Forced Entry

Discussion of challenges you have already solved
paradox.is.taken
Posts: 14
Joined: Mon Oct 20, 2008 2:04 am

Forced Entry

Post by paradox.is.taken »

Alright, so I solved it, but I am not happy with the solution. I don't know much about SQL, so I basically used the code from here http://sqlzoo.net/hack/ and automated it with Python... Of course, since the password field for Forced Entry seems to escape special characters, I just used the Secure Room form.

But I am sure there is a way to see the values from the error messages SQL gives. Can anyone tell me how that is done, or give me a link of sorts?
gfoot
Posts: 269
Joined: Wed Sep 05, 2007 11:34 pm
Location: Brighton, UK

Post by gfoot »

It's all about what kind of feedback you can get from the site. I'm not aware of any way to get exact results printed back to you, though there are some techniques for some servers, e.g. asking the SQL server to convert a non-numeric string into an int may cause it to print the string in its error message (e.g. MS SQL Server). But any time you find a way to get the response to vary according to whether or not your query succeeded, you can get information back piece by piece, which is roughly what the site you linked to is suggesting.

There are pages and pages of tips for SQL injection attacks against various server types - you should be able to find them easily with Google.
guxx
Posts: 5
Joined: Thu Nov 06, 2008 12:58 pm
Location: Germany

Post by guxx »

I used manual SQL injection attacks and finally managed to get the password published by a MySQL error ("Unknown column 'password' in where clause").

I'm interested in what the SQL statements used on the login page look like.
@adum: Can you post your code here please?

Guido
adum
Posts: 392
Joined: Thu Apr 19, 2007 12:49 pm
Contact:

Post by adum »

Hey, I think I'm not going to post the exact code because it might give things away for similar challenges. But it's pretty straightforward PHP/MySQL queries.
brazzy
Posts: 14
Joined: Fri Nov 07, 2008 2:30 am
Location: Munich, Germany
Contact:

Post by brazzy »

guxx wrote: I used manual SQL injection attacks and finally managed to get the password published by a MySQL error ("Unknown column 'password' in where clause").
How did you manage that? I couldn't think of a way and had to resort to getting the result bit by bit, following the method suggested in this paper:

http://www.ngssoftware.com/papers/sqlinference.pdf
guxx
Posts: 5
Joined: Thu Nov 06, 2008 12:58 pm
Location: Germany

Post by guxx »

brazzy wrote: How did you manage that?
Put the following text in the name field and it exposes the password:
1' UNION ALL SELECT password FROM user/*

Of course this wasn't straightforward and I had to guess the table and column names. It took some time to get there :wink:

Guido
visualq
Posts: 1
Joined: Tue Jun 30, 2009 10:17 pm

Post by visualq »

Wrote an exploit for it.. I never expected the 1' union select password from user \* would try to actually parse the password as a column.. Anyway, the code below did the trick.. (Takes some time as it brute-forces.)

Well seems I can't include the code without generating a 500 error.
therethinker
Posts: 144
Joined: Fri Mar 28, 2008 11:29 pm
Location: #hacker.org on Freenode

Post by therethinker »

I like guxx's method. I did it letter-by-letter, but while I was doing it I figured there must have been a simpler way, considering 70+ people have solved it...
V4hn
Posts: 14
Joined: Tue Nov 27, 2007 12:39 pm
Contact:

Post by V4hn »

Pretty nice challenge.
Got it letter by letter using XXXXXXXXXXX
[edit: I do think this gives away too much after taking a look at the next one]
zjorzzzey
Posts: 11
Joined: Fri Oct 30, 2009 7:31 pm
Location: NL

Post by zjorzzzey »

Couldn't guess the table name :oops:
So I tricked the page into dumping the table name(s) :


' UNION ALL SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'injecto' LIMIT 2,1 UNION SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'asdfasdfasdf
Where injecto is the DB name, which I figured out earlier :wink:

Fiddling with the LIMIT statement, this gave me the right table name. After knowing the name of the database and the table, getting the password wasn't all that hard anymore. Using more or less the same statement as in the code block above, I got the password exposed in the same way as guxx described earlier in this topic ;)
moose
Posts: 67
Joined: Fri Jul 16, 2010 7:32 pm

Post by moose »

Could somebody please tell me what the original SQL statement looked like?

I solved it with this string:

http://www.adum.com/fortknox/index.php? ... E%20'1'='1

admi' UNION SELECT password FROM user WHERE '1'='1

I got to know that the table is called user and has the rows id, name, password. But I don't know WHY the password gets displayed.
Abinmorth
Posts: 4
Joined: Fri Jul 29, 2011 12:32 pm
Location: test

Post by Abinmorth »

I got the answer letter by letter with

admin' AND ASCII(SUBSTRING(password, i, 1))>x -- e

just changing i and x.

But when I got the pass, I couldn't log in ("wrong password") :shock:
It still worked on the challenge description site.
Karian
Posts: 75
Joined: Wed Jan 09, 2008 10:21 am

Post by Karian »

Abinmorth wrote: I got the answer letter by letter with

admin' AND ASCII(SUBSTRING(password, i, 1))>x -- e

just changing i and x.

But when I got the pass, I couldn't log in ("wrong password") :shock:
It still worked on the challenge description site.
That method you used is case insensitive. The result is the same for e.g. 'e' and 'E'. If you want to log in on the site, you need to have an exact match. The challenge site, as with most challenges, strips away the case in your answer.
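Two questions in this thread, moose's "why does the password get displayed?" and Karian's point about case-insensitive comparison, can be answered with one small, runnable model of the login page. The example below is added here and is not adum's code or the challenge's real backend: it assumes the query simply splices the submitted name into a string literal, uses an in-memory SQLite database in place of MySQL, and uses a made-up password. It shows the vulnerable query beside a parameterized one, and a login check under both a case-insensitive collation (what MySQL's default does) and a binary one.

```python
import sqlite3

# Constructed sample data (not the challenge's real values). The thread reports
# a table `user` with columns id, name and password; the password is made up.
SAMPLE_ROWS = [(1, "admin", "GrT8kq")]


def make_db():
    """In-memory SQLite stand-in for the MySQL backend discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_name_vulnerable(conn, name):
    """Assumed shape of the original query: the submitted name is spliced into
    the SQL text. Returns every value the query yields; a page that echoes
    'welcome, <name>' prints the first of these, whatever column it came from."""
    sql = f"SELECT name FROM user WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_name_safe(conn, name):
    """Hardened form: the value is bound as a parameter, so the quote and the
    UNION are ordinary characters in a name that matches no row."""
    sql = "SELECT name FROM user WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def password_matches(conn, name, candidate, case_insensitive):
    """Login check. MySQL's default collation compares strings without regard
    to case, which SQLite's NOCASE collation reproduces; BINARY is an exact
    byte comparison. The collation name comes from a fixed set, never from
    user input, so interpolating it is safe; the values are still bound."""
    collate = "NOCASE" if case_insensitive else "BINARY"
    sql = f"SELECT COUNT(*) FROM user WHERE name = ? AND password COLLATE {collate} = ?"
    return conn.execute(sql, (name, candidate)).fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    payload = "admi' UNION SELECT password FROM user WHERE '1'='1"
    # The spliced query becomes:
    #   SELECT name FROM user WHERE name = 'admi'
    #   UNION SELECT password FROM user WHERE '1'='1'
    # No row is named 'admi', so the only result row is the password column.
    print("vulnerable:", lookup_name_vulnerable(db, payload))
    print("parameterized:", lookup_name_safe(db, payload))
    # Case-insensitive comparison accepts a wrong-case password; binary does not.
    print("nocase accepts 'grt8kq':", password_matches(db, "admin", "grt8kq", True))
    print("binary accepts 'grt8kq':", password_matches(db, "admin", "grt8kq", False))
```

The vulnerable lookup returns the password as if it were a name, which is exactly what moose saw; the parameterized lookup returns nothing for the same input. The second half shows why a password recovered through a case-insensitive comparison can fail against a login that compares bytes exactly: under NOCASE the lower-cased guess passes, under BINARY it does not.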
klogk
Posts: 5
Joined: Fri Dec 23, 2011 3:45 pm

Post by klogk »

I got the answer for this challenge.

But indeed, when I type the password "GRT***" on the page http://www.adum.com/fortknox , it still tells me this password is wrong.
MatRush
Posts: 33
Joined: Fri May 13, 2011 1:26 pm
Location: China
Contact:

Post by MatRush »

klogk wrote: I got the answer for this challenge.

But indeed, when I type the password "GRT***" on the page http://www.adum.com/fortknox , it still tells me this password is wrong.
You must mix the uppercase and lowercase letters.
I can log in as admin with my answer~