HellBound Hackers | Challenges | Patching

Patch2 isn't working, spoilers.
Guest, posted on 08-05-06 01:17
Possible Spoilers?
I've tried the following:


7(inject): $id = addslashes($_GET['id']);
7(inject): $id = mysql_real_escape_string($_GET['id']);
7(inject): if (ereg("^[0-9]+$", $_GET['id'])) $id = $_GET['id'];
11(xss): echo strip_tags($end);


No luck. It seems obvious that the problem is SQL Injection through $_GET['id']. I'm sure I'm getting it right but am just not entering the right string of text for whatever AI reads this stuff. Any suggestions?


RE: Patch2 isn't working, spoilers.
Guest, posted on 08-05-06 01:25
I have a suggestion: they should make the patch challenges more flexible, trying to think of ALL the ways it COULD be fixed and accepting a multitude of answers. Most of them have an error that could be fixed on more than one line in several ways, and after trying tons of variations using different functions and tactics in different places, I decided I don't want the points anymore as I got pissed off.


RE: Points whore
Guest, posted on 08-05-06 01:31
Of all the sections on HellBound this is the most useful. I'm here for the defensive aspects, not the offensive :). That and I'm a whore for points.

Maybe some admin could give me a tip wink wink.


RE: Patch2 isn't working, spoilers.
korg (Admin from hell, rank: God), posted on 08-05-06 02:29
I agree. I've spent a lot of time on 2 & 3; I see where to patch them, but none of my answers will work. Even did a Google search and found almost the same script rewritten with addslashes!
Pissing me off bad. I think they should be checked by admins, like logic, as there are different ways to patch.
RE: Patch2 isn't working, spoilers.
Guest, posted on 05-06-06 03:59
Nucleocide, you're definitely on the right track. The type of vuln is injection, but what _kind_? That being said, you have the wrong line, because you know the variable will be user-defined because of $_GET in the URL.

Edited on 05-06-06 04:04
RE: cough
Guest, posted on 05-08-06 22:50
*cough*str_replace*cough*giveshint*cough*


RE: Patch2 isn't working, spoilers.
Guest, posted on 05-08-06 23:13
Yes, addslashes is the way to go. You're close.


RE: Patch2 isn't working, spoilers.
Guest, posted on 05-08-06 23:15
lol, yes, like sharpskater80 said, relook at what line you are trying, then try the examples you said you have already tried. I just did it again to test it and it works. Pfft


RE: Patch2 isn't working, spoilers.
Guest, posted on 10-10-06 06:07
I've just tried this one and it doesn't work. It tells me that str_replace isn't the most efficient way and to do something with numbers, wtf???


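As an added example, not code from the challenge or from anyone in this thread, here is the id handling the posts argue about, written out in PHP: the unsafe line, the escaping patches from the first post, and the numeric patch the "do something with numbers" hint points at. The table name "news" and all function names are assumptions for the demo.

```php
<?php
// Added example, not code from the challenge or from anyone in this
// thread. It shows the unsafe id handling the posts describe and the two
// kinds of patch discussed: escaping vs. treating the id as a number.
// The table name "news" and the function names are made up for the demo.

function build_query_unsafe(array $get): string {
    $id = $get['id'];                      // raw $_GET['id'], unchecked
    return "SELECT * FROM news WHERE id = $id";   // the injectable line
}

// Patch A: escaping. addslashes() / mysql_real_escape_string() only help
// when the value is inside quotes; with an unquoted numeric column they
// change nothing, since no quote character is needed to break out.
function build_query_escaped(array $get): string {
    $id = addslashes($get['id']);
    return "SELECT * FROM news WHERE id = '$id'";   // quotes are required here
}

// Patch B: the id is an integer, so accept nothing else. This is the
// "do something with numbers" fix the thread hints at, and it also covers
// the regex attempt from the first post without the deprecated ereg().
function parse_id(array $get): ?int {
    if (!isset($get['id']) || !ctype_digit((string) $get['id'])) {
        return null;                      // reject anything that is not 0-9 only
    }
    return (int) $get['id'];
}

function build_query_numeric(array $get): ?string {
    $id = parse_id($get);
    return $id === null ? null : "SELECT * FROM news WHERE id = $id";
}

// Patch C: a prepared statement keeps the value out of the SQL text
// entirely; combined with parse_id() the query never sees a non-integer.
function fetch_news(PDO $db, array $get): ?array {
    $id = parse_id($get);
    if ($id === null) {
        return null;                      // caller answers with 400/404
    }
    $stmt = $db->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id and two malformed ones.
var_dump(parse_id(['id' => '42']), parse_id(['id' => '42abc']), parse_id(['id' => '-1']));
```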
RE: Patch2 isn't working, spoilers.
richohealey (Member, rank: Monster), posted on 10-10-06 06:22
It does have a list of acceptable answers that it compares to; admittedly it should be bigger....


bitchohealey at hotmail dot com skype:richohealey www.psych0tik.net