's see if we can do it. Yes, that returns hello for us. Okay, so we can still run our select statements. That's not going to hold us back. What can we get? Is users a real table? Like if you select something from and then a table that doesn't exist, let's say a table that doesn't exist. That's fine. That will say no such table, a table that doesn't exist, or it will just straight up error, or it won't return anything if you aren't seeing these errors in another challenge. What we can do then is try and determine, does a table named users exist? And that's normally what it's called, right? If it's a sensible program. So we paste that in and that returns for us. So we now know that users exists. Okay, we can also probably determine some like, like column names, right? We know we have username, age, title, flag. We can try that. Let's select age. And we don't need string quotes for that anymore, because we're getting a real result back. Age was 65, just like we saw in Hulk Hogan. Okay, so how about select flag and a. So that's a not applicable that we saw earlier. That doesn't help us because we could select flag from users where maybe username is equal to admin or something. And maybe that would be what we're looking for. Let's try that. No dice. Okay. So let's try another route. I went back and I, because I still had my SQL injection cheat sheet in mind, I know I have some fields that I can get with group_concat. And that's this group_concat syntax here that will take a column that is a lot of results vertically, right? And it puts them all together. So it makes them horizontal. So it will use a comma as a delimiter by default, I think you can specify something else.
But that group_concat will let you show all of the results, all the rows that will return to you, all in one result. So that's very cool. We can actually take advantage of that to say let's group_concat every flag column, like every flag row. And we don't need to specify where username is anymore, because it's just going to give us everything. So let's hit that, copy, paste that, thrown in password just to be safe and blah, blah, blah, blah, blah, cool. We've got example flag and now we have sun, just another SQL child. Cool. So there's our flag. When I first ran this, I think my zoom in was off because I wasn't as zoomed in as I was when I'm doing this for real. So it looked like it cut off the response. And I was like, well, that sucks. I can't really see it all that well. So what I had done is actually opened up developer tools with F12. And in the network tab, I would reload the page, get it to resend. So in that POST request, once I've got it responded to me, I can see the response. And that way I could actually view it in a much better way and control it that way. So there is our flag. That was the exploit. Some cool SQL injection I really like. I really like SQL injection; explicit is very, very fun, especially because I feel like I've successfully weaponized that with the SQL injection cheat sheet. And blind is fun too, because it takes a little bit of fun troubleshooting and a good script. So you could submit that flag, 100 points. And that is Wrestler Book in the Sunshine CTF web category, SQL injection stuff. Hey, I hope you guys enjoyed this video. If you did like the video, please do like, comment and subscribe. I would love to see you on the Discord server. There is a link in the description. I'd love to see you on Patreon. I'd love to see you on PayPal. Just be a part of the family. Thanks again, guys. See you in the next one.
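As an added illustration that is not part of the video or the challenge's own code: the walkthrough exploits a login query built by string concatenation, and the error text it quotes ("selects to the left and right of union do not have the same number of result columns") and "no such table" are SQLite's messages. The script below rebuilds that situation offline in an in-memory SQLite database with a constructed, hypothetical users table (column names mirror the fields shown on screen; the flag is a placeholder), so a practitioner can see why the `' or 1=1--` login, the failing one-column UNION, and the five-column UNION with `group_concat` behave as described, and why the same inputs do nothing once the query is parameterized.

```python
import sqlite3

# Constructed sample data (assumed schema, not the CTF's real database).
# The flag value is a placeholder.
SAMPLE_ROWS = [
    ("Hulk Hogan", "hulkhogan", "hunter2", 65, "Hulkster", None),
    ("Admin", "admin", "s3cret", 40, "Promoter", "sun{example_flag_placeholder}"),
]


def make_db():
    """Build an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, username TEXT, password TEXT, "
        "age INTEGER, title TEXT, flag TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query: the pattern the walkthrough exploits.

    Whatever the user types is parsed as SQL, so a quote ends the literal,
    '--' comments out the rest, and a UNION appends attacker-chosen rows.
    """
    query = (
        "SELECT name, username, age, title, flag FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the fix.

    Input is bound as data by the driver, never interpreted as SQL, so the
    same payloads are compared against the username column as plain strings.
    """
    query = (
        "SELECT name, username, age, title, flag FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchone()


def try_login(login_fn, conn, username, password="x"):
    """Run one attempt and report either the returned row or the database
    error message. These are the two signals the walkthrough reads: a row
    (explicit injection) or a verbose error that leaks query structure, such
    as the UNION column-count mismatch. In production the error text should
    be logged server-side and never echoed to the client."""
    try:
        return ("row", login_fn(conn, username, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for payload in (
        "admin' or 1=1--",                      # logs in as the first row
        "admin' union select 1--",              # column-count error
        "nobody' union select 1,2,3,4,5--",     # five columns render
        "nobody' union select 1,2,3,4,(select group_concat(flag) from users)--",
    ):
        print("vulnerable:", try_login(login_vulnerable, db, payload))
        print("safe:      ", try_login(login_safe, db, payload))
```

The `login_safe` variant is the only change a developer needs; the error-reporting point is separate: even with parameterized queries, returning raw database errors to the browser is what turned the column-count guessing in the video from dozens of blind attempts into a few informed ones.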