Inscrutable

evilredi · Post by **evilredi** » Thu Jan 29, 2009 1:57 am

Hi,
can anybody give some hints about this challenge? ( I know probably 9 user could do

)

The first two (Secure Room and Forced entry) were no big problems for me but that seems much harder. I can't find a way to communicate with the Server or DB.
Is it in general the same way as the last two?

Thanks, anyway

greetings

evilredi

MerickOWA · Post by **MerickOWA** » Thu Jan 29, 2009 11:17 pm

The problem is the same, the server is better about preventing error messages. You must find way to still extract the password without much if any indication as to success.

m!nus · Post by **m!nus** » Sat Feb 14, 2009 10:34 pm

putting /* causes "no comments" which looks like some error, but it makes totally no sense, can't do anything with it, and since # and -- dont work it is kinda very strange.

MerickOWA · Post by **MerickOWA** » Mon Feb 16, 2009 2:17 am

I believe the server checks the input to the sql server and rejects certain patterns. /* comments must be one of them. BENCHMARK() is another no-no. Try something else

m!nus · Post by **m!nus** » Sat Feb 21, 2009 11:31 pm

i have no idea how to make it error other than via forbidden strings.
god damnit, why don't i know anyone with web/network security expierience

theStack · Post by **theStack** » Sun Mar 08, 2009 3:06 am

After trying any username and password combination and submitting I get this:

Code: Select all

Fatal error: Call to undefined function: stripos() in /home/.fabian/adum/html/adum/inscrutable/index.php on line 26

I guess this is a bug? Or is this indeed part of the challenge?

m!nus · Post by **m!nus** » Sun Mar 08, 2009 2:19 pm

that's seriously strange, how can a function from the PHP core be missing

theStack · Post by **theStack** » Sun Mar 08, 2009 2:43 pm

m!nus wrote:that's seriously strange, how can a function from the PHP core be missing

Since stripos() is only available from PHP 5 I guess adum (or the provider of the webspace) has changed back to an older version. Would be nice if that could be fixed!

In the meantime I try to improve my internet security skills in another way - at this point my skills would be too lame for the challenge anyway (regarding the other posts in this thread

)

m!nus · Post by **m!nus** » Sun Mar 08, 2009 4:00 pm

oh yeah, PHP 4.4.7 is installed (as seen in the server sig)

Post by **adum** » Mon Mar 09, 2009 2:42 am

that should be fixed now... on php5 now.

m!nus · Post by **m!nus** » Mon Mar 09, 2009 4:31 pm

server sig says negative, still PHP 4, but it works now