Share
## https://sploitus.com/exploit?id=A2FE4D1E-1CC1-573F-86F9-D81E2AA3F3F3
# SQL Injection CTF Challenge - Quick Start Guide

## Files Overview

```
SQLi/
โ”œโ”€โ”€ challenge/
โ”‚   โ””โ”€โ”€ vulnerable_app.py          # Flask application with SQL vulnerabilities
โ”œโ”€โ”€ solution/
โ”‚   โ””โ”€โ”€ exploits.py                # Exploitation scripts and techniques
โ”œโ”€โ”€ hints/
โ”‚   โ””โ”€โ”€ HINTS.md                   # Progressive difficulty hints
โ”œโ”€โ”€ CHALLENGE_DOCUMENTATION.md     # Complete technical documentation
โ”œโ”€โ”€ requirements.txt               # Python dependencies
โ”œโ”€โ”€ setup.py                       # Setup and runner script
โ””โ”€โ”€ README.md                      # This file
```

## Quick Start

### 1. Install Dependencies
```powershell
python -m pip install -r requirements.txt
```

### 2. Start Vulnerable Application
```powershell
python challenge/vulnerable_app.py
```

The app will run at: `http://127.0.0.1:5000`

### 3. Access Challenge
Open browser and navigate to:
- Main page: http://127.0.0.1:5000/
- Level 1: http://127.0.0.1:5000/level1/login
- Level 2: http://127.0.0.1:5000/level2/search
- Level 3: http://127.0.0.1:5000/level3/verify

### 4. View Hints and Documentation
- **Hints**: Read `hints/HINTS.md` for progressive difficulty
- **Full Documentation**: Read `CHALLENGE_DOCUMENTATION.md` for complete technical details

## Challenge Levels

| Level | Topic | Time | Difficulty |
|-------|-------|------|------------|
| 1 | Authentication Bypass | 30 min | Easy-Medium |
| 2 | UNION-Based Injection | 45 min | Medium |
| 3 | Blind SQL Injection | 60+ min | Hard |
| Admin | Final Flag | 15 min | Medium |
| **Total** | | **120+ min** | **National** |

## Key Vulnerabilities

### Level 1: Direct String Concatenation
```python
query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
```
**Exploit**: `' OR '1'='1' --`

### Level 2: Unsafe UNION Queries
```python
query = f"SELECT username, email FROM users WHERE username LIKE '%{search_query}%'"
```
**Exploit**: `' UNION SELECT secret_key, flag_level_1 FROM secrets--`

### Level 3: Type Juggling in WHERE
```python
query = f"SELECT * FROM users WHERE id={user_id} OR 1=1"
```
**Exploit**: `1 AND ASCII(SUBSTR((SELECT encrypted_flag FROM secrets), 1, 1))=82`

## Algorithms Used

- **Base64 Encoding**: Flag obfuscation (RFC 4648)
- **SHA-256 Hashing**: Secret key verification
- **Boolean-Based Extraction**: Character-by-character ASCII comparison
- **UNION Query Injection**: Column alignment and data extraction

## Expected Solutions

All flags follow format: `FLAG{description}`

- **Level 1**: FLAG{SQLi_Level_1_Bypassed}
- **Level 2**: FLAG{SQLi_Level_2_Union_Select}
- **Level 3**: FLAG{SQLi_Level_3_Blind_Injection}
- **Final**: FLAG{SQLi_Challenge_Completed_Congratulations}

## Tools & Techniques

### Manual Exploitation
- Burp Suite for request interception
- curl or Python requests for automation
- Manual SQL crafting

### Automated Tools
- SQLMap for SQL injection detection
- Python scripts for boolean-based extraction

## Defense Mechanisms

The documentation covers:
- Parameterized queries
- Input validation
- Least privilege principle
- Error handling
- WAF and IDS implementation

## Scoring

```
Level 1:      100 points (25%)
Level 2:      200 points (50%)
Level 3:      300 points (75%)
Admin Panel:  200 points (100%)
Bonus:        +50-90 points based on time
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
Total:        800+ points
```

## Time Analysis

The challenge is specifically designed to take **120+ minutes**:
- Reconnaissance & understanding: 15 minutes
- Level 1 exploitation: 20-30 minutes
- Level 2 exploitation: 30-45 minutes
- Level 3 exploitation: 45-90 minutes
- Flag validation & admin access: 10-15 minutes

## Requirements

- Python 3.6+
- Flask 2.3.0+
- requests library
- Any modern web browser
- SQLite support (built-in)

## Educational Purpose

This challenge teaches:
- SQL injection attack vectors
- Multi-stage exploitation techniques
- Encryption and encoding concepts
- Database security principles
- Real-world vulnerability patterns

## Disclaimer

โš ๏ธ **This challenge is intentionally vulnerable for EDUCATIONAL PURPOSES ONLY**

- Never use these techniques on systems you don't own
- Always practice responsibly within authorized environments
- Unauthorized access to computer systems is illegal

## Support

For issues or questions:
1. Check `CHALLENGE_DOCUMENTATION.md` for detailed explanations
2. Review `hints/HINTS.md` for guidance
3. Examine `solution/exploits.py` for example implementations

---

**Good luck with the challenge! ๐ŸŽฏ**

*National Level CTF Challenge v1.0 - January 28, 2026*