Forced Entry

paradox.is.taken · Post by **paradox.is.taken** » Sat Nov 22, 2008 10:42 am

alright so I solved but I am not happy with the solution. I don't know much about SQL so basically used the code from here http://sqlzoo.net/hack/ and automized it with python... Of course since the password field for forced entry seems to escape special characters I just used the Secure Room form.

But I am sure there is a way to see the values from the error messages SQL gives. Can anyone tell me how is that done? or give me a link of sorts.

gfoot · Post by **gfoot** » Sat Nov 22, 2008 11:35 am

It's all about what kind of feedback you can get from the site. I'm not aware of any way to get exact results printed back to you, though there are some techniques for some servers, e.g. asking the sql server to convert a non-numeric string into an int may cause it to print the string in its error message (e.g. MS SQL Server). But any time you find a way to get the response to vary according to whether or not your query succeeded, you can get information back piece by piece, which is roughly what the site you linked to is suggesting.

There are pages and pages of tips for SQL injection attacks against various server types - you should be able to find them easily with Google.

guxx · Post by **guxx** » Wed Nov 26, 2008 6:29 am

I used manual SQL injection attacks and finally managed to get the password published by an MySQL error ("Unknown column 'password' in where clause").

I'm interested in how the used SQL statements look like on the login page.
@adum: Can you post your code here please?

Guido

Post by **adum** » Wed Nov 26, 2008 8:02 am

hey, i think i'm not going to post the exact code because it might give things away from similar challenges. but it's pretty straightforward php/mysql queries.

brazzy · Post by **brazzy** » Mon Dec 15, 2008 10:52 pm

guxx wrote:I used manual SQL injection attacks and finally managed to get the password published by an MySQL error ("Unknown column 'password' in where clause").

How did you manage that? I couldn't think of a way and had to resort to getting the result bit by bit following the method suggested in this paper:

http://www.ngssoftware.com/papers/sqlinference.pdf

guxx · Post by **guxx** » Mon Dec 15, 2008 11:53 pm

How did you manage that?

Put the following text in the name field and it exposes the password:
1' UNION ALL SELECT password FROM user/*

Of course this wasn't straightforward and I had to guess the table and column names. It took some time to get there

Guido

visualq · Post by **visualq** » Fri Jul 03, 2009 7:09 pm

Wrote an exploit for it.. I neve expected the 1' union select password from user \* would try to actually parse the password as a column.. Anyway the code below did the trick.. (Takes some time as it bruteforces)

Well seems I can't include the code without generating a 500 error.

therethinker · Post by **therethinker** » Sun Jul 05, 2009 2:37 am

I like guxx's method. I did it letter-by-letter, but while I was doing it I figured there must have been a simpler way, considering 70+ people have solved it...

V4hn · Post by **V4hn** » Sat Aug 08, 2009 7:51 pm

pretty nice challenge
got it letter by letter using XXXXXXXXXXX
[edit: I do think this gives away too much after taking a look at the next one ]

zjorzzzey · Post by **zjorzzzey** » Mon Mar 01, 2010 7:45 pm

Couldn't guess the table name

So I tricked the page into dumping the table name(s) :

Code: Select all

' UNION ALL SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'injecto' LIMIT 2,1 UNION SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'asdfasdfasdf

Where injecto is the DB name, which I figured out earlier

Fiddling with the LIMIT statement this gave me the right table name. After knowing the name of the database and the table, getting the password wasn't all that hard anymore. Using more or less the same statement as in the code-block above, I got the password exposed in the same way as guxx described earlier in this topic;)

moose · Post by **moose** » Tue Aug 30, 2011 5:52 pm

Could somebody please tell me how the original SQL-statement looked like?

I solved it with this string:

http://www.adum.com/fortknox/index.php? ... E%20'1'='1

admi' UNION SELECT password FROM user WHERE '1'='1

I got to know that the table is called user and has the rows id, name, password. But I don't know WHY the password gets displayed.

Abinmorth · Post by **Abinmorth** » Tue Sep 13, 2011 6:38 am

I got the answer letter for letter with

admin' AND ASCII(SUBSTRING(password, i, 1))>x -- e

just changing i and x

but when I got the pass, I couldnt log in ("wrong password")

it still worked on the challenge description site

Karian · Post by **Karian** » Tue Sep 13, 2011 8:08 am

Abinmorth wrote:I got the answer letter for letter with

admin' AND ASCII(SUBSTRING(password, i, 1))>x -- e

just changing i and x

but when I got the pass, I couldnt log in ("wrong password")
it still worked on the challenge description site

That method you used is case insensitive. The result is the same for eg 'e' and 'E'. If you want to log in on the site, you need to have an exact match. The challenge site like with most challenges strips away the cases in your answer.

klogk · Post by **klogk** » Mon Feb 06, 2012 12:26 pm

I got the answer for this challenge.

but indeed when I type the password "GRT***" in the page: http://www.adum.com/fortknox , it still tell me this password is wrong.

MatRush · Post by **MatRush** » Mon Feb 06, 2012 5:08 pm

klogk wrote:I got the answer for this challenge.

but indeed when I type the password "GRT***" in the page: http://www.adum.com/fortknox , it still tell me this password is wrong.

you must mixed the Uppercase and lowercase letters.
I can login as admin by my answer~