SQL INJECTION (redtiger.lab) - Part 4

So far we have completed up to level 4 of the redtiger lab and learned various ways of performing SQL injection to extract information.

In this part we will complete level 5 of the redtiger lab.

In level 5 we have to bypass the login system. The hint says that it is not blind (which means errors can be seen) and that the password is md5-encrypted.

fig 1: Interface of level 5

At first, if we enter a random username and password, it says no user found, so we must first bypass the username input.

Since we know that it is not blind SQL injection, let's try to generate an error by providing ' as input in the username and password fields.

fig 2: error response after providing ' as input to the username and password fields

Here we get the error:
mysql_num_rows() expects parameter 1 to be resource, boolean.

From this we can tell that our input broke the query: it returned a boolean instead of a result set. So let's try to bypass the username check using the following input:
username: hey' union select 1 #
and password: hey

You can use anything instead of hey; it doesn't matter.

fig 3: user not found

Now let's try again, increasing the number of columns in the select statement to 2.

username: hey' union select 1,2 #
and password: hey

fig 4: login failed(bypass username)

Here it says login failed, which means that we have successfully bypassed the username check, but the login failed because the password check is not bypassed yet.

To bypass the password check, let's look at the hint. It says that the password is md5 encrypted.

From the above we can see that there are two columns in the table; one of them is the password and the other is the username. To determine which column is the password, let's enter the following input.

username: hey' union select md5('hey'),2 #
and password: hey

The string inside md5() and the string in the password field must be the same.

The result of this query is login failed (just as shown in fig 4).

From this we learn that if the login fails when the password hash is placed in column 1, then the password must be the second column. So let's modify our query accordingly.

username: hey' union select 1,md5('hey') #
and password: hey

fig 5: Successfully bypassed login

BINGO!!! We successfully bypassed the login system.
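Why this works, and what fixes it, as an added example (not code from the lab or from this walkthrough): the sketch below models a login that concatenates the username into the query and then compares md5(password) with column 2 of whatever row comes back, next to a parameterized version. The table layout, function names and sample account are assumptions, and it runs on SQLite, so the inputs end in -- where the MySQL inputs above end in #.

```python
import hashlib
import hmac
import sqlite3

def md5_hex(value):
    return hashlib.md5(str(value).encode()).hexdigest()

def make_db():
    # Constructed sample data; the table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, md5_hex)  # SQLite has no built-in md5()
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", md5_hex("constructed-pw")))
    return db

def check(rows, password):
    # Shared decision logic: no row, hash mismatch, or success.
    if not rows:
        return "user not found"
    stored = str(rows[0][1])  # column 2 is treated as the stored hash
    if hmac.compare_digest(stored, md5_hex(password)):
        return "login ok"
    return "login failed"

def login_vulnerable(db, username, password):
    # Assumed shape of the flawed logic: username is concatenated into the SQL.
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []  # a failed query yields no rows (the lab also leaks a warning)
    return check(rows, password)

def login_parameterized(db, username, password):
    # The driver binds username as data, so quotes and UNION are never parsed as SQL.
    sql = "SELECT username, password FROM users WHERE username = ?"
    return check(db.execute(sql, (username,)).fetchall(), password)

# The article's inputs, with "--" in place of "#" for SQLite.
PAYLOADS = ["hey' union select 1 --", "hey' union select 1,2 --",
            "hey' union select md5('hey'),2 --", "hey' union select 1,md5('hey') --"]

if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        print(f"{p!r}: {login_vulnerable(db, p, 'hey')} / {login_parameterized(db, p, 'hey')}")
```

The vulnerable version reproduces the sequence from the figures (user not found, login failed, login failed, success), while the parameterized version answers user not found for every one of those inputs because the hash it compares can only come from a stored row.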

Link to part 5:





Data Engineer, Cybersecurity enthusiast , PLSQL, Data Analyst

aayush malla
