In this CTF challenge, you will identify and exploit a blind SQL injection in a book search feature to extract the database’s name using timing-based attacks and substring functions. Direct data output is blocked; you must infer information one byte at a time.
Learning objectives:
- Identify a blind SQL injection point.
- Use timing-based payloads to prove SQL injection.
- Craft payloads with SUBSTRING and ASCII.
- Automate extraction of information with scripted or manual character-by-character attacks.
Difficulty: Intermediate
Estimated time: 45-60 minutes
Required knowledge:
- Knowledge of SQL injection (especially blind techniques)
- Basic SQL syntax
- Familiarity with HTTP requests (e.g., curl, Burp Suite, browser dev tools)
- Understanding of ASCII codes
Skills practiced:
- Detecting blind SQL injection via timing analysis
- Crafting conditional SQL queries for data extraction
- Efficient enumeration via substring/ASCII methods
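The lab's bug class is a search term spliced straight into SQL text, and the timing-based probes it teaches leave a recognisable trail in access logs. The following is an added example, not code from the acmebooks lab or its `src/` folder: it builds an in-memory SQLite stand-in for the book table (the schema is an assumption), shows the vulnerable concatenated query beside its parameterised fix, and runs a small detector over constructed access-log lines in an assumed `timestamp method path status NNNms` format to flag requests that carry a time-delay function or take unexplainably long.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample catalogue (not the lab's own DB dump from setup/).
BOOKS = [
    ("The Art of Software Security Assessment", "Dowd"),
    ("Practical Cryptography", "Ferguson"),
    ("SQL Antipatterns", "Karwin"),
]


def make_db():
    """In-memory SQLite stand-in for the lab's book table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books (title, author) VALUES (?, ?)", BOOKS)
    return conn


def search_vulnerable(conn, term):
    """String concatenation: the search term becomes part of the SQL text, so a
    quote in the input changes the query's structure (the lab's bug class)."""
    sql = "SELECT title FROM books WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, term):
    """Bound parameter: the driver sends the term as data, so quotes and SQL
    keywords inside it can never alter the statement."""
    sql = "SELECT title FROM books WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed access-log lines in an assumed "timestamp method path status NNNms" format.
LOG_LINES = [
    "2024-05-01T10:00:00Z GET /search?q=crypto 200 12ms",
    "2024-05-01T10:00:01Z GET /search?q=crypto'%20AND%20SLEEP(5)--%20 200 5007ms",
    "2024-05-01T10:00:02Z GET /search?q=sql 200 9ms",
    "2024-05-01T10:00:03Z GET /search?q=assessment 200 4900ms",
]

# Functions whose only purpose in a search term is to stall the query.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)ms$")


def flag_timing_probes(lines, slow_ms=3000):
    """Return (timestamp, reason) pairs for requests that look like time-based
    blind SQLi: a delay function in the decoded query string, or a response far
    slower than a normal search (slow_ms threshold is an assumed baseline)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, _method, path, _status, ms = m.groups()
        query = unquote(path.split("?", 1)[1]) if "?" in path else ""
        if TIME_FUNCS.search(query):
            findings.append((ts, "time-delay function in search term"))
        elif int(ms) >= slow_ms:
            findings.append((ts, "slow response without delay keyword (possible obfuscated probe)"))
    return findings


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", search_vulnerable(db, tautology))  # every title leaks
    print("fixed:     ", search_fixed(db, tautology))       # nothing matches the literal
    for ts, reason in flag_timing_probes(LOG_LINES):
        print(ts, reason)
```

The detector deliberately keys on two independent signals: the keyword check catches the textbook probes, while the latency check catches variants that avoid those tokens, at the cost of also surfacing genuinely slow queries that need a second look. Parameterisation, not input filtering, is the fix for the search endpoint itself.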
Repository contents:
- `src/` (web app code)
- `setup/` (lab setup scripts, sample DB dump)
- `readme.md`
- `.gitignore`
Prerequisites: Docker and Docker Compose installed on your system.
Installation:
- Clone the repository.
- Run `docker-compose up --build`.
- Access the app at http://localhost:5000.
- Reset with `docker-compose down -v` and rerun as needed.
Issues: https://github.com/YourCTFOrg/acmebooks-blindsql-lab/issues
This is a deliberately vulnerable lab designed solely for educational purposes.