Challenges
Last updated
In this challenge, you need to get all transactions from the database.
The most common test case for SQLi is entering the ' (single quote) sign in an input field. If we receive an error or an unexpected result, there is a strong possibility that the app is vulnerable to SQLi. A SQLi cheatsheet is available on GitHub.
You can also test your application with tools such as SQLmap, one of the best tools available for testing an application against SQLi.
Go to /Transaction/Index
In the search field, if you try entering ', you will notice that you receive an exception, as seen in the image below (the exception inside the browser).
We can continue investigating this issue in the dev tools window by looking at the response. From it, we can see that an error occurred on the server.
For the final result, we need to modify the search string appropriately so that it forms a working SQL injection.
If you are using CTF mode, you will find the flag in the response header.
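To make the single-quote test concrete, here is an added example (not code from the challenge app, whose real schema and query are not shown on this page). It builds a constructed in-memory Transactions table and runs the same search two ways: one that concatenates the search term into the SQL text, and one that passes it as a bound parameter. The `probe` helper reports the same signal the tester sees in the browser: the concatenated version raises a database error on a lone ', while the parameterized version treats the quote as ordinary data and simply returns no rows.

```python
import sqlite3

# Constructed sample data; the challenge's real table and columns are assumed, not known.
TRANSACTIONS = [
    (1, "Alice", "Coffee", 3.50),
    (2, "Bob", "Rent", 900.00),
    (3, "Carol", "Groceries", 42.10),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Transactions "
        "(Id INTEGER, Owner TEXT, Description TEXT, Amount REAL)"
    )
    conn.executemany("INSERT INTO Transactions VALUES (?, ?, ?, ?)", TRANSACTIONS)
    return conn


def search_vulnerable(conn, term):
    """Search by string concatenation: the user's input becomes part of the SQL text.

    A single quote in `term` terminates the string literal early, so the database
    parser sees malformed SQL and raises an error -- the exception the page describes.
    """
    sql = (
        "SELECT Id, Owner, Description, Amount FROM Transactions "
        "WHERE Description LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Search with a bound parameter: the input is sent as data, never parsed as SQL.

    The quote character is matched literally against Description, so the same
    probe returns an empty result instead of a server-side error.
    """
    sql = (
        "SELECT Id, Owner, Description, Amount FROM Transactions "
        "WHERE Description LIKE ?"
    )
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def probe(search, conn, term):
    """Run a search and classify the outcome as the tester would from the browser.

    Returns ("ok", rows) when the query executed, or ("error", message) when the
    database rejected it. An "error" for a plain ' is the tell-tale sign of
    string-built SQL.
    """
    try:
        return ("ok", search(conn, term))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print("normal search, vulnerable:", probe(search_vulnerable, db, "Rent"))
    print("normal search, safe:      ", probe(search_safe, db, "Rent"))
    print("quote probe, vulnerable:  ", probe(search_vulnerable, db, "'"))
    print("quote probe, safe:        ", probe(search_safe, db, "'"))
```

The fix on the defending side is the `search_safe` shape: keep the query text constant and bind every user-supplied value as a parameter. Returning the raw database exception to the browser, as this challenge does, is a second, separate weakness: it hands a tester the confirmation that the input reached the parser, so production error pages should log the detail server-side and show a generic message.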