Metro Clinic

Prompt

Conduct a security audit on the city's medical directory system.

Scope: This challenge is limited to HTTPS in scope; please do not attack any other ports on this server and do not brute-force attack this web server.

Walk-Through

This challenge involves the exploitation of a SQL injection vulnerability. SQL is a language used to retrieve information from a SQL-compatible database. If you are not familiar with SQL, you can access this free lesson on Khan Academy or look at our full Tutorial Video linked at the bottom of this Walkthrough. You can also review the History Log Analysis Walkthrough to review some basics.

The website in this challenge unsafely trusts what the user inputs into the search bar, allowing an attacker to craft the SQL statement being executed by the server. This allows the attacker to expand the scope of the query and grab more data than the developers intended.

💻

All web-based challenges should be opened in a separate window to easily view the developer tools and to reduce confusion between resources on the Cyber Skyline website and the actual challenge website.

Guide

Questions 1 – 3 can be solved by conducting simple queries against the database and pressing “Search”. Experiment with the search bar. Try entering different characters to see what happens. The following is the result of entering “a” into the search bar:

This is a partial screenshot of the output from the query. Notice how two fields, name and profession, are returned. Each name consists of a first and last name together separated by a space.

A query using a blank space will return the entire directory since each user in the database has a space in their name.

A majority of the contents of the table have been redacted.

Questions 4 and 5 require the use of SQL injection. The difficulty with SQL injections is that the attacker does not control the entirety of the SQL statement because the input in the search bar is being added into a section of a SQL statement.

To confirm that the backend uses SQL to search the database we can submit our own SQL statement through the search to find out more information.

SELECT * FROM name; was submitted to the search bar. Here is the output:

A SQLITE error wouldn’t be returned unless SQL was being used to query the database. Notice how a syntax error is pointed out. A ‘%’ symbol was not used in the query.

Our query above tells us a lot beyond the fact that our input becomes part of an existing SQL statement. First, whatever existing statement is being used must return the ‘name’ and ‘profession’ fields. Second, there must be a ‘%’ symbol used in it.

A percentage symbol (%) in SQL is a wildcard used to narrow a query to a pattern and is often used with LIKE.

  • %a - Finds all entries ending in ‘a’
  • a% - Finds all entries that start with ‘a’
  • %a% - Finds all entries that contain ‘a’

Without the % characters, only users whose names exactly match the query would be returned. Therefore, the last form (%a%) is very likely being used, because entering ‘a’ earlier returned all professionals with an ‘a’ anywhere in their name.

Understanding what this SQL statement looks like will help us craft our SQL injection. In the case of this challenge, the SQL statement being executed is:

SELECT name, [type] FROM users WHERE name LIKE "% + your_search_query_here + %";

This SQL statement will obtain the name and type (profession) fields of the table, named ‘users’, that have a name that contains the query entered into the search box. [type] is in brackets because ‘type’ is also a SQL keyword, but in this case ‘type’ is a field (go to the Deeper Explanation section below to understand how to learn the names of the fields).

We can conclude a number of important things:

  1. The SQL injection you create will be added inside the existing SQL statement and therefore, what you enter into the search bar will not be a valid SQL statement.
  2. The combination of the existing SQL statement, plus the SQL injection will need to be a valid SQL statement.
  3. To exploit this vulnerability, the original SQL statement must be ended so that our SQL injection can run.

By escaping from the quotations, it is possible to chain the original statement with a second statement that will yield more data than intended. The following input into the search bar will accomplish this:

"; SELECT * FROM USERS WHERE "%"="

  • The "; terminates the SQL statement that the server is attempting to execute.
  • The SELECT * FROM USERS WHERE starts a second SQL statement which will grab all the fields from the users table.
  • The "%"=" makes the statement true so the query is valid.
    • Refer to the fact that %"; is the next part in the existing SQL statement. The net result of the two parts combined is "%"="%"; which will cause the WHERE to be true for every row in the table.

Below is a combination of the existing SQL statement and the SQL injection crafted above:

SELECT name, [type] FROM users WHERE name LIKE "%"; SELECT * FROM USERS WHERE "%"="%";

The portion from the first "; onward is the SQL injection that is provided to the search bar. The executed query will return results containing all the fields of all users stored in the database. Be careful with the encoding of the % as some browsers may modify this.

Most of the output has been redacted. Two additional columns appeared. We can assume these are the password and the username for the medical professionals listed.
💡

Please keep in mind there are multiple different ways this vulnerability could be exploited and this walkthrough is only demonstrating one of those ways.
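As an added example (not code from the challenge or from Cyber Skyline), here is the string-building pattern the walkthrough reconstructs beside a parameterized version of the same search, run against a constructed in-memory SQLite table. The table rows and column order are assumptions; the column names are the ones the walkthrough recovers from sqlite_master.

```python
import sqlite3

# Constructed stand-in for the challenge's users table. Column names are the ones the
# walkthrough recovers from sqlite_master; the rows and column order are made up.
SAMPLE_USERS = [
    ("Katie Cain", "Dentist", "kcain", "placeholder-pw-1"),
    ("Mike Torres", "Orthopedist", "mtorres", "placeholder-pw-2"),
    ("Ann Lee", "Nurse", "alee", "placeholder-pw-3"),
]

# The stacked-query input the walkthrough submits to the search bar.
PAYLOAD = '"; SELECT * FROM USERS WHERE "%"="'


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, type TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return con


def vulnerable_sql(user_input):
    # The string-building pattern the walkthrough reconstructs: the search text is spliced
    # into the statement, so a quote and semicolon in it become SQL rather than data.
    # Only the text is built here; whether a second statement actually runs depends on the
    # driver (Python's sqlite3 refuses more than one statement per execute() call).
    return 'SELECT name, [type] FROM users WHERE name LIKE "%' + user_input + '%";'


def escape_like(text):
    # Make % and _ literal inside a LIKE pattern; the backslash is the ESCAPE character.
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(con, user_input):
    # Hardened form: the pattern is bound as a parameter, so the input is always data and
    # cannot end the statement, and LIKE wildcards typed by the user are escaped so a
    # lone "%" does not match every row.
    pattern = "%" + escape_like(user_input) + "%"
    return con.execute(
        "SELECT name, type FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(vulnerable_sql(PAYLOAD))    # two statements in one string, as in the walkthrough
    print(search_safe(con, "a"))      # ordinary name search still works
    print(search_safe(con, PAYLOAD))  # the payload is just an unusual name pattern: no rows
```

A blank space still returns every row in the safe version, exactly as the walkthrough observes, because the wildcard escaping only affects % and _ typed by the user.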

Deeper Explanation

Use a query against sqlite_master to verify the table names and fields used in the SQL database. This query has to be injected into the existing statement in the same way as above, so the steps for arriving at the correct form are the ones shown in the walkthrough. It is still worth entering, because its output shows what the existing SQL statement must look like. Submitting "; SELECT * FROM sqlite_master WHERE type="table" AND "%"=" returns the following information:

‘users’ appears to be the table name and the other fields of the table are ‘name’, ‘type’, ‘password’ and ‘username’. ‘type’ must indicate the profession of the person listed.

Pro Tips

In order to remove duplicate results from using the exploit above, try adding ANY character that’s not found in the names of the users at the start of what you enter into the search bar.

Example: 1"; SELECT * FROM USERS WHERE "%"="

This will cause the first SQL statement to return nothing and the second SQL statement to return just the four columns with all of the entries.

Useful resources for this challenge:

  • SQL Injection: https://www.owasp.org/index.php/SQL_Injection
  • Khan Academy: https://www.khanacademy.org/computing/computer-programming/sql
  • Use our Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more specifics about crafting SQL queries and injections and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - SQL Basics - Oct 7, 2021

Learn how SQL injection works! In this episode of the Cyber Skyline Live tutorial series, Franz Payer, CEO of Cyber Skyline, discusses database concepts including what is SQL injection, gives an in-depth demo on how to write a SQL query, and much more. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.


Questions

1. What is the name of the only Orthopedist?

Enter a blank space into the search box to show all the results and find the Orthopedist.

2. What is Katie Cain’s profession?

Enter a blank space into the search box to show all the results and find Katie Cain’s profession.

3. How many medical professionals can be found in this registry?

Enter a blank space into the search box to show all the results and count the total results.

4. What is the name of the person who has a password of "greyblob"?

Type 1"; SELECT * FROM USERS WHERE "%"=" into the search box to perform a SQL injection and display all of the columns in the USERS table.

5. What is Mike Torres' password?

Type 1"; SELECT * FROM USERS WHERE "%"=" into the search box to perform a SQL injection and display all of the columns in the USERS table.

⚠️
The password is randomly generated so the correct password for you will likely be different.

©️ 2026 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.