Please ask questions ONLY in this topic.

[padpad]

Me three. Totally confused.

[TomSharp]

Hello, I'm a little stuck with the Fischer's Animal Products problem. So far, I see that there is an enter email box, which presumably performs an INSERT SQL statement with the data you give it. But it seems to sanitize the input so I've had no success using SQL injection to return a page full of emails. Also, the website is based upon PHP, so I assume there is some way of using this to query the database but I don't know what it is. Maybe insert a PHP statement into one of the pages? I'm a little out of my depth, pointers would be great.
Thanks,
Tom

[lbearl]

I attempted to play with the other links and got an image to come up, but image src=.jpg... which is not so good. Any hints?

[flapchunk]

I'm in the same boat. My attempts at a SQL injection have failed in the INSERT statement.

[l33tm4st3rhu99z]

I'm having issues here too, however, I was able to find the injection vulnerability. I can confirm that it does appear that the input into the text box is sanitized and, therefore, not useful for launching an injection attack.

Having found a weak point, however, I still can't figure out how to view the email addresses. My experience at exploiting things is rather minimal, and the various resources that I'm finding on injecting SQL aren't helping a whole lot. I could really use a pointer from "Little Bobby Tables" right about now. Haha.

[TomSharp]

I'm having issues here too, however, I was able to find the injection vulnerability. I can confirm that it does appear that the input into the text box is sanitized and, therefore, not useful for launching an injection attack.

Having found a weak point, however, I still can't figure out how to view the email addresses. My experience at exploiting things is rather minimal, and the various resources that I'm finding on injecting SQL aren't helping a whole lot. I could really use a pointer from "Little Bobby Tables" right about now. Haha.

Little Bobby Tables is busy repairing the school database in detention right now. How about you hint at how you found the injection point, and when I get there I can see if I can help figure out the right query to execute.
Tom

[l33tm4st3rhu99z]

Hinting... I'll see if I can remember how to do that. In order to be talking about SQL Injections, I must assume that one knows how the vulnerability works... once one has even a basic understanding, they should be able to reason that ANY un-sanitized input path is USDA certified choice meat for an injection attack. ANY!! And by any, in this circumstance, I am referring to more than just HTML form text boxes.

[wolfganga]

well, got 9 mail addresses but what to do with them?

[barretp]

same here. I can't seem to be able to submit them

[johnnyfastfinger]

Hi there,

I tried the following:

SELECT * FROM `email` ORDER BY `email`;
SELECT * FROM `products` WHERE `category`=`'1' AND `category`='2' UNION SELECT * FROM `email` ORDER BY 'email'

Am I on the right track.

J