Forced Entry

Discussion of challenges you have already solved
klogk
Posts: 5
Joined: Fri Dec 23, 2011 3:45 pm

Post by klogk »

MatRush wrote:
klogk wrote: I got the answer for this challenge.

But indeed, when I type the password "GRT***" on the page http://www.adum.com/fortknox, it still tells me this password is wrong.
You must have mixed up the uppercase and lowercase letters.
I can log in as admin with my answer~

Thanks
haellowyyn
Posts: 6
Joined: Thu Jan 03, 2013 12:13 am

Post by haellowyyn »

I used http://sqlmap.org/. It really is gold.
godefv
Posts: 5
Joined: Tue Jun 11, 2013 11:02 am

Post by godefv »

moose wrote: Could somebody please tell me what the original SQL statement looked like?

I solved it with this string:

http://www.adum.com/fortknox/index.php? ... E%20'1'='1

admi' UNION SELECT password FROM user WHERE '1'='1

I got to know that the table is called user and has the rows id, name, password. But I don't know WHY the password gets displayed.
Haha!
Actually, people who used union here had no clue about what they really did!
Because nothing from the results of the SQL requests is meant to be displayed.

...did you notice there are 2 requests?
This was indeed a very interesting challenge: the result of the first request was used as an injection string in the second!

I could give you more or less the exact code used but apparently, this is not desired by the admin.
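The two-request pattern described in the post above, as an added example that is not part of the original thread and is not the challenge's code: it traces how a value read back by one statement ends up inside the text of the next, next to a version that binds both values as parameters. The `user` table and its columns are the ones named in the thread; the two queries, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names are those quoted in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "admin", "pw1-constructed"), (2, "o'neil", "pw2-constructed")],
    )
    return conn

def lookup_concatenated(conn, name):
    """Hypothetical two-step lookup built by string concatenation.
    Returns (id or None, list of SQL statements actually executed)."""
    trace = []
    first = f"SELECT name FROM user WHERE name = '{name}'"
    trace.append(first)
    row = conn.execute(first).fetchone()
    if row is None:
        return None, trace
    # The value that came back from the database is pasted into the next statement.
    second = f"SELECT id FROM user WHERE name = '{row[0]}'"
    trace.append(second)
    hit = conn.execute(second).fetchone()
    return (hit[0] if hit else None), trace

def lookup_parameterized(conn, name):
    """Same two steps, with the request value and the database value both bound."""
    row = conn.execute("SELECT name FROM user WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    hit = conn.execute("SELECT id FROM user WHERE name = ?", (row[0],)).fetchone()
    return hit[0] if hit else None

# The string quoted in the thread, unchanged.
THREAD_INPUT = "admi' UNION SELECT password FROM user WHERE '1'='1"

if __name__ == "__main__":
    conn = make_db()
    result, trace = lookup_concatenated(conn, THREAD_INPUT)
    for stmt in trace:
        print("executed:", stmt)  # second statement now contains a password column value
    print("concatenated result:", result)
    print("parameterized result:", lookup_parameterized(conn, THREAD_INPUT))
    print("stored name with a quote:", lookup_parameterized(conn, "o'neil"))
```

The parameterized version treats the row returned by the first statement as data too, which is the part a single-query review tends to miss.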