← Back to Challenges

Blind SQL Injection Challenge 🐱‍👓

Exploiting an SQL Inject attack involves solving a puzzle that is a cross between Hangman and 20 Questions. It needs a little understanding of SQL and a great deal of cunning.

WARNING: In many countries (including UK) it is illegal to use this attack.

Up to 6 months in jail for unauthorised access

I've set up a vulnerable test system here so that you can have a go.

I promise not to prosecute.

Try your Hacking skills against this test system. It takes you through the exploit step-by-step.

The SQL Injection attack allows external users to read details from the database.
In a well-designed system, this will only include data that is available to the public anyway.
In a poorly designed system, this may allow external users to discover other users' passwords.

Try these steps:

To gain access and find a user name.
Enter the string below as both user name and password in the login form on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account - but it does not tell you his password.

Find out if Jake's password includes the letter "w".
Enter xxx as user name and enter the following string as the password:

Find out if Jake's password has "w" as the third letter.
Enter xxx as user name and enter the following string as the password:

Check if Jake's password length is between 3 and 8 characters
Enter xxx as user name and enter the following string as the password:

☠️

Login

Blind SQL Injection Challenge 🐱‍👓

Try these steps: