HellBound Hackers | Challenges | Basic

I'm really frustrated
Guest
Posted on 04-06-10 14:37
I may understand that my message can be a call into a void, but I'm really frustrated with the single answer that is accepted for many of the challenges.
For example, in chall 18 it does not accept u* select n***, etc. without from,
but this is legal in MySQL.
The worst thing is that if you give a correct but malformed request and the system does not accept it, then you start thinking in a different direction.
Maybe the variety of answers and the behaviour of some challenges should be reconsidered?
AFAIK I'm not alone...
RE: I'm really frustrated
Guest
Posted on 04-06-10 14:53
Yes, you told me that and I do understand it. I can help modify your testing scripts if it helps, because I've tried blind injection in ch18 for about 4 hours and could not understand why 1=1 works and 2=2 does not, and why my select 1,1,... does not work.
At last I read an article here about blind... and did it in 20 secs, but I don't like to use an already-made solution; it doesn't teach you.

Edited by on 04-06-10 14:55
RE: I'm really frustrated
Guest
Posted on 04-06-10 15:40
No one cares about doing the challenges really. If you find they don't teach you anything then it's time to move on.


RE: I'm really frustrated
Guest
Posted on 04-06-10 15:44
Honestly, I don't know what you expect from a simulation; do you want the authors to integrate every possible blind SQL injection?

Or would you rather have the authors add a comment with the exact query you have to perform, in a riddle as in Basic 1? Is that enough 'real life' for you?

Take Web Patching for example: you have to use functions like addslashes() against SQL injections.

I personally wouldn't even go for the ancient mysql_* functions; even mysql_real_escape_string needs an open MySQL connection, otherwise you'll have insecure escaping.

What I'm trying to say is that in 'real life' I could, for example, use PDO against SQL injections; that way I won't have to escape parameters, simply because I can bind them like a real database API.
But obviously it's not going to accept that as the answer; in the end, it's a simulation.
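
The three approaches the post above contrasts, side by side, as an added example that is not part of the thread or of the HellBound Hackers challenge code. It uses the modern mysqli equivalent of mysql_real_escape_string (the mysql_* functions the poster calls ancient were removed in PHP 7), and the table name, column name and DSN are assumptions made for illustration. The PDO variant is run against an in-memory SQLite database so it works without a MySQL server.

```php
<?php
// Added example (not from the thread): the same lookup built three ways,
// weakest first. Table "users" and column "username" are assumed.

// 1. addslashes(): what the Web Patching challenge asks for. It backslashes only
//    ' " \ and NUL, has no idea which character set the connection uses, and
//    does nothing useful when the value lands outside quotes (e.g. an integer).
function query_addslashes(string $user): string
{
    return "SELECT id FROM users WHERE username = '" . addslashes($user) . "'";
}

// 2. mysqli real_escape_string(): escapes according to the character set of an
//    OPEN connection, which is exactly why the post says escaping without one
//    is unsafe. It is still string-building and still wrong in unquoted contexts.
function query_escaped(mysqli $db, string $user): string
{
    return "SELECT id FROM users WHERE username = '" . $db->real_escape_string($user) . "'";
}

// 3. PDO prepared statement: the SQL text is fixed and the value is bound
//    separately, so there is nothing to escape and no quoting context to get wrong.
function find_user_pdo(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->bindValue(':u', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: the tautology the thread keeps circling around.
$input = "x' OR 1=1 -- ";

// Shows what addslashes() actually produces; the quote is neutralised here,
// but only because this particular value sits inside single quotes.
echo query_addslashes($input), PHP_EOL;

// In-memory SQLite so the bound-parameter variant runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

var_dump(find_user_pdo($pdo, 'alice'));  // the row for alice
var_dump(find_user_pdo($pdo, $input));   // NULL: the payload is compared literally as a username
```

Design note: with a MySQL DSN, PDO emulates prepares client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the binding, which is the behaviour the post has in mind when it calls this "a real database API".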

RE: I'm really frustrated
Guest
Posted on 06-06-10 11:25
What comes to mind first:
in chall 18 the script checks the output, and if there is more than one result and it is not a figure, it writes something like "you're close",
or if it matches u* s*.
Using frameworks has the drawback of unknown security issues and performance. By the way, all frameworks are also written by someone; that's real life )