Inscrutable
Posted: Thu Jan 29, 2009 1:57 am
by evilredi
Hi,
can anybody give some hints about this challenge? (I know, probably 9 users could do)
The first two (Secure Room and Forced entry) were no big problems for me but that seems much harder. I can't find a way to communicate with the Server or DB.
Is it in general the same way as the last two?
Thanks, anyway
greetings
evilredi
Posted: Thu Jan 29, 2009 11:17 pm
by MerickOWA
The problem is the same; the server is better about preventing error messages. You must find a way to still extract the password without much, if any, indication as to success.
Posted: Sat Feb 14, 2009 10:34 pm
by m!nus
putting /* causes "no comments" which looks like some error, but it makes totally no sense, can't do anything with it, and since # and -- don't work it is kinda very strange.
Posted: Mon Feb 16, 2009 2:17 am
by MerickOWA
I believe the server checks the input to the SQL server and rejects certain patterns. /* comments must be one of them. BENCHMARK() is another no-no. Try something else.
Posted: Sat Feb 21, 2009 11:31 pm
by m!nus
i have no idea how to make it error other than via forbidden strings.
god damnit, why don't i know anyone with web/network security experience
Posted: Sun Mar 08, 2009 3:06 am
by theStack
After trying any username and password combination and submitting I get this:
Fatal error: Call to undefined function: stripos() in /home/.fabian/adum/html/adum/inscrutable/index.php on line 26
I guess this is a bug? Or is this indeed part of the challenge?
Posted: Sun Mar 08, 2009 2:19 pm
by m!nus
that's seriously strange, how can a function from the PHP core be missing
Posted: Sun Mar 08, 2009 2:43 pm
by theStack
m!nus wrote: that's seriously strange, how can a function from the PHP core be missing
Since stripos() is only available from PHP 5, I guess adum (or the provider of the webspace) has changed back to an older version. Would be nice if that could be fixed!
In the meantime I try to improve my internet security skills in another way - at this point my skills would be too lame for the challenge anyway (regarding the other posts in this thread)
Posted: Sun Mar 08, 2009 4:00 pm
by m!nus
oh yeah, PHP 4.4.7 is installed (as seen in the server sig)
Posted: Mon Mar 09, 2009 2:42 am
by adum
that should be fixed now... on php5 now.
Posted: Mon Mar 09, 2009 4:31 pm
by m!nus
server sig says negative, still PHP 4, but it works now