Share
## https://sploitus.com/exploit?id=A2FE4D1E-1CC1-573F-86F9-D81E2AA3F3F3
# SQL Injection CTF Challenge - Quick Start Guide
## Files Overview
```
SQLi/
โโโ challenge/
โ โโโ vulnerable_app.py # Flask application with SQL vulnerabilities
โโโ solution/
โ โโโ exploits.py # Exploitation scripts and techniques
โโโ hints/
โ โโโ HINTS.md # Progressive difficulty hints
โโโ CHALLENGE_DOCUMENTATION.md # Complete technical documentation
โโโ requirements.txt # Python dependencies
โโโ setup.py # Setup and runner script
โโโ README.md # This file
```
## Quick Start
### 1. Install Dependencies
```powershell
python -m pip install -r requirements.txt
```
### 2. Start Vulnerable Application
```powershell
python challenge/vulnerable_app.py
```
The app will run at: `http://127.0.0.1:5000`
### 3. Access Challenge
Open browser and navigate to:
- Main page: http://127.0.0.1:5000/
- Level 1: http://127.0.0.1:5000/level1/login
- Level 2: http://127.0.0.1:5000/level2/search
- Level 3: http://127.0.0.1:5000/level3/verify
### 4. View Hints and Documentation
- **Hints**: Read `hints/HINTS.md` for progressive difficulty
- **Full Documentation**: Read `CHALLENGE_DOCUMENTATION.md` for complete technical details
## Challenge Levels
| Level | Topic | Time | Difficulty |
|-------|-------|------|------------|
| 1 | Authentication Bypass | 30 min | Easy-Medium |
| 2 | UNION-Based Injection | 45 min | Medium |
| 3 | Blind SQL Injection | 60+ min | Hard |
| Admin | Final Flag | 15 min | Medium |
| **Total** | | **120+ min** | **National** |
## Key Vulnerabilities
### Level 1: Direct String Concatenation
```python
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
```
**Exploit**: `' OR '1'='1' --`
### Level 2: Unsafe UNION Queries
```python
query = f"SELECT username, email FROM users WHERE username LIKE '%{search_query}%'"
```
**Exploit**: `' UNION SELECT secret_key, flag_level_1 FROM secrets--`
### Level 3: Type Juggling in WHERE
```python
query = f"SELECT * FROM users WHERE id={user_id} OR 1=1"
```
**Exploit**: `1 AND ASCII(SUBSTR((SELECT encrypted_flag FROM secrets), 1, 1))=82`
## Algorithms Used
- **Base64 Encoding**: Flag obfuscation (RFC 4648)
- **SHA-256 Hashing**: Secret key verification
- **Boolean-Based Extraction**: Character-by-character ASCII comparison
- **UNION Query Injection**: Column alignment and data extraction
## Expected Solutions
All flags follow format: `FLAG{description}`
- **Level 1**: FLAG{SQLi_Level_1_Bypassed}
- **Level 2**: FLAG{SQLi_Level_2_Union_Select}
- **Level 3**: FLAG{SQLi_Level_3_Blind_Injection}
- **Final**: FLAG{SQLi_Challenge_Completed_Congratulations}
## Tools & Techniques
### Manual Exploitation
- Burp Suite for request interception
- curl or Python requests for automation
- Manual SQL crafting
### Automated Tools
- SQLMap for SQL injection detection
- Python scripts for boolean-based extraction
## Defense Mechanisms
The documentation covers:
- Parameterized queries
- Input validation
- Least privilege principle
- Error handling
- WAF and IDS implementation
## Scoring
```
Level 1: 100 points (25%)
Level 2: 200 points (50%)
Level 3: 300 points (75%)
Admin Panel: 200 points (100%)
Bonus: +50-90 points based on time
โโโโโโโโโโโโโโโโโโโโโโโโโโ
Total: 800+ points
```
## Time Analysis
The challenge is specifically designed to take **120+ minutes**:
- Reconnaissance & understanding: 15 minutes
- Level 1 exploitation: 20-30 minutes
- Level 2 exploitation: 30-45 minutes
- Level 3 exploitation: 45-90 minutes
- Flag validation & admin access: 10-15 minutes
## Requirements
- Python 3.6+
- Flask 2.3.0+
- requests library
- Any modern web browser
- SQLite support (built-in)
## Educational Purpose
This challenge teaches:
- SQL injection attack vectors
- Multi-stage exploitation techniques
- Encryption and encoding concepts
- Database security principles
- Real-world vulnerability patterns
## Disclaimer
โ ๏ธ **This challenge is intentionally vulnerable for EDUCATIONAL PURPOSES ONLY**
- Never use these techniques on systems you don't own
- Always practice responsibly within authorized environments
- Unauthorized access to computer systems is illegal
## Support
For issues or questions:
1. Check `CHALLENGE_DOCUMENTATION.md` for detailed explanations
2. Review `hints/HINTS.md` for guidance
3. Examine `solution/exploits.py` for example implementations
---
**Good luck with the challenge! ๐ฏ**
*National Level CTF Challenge v1.0 - January 28, 2026*