Tue 29 May 2007 02:54 PM
SQL Injection Cheat Sheet
tagged sql injection
While doing my presentation at CarolinaCon 2007, “How to 0wn CTF”, the question came up as to whether the winner was actually the winner or had cheated by using SQL injection. I’ve been racking my brain off and on, whenever I get a chance, trying to come up with a way to do a SQL injection to attack my application. It’s pretty trivial to just add the following to an item in the flag file to get the SQL command to execute:
';<sql statement you want to run>
The issue that I take with this is that you need to know the table and field names to do any type of INSERT or UPDATE.
I ran across a SQL injection cheat sheet while doing some SQL injection googling.
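The difference between pasting a flag-file item into the query text and binding it as a parameter, as an added example that is not the CTF application's own code. The SQLite schema, the table, column and function names, and the sample item are all assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical scoreboard schema; the post does not show the real one.
SCHEMA = """
CREATE TABLE scores(team TEXT PRIMARY KEY, points INTEGER);
CREATE TABLE flags(value TEXT PRIMARY KEY, captured INTEGER DEFAULT 0);
INSERT INTO scores VALUES ('red', 10), ('blue', 40);
INSERT INTO flags(value) VALUES ('flag-alpha');
"""

# Constructed flag-file item in the ';<statement> shape. It only has an effect
# because its author already knows the table and column names.
CONSTRUCTED_ITEM = "'; UPDATE scores SET points = 9999 WHERE team = 'red'; --"

def new_db():
    """Fresh in-memory scoreboard for each run."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def mark_captured_unsafe(db, item):
    # Vulnerable: the item becomes part of the SQL text, so a quote inside it
    # closes the string literal and whatever follows is parsed as SQL.
    db.executescript("UPDATE flags SET captured = 1 WHERE value = '%s';" % item)

def mark_captured_safe(db, item):
    # Hardened: the placeholder binds the item as a value; it is only ever
    # compared against flags.value and is never parsed as SQL.
    cur = db.execute("UPDATE flags SET captured = 1 WHERE value = ?", (item,))
    db.commit()
    return cur.rowcount  # number of flags that matched

def points(db, team):
    row = db.execute("SELECT points FROM scores WHERE team = ?", (team,)).fetchone()
    return row[0]

if __name__ == "__main__":
    for handler in (mark_captured_unsafe, mark_captured_safe):
        db = new_db()
        handler(db, CONSTRUCTED_ITEM)
        print(handler.__name__, "-> red has", points(db, "red"), "points")
```

With the parameterized version the same item matches no flag and the scores table is untouched.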


