Please ask questions ONLY in this topic.

by **Rename** on Thu Aug 29, 2013 3:07 am ([msg=77104]see Re: Stuck[/msg])

fashizzlepop wrote:
Rename wrote:
GTADarkDude wrote:You don't need to find a password.
Google SQL Injection

what do oyu mean by that i can\t seem to login

There, read it again.

I still don't get it xP. I tried it empty it doesn't work .

Did you google SQL Injection and spend time reading up on it?

by **-Ninjex-** on Thu Aug 29, 2013 3:02 pm ([msg=77107]see Re: Stuck[/msg])

Rename wrote:I still don't get it xP. I tried it empty it doesn't work .

Spend some time reading up on how to use google: http://www.googleguide.com/

To learn more about SQLi, wiki is helpful: http://en.wikipedia.org/wiki/SQL_injection

Feel free to make use of the reference links on the bottom of the wiki page as well.

I looked at the HTS articles and that helped a tad but not enough. I was told by multiple sites that the key was to use ( ' or 1=1--) as the username and password.. I tried several combinations but nothing seems to work!? Could someone please tell me where I went wrong with the sql?

Just finished this one, you dont need to know the username, you just need to put something there; then get the desired boolean value you need.

Hello,

I know how to solve this challenge, but whenever I try, I get logged out from hackthissite.org, which brings me to the "require_auth" error screen.

Google tells me other people have had this problem before, but I didn't find a solution. I have tried restarting Firefox and deleting my cookies, achieving nothing.

The problem does not occur when I re-solve a mission I already completed.

What can I do to resolve this?

- arivor

PS: Took me a while to even try an SQL injection since that site seems so small. I'd expected a simpler form of authorization, like in the basic challenges.

EDIT: Just solved realistic mission #3, and the problem does not occur there. However, mission #2 still logs me out.
EDIT2: Also happens with realistic mission #8.
EDIT3: Incidentally, both #2 and #8 log me out on entering an SQL injection. No idea if correlation implies causation here.

Hi... Im not sure if this questions means much. I was working on realistic 2 and managed to get the script with function(crx) open on the update.php page.

this is what I found:

