Please ask questions only in this topic.

Re: Please ask questions only in this topic.

Post by firextin87 on Fri Mar 21, 2014 9:30 am

Hi all...
OK, I solved this mission, but there is something not so clear to me: the final part of the mission. I don't understand why I need to use "that symbol" to retrieve the admin account. I tried to figure out the system; I think that the page m******r.c** uses a SQL query to retrieve the information, and I suppose this query is: SELECT * FROM [tab_name] WHERE username=[id], so if I use the parameter I used, the query would be: SELECT * FROM [tab_name] WHERE username=[the_symbol_I_used]. What I can't understand is why this query works with that symbol :(
I hope I explained, and please excuse me for my bad English.

Great Mission

Post by horrorshow1984 on Sat May 24, 2014 3:39 am

Thanks for this great challenge, that was so cool =)

Re: Please ask questions only in this topic.

Post by Zanna1x9x on Sun Aug 16, 2015 12:21 pm

I've completed this mission, but, like firextin87, I still don't understand why the use of "that symbol" lets me see the admin's data.
Is there someone I can PM to get some more information?

Re: Please ask questions only in this topic.

Post by muddassir on Fri Jan 01, 2016 4:06 pm

Hello Fellow Hackers,
I just fiddled through all the pages and after I came to the forum, the first post I read was about "poison null byte". How did you people even get the idea of utilizing this technique here? That's my question

Re: Please ask questions only in this topic.

Post by h2athts on Wed Feb 24, 2016 3:02 pm

Hey all. For those of you who are stuck: forget trying to bypass the Perl check script in m********.**i, as it can give you a valid id but not the one you need. If you follow that path, just compare the script input with all the functions in the script itself and try them out until you get a positive match. All you need is in that Perl script.
After that, don't forget this might not be related to SQL, and the script is taking other functions from another kind of database script that might be simple, like this symbol you use to get all possible names in queries.

Re: Please ask questions only in this topic.

Post by Faithe25 on Sun Mar 20, 2016 8:24 pm

Hey everyone,

I used the NULL byte to view the source of a specific CGI file. I wrote a simple Java program to determine the correct id, and was able to log in to that CGI file. I was able to find an admin username and password. However, when I log in using these credentials I see a page that says "...and of course... It's not that easy to beat this mission."

Could someone please point me in the right direction from here?

Also, I do not know Perl, so I may have missed a few things in those scripts.

Thanks for your help, everyone!


NVM: There were cookie issues....

Re: Please ask questions only in this topic.

Post by conscience on Mon Jul 04, 2016 2:09 am

It's been a while since I've completed 'the reals', so I decided to go at them again.
I now feel embarrassingly stupid :lol:
This mission is incredibly easy! Yet I spent hours trying to figure out what to do! Although I didn't remember anything about this, it should have taken like 5-10 minutes or so. I 'walked by' the file that gave me the admin username at least twice without noticing it is what I'm missing. When it suddenly hit me, it hurt. Especially so when I realized how much I poked around in vain searching for this info.

Once you figure out you can leverage n***.cgi to look around the files and folders, it's really a piece of cake.
You see some CGI files of importance, the source of one of which tells you it'll let you in if you can match a certain range of integers. Well, I simply replicated the functionality in JavaScript (5 lines of code) and since the algorithm is straightforward, it was fairly easy and quick to figure out what to throw at the page to gain access to user info.
Now you need to find who the admin is to be able to query him, and if you're like me, you'll take a look (or several) at the file key to this, go on, and then pull out all your hair when you realize your own stupidity :mrgreen:
As soon as you have the username of the admin, you make the query, and, now knowing far more about him than you need, you just need to log in...

Five easy steps, really:
1. You find script1, the one to be used for looking around
2. You find script2, which will give you user info once you get in
3. You analyze the source and quickly figure out an 'id' that'll let you in
4. You find the file with the username of the admin and slap yourse... erm... I mean you use this info to query him
5. You log in with admin credentials and go to script3

This was ultra fun! :geek:

[EDIT]
muddassir wrote: Hello Fellow Hackers,
I just fiddled through all the pages and after I came to the forum, the first post I read was about "poison null byte". How did you people even get the idea of utilizing this technique here? That's my question

Well, if you have never heard about or experienced the phenomenon, you have minuscule chances of figuring it out. On the other hand, if you know such things exist, it's kind of automatic to check how the app reacts if you try to terminate a string in the middle. It's a very basic technique. I don't remember if there exists a Basic mission about it, I think there's none alike, but it'd definitely be a must have.
Let him who has understanding recount the number of the beast, for it is a human number: His number is 0x029A.
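
The "terminate a string in the middle" behaviour discussed above, seen from the side of whoever has to fix the script: an added example, not code from the thread or the mission. It shows why a suffix check on the whole parameter disagrees with what a NUL-terminated file API opens, and a validator that closes the gap. `BASE_DIR`, `ALLOWED_SUFFIX`, the function names and the sample inputs are all hypothetical.

```python
import os

BASE_DIR = "/var/www/pages"   # assumption: hypothetical content directory
ALLOWED_SUFFIX = ".html"      # assumption: the viewer should only serve .html pages

def c_string_view(value: str) -> str:
    """What a NUL-terminated C API (such as open(2)) sees: everything before the first NUL."""
    return value.split("\x00", 1)[0]

def naive_check(param: str) -> bool:
    """Flawed check: inspects the full string, while the OS acts on c_string_view(param)."""
    return param.endswith(ALLOWED_SUFFIX)

def safe_resolve(param: str) -> str:
    """Return an absolute path inside BASE_DIR, or raise ValueError."""
    # Reject NUL and every other control character before any other logic runs.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in param):
        raise ValueError("control character (including NUL) in parameter")
    if not param.endswith(ALLOWED_SUFFIX):
        raise ValueError("unexpected file type")
    # Canonicalise, then confirm the result is still under the content directory.
    full = os.path.normpath(os.path.join(BASE_DIR, param))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError("path escapes content directory")
    return full

def is_rejected(param: str) -> bool:
    try:
        safe_resolve(param)
        return False
    except ValueError:
        return True

# Constructed sample inputs (not taken from the mission).
SAMPLES = ["news.html", "script.cgi\x00.html", "../secret.html"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive check passes={naive_check(s)}, "
              f"OS would open {c_string_view(s)!r}, hardened rejects={is_rejected(s)}")
```
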