Follow us on Twitter!
Ideas are far more powerful than guns.
Sunday, April 20, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 25
Guests Online: 23
Members Online: 2

Registered Members: 82843
Newest Member: hx47
Latest Articles
View Thread

HellBound Hackers | Challenges | Basic

Author

Basic 16 - help with understanding the solution


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 30-01-11 19:49
Hi. I have solved this problem (perhaps on accident -.-) (if proof is wanted, i can pm you the code). However, I am still uncertain as too why only that particular format of the injection works. I understand that it has to do with comments, by why cannot other very similar forms of the injection work as well?
Author

RE: Basic 16 - help with understanding the solution

j4m32
Member

Your avatar

Posts: 81
Location:
Joined: 01.05.10
Rank:
Newbie
Posted on 30-01-11 20:18
The site is often coded to take a specific answer because it is looking for what, I think has been describe by other seniour members here as, the "pure" or "simplest" form of any exploit - particularly in the basic challanges.

As you probably know, there is a great number of inputs that would work given a real scenario, but this is often not a real scenario.

Hope that answers the question!

Jim
Author

RE: Basic 16 - help with understanding the solution

ADIGA
Member



Posts: 57
Location: Jordan - Middle East
Joined: 28.12.07
Rank:
Mad User
Posted on 30-01-11 20:23
freezard7734 wrote:
Hi. I have solved this problem (perhaps on accident -.-) (if proof is wanted, i can pm you the code). However, I am still uncertain as too why only that particular format of the injection works. I understand that it has to do with comments, by why cannot other very similar forms of the injection work as well?


as a simple answer and for you not to send PMs....
you have a query for the login that takes your input and checks it to give you access or not ...

now the aim is to make the query returns true always.
if the query is "select * from users where password='something';"
no comments will b needed but
if there is another condition added to that like
"select * from users where password='something' and ip='anotherthing';"

then even if your input returned true for the first part it will return false along with the second hale ('the ip thingy'Wink, so your input must return true and comments the second part without resulting a syntax mistake in the query.

and why only few injections may work on some cases (just as an example) ...
simple input validation maybe?? for an age input it will validate if its a number or not so if your injection has chars not numbers it may not work.
adiga_php@hotmail.com adiga.hacker@yahoo.com www.adiga.ws
Author

RE: Basic 16 - help with understanding the solution


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 31-01-11 01:06
Oh - I see. If it's just that specific answer that they want, then I understand... I'd think that it'd be more realistic if they were a little lenient on the syntax...
Author

RE: Basic 16 - help with understanding the solution

j4m32
Member

Your avatar

Posts: 81
Location:
Joined: 01.05.10
Rank:
Newbie
Posted on 31-01-11 23:57
freezard7734 wrote:
I'd think that it'd be more realistic if they were a little lenient on the syntax...


Yes it would, but that's where programming the challange becomes more complex and requires more input verification. The "soultion" then, may not necessarily be a better or cleaner solution or even a valid solution because there are many possibilites.

For example: If it were some regular expression that defines the solution, it may not exactly work given the real scenario - or in some cases, it maybe a completely invalid solution.

The idea is to avoid "unneccesarry complexity" in the Basic challanges, to just accept a single strict answer to demonstrate an idea.

Hope that answers the question!

Jim