Posted: Thu Feb 09, 2012 7:39 am
by klogk
MatRush wrote: klogk wrote: I got the answer for this challenge,
but indeed when I type the password "GRT***" in the page
http://www.adum.com/fortknox , it still tells me this password is wrong.
you must mixed the Uppercase and lowercase letters.
I can log in as admin with my answer~
Thanks
Posted: Tue Mar 12, 2013 6:24 pm
by haellowyyn
I used http://sqlmap.org/. It really is gold.
Posted: Tue Jul 16, 2013 4:50 pm
by godefv
moose wrote: Could somebody please tell me what the original SQL statement looked like?
I solved it with this string:
http://www.adum.com/fortknox/index.php? ... E%20'1'='1
admi' UNION SELECT password FROM user WHERE '1'='1
I got to know that the table is called user and has the rows id, name, password. But I don't know WHY the password gets displayed.
Haha!
Actually, people who used union here had no clue about what they really did!
Because nothing from the results of the SQL requests is meant to be displayed.
...did you notice there are 2 requests?
This was indeed a very interesting challenge: the result of the first request was used as an injection string in the second!
I could give you more or less the exact code used, but apparently this is not desired by the admin.
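The two-request pattern described in the post above, sketched as an added example that is not part of the thread and is not the challenge's code: a value returned by one query is concatenated into the next, so binding only the first query is not enough. The function names and sample rows are hypothetical; only the table layout (user: id, name, password) and the final test string come from the quoted post.

```python
import sqlite3

def make_db():
    # Constructed sample data; layout follows the quoted post, rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user (name, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("o'neil", "hunter2")])
    return conn

def lookup_half_fixed(conn, name):
    # Query 1 binds its input, so the request value itself is inert.
    row = conn.execute("SELECT name FROM user WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    # Query 2 trusts the database and concatenates the value query 1
    # returned, so that value is parsed as SQL syntax here.
    sql = "SELECT id FROM user WHERE name = '" + row[0] + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_hardened(conn, name):
    # Both queries bind their values; database output is treated as data too.
    row = conn.execute("SELECT name FROM user WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    row = conn.execute("SELECT id FROM user WHERE name = ?", (row[0],)).fetchone()
    return row[0] if row else None

def second_query_breaks(conn, name):
    # True when the chained lookup fails to parse: the symptom of stored
    # data being interpreted as SQL in the second query.
    try:
        lookup_half_fixed(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(second_query_breaks(db, "o'neil"), lookup_hardened(db, "o'neil"))
```

A harmless stored name containa quote is enough to expose the flaw in review or testing: the half-fixed lookup raises a syntax error on it, while the fully bound version returns the row.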