
hmm

PostPosted: Tue Apr 15, 2008 3:53 pm
by cthulhu666
I got to the list of accounts and have the guy's real login info but don't know where to go from here. helpzor :D

Re: Stuck

PostPosted: Tue Apr 15, 2008 4:46 pm
by wibadgers8
Where do you inject the SQL, in the URL or in the Username: field? Any help would be appreciated!

Re: hmm

PostPosted: Tue Apr 15, 2008 4:56 pm
by novalyphe
Is there any way to make the site think you're someone you're not?

Re: Stuck

PostPosted: Tue Apr 15, 2008 5:20 pm
by Crystal_Bearer
This is pushing it. I'm hesitant to give this much, but these websites may be of some help. If you encounter a problem, the best way in these practice 'sites' is to try it and find out.

http://ocliteracy.com/techtips/sql-injection.html
http://www.securiteam.com/securityrevie ... 1P76E.html

-Both of these sites are on the first page of a Google search, and are readily available to anyone. It's usually easier and faster to just look it up sometimes.

Re: Stuck

PostPosted: Tue Apr 15, 2008 6:03 pm
by Nyteblade
wibadgers8 wrote: Where do you inject the SQL, in the URL or in the Username: field? Any help would be appreciated!


Try the 'Search' page.. hint hint

Re: Stuck

PostPosted: Tue Apr 15, 2008 6:36 pm
by wibadgers8
Crystal_Bearer wrote: This is pushing it. I'm hesitant to give this much, but these websites may be of some help. If you encounter a problem, the best way in these practice 'sites' is to try it and find out.

http://ocliteracy.com/techtips/sql-injection.html
http://www.securiteam.com/securityrevie ... 1P76E.html

-Both of these sites are on the first page of a Google search, and are readily available to anyone. It's usually easier and faster to just look it up sometimes.


Thanks, I have been using those websites. I guess I should have rephrased my earlier question, because what I meant to ask about is why, whenever I try to enter the SQL injection, it always returns 'Username too long'.

Re: Stuck

PostPosted: Tue Apr 15, 2008 6:44 pm
by Nyteblade
OK... I've been able to list the accounts, found the required username and was able to transfer the $$. I used the GET method to clear the files (page came back saying 'files cleared').. not sure yet if that's what I needed to do to complete it. Still working on this mission :)

Re: Stuck

PostPosted: Tue Apr 15, 2008 6:47 pm
by Nyteblade
wibadgers8 wrote:
Crystal_Bearer wrote: This is pushing it. I'm hesitant to give this much, but these websites may be of some help. If you encounter a problem, the best way in these practice 'sites' is to try it and find out.

http://ocliteracy.com/techtips/sql-injection.html
http://www.securiteam.com/securityrevie ... 1P76E.html

-Both of these sites are on the first page of a Google search, and are readily available to anyone. It's usually easier and faster to just look it up sometimes.


Thanks, I have been using those websites. I guess I should have rephrased my earlier question, because what I meant to ask about is why, whenever I try to enter the SQL injection, it always returns 'Username too long'.


What does your injection statement look like? Take a closer look at 'http://ocliteracy.com/techtips/sql-injection.html' like Crystal gave you.

Re: Stuck

PostPosted: Tue Apr 15, 2008 7:25 pm
by wibadgers8
I have tried a whole bunch of stuff related to
SELECT * FROM 'users' WHERE Username= "hunter"

and then changing a few of the variables to see what happens, and whenever I enter it I usually get 'Username is too long'.
I'm guessing that my syntax is wrong >.<

Re: Stuck

PostPosted: Tue Apr 15, 2008 7:31 pm
by Nyteblade
wibadgers8 wrote: I have tried a whole bunch of stuff related to
SELECT * FROM 'users' WHERE Username= "hunter"

and then changing a few of the variables to see what happens, and whenever I enter it I usually get 'Username is too long'.
I'm guessing that my syntax is wrong >.<


Have you gotten the list of all the users yet?