Web 2: Advanced SQL Injection

SQL injection is a web vulnerability in which an attacker can inject special characters into an SQL query and take control of the query. This allows them to potentially leak, delete, or compromise data. Ever seen a site asking you not to use --? That’s because of SQL injection!

In this Cyber Academy session, we will learn more about this attack and practice some more advanced techniques to exfiltrate data in various restrictive scenarios.

by Ronak Badhe

Slides

Challenges

The following challenges, in increasing difficulty, are deployed to platform.acmcyber.com for practicing the concepts covered in the slides.

  • Challenge 1 - web/penguin-login
  • Challenge 2 - web/secure-penguin-login
  • Challenge 3 - web/eepy-penguin-login

Resources

The following resources are great tools for SQL challenges: