SQL Injection Challenge 5 (Security Shepherd, New)
Navigate to the interface inside your Security Shepherd dashboard. Locate the Coupon Code input box. Submit a random string, such as TEST1234.
You’ve just completed Challenge 4, where you bypassed a login using a basic ' OR '1'='1 attack. Now, Challenge 5 presents a new target: a minimalist web app that claims to have fixed all SQL injection vulnerabilities.
The -- sequence comments out the rest of the query, effectively bypassing the password check.
This post breaks down the methodology to solve Challenge 5, moving from error analysis to successful data extraction.
Forcing users to extract secondary tokens (e.g., a "VIP Coupon Code") from one part of the app and apply it elsewhere to complete the level.
For "blind" scenarios where data isn't directly echoed back, tools like
Once you find the column count (e.g., 3), use UNION SELECT to pull data. 1' UNION SELECT 1,2,3 --
You are given a guest account:
In the new edition, you will likely find that characters like ' are stripped or escaped.
Step 2: Bypassing Filters (The Core Challenge)
The response header contains a hint: X-Debug-Query: SELECT note FROM notes WHERE user_id = 2 AND note LIKE '%milk%'
Find the input text area marked "Coupon Code" on the checkout simulation interface.
Inject the Payload: Type or paste "" OR 1=1 into the field.
By closing the string literal with double quotes and appending OR 1=1, the query's logic changes. Because 1=1 is always true, the WHERE clause evaluates to true for every row regardless of the coupon string, and the query returns every entry in the coupon table.
Payload Option B (Escaping with Comments)
Enter a standard, benign string such as WELCOME20 to verify how the application behaves on a failed query (e.g., "Invalid Coupon" or "No results found").
Step 2: Injecting the Logical Tautology
She submitted it. The Security Shepherd interface chimed. A golden badge appeared on her dashboard:
The search query is not using prepared statements here — the developer hand-wrote a LIKE clause directly inside the query string. The user_id=2 corresponds to the guest user. The admin’s user_id is almost certainly 1.
To solve this challenge, we must move beyond basic UNION-based attacks and focus on bypassing the filters.
Step 1: Enumeration and Error Handling
SELECT * FROM coupons WHERE coupon_code = "" OR 1=1
4. Execute and Retrieve Key
Enter 1 (or any number ≥ 1) in the field for the Troll. Paste the payload "" OR 1=1 into the Coupon Code box. Click Place Order.