mission behavior


Post by Fors4ken on Tue Apr 22, 2008 9:03 pm

I'm curious, do these missions set up a semi-realistic environment or simply search for a string when doing injections?

For example, missions that require SQL injections; do these actually communicate with a database with unsanitized input or do they simply search for a proper "SQL injection" string?


Re: mission behavior

Post by robi_petranovic on Wed Apr 23, 2008 10:23 am

Fors4ken wrote: I'm curious, do these missions set up a semi-realistic environment or simply search for a string when doing injections?

For example, missions that require SQL injections; do these actually communicate with a database with unsanitized input or do they simply search for a proper "SQL injection" string?


There are probably 2 SQL queries, one for a test if you broke, and one which communicates with a real database... I hope I'm right?


Re: mission behavior

Post by TheMindRapist on Thu Apr 24, 2008 6:32 pm

I do not think they made built-in vulns to the site...
My guess would be it checks your input string against a list of possible answers, then stores that you completed that step of the mission in a cookie.


Re: mission behavior

Post by Fors4ken on Sun Apr 27, 2008 3:26 pm

The reason I ask,

Logically approaching a possible SQL injection attack requires testing assumptions of what the SQL statement looks like in the code. My assumption seems validated by some input and countered by other input which, after a good 30-45 minutes at it, left me feeling like I was searching more for a magical string rather than working towards a solution by a sequence of SQL queries, each providing additional information to build a proper string required for the attack.

In retrospect it appears this is not in the appropriate forum. My apologies. Please move if needed.


Re: mission behavior

Post by c24lightning on Thu May 01, 2008 8:24 pm

It sure as heck doesn't go up against a real DB. For example, if you use certain commands in certain missions, such as basic 8 I believe, it says "If you are trying to use type of command, you're on the right track, but disabled certain queries for security issues." or a similar message. They filter out all vulns, and add what strings *would* have worked.


Re: mission behavior

Post by comperr on Fri May 02, 2008 3:33 pm

Most of the missions test for a magical regex string. A regex of all possible working strings. While it may have worked in a realistic environment, the strings you tried may have actually caused a different flaw, one that cannot be tested in a secure environment.
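The two checker designs this thread speculates about, side by side, as an added example that is not part of any post and is not the site's actual code. The function names, the accepted-answer regex, the table and the sample inputs are all constructed for illustration; the sandbox variant assumes a throwaway in-memory SQLite database holding only dummy rows.

```python
import re
import sqlite3

# Constructed accepted-answer pattern for a hypothetical mission: a quote that
# closes the string literal, then an OR clause comparing a value with itself.
ACCEPTED = re.compile(r"""'\s*or\s*'?(\w+)'?\s*=\s*'?\1'?\s*(--.*)?$""",
                      re.IGNORECASE)


def pattern_checker(user_input: str) -> bool:
    """Design 1: no database at all; pass/fail is the only feedback."""
    return ACCEPTED.search(user_input) is not None


def sandbox_checker(user_input: str) -> dict:
    """Design 2: run the input through a deliberately unsafe query against a
    per-attempt in-memory database, then discard the database."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
        db.executemany("INSERT INTO users VALUES (?, ?)",
                       [("alice", "dummy-1"), ("bob", "dummy-2")])
        # Intentionally vulnerable concatenation: this is what the mission teaches.
        query = "SELECT name FROM users WHERE name = '" + user_input + "'"
        try:
            # execute() accepts a single statement; stacked statements raise.
            rows = db.execute(query).fetchall()
        except (sqlite3.Error, sqlite3.Warning) as exc:
            # The error text is feedback the learner can reason from.
            return {"solved": False, "rows": 0, "error": str(exc)}
        # Solved when more rows come back than any single name could match.
        return {"solved": len(rows) > 1, "rows": len(rows), "error": None}
    finally:
        db.close()


if __name__ == "__main__":
    # Constructed inputs: a normal lookup, a lone quote, and two tautologies.
    for attempt in ["alice", "'", "' OR '1'='1", "' OR 2>1 --"]:
        print(repr(attempt), pattern_checker(attempt), sandbox_checker(attempt))
```

The last input is solved in the sandbox but rejected by the pattern, and the lone quote gets a parser error only from the sandbox, which is the "magical string" experience described earlier in the thread.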


Re: mission behavior

Post by blackprince491 on Thu May 29, 2008 4:50 pm

cool to know


Re: mission behavior

Post by thedotmaster on Wed Jul 09, 2008 4:07 am

Otherwise the site would always be down, compared to usually down :D


