HellBound Hackers | Challenges | Basic

BASIC 21
Author: Guest
Posted on 05-11-07 02:31
Ok, I'm having a bit of trouble with this. On a normal site (using an actual SQL database) I can acquire table names and columns going by whether the page accepts it as a correctly formed query. Ex: SELECT COUNT(*) FROM BLAH; and if that doesn't give me an error then it's a valid table name.
Now since this isn't a real SQL server I'm dealing with, these methods won't work... so I'm a little lost. I can get the initial error but I'm having a problem getting past there. A nudge would be appreciated =) thanx
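
The post above relies on a login page answering differently for a query that names a real table, one that names a missing table, and one that is malformed. The following is an added example, not part of the thread or the challenge, showing that difference and its removal in Python's sqlite3; the `members` table, the handler names and the sample inputs are assumptions constructed for illustration.

```python
import sqlite3

GENERIC_FAILURE = "Username/password not found"

def make_db():
    # Constructed sample data; the `members` table and columns are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, name TEXT, pass TEXT)")
    db.execute("INSERT INTO members VALUES (1, 'alice', 's3cret')")
    return db

def login_verbose(db, name, password):
    # Weak form: input is pasted into the SQL text and the raw database
    # error is echoed back, so each failing query describes the schema.
    sql = ("SELECT id FROM members WHERE name = '%s' AND pass = '%s'"
           % (name, password))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Database error: %s" % exc
    return "Welcome" if row else GENERIC_FAILURE

def login_hardened(db, name, password):
    # Bound parameters keep input out of the SQL grammar; any database
    # error collapses into the same answer as a failed login.
    try:
        row = db.execute(
            "SELECT id FROM members WHERE name = ? AND pass = ?",
            (name, password)).fetchone()
    except sqlite3.Error:
        return GENERIC_FAILURE  # record the detail server-side instead
    return "Welcome" if row else GENERIC_FAILURE

# Constructed regression inputs: a name containing a quote, and the
# table-existence check from the post against a missing and a real table.
PROBES = [
    "o'brien",
    "' AND (SELECT COUNT(*) FROM BLAH) > 0 --",
    "' AND (SELECT COUNT(*) FROM members) > 0 --",
]

def distinct_responses(handler):
    # More than one distinct answer means the page acts as an oracle.
    db = make_db()
    return {handler(db, probe, "x") for probe in PROBES}

if __name__ == "__main__":
    print(sorted(distinct_responses(login_verbose)))
    print(sorted(distinct_responses(login_hardened)))
```

A check like `distinct_responses` fits in a regression suite: the hardened handler must return a single response for every input in the list.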
RE: BASIC 21
Author: Guest
Posted on 05-11-07 02:35
The best nudge that anyone can give you is to tell you to check the previous "Basic 21" thread in the forums. In fact, most people won't be able to get even halfway in this challenge without seeing that thread.



RE: crap
Author: Guest
Posted on 05-11-07 02:38
Well, I read all three pages of it... and I got the hint that was given and did some research on it even though I knew quite a bit about it beforehand. Maybe I'm just a bad guesser.
RE: BASIC 21
Author: Guest
Posted on 05-11-07 02:40
Just try the most basic attempt you can, using that "hint from the thread", and look at the error message you get from that. If need be, Google the error message. You'll start to figure out where to go from there.



RE: thanx
Author: Guest
Posted on 05-11-07 02:44
Ok, I shall do that. I do have a tendency to overcomplicate. Anyways, I shall leave this alone until I have exhausted all other possibilities.
RE: BASIC 21
Author: ZvirX (Posts: 101, Location: Class Object, Joined: 03.11.07, Rank: Newbie)
Posted on 05-11-07 02:55
noober wrote:
Ok, I'm having a bit of trouble with this. On a normal site (using an actual SQL database) I can acquire table names and columns going by whether the page accepts it as a correctly formed query. Ex: SELECT COUNT(*) FROM BLAH; and if that doesn't give me an error then it's a valid table name.
Now since this isn't a real SQL server I'm dealing with, these methods won't work... so I'm a little lost. I can get the initial error but I'm having a problem getting past there. A nudge would be appreciated =) thanx


Well, here is a nudge ... Advanced SQL Injection


n0Ne n0Ne n0Ne
RE: haha
Author: Guest
Posted on 05-11-07 03:07
Naw, I swear it's not a lack of knowledge of SQL, I assure you. I have read more on SQL than any other subject. I'm well aware of the range of commands and I have used them on real sites just to see how they work. Using wildcards like % and unions and, well, I don't want to go too far into it. Just trust me, I have read a great deal, including the quite extensive SecuriTeam advanced SQL in its entirety.

Edited by on 05-11-07 03:09
RE: BASIC 21
Author: Guest
Posted on 05-11-07 03:11
noober wrote:
Naw, I swear it's not a lack of knowledge of SQL, I assure you.
<snip>


That's the problem... you're assuming. The whitepaper that is referenced in the previous Basic 21 thread is actually a good bit of help. The types of commands that it places focus on give you a good idea of what structure you're looking for in your attempts.

There's really no more help that anyone can give you until you at least TRY.



RE: BASIC 21
Author: ZvirX (Posts: 101, Location: Class Object, Joined: 03.11.07, Rank: Newbie)
Posted on 05-11-07 03:13
noober wrote:
Naw, I swear it's not a lack of knowledge of SQL, I assure you. I have read more on SQL than any other subject. I'm well aware of the range of commands and I have used them on real sites just to see how they work. Using wildcards like % and unions and, well, I don't want to go too far into it. Just trust me, I have read a great deal, including the quite extensive SecuriTeam advanced SQL in its entirety.


I'm not questioning your SQL knowledge, it's just that file helped me a lot with this chall (basically it explained all the chall to me). Read it, you've got nothing to lose... oh, and it gets interesting from page 7 (which I assume you already figured out). gl




n0Ne n0Ne n0Ne
RE: blah
Author: Guest
Posted on 05-11-07 03:23
Ya... so it was the first thing I had tried, minus the capitalization... I really hate that.
RE: BASIC 21
Author: Guest
Posted on 05-11-07 04:15
noober wrote:
Ya... so it was the first thing I had tried, minus the capitalization... I really hate that.


Well, you get used to it here. The simulations are all case-sensitive; if something doesn't work that you think should, just try it in different cases, with different spaces, etc.

For this challenge, I actually kept open a text file and just put in my attempts as I tried them. If they gave an error, I put the attempt at the top with the error below it. This helped me to keep track of what I had tried and what I had not.



RE: need some help
Author: Guest
Posted on 23-11-07 00:28
--May contain spoilers, if so admin please delete--

Well, I'm on the final part of Basic 21. I've read the whitepaper at http://www.ngssoftware.com/papers/advanced_sql_injection.pdf which the chall was based on. I am trying:

' u**** s***** *, user****, *, * fr** us***--

I'm trying that and many other things along those lines. I've tried:

' u**** s***** s**(user****) f*** us***--

None of these things are working although that is what the whitepaper says to do, and my SQL knowledge says should work. I'm at a standstill. Any help would be appreciated. Thanks, anarchial_demise


RE: blah
Author: Guest
Posted on 23-11-07 01:14
The white paper basically... no, ENTIRELY gives you the mission. It's basically an answer sheet...
RE: well
Author: Guest
Posted on 23-11-07 02:16
I've even copied and pasted what the whitepaper says and it's not working for me. Can I PM someone who can help me get my syntax right?


RE: BASIC 21
Author: Guest
Posted on 23-11-07 04:35
Not that I can be exactly certain what you're typing underneath those asterisks, but you have to be very careful. I had an extra space at the end, after the --, and it didn't show the error message. Check for those things.
RE: BASIC 21
Author: Guest
Posted on 10-08-08 04:55
I'm having the same problem with anarchial_...

I've typed in that last statement he said and it just says that the username/password wasn't found in the database.

Help?


RE: BASIC 21
Author: DeafCode (Posts: 214, Joined: 04.05.08, Rank: Apprentice, Warn Level: 30)
Posted on 10-08-08 05:08
I'm going to guess that you're trying to figure out whether the table column is an i****** or a s**. But just look at what you've got. Isn't what you're trying to figure out obvious?? I had the same problem. Everything worked up until page 9 I think and then that. You got all the info you need, now keep reading.



:ninja:
http://2130706433
RE: BASIC 21
Author: Guest
Posted on 10-08-08 05:12
DeafCode wrote:
I'm going to guess that you're trying to figure out whether the table column is an i****** or a s**. But just look at what you've got. Isn't what you're trying to figure out obvious?? I had the same problem. Everything worked up until page 9 I think and then that. You got all the info you need, now keep reading.

Okay I know what you said but I don't know what you mean
^^;




Edited by on 10-08-08 05:13
RE: BASIC 21
Author: DeafCode (Posts: 214, Joined: 04.05.08, Rank: Apprentice, Warn Level: 30)
Posted on 10-08-08 05:24
You have the table name, right? Good.
You have the names of the columns, right? Good.
Everything is going good. O' what's this? I can't find whether the column is an i****** or a s**. OMG, WTF mate?

Look at the names of the columns. What seems to be a number and what seems to be text. Bingo, logic rises again and thwarts query denial once again. Muh Hahahah. Now that you got that, keep reading.

If this sounded rude to you, I'm sorry but now you got the point.



:ninja:
http://2130706433
RE: BASIC 21
Author: Guest
Posted on 10-08-08 05:34
DeafCode wrote:
You have the table name, right? Good.
You have the names of the columns, right? Good.
Everything is going good. O' what's this? I can't find whether the column is an i****** or a s**. OMG, WTF mate?

Look at the names of the columns. What seems to be a number and what seems to be text. Bingo, logic rises again and thwarts query denial once again. Muh Hahahah. Now that you got that, keep reading.

If this sounded rude to you, I'm sorry but now you got the point.

Actually I don't really get the number/text part

