SQL injection challenge 5 (Security Shepherd, new version)

Since LIKE patterns are inside single quotes in the SQL, but the single quote is filtered in input, how is the query built? Maybe the developer used double quotes for the SQL string? Let’s check the debug header again:
SELECT note FROM notes WHERE user_id = 2 AND note LIKE '%milk%'

So the outer SQL wraps the LIKE pattern in single quotes, and the input milk is placed inside those quotes. If you input a backslash (\), does it escape the closing quote in the SQL? Example:

Input: %\
SQL: LIKE '%\%' — the second single quote is escaped, causing a syntax error. The error message reveals the exact query:
LIKE '%\%'' — Yes, the last quote remains unmatched. So you can break out.

But how to get admin note? You need a union-based injection or boolean blind injection.

Try input: %\' UNION SELECT note FROM notes WHERE user_id=1 --

The filter blocks the single quote. But what about double quotes? Does the filter allow them? Let’s test: input " — validation passes. Double quotes are not in the blocked set. Interesting.
This is where the challenge becomes a syntax puzzle. The filter looks for SELECT, FROM, WHERE, OR, and AND in uppercase only; it does not look for mixed case.

Key Observation: MySQL (and many underlying DBMS platforms used in Shepherd) is case-insensitive for keywords.

Thus:

But is the filter case-sensitive? Yes. The Java filter in the new version uses String.contains("SELECT"), not a regex with case flags.

The Exploit: Write all your SQL keywords in randomized case.

1/**/UnIoN/**/SeLeCt/**/username/**/FrOm/**/users will bypass the keyword filter entirely.
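As an added example (not code from the page or from Security Shepherd), the following Python/sqlite3 snippet shows why a case-sensitive keyword blocklist like the one described above is the wrong control, and what the hardened form of the notes query looks like: the LIKE pattern is bound as a parameter and the wildcard characters in user input are escaped. The notes table, its rows, and the function names are constructed for this example; sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed sample data standing in for the challenge's notes table (assumption).
NOTES = [(1, "admin note: secret"), (2, "buy milk"), (2, "milk and eggs")]

# Blocklist-only keywords, mirroring the String.contains("SELECT") style the page describes.
BLOCKED = ("SELECT", "FROM", "WHERE", "OR", "AND", "'")


def keyword_filter_blocks(user_input):
    """Case-sensitive blocklist: catches 'SELECT' but not 'SeLeCt'."""
    return any(k in user_input for k in BLOCKED)


def escape_like(term):
    """Escape LIKE metacharacters so user input cannot act as a wildcard.
    The backslash is escaped first so a user-supplied '\\' stays literal."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_notes(conn, user_id, term):
    """Hardened search: no string concatenation, the pattern is a bound parameter,
    and ESCAPE '\\' makes the escaping explicit (MySQL defaults to backslash,
    SQLite does not, so stating it keeps the query portable)."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT note FROM notes WHERE user_id = ? AND note LIKE ? ESCAPE '\\'",
        (user_id, pattern),
    ).fetchall()
    return [r[0] for r in rows]


def make_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (user_id INTEGER, note TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", NOTES)
    return conn


if __name__ == "__main__":
    db = make_db()
    print(keyword_filter_blocks("SELECT"), keyword_filter_blocks("SeLeCt"))  # True False
    print(search_notes(db, 2, "milk"))   # ['buy milk', 'milk and eggs']
    print(search_notes(db, 2, "%"))      # [] : '%' is matched literally, not as a wildcard
    print(search_notes(db, 2, "\\"))     # [] : backslash cannot break out of the quotes
```

With the parameterized form, a stray quote, backslash or mixed-case keyword in the search term is just data, so the blocklist becomes unnecessary rather than something to be tuned.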

The challenge presents a simple form that accepts a username and a password.

Upon submitting credentials, the application responds with:

No other data is displayed on the page.

The flag is likely in a column named password, token, or flag. Payload: 1'/**/aNd/**/(SeLeCt/**/count(flag)/**/FrOm/**/users)/**/>/**/0-- -

If the condition evaluates to true, a column named flag exists.

To perform a UNION injection, we need to know how many columns the original query is returning. We use the ORDER BY technique to enumerate columns incrementally.

If ORDER BY 3 succeeds but ORDER BY 4 produces an error, the query returns 3 columns.