Join us on Slack!
Things are more like they are now than they have ever been before. - Dwight D. Eisenhower
Monday, October 14, 2019
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 60
Guests Online: 59
Members Online: 1

Registered Members: 118967
Newest Member: Frosh
Latest Articles
View Thread

HellBound Hackers | Challenges | Realistic

Author

Realistic 9

TheShadowbyte
Member



Posts: 8
Location: Canada
Joined: 11.01.14
Rank:
HBH Guru
Posted on 17-02-16 21:58
Hi, I'm working on different SQL injections. I'm aware it's a similar injection as the one on basic 16, but I've been having problems with it. Would I be able to message someone with what I've tried?

Thanks

EDIT: I figured it out. The literal expression that the system is looking for as input is really strict: I tried multiple variations (could've sworn I tried the right answer too), but it took hours to complete because of strict comparison. I suggest if possible to make this challenge a little more flexible with the injections variations that it accepts.

Edited by TheShadowbyte on 18-02-16 02:12
Y T
Author

RE: Realistic 9

Huitzilopochtli
Member



Posts: 1622
Location:
Joined: 19.02.13
Rank:
God
Posted on 19-02-16 04:41
Theres really nothing strict about the challenge only allowing one single injection, the one it accepts should be your second angle of attack in any real sqli scenario, if using numerical based injections fail, just to eliminate the possibility that it could be filtering the user supplied data for simple expressions like 1=1.

I've come across endless badly implemented sql/xss filters, and hastily applied 'fixes' on my travels, that admins have put in place to patch vulnerabilities on their sites, that only really limit or restrict the angle of your attack, as the actual vulnerability still exists, and can still be exploited by a change of tactics.

The sql injection part of the challenge is intended to be an example of just that kind of scenario.

The reason it only accepts a single correct answer should be obvious when you think about it, especially from a process of elimination standpoint.

Anyway, there was/is an issue with the encrypted text in the challenge link, using the one below should fix that till we push the fixes.

https://www.hellboundhackers.org/code/wgetcode.php?id=2154

Edited by Huitzilopochtli on 19-02-16 04:55