Level 1: Super Easy

This challenge was a straight-forward Union-based injection.

To help us do this, let’s take a guess at what the statement looks like to find the price:

SELECT * FROM exploits WHERE ID=1

With the UNION statement, we can combine the output with other data that we want.

We first need to identify the number of columns in the table.

SELECT * FROM exploits WHERE ID=1 UNION SELECT 1,2--

Let’s now try entering this:

The error message tells us that we need to enter more columns, so let’s do that:

Since the error is gone, we know that there are three columns!

However, the data isn’t showing on the page. This is because the data from the original statement is coming through before our data. To solve this, we just need to invalidate the first id:

SELECT * FROM exploits WHERE ID=1 AND 1=2 UNION SELECT 1,2,3--

Now, only the data from our own selection will be returned:

The ID and Price is returned as 2 and 1 respectively, which means that our own inputs are being returned.

Let’s now change 2 and 1 to version() and user(), so our final statement looks like:

SELECT * FROM exploits WHERE ID=1 AND 1=2 UNION SELECT version(),user(),3--

The username and version were returned!