Hello, everyone. This is a video write-up for the challenge SQL for 40 points in the web category in the capture the flag competition TJCTF. So the challenge prompt here is find the IP address of the admin user. The flag is TJCTF, the regular flag format wrapped around the IP address. So they give us a link here to SQL, this web page here, and we can try and log in supposedly with an email address and a password. We can try anything for the password. And the result is that this is what I got about you from the database. No such column password.

So you could try the typical or one equals one comment stuff, your typical SQL injection, you may have to go through to change the email type or input type to just regular text, blah, blah, blah. But the gist of this challenge is that it's not an easy breezy, regular SQL injection like CTF problem.

So I'm going to open up a terminal, get some Sublime Text open. I'm going to use Sublime Text version two so I can use build view. And let's start to actually throw stuff at this level here. Let's import requests because we're going to be doing some web stuff. Let's grab the URL, which is simply SQL, TJCTF, paste that in here. And I'm going to get a session going on because those are handy in requests. s.close for good practice. And we can s.get URL or make that a variable here. And let's go ahead and print that out.

Let's split the screen because Sublime Text two is handy. And let's just do that with our build output. We can set the syntax to HTML and it gives us a bunch of junk. But the only really interesting things that we want are the results of the output when we log in. So let's go ahead and just cut this up to let's say, I want to say like 70, 175 lines. Yeah. Okay. So let's just join what we will have once we try and split this by new lines. Let's go like 175 onward. So, oh boy, just at the very top. Okay. We'll get all that. And how much do we want to cut? Let's go 18, 175 plus 18. So, okay, cool.
Now we should just get only that stuff. Let's go ahead and make a post request just as it would expect. We can supply data here that we want to supply. Duh. Data to supply that we want to supply. It's expecting email, which we had supplied as please sub at me.com. And it was wanting the password, right? So we can set that to anything. Let's actually just use double quotes here for consistency. Sure. Okay. And it says, this is what I got about you from the database. No such column password.

So here you could, if you particularly wanted to, use your SQL injection or one equals one, etc. Try some of their comments or kinds of strings, blah, blah, blah. But I didn't get a whole lot of success with that. And actually, again, props to and shout out to Eagles Moto, who did a lot of fuzzing and actually got some traction with this. He figured out that, hmm, what if password is noted? There's no such column. What if I ask for something else? What if I got it anything like please sub? And it'll say, oh, no such column, that thing. So maybe that is our SQL injection vector, just like the second field that we're asking for.

So he tried kind of at random IP address with underscores and it says, hmm, NoneType object is not iterable. Okay. So that looks like there is a column for that IP address, that field there, but we need to actually get results from it. So at that point, we could try IP address. And then what if we wanted our or one equals one or whatever, would we be able to do it just then equals result there? And it says, yeah, okay, cool. It got us some results. Let's de-entitize this so we can say, okay, here is the result from the database: ID equals one, username equals some user here, first name, last name, blah, blah, blah, gender, male, IP address here.

Okay. So we want to get where username is equal to admin, right? Let's say, and username is equal to admin. Will that work for us? No such column admin. Okay. Let's remove some of those spaces there.
Nothing username or we could just do where username. Oh, okay. Let's do actually and username equals admin in strings. So we will take that appropriately. Cool. We get a result here. Oh, no. Okay. Let's do use that as our OR clause, or username equals admin. Now we get some responses. Sweet. We get our ID, username admin there, and the IP address that we want. Perfect. So if we wanted to, we could say TJCTF with that IP address wrapped in it, that will be our flag.txt. And simple as that, just some fuzzing, trying to determine where in that input is our actual vector or attack vector for some SQL injection.

I did a little bit of like union selects in here. I did a union select one, two, et cetera, et cetera. I kept fuzzing this until I got a result. And then I actually was able to just, okay, now I can literally leak the entire database if I wanted to. But I just like select IP address from users where like username is equal to admin. And then I got that as a result or not. But I did use that. Let me pull up the script. This is what I ended up using: select IP address from users where username equals admin. So there is a little bit of tinkering you can do because SQL injection is pretty neat. And that's just anything that you particularly want to go for. I didn't end up cutting this one up, but I did get the IP address just like that. So neat handy tricks. Once you find your attack vector for SQL injection, there's a lot of damage you can do. Very, very cool.

Thank you guys for watching. Hope you're enjoying these. And I want to give a special shout out to the people that support me on YouTube and Patreon. Holy cow, I said the wrong word. It's all right, I'm a failure. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 a month on Patreon will give you early access to everything that I release on YouTube before I release it. If you did like this video, please do like, comment, and subscribe.
You're going to see more CTF videos and programming tutorials. Hey, please join our Discord server, link in the description. Wow, this is cool. I've never done this that fast. Hey, thanks again, guys. Please see, I'd love to see you on Patreon and see you in the next video later.
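
Added example, not part of the video or the challenge's own code: a minimal SQLite sketch of the flaw the errors above point to (a password value pasted into the query unquoted, so bare words are parsed as column names), next to the bound-parameter fix. The schema, the `pw` column, the sample rows and all function names are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample table; schema and rows are assumptions, not the challenge's data."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, "
               "pw TEXT, ip_address TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", "h1", "192.0.2.10"),
        (2, "admin", "admin@example.com", "h2", "198.51.100.7"),
    ])
    return db

def login_vulnerable(db, email, password):
    # Assumed flaw: the password value is pasted in unquoted, so SQLite parses it
    # as an expression and treats any bare word as a column name.
    sql = f"SELECT * FROM users WHERE email = ? AND pw = {password}"
    row = db.execute(sql, (email,)).fetchone()
    return dict(row)  # dict(None) raises "'NoneType' object is not iterable"

def login_safe(db, email, password):
    # Both values are bound, so they are only ever compared as data.
    # (A real application would also store and verify a password hash.)
    row = db.execute("SELECT * FROM users WHERE email = ? AND pw = ?",
                     (email, password)).fetchone()
    return dict(row) if row is not None else None

def probe(login, password, email="nobody@example.com"):
    """Run one login attempt against a fresh DB and describe the outcome."""
    db = make_db()
    try:
        row = login(db, email, password)
    except (sqlite3.Error, TypeError) as exc:
        return f"error: {exc}"
    finally:
        db.close()
    return "no match" if row is None else f"row for {row['username']}"

if __name__ == "__main__":
    # The three inputs mirror the stages described in the walkthrough.
    for pw in ["hunter2", "ip_address", "ip_address or username = 'admin'"]:
        print(f"{pw!r:40} vulnerable -> {probe(login_vulnerable, pw)}")
        print(f"{pw!r:40} safe       -> {probe(login_safe, pw)}")
```

The two error strings are also useful detection signals: a login endpoint that returns database or interpreter error text to the client is telling you the input reached the SQL parser.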