Please ask questions ONLY in this topic.

FAP is a company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.

Re: I found the list...

Post by padpad on Tue May 13, 2008 6:21 am

Me three. Totally confused.


Working On Finding Emails

Post by TomSharp on Thu May 15, 2008 2:14 pm

Hello, I'm a little stuck with the Fischer's Animal Products problem. So far, I see that there is an enter email box, which presumably performs an INSERT SQL statement with the data you give it. But it seems to sanitize the input so I've had no success using SQL injection to return a page full of emails. Also, the website is based upon PHP, so I assume there is some way of using this to query the database but I don't know what it is. Maybe insert a PHP statement into one of the pages? I'm a little out of my depth, pointers would be great.
Thanks,
Tom


Re: A lil Help...

Post by lbearl on Fri May 16, 2008 12:24 am

I attempted to play with the other links and got an image to come up, but image src=.jpg... which is not so good. Any hints?


Re: Working On Finding Emails

Post by flapchunk on Fri May 16, 2008 12:17 pm

I'm in the same boat. My attempts at a SQL injection have failed in the INSERT statement.


Re: Working On Finding Emails

Post by l33tm4st3rhu99z on Fri May 16, 2008 2:14 pm

I'm having issues here too, however, I was able to find the injection vulnerability. I can confirm that it does appear that the input into the text box is sanitized and, therefore, not useful for launching an injection attack.

Having found a weak point, however, I still can't figure out how to view the email addresses. My experience at exploiting things is rather minimal, and the various resources that I'm finding on injecting SQL aren't helping a whole lot. I could really use a pointer from "Little Bobby Tables" right about now. Haha.


Re: Working On Finding Emails

Post by TomSharp on Fri May 16, 2008 2:43 pm

l33tm4st3rhu99z wrote: I'm having issues here too, however, I was able to find the injection vulnerability. I can confirm that it does appear that the input into the text box is sanitized and, therefore, not useful for launching an injection attack.

Having found a weak point, however, I still can't figure out how to view the email addresses. My experience at exploiting things is rather minimal, and the various resources that I'm finding on injecting SQL aren't helping a whole lot. I could really use a pointer from "Little Bobby Tables" right about now. Haha.


Little Bobby Tables is busy repairing the school database in detention right now. How about you hint at how you found the injection point, and when I get there I can see if I can help figure out the right query to execute.
Tom


Re: Working On Finding Emails

Post by l33tm4st3rhu99z on Fri May 16, 2008 3:20 pm

Hinting... I'll see if I can remember how to do that. ;) In order to be talking about SQL Injections, I must assume that one knows how the vulnerability works... once one has even a basic understanding, they should be able to reason that ANY un-sanitized input path is USDA certified choice meat for an injection attack. ANY!! And by any, in this circumstance, I am referring to more than just HTML form text boxes.


Re: Working On Finding Emails

Post by wolfganga on Sat May 17, 2008 7:05 am

well, got 9 mail addresses but what to do with them?


Re: I found the list...

Post by barretp on Sat May 17, 2008 12:02 pm

same here. I can't seem to be able to submit them


Re: A lil Help...

Post by johnnyfastfinger on Sat May 17, 2008 12:27 pm

Hi there,

I tried the following:

SELECT * FROM `email` ORDER BY `email`;
SELECT * FROM `products` WHERE `category`='1' AND `category`='2' UNION SELECT * FROM `email` ORDER BY 'email'

Am I on the right track?

J
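Added example (not part of any post in this thread, and not the challenge site's code): a Python/sqlite3 sketch of the point made above that every input path into a query matters, not only the form text box. The schema, rows, function names and the sample input are constructed; it puts a products query built by string concatenation beside the parameter-bound, allow-listed version and feeds both the kind of UNION input tried in the thread.

```python
import re
import sqlite3

# Constructed input modelled on the UNION attempt quoted in the thread.
UNION_INPUT = "0 UNION SELECT email FROM email"

def make_db():
    """In-memory stand-in database; schema and rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, category INTEGER);
        CREATE TABLE email (email TEXT);
        INSERT INTO products VALUES ('belt', 1), ('gloves', 1), ('coat', 2);
        INSERT INTO email VALUES ('a@example.test'), ('b@example.test');
    """)
    return db

def products_unsafe(db, category):
    """Before: the request parameter is concatenated into the SQL text."""
    sql = "SELECT name FROM products WHERE category = " + category
    return [row[0] for row in db.execute(sql)]

def products_bound(db, category):
    """After: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in db.execute(sql, (category,))]

def products_safe(db, category):
    """Bound parameter plus an allow-list: category must be a short number."""
    if not re.fullmatch(r"[0-9]{1,6}", category):
        raise ValueError("category must be numeric")
    return products_bound(db, int(category))

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", products_unsafe(db, UNION_INPUT))  # rows from the email table
    print("bound: ", products_bound(db, UNION_INPUT))   # no rows, input was data
    try:
        products_safe(db, UNION_INPUT)
    except ValueError as exc:
        print("safe:  ", exc)
```

Sanitizing one form field does nothing for a query fed from another parameter; binding every value, wherever it enters, closes the whole class.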

