The #19th DOJO CHALLENGE gave the opportunity to perform a SQL injection where the LIMIT clause was set to zero so that no output from the database was displayed. Participants had to come up with a way to display the database results on the screen and collect the admin’s email address and password.
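The root cause the challenge is built on is user input pasted into the SQL text, so that the caller controls the statement's structure rather than just a value. The following is an added example, not code from the challenge or from any submitted write-up: it puts the assumed vulnerable concatenation pattern beside a parameterized query and a simple integer check, over a constructed in-memory SQLite table (the table, rows and function names are all assumptions made for the demonstration).

```python
import sqlite3

# Constructed sample data for the demonstration; not the challenge database.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin@example.invalid', 'ADMIN-PASSWORD-PLACEHOLDER');
INSERT INTO users VALUES (2, 'alice@example.invalid', 'USER-PASSWORD-PLACEHOLDER');
"""


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_email_vulnerable(conn, user_id):
    """Assumed vulnerable pattern: the id is concatenated into the SQL text.

    Whatever the caller supplies becomes part of the statement, so the
    database parses caller-controlled SQL instead of comparing a value.
    A trailing LIMIT 0 cannot protect such a query, because the attacker
    is editing the statement itself, not merely a value inside it.
    """
    query = "SELECT email FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(query).fetchall()]


def find_email_parameterized(conn, user_id):
    """Hardened form: the id travels as a bound parameter.

    The statement's shape is fixed when it is parsed; the input can only
    ever be compared against the id column, never interpreted as SQL.
    """
    query = "SELECT email FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,)).fetchall()]


def is_valid_id(user_id):
    """Input validation for an identifier that must be a positive integer."""
    return isinstance(user_id, str) and user_id.isdigit()


def find_email_validated(conn, user_id):
    """Belt and braces: reject non-integer input before binding it."""
    if not is_valid_id(user_id):
        raise ValueError("id must be a positive integer")
    return find_email_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    benign = "1"
    tampered = "1 OR 1=1"  # textbook input that rewrites the WHERE clause when concatenated
    print(find_email_vulnerable(db, benign))        # one row, as intended
    print(find_email_vulnerable(db, tampered))      # every row: the statement's structure changed
    print(find_email_parameterized(db, tampered))   # []: treated as a value, matches nothing
    print(find_email_validated(db, benign))         # one row, after the integer check
```

The parameterized lookup returns nothing for the tampered input because SQLite compares the whole string against the integer column; the validated lookup refuses it outright, which is the behaviour to prefer for identifiers with a known shape.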
💡 You want to create your own DOJO and publish it? Send us a message on Twitter!
WINNERS!
We are glad to announce the #19 DOJO Challenge winners list.
3 BEST WRITE-UP REPORTS
- The best write-up reports were submitted by: Xk3tla, Karaharauh and Cyrilp! Congrats 🥳
Subscribe to our Twitter and LinkedIn feeds to be notified of the upcoming challenges, and read on to find the best write-up as well as the challenge author’s recommendations.
The challenge
The not so limited blind SQL injection
We asked you to produce a qualified write-up report explaining the logic allowing such exploitation. This write-up serves two purposes:
- Ensure no copy-paste would occur.
- Determine the contestant’s ability to properly describe a vulnerability and its vectors in a professionally written report. This capacity gives us invaluable hints about your own, unique talent as a bug hunter.
BEST WRITE-UP REPORT
We received a large number of reports and all of them were detailed and well explained. However, we had to make a selection of the best ones. These challenges show that there are almost as many different solutions as there are participants, as long as there is creativity! 😉
Thanks again for all your submissions and thanks for playing with us!
Xk3tla’s Write-Up
————– START OF Xk3tla’s REPORT ——————
SQL Injection via ($id) String Concatenation | CVSSv3 9.1 | CWE-89
SQL injection is a technique in which an attacker inserts malicious code into strings that are later passed to a database for execution. SQL injection exploits applications that formulate SQL statements from user input (e.g., from values input in a form on a web site). The vulnerability is due to either incorrectly filtered input or wrongly typed input, but is always the result of concatenating user input with SQL strings to perform a database action.
Impact
Consider a situation where the original query returns multiple columns from the target table. Instead of checking each column to determine which column contains the string data type, you can easily retrieve multiple values within a single column by concatenating the values together. This makes retrieval more straightforward, because it requires identification of only a single varchar field in the original query.
Steps to Reproduce
(1) Observe the SQL code provided: