A Dangerous Contact | CyberStart Completion

A Dangerous Contact


During our research into The Choppers, we noticed that their website has a contact page with a form for getting in touch. Our agents want to know whether it might be vulnerable to SQL injection.

See if you can put the SQL code in the right order. If you do, the data should appear in the console at the top of the page. This will contain the information we’re looking for - a list of all previously submitted messages.

Tip: The flag is the last name of the most recent person to send a message through the form.


This is a test on SQL injection. You have to get the whole table of information by running the right SQL command, so re-order the parts of the command in the message box and submit the form. Try starting with the single quote character, which will close the speechmarks in the command and then think about what is always true.

How to Solve:

  1. Arrange the query in the correct order:
    1. '); SELECT first_name, last_name, email, message FROM messages:--


  • Wolsen