Please ask questions ONLY in this topic.

Racist pigs are organizing an 'anti-immigrant' rally in Chicago. Help anti-racist activists take over their website!

Re: Please ask questions ONLY in this topic.

Post by TitaniumSparrow on Fri Apr 25, 2014 10:24 am
([msg=80430]see Re: Please ask questions ONLY in this topic.[/msg])

monked wrote:Just finished this one, you dont need to know the username, you just need to put something there; then get the desired boolean value you need. ;)


I was so close with answers like this. Thank you to all who have posted them.

In addition, I would only add, that "put something there" was half of it, I needed to "put something" (that same something) somewhere else as well before succeeding. This was the key part I was missing.
TitaniumSparrow
New User
New User
 
Posts: 2
Joined: Thu Apr 24, 2014 7:48 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by Secret Combo on Tue May 06, 2014 5:37 pm
([msg=80565]see Re: Please ask questions ONLY in this topic.[/msg])

It took awhile for me to figure it out, but that was actually a good thing! I learned a lot about SQL and SQL injection in the process.

This link helps with the mission itself the most:
http://www.securiteam.com/securityrevie ... 1P76E.html

This link (at least for me) made SQL injection make sense and understandable!
http://www.thisislegal.com/tutorials/3
Secret Combo
New User
New User
 
Posts: 1
Joined: Tue May 06, 2014 5:34 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by bvanderpijpen on Fri Jul 04, 2014 5:31 am
([msg=81962]see Re: Please ask questions ONLY in this topic.[/msg])

Hello,

I managed to solve this, but don't understand for 100% why it worked. I don't want to give away spoilers, so can I PM someone with what I did so that person can explain why it worked?
bvanderpijpen
New User
New User
 
Posts: 3
Joined: Fri Jul 04, 2014 4:23 am
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by cyberdrain on Fri Jul 04, 2014 5:36 pm
([msg=81975]see Re: Please ask questions ONLY in this topic.[/msg])

Go ahead.
Free your mind / Think clearly
User avatar
cyberdrain
Contributor
Contributor
 
Posts: 821
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by nannan on Sat Jul 26, 2014 5:54 pm
([msg=82527]see Re: Please ask questions ONLY in this topic.[/msg])

Hey all, i kind of new here. I just finished realistic mission 2, but i didn't understand much about what really happened.. So, I took this simple code and tried to hack it the same way i did with this mission. But didn't have much success. Can somebody help me with this? (i use xampp to work with php files)

Code: Select all
<html>
<head>
<title>Form</title>
</head>
<body>
<h1>Enter your name</h1>
<form method="post" action="handler.php">
<input type="text" name="username">
<input type="submit">
</form>
</body>
</html>


Here is the handler.php
Code: Select all
<html>
<head>
<title>Form</title>
</head>
<body>
<h1>Hello <?php echo "Your name is ".$_POST["username"]?></h1>
</body>
</html>
hi am new so plz dont troll me or i report 2 the HTS mods ty
nannan
New User
New User
 
Posts: 2
Joined: Sat Jul 26, 2014 5:27 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by -Ninjex- on Sun Jul 27, 2014 1:55 am
([msg=82528]see Re: Please ask questions ONLY in this topic.[/msg])

You will not be able to "Hack" the code you posted above in the same manner as Realistic 2. For realistic 2 you did a SQL Injection, which requires the PHP script to query a database of users.
Which probably looked something like:
Code: Select all
$user = $_POST['username'];
$client = new mysqli('localhost', 'guest', 'pass', 'login_table');
$query = <<<SQL
    SELECT *
    FROM `users`
    WHERE `user_name` = $user
SQL;

if(!$result = $client->query($query)){
    die('Error: [' . $db->error . ']');
}

while($row = $result->fetch_assoc()){
    echo $row . '<br />';
}

$result->free();
$db->close();


However, you should be able to pull off some XSS/CSRF/Redirect attacks with the code you posted above.

Play around in the link below and go learn about SQL if you didn't understand how Realistic Mission 2 was solved:
http://sqlfiddle.com/#!2/d307c/5
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1236
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by nannan on Tue Jul 29, 2014 9:15 am
([msg=82557]see Re: Please ask questions ONLY in this topic.[/msg])

ohh, i kinda understand what you are saying.. yes, maybe if i study about sql a bit more, i will understand better.. :) Thanks -Ninjex-
hi am new so plz dont troll me or i report 2 the HTS mods ty
nannan
New User
New User
 
Posts: 2
Joined: Sat Jul 26, 2014 5:27 pm
Blog: View Blog (0)


Re: Please ask questions ONLY in this topic.

Post by -Ninjex- on Wed Jul 30, 2014 8:27 am
([msg=82575]see Re: Please ask questions ONLY in this topic.[/msg])

nannan wrote:ohh, i kinda understand what you are saying.. yes, maybe if i study about sql a bit more, i will understand better.. :) Thanks -Ninjex-


Heehee, I would suggest not going on until you fully understand though :D
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1236
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Previous

Return to (Real 2) Chicago American Nazi Party

Who is online

Users browsing this forum: No registered users and 0 guests