SQL INJECTION — REDSTONE LOGISTICS
HARD ⭐⭐⭐⭐ — WEB APPLICATION SECURITY ASSESSMENT
OWASP A03 · NO HINTS · ENUMERATE · EXTRACT · REPORT

OBJECTIVE

Find the SQL injection point
Determine the number of columns
Identify injectable column positions
Enumerate the database tables
Extract data from the credentials table
Retrieve the flag
Submit the pentest report
PHASE 1 — RECONNAISSANCE
MISSION BRIEF
HARD ⭐⭐⭐⭐ — SQL INJECTION

SQL INJECTION LAB

TARGET: portal.redstone-logistics.com (simulated)

SCENARIO

You are conducting a black-box web application penetration test against Redstone Logistics. Your access credentials for the employee portal have been provided by the client.

Login: tester / Redst0ne!

OBJECTIVE

Identify any SQL injection vulnerabilities in the portal. Demonstrate exploitability by extracting the contents of the credentials table. Retrieve the flag stored within it and document your findings in a professional pentest report.

RULES

  • No automated tools — manual injection only
  • Scope: the shipment tracking search function
  • Document every payload used as evidence
  • No hints will be provided beyond this brief
REFERENCE — SQL Injection
WHAT IS SQL INJECTION
SQL injection occurs when user-supplied input is concatenated directly into a SQL query without sanitisation. The attacker injects SQL syntax that changes the query's logic, enabling data extraction, authentication bypass, or data manipulation.
IDENTIFYING THE INJECTION POINT
Submit a single quote ' and observe the response. A database error message confirms injection. A boolean test — submitting 1=1 vs 1=2 — confirms blind injection if the response differs.
UNION-BASED EXTRACTION
UNION SELECT appends a second query to the original, injecting attacker-controlled data into the result set. Requirements: same number of columns as the original query, compatible data types.
STEP-BY-STEP METHODOLOGY
1. Confirm injection:
     ' OR '1'='1
     ' OR '1'='2
2. Find column count (add NULLs until no error):
     ' UNION SELECT NULL--
     ' UNION SELECT NULL,NULL--
     ' UNION SELECT NULL,NULL,NULL--
3. Find string-injectable columns:
     ' UNION SELECT 'a',NULL,NULL--
     ' UNION SELECT NULL,'a',NULL--
4. Enumerate tables (MySQL/MariaDB):
     ' UNION SELECT table_name,NULL FROM information_schema.tables WHERE table_schema=database()--
5. Extract column names:
     ' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='target_table'--
6. Extract data:
     ' UNION SELECT col1,col2 FROM table--
COMMENT SYNTAX
MySQL/MariaDB: -- or #
MSSQL: --
Oracle: --
PostgreSQL: --
REMEDIATION
Parameterised queries (prepared statements) are the primary fix. The query structure is defined first; user input is passed as a typed parameter and never interpreted as SQL. ORMs and stored procedures with parameterised input also provide protection. Input validation is defence-in-depth, not a primary control.
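The remediation above, shown as an added example that is not part of the original lab: the same search written with string concatenation and with a bound parameter, plus a format check as defence-in-depth. Python's sqlite3 stands in for the portal's database; the table, column and function names, the tracking ID format and the sample rows are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; schema names are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE shipments (tracking_id TEXT, status TEXT);
        CREATE TABLE credentials (username TEXT, secret TEXT);
        INSERT INTO shipments VALUES ('RS-1001', 'In transit'), ('RS-1002', 'Delivered');
        INSERT INTO credentials VALUES ('svc_portal', 'constructed-secret');
    """)
    return db

def search_vulnerable(db, term):
    # 'Before': input is concatenated into the statement text and parsed as SQL.
    sql = "SELECT tracking_id, status FROM shipments WHERE tracking_id = '" + term + "'"
    return db.execute(sql).fetchall()

def search_parameterised(db, term):
    # 'After': the statement structure is fixed; term is bound as a value only.
    return db.execute(
        "SELECT tracking_id, status FROM shipments WHERE tracking_id = ?", (term,)
    ).fetchall()

# Assumed tracking ID format, used only for the defence-in-depth check.
TRACKING_ID = re.compile(r"RS-\d{4}")

def search_hardened(db, term):
    # Defence-in-depth: reject malformed IDs, then still use the bound parameter.
    if not TRACKING_ID.fullmatch(term):
        raise ValueError("invalid tracking id")
    return search_parameterised(db, term)

# Constructed input in the UNION form from the methodology above.
UNION_INPUT = "' UNION SELECT username, secret FROM credentials--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", search_vulnerable(db, UNION_INPUT))
    print("parameterised:", search_parameterised(db, UNION_INPUT))
    print("legitimate   :", search_parameterised(db, "RS-1001"))
```

With the bound parameter the whole input is compared as a literal tracking ID, so it matches no rows; the format check only narrows what reaches the query and does not replace the parameter.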