Code: Select all: (function (crx) { if (window.__injectedInjector) return; window.__injectedInjector = true; function htmlescape(str) { return str.replace(/\W/g, function(c) { return "&#" + c.charCodeAt() + ";"; }); } function askUser(path, msg){ var returnValue = {}; msg.token = Math.random(); msg.crx = crx; msg.origin = location.origin; msg.file = path; onmessage = function(e){ if (e.data.token == msg.token) { returnValue = e.data; } }; showModalDialog("data:text/html,<script src=\"" + crx + "/framedialog.js\"></script><plaintext>#"+JSON.stringify(msg)); return returnValue; } if (typeof window.TAMPER_INSPECT == "undefined") { window.TAMPER_INSPECT = true; // Capture XHR. var xhr = window.XMLHttpRequest; window.TAMPER_INSPECT_XHR = xhr; var super_ = new xhr; window.XMLHttpRequest = function() { var USER_CONFIRMING = false; this.method_ = ""; this.url_ = ""; this.async_ = undefined; this.data_ = ""; this.headers_ = []; this.headers_index_ = {}; this.responseHeaders_ = undefined; this.responseHeadersText_ = ''; this.open = function(method, url, async) { USER_CONFIRMING = false; this.data_ = ""; this.headers_ = []; this.headers_index_ = {}; this.responseHeaders_ = undefined; this.responseHeadersText_ = ''; var ret = super_.open.apply(this, [].slice.call(arguments)); this.method_ = String(method); this.url_ = String(url); this.async_ = async; return ret; } this.send = function(data) { this.data_ = data; var res = askUser("/xhr.html", { method: this.method_, url: this.url_, async: this.async_, data: this.data_, headers: this.headers_ }); if (res.debug) { debugger; } if (res.cancel) { return; } if (res.modified) { super_.open.call(this, res.method, res.url, res.async); var me = this; res.headers.forEach(function(header){ super_.setRequestHeader.call(me, header.name, header.value); }); return super_.send.call(this, res.data); } return super_.send.apply(this, [].slice.call(arguments)); }; this.setRequestHeader = function(header, value) { var ret = super_.setRequestHeader.call(this, header, value); var normalized = normalize(header); var index = this.headers_index_[normalized]; if (typeof index == "number") { this.headers_[index] = {name: header, value: value}; } else { index = this.headers_.push({name: header, value: value}); this.headers_index_[normalized] = index; } return ret; }; this.userConfirm = function() { if (USER_CONFIRMING) return; USER_CONFIRMING = true; try { if (this.readyState != 4) { // not ready to ask the user. USER_CONFIRMING = false; return; } var ret = askUser("/xhr_response.html", { responseText: this.responseText, headers: this.getAllResponseHeaders(), status: this.status, readyState: this.readyState, url: this.url_ }); if (ret.cancel) { this.responseText_ = ''; this.responseHeaders_ = {}; this.responseHeadersText_ = ''; this.status_ = undefined; } if (ret.modified) { this.responseText_ = ret.responseText; this.responseHeaders_ = splitHeaders(ret.headers); this.responseHeadersText_ = ret.headers; this.status_ = ret.status; } if (ret.debug) { debugger; } } catch(e) {} }; var me = this; function splitHeaders(res) { var headers = {}; res.replace(/(?:^|\n)([^:]*)(?::\ ?)(.*)(?:\n|$)/g, function(_, header, value) { headers[normalize(header)] = value; }); return headers; } function normalize(header) { return header.replace(/[^a-zA-Z0-9_-]/g, '').toLowerCase(); } function hijack(property, opt_checker) { Object.defineProperty(me, property, { configurable: true, get: function(){ delete me[property]; // Allow the user to change the response! if (!opt_checker || !opt_checker(me[property])) { me.userConfirm(); } if (me.hasOwnProperty(property+"_")) { return me[property+"_"]; } return me[property]; } }); } hijack("responseText"); hijack("status"); hijack("readyState", function(v){ return v == 4; }); this.getResponseHeader = function(header) { this.userConfirm(); var normalized = normalize(header); if (this.responseHeaders_ && this.responseHeaders_.hasOwnProperty(normalized)) { return this.responseHeaders_[normalized]; } return super_.getResponseHeader.apply(this, [].slice.call(arguments)); }; this.getAllResponseHeaders = function() { this.userConfirm(); if (this.responseHeaders_) { // Return our copy instead of calling super. return this.responseHeadersText_; } return super_.getAllResponseHeaders.apply(this, [].slice.call(arguments)); }; }; window.XMLHttpRequest.prototype = super_; window.XMLHttpRequest.toString = function() { return "function XMLHttpRequest() { [injected code] }"; }; // Capture <form> submissions. var origAddEventListener = Node.prototype.addEventListener; function kidnapForm(form) { if (!form.TAMPER_INSPECT) { form.TAMPER_INSPECT = true; origAddEventListener.call(form, "submit", function() { var fields = []; var elems = this.elements; for(var i=0 ;i<elems.length; i++) { var elem = elems[i]; if (elem.type.toLowerCase() == "submit" && elem.form.lastClicked != elem) { continue; } if (elem.disabled) { continue; } fields.push({name: elem.name, value: elem.value}); } if (this.lastClicked instanceof HTMLInputElement && this.lastClicked.type.toLowerCase() == "image") { var prefix = this.lastClicked.name ? this.lastClicked.name + "." : ""; fields.push({ name: prefix + "x", value: this.lastClicked.lastEvent.x, readOnly: true}); fields.push({ name: prefix + "y", value: this.lastClicked.lastEvent.y, readOnly: true}); if (this.lastClicked.value) { fields.push({name: this.lastClicked.name, value: this.lastClicked.value}); } } var ret = askUser('/form.html', { action: this.action, method: this.method, fields: fields }); if (ret.cancel) { e.preventDefault(); e.stopPropagation(); e.stopImmediatePropagation(); return; } if (ret.modified) { // change the response. this.action = ret.action; this.method = ret.method; ret.fields.forEach(function(field){ if (!field.readOnly) { var elem = form.elements[field.name]; if (elem) { if (field.remove) { elem.disabled = true; setTimeout(function(){ elem.disabled = false; }, 1); } var originalValue = elem.value; elem.value = field.value; setTimeout(function(){ elem.value = originalValue; }, 1); } else { var elem = document.createElement("input"); elem.type = "hidden"; elem.name = field.name; elem.value = field.value; form.appendChild(elem); setTimeout(function(){ elem.parentNode.removeChild(elem); }, 1); } } }); } if (ret.debug) { debugger; } }, true); } var elems = form.elements; for(var i=0 ;i<elems.length; i++) { var elem = elems[i]; if (elem instanceof HTMLInputElement && !elem.TAMPER_INSPECT) { elem.TAMPER_INSPECT = true; origAddEventListener.call(elem, "click", function(e){ this.form.lastClicked = this; this.lastEvent = e; }, true); } } } // We need to do this in case someone programatically creates a form and adds // an event listener (since we need to be the first event listener). Node.prototype.addEventListener = function(eventName) { if (this instanceof HTMLFormElement) { kidnapForm(this); return origAddEventListener.apply(this, [].slice.call(arguments)); } } // We need to do this in case someone programatically creates a form and tries // to submit it. var origSubmit = HTMLFormElement.prototype.submit; HTMLFormElement.prototype.submit = function() { kidnapForm(this); return origSubmit.apply(this, [].slice.call(arguments)); }; // We need to hijack all existing forms. var forms = document.forms; for (var i=0; i<forms.length; i++) { kidnapForm(forms[i]); } // We need to hijack all new forms. document.addEventListener("DOMSubTreeModified", function(e) { if (e.target instanceof HTMLFormElement) { kidnapForm(e.target); } else if (e.target.form && e.target.form instanceof HTMLFormElement) { kidnapForm(e.target.form); } }); } return true; })(unescape('chrome-extension%3A//hifhgpdkfodlpnlmlnmhchnkepplebkb'));

I was just wondering if that was something that should be accessible. I dont know enough to tell if that is important at all or not. Maybe im over thinking it lol... Thanks in advance for any responses!

Is http://www.americannaziparty.com/http://www.anp14.com actually part of this challenge? I read up on them on Wikipedia and these websites seem to match what Wikipedia says about them. However, they both seem to be kinda vulnerable (i.e. they didn't turn directory listing off, as to be seen at http://www.americannaziparty.com/support/gifs/)

jazzpi

I doubt it, though Poe's law might apply. If they were, the mission would probably be hosted there rather than on HTS.

So to make this easy for anyone else who stumbles through this and think's they'll never figure it out, every link provided has the answer. They were poorly explained however. I found http://sqlzoo.net/hack/index.html to work the best as far as explanation of how it works and what each comment does.

Please ask questions ONLY in this topic.

Re: Stuck

Re: Please ask questions ONLY in this topic.

Re: Stuck

Re: Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Re: Please ask questions ONLY in this topic.

Who is online