Better - Sql+injection+challenge+5+security+shepherd+new


Input: %\ SQL: LIKE '%\%' — the second single quote is escaped, causing a syntax error. The error message reveals the exact query: LIKE '%\%'' — Yes, the last quote remains unmatched. So you can break out.

Advanced labs use complex setups to prevent simple text submissions from working. Common blocks include:

Expected result: When the number of NULLs matches the original SELECT (likely 2 columns), the page returns "User Found" even with the 1=2 condition. This confirms 2 columns.

This challenge is designed to teach you about —a common, but often insufficient, defense mechanism where an application attempts to "sanitize" user input by escaping certain characters.

/ prepared statements – the #1 defense.

OWASP Security Shepherd remains a gold-standard web application capture-the-flag (CTF) platform. It helps cyber security students and application developers learn practical, real-world exploitation in a sandboxed ecosystem. Among its database-driven exercises, stands out as a critical test of your structural logic manipulation.

The app has two pages:

Since ""="" is always true, the condition resolves to true for all rows, returning the entire customers table.

Using typical sleep-based payloads ( ' WAITFOR DELAY '0:0:5' -- ) yields no delay. This suggests either:

Decoding (if Base64) or simply reading plaintext gives the , which is submitted in the challenge.

In the new edition, you will likely find that characters like ' are stripped or escaped.

Step 2: Bypassing Filters (The Core Challenge)

Try searching for: %' UNION SELECT note FROM notes WHERE user_id=1 --

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// Secure: using placeholders treats all input strictly as literal text data,
// so a quote or comment sequence inside userInput can never change the query structure
String query = "SELECT coupon_code FROM coupons WHERE coupon_code = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, userInput);  // bound as a parameter, never concatenated into the SQL
ResultSet resultSet = pstmt.executeQuery();
```

Since the page doesn’t output data, we must brute-force the flag one character at a time.