Uh oh. Looks like your using an ad blocker.
Our site is support by ads that help to pay our hosting costs. Please disable or whitelist us within your ad blocker to help us keep the site online.
All money generate by ads and donations is used to pay the hosting costs of the site.
View Thread
Author | Realistic 9 | deepfreeze Member

Posts: 5 Location:
Joined: 12.09.16 Rank: God | | This has got to be, by far, the easiest realistic challenge that I've yet to complete.
If this were a real hacking attempt, I'd have no trouble with the injection part (which I'm currently struggling with) since I'd have an actual s** query error instead of " Your on the right track but stick to the mission. "
Can anyone help me with the proper injection? I've read all of the prior forum posts and all of the articles regarding this mission  |
 |
Author | RE: Realistic 9 | Huitzilopochtli Member

Posts: 1644 Location:
Joined: 19.02.13 Rank: God | | It only accepts one hard coded injection, and should be your logical second choice if a target was filtering out numbers from your input.  |
 |
Author | RE: Realistic 9 | deepfreeze Member

Posts: 5 Location:
Joined: 12.09.16 Rank: God | | Huitzilopochtli wrote:
It only accepts one hard coded injection, and should be your logical second choice if a target was filtering out numbers from your input. 
Still no luck :/ If I could at least get a "real" query error returned to me I'd understand wtf I need to be doing lol
[EDIT]: Got it 
Edited by deepfreeze on 01-03-17 20:48 |
 |
Author | RE: Realistic 9 | rex_mundi ☆ Lucifer ☆

Posts: 2018 Location: Scotland
Joined: 20.02.08 Rank: God | | I'd assume even nazis know that leaving error messages turned on, is a bad idea. |
 |
Author | RE: Realistic 9 | deepfreeze Member

Posts: 5 Location:
Joined: 12.09.16 Rank: God | | I remember one of the first sites I ever hacked, WAAAY back in the day, I did it with a sql injection and then found the unencrypted password for admin in the same database and used it to login to their admin-cpanel page (not the CPanel CMS, rather one their freelance web developer put in the site) I think the password was even a permutation of that developer's company name. I kept hacking it over the course of at least a year, each time using the same exact sql injections.
Eventually they finally stored the password as an md5 hash in the database, but I still got it decrypted.
Years later, they kept it in the database but changed the admin-cpanel out for a basic HTTP authentication using (I'd assume) a .htpasswd. But the sql injections still work to get you the old password  |
 |
|