Friday, April 18, 2014

HellBound Hackers | Challenges | Basic

Author

Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 10-03-06 01:31
Okay so I looked through the source,
I read up on SQL (which I feel I understand now),
tried to do some different injections.

Now I'm going to try to do this without giving out any spoilers
I did injections like
SELECT*FROM*WHERE*

but I didn't use those wildcards only in FROM

I feel like it's right on the tips of my fingers but I'm dancing around it

If you can help I'd appreciate it

-ZTB
Author

RE: Basic 8

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 10-03-06 13:54
Remember, the SQL Query has to be a real SQL Query.

Be general...very general in your query as well.

Enjoy


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Real?


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 10-03-06 17:37
Real? What do you mean by that?
-ZTB
Author

RE: Basic 8

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 10-03-06 17:38
Well they can't be fake duh! lol



http://www.elites0ft.com/
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 10-03-06 17:44
lol yeah I know they can't be fake (whatever that means)!

Do spaces in the injection count as characters?
Author

RE: Basic 8

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 10-03-06 17:53
You need spaces in the injection.



http://www.elites0ft.com/
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-03-06 17:50
Well I've been stuck on this annoying mission for ages now. I know SQL quite well, therefore I think this mission is picky or something.

In fact I don't need to do this mission as I know SQL, therefore can someone give me a spoiler via PM or just an idea of what's wrong with this:

SELECT * FROM family_db WHERE username='Drake'

Please don't say make it more general cos I'll just try this and find that it does not work.

SELECT * FROM * WHERE username='Drake'

Do I need a semicolon or is my syntax wrong or does this have to go in the URL bar - have tried this by the way.
Cheers anyone
Author

RE: Basic 8

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 11-03-06 18:08
Your query is too complex, make it shorter



http://www.elites0ft.com/
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-03-06 18:10
Keep it as short as possible and you have to add something after the bla.php? page.

So you need bla.php?***= <your sql injection>
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-03-06 19:27
Therefore something like this?

http://www.hellboundhackers.org/challenges/basic8/index.php?SELECT * FROM * WHERE username='Drake'

Can you PM me the answer as I already know SQL or tell me what is wrong with what I have.

Cheers
Author

RE: Basic 8

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 11-03-06 20:05
Ok, scroll down for spoiler:






YOU DON'T NEED THE WHERE BIT!!!




End of spoiler



http://www.elites0ft.com/
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-03-06 20:32
And you need to define that it's a SQL query like:
*************Spoiler warning*************

.php?sql_query=your stuff




Edited by on 11-03-06 20:33
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 11-03-06 21:25
Use the ?sql query=your stuff, and look on www.w3schools.com in the SQL learning area, the most basic query you can give is all you need


Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-03-06 11:47
Well still cannot get this puppy going. Thanks for the help though.

spoiler:










bla.php?sql_query=SELECT * FROM *

end spoiler


Still does not work and so don't a load of others.

I think at this stage it is best to give up.

Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-03-06 15:44
No cannot give up - too annoying.

Is it ?sql= or ?sql_query= or ?sql query= as I have been told all of these.

Cheers
Author

RE: Basic 8

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 12-03-06 15:49
Do not be THAT general...you cannot say SELECT <ANYTHING> FROM <ANYTHING> because it will not know well...ANYTHING!

Be general but not overly so.

PM me with what you have and I can give you pointers if you like


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Basic 8


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 12-03-06 16:13
Ok ok, this is going fine. You guys need to define 1 thing of the 2 though. Like Aldarhawk said: You can't select something from something, if you don't know something, surely the computer doesn't. As password, just enter --> ' <-- and see what pops up. Read the message. You get it now? You must search in a sort of database to select your *.




Edited by on 12-03-06 16:38
Author

RE: Basic 8

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 12-03-06 16:34
Why does everyone call me a damn TREE! I am not a tree!!!

ALDARHAWK! not ALDERHAWK!

A NOT E.....

Sorry, it is just hard when people type your name wrong when it is right in front of their faces...


Just ask Yahoo!Taboo! http://www.erikwestlake.com