I have been working on finding vulnerabilities in a site (my friend's; I do have permission) and I am supposed to hack into his site (the members-only section) without knowing anything about the inside workings. So I don't know if it uses MySQL or any SQL. I assume it does because there are going to be a lot of people on this site (at least he plans to).
Anyway, my basic questions are:
1. Is there a way to find out if there is a MySQL thing?
2. If it does have MySQL, will SQL injection work?
3. If I work through a proxy (online, probably a CGIProxy), will he be able to find my IP?
4. Does anyone know anywhere with a challenge like this that I can practice on? Preferably one with an active forum.
Posts: 2468 Location: Brighton, UK Joined: 30.11.04 Rank: Uber Elite
Posted on 25-09-05 00:30
1. Try SQL injections to get an error (might not work due to magic quotes).
2. If magic quotes are enabled, you can't SQL inject.
3. No, he won't.
4. Set up your own forum and practice.
RE: Multi-User pass
Posted on 25-09-05 23:29
3.) Yeah, he could, depending on what CGI-Proxy site you use. Unless you make your own, the people who own the site basically have to keep logs on people who visited because of people who might hack through such a thing. So, if the site owner just gives away the information to your friend because he said something of the sort that that originating IP was from the person who hacked his site.
*Feel free to correct me on this one because I think I might have something wrong in that statement.