Think Very Carefully About What the SQL Commands are Doing

FAP is company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.

Re: Think Very Carefully About What the SQL Commands are Doing

Post by kai_wanders on Mon Jan 17, 2011 5:36 pm

So, excuse my idiocy, but...

Between the hints on these forums (which I was trying to avoid, but gave in to), and reading about ten different articles saying the same thing in different ways, I finally managed to pass the level. Thing is, I got the basics of what I needed pretty fast from all the articles. I then spent nine hours on and off, messing around with the format of the damn thing to get it to work.

And I did.

My question is, why did it work that way? I could recite exactly what all the websites I read say, but no matter how hard I think about it, I just don't understand it. I managed to figure out what to do in this situation, but there's no way I could apply it to another, since I'm still not entirely sure what it was, exactly, I did. I'd love to do as the title says and think about what the commands are doing, but I really, really can't. So, if anyone better than me is feeling like sending a PM and helping the moron out, I'll be sitting here...

(By the way, sorry if this is in the wrong place/would be better in another/has been asked before etc.)
kai_wanders


Re: Think Very Carefully About What the SQL Commands are Doing

Post by fashizzlepop on Mon Jan 17, 2011 7:32 pm

I know how you feel. It took me forever to get it just right. I have a feeling that it's not a legit simulation. In the recode we might fix this.

Basically, it's just very picky.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop


Re: Think Very Carefully About What the SQL Commands are Doing

Post by Defience on Mon Jan 17, 2011 7:44 pm

kai_wanders wrote: So, excuse my idiocy, but...

Between the hints on these forums (which I was trying to avoid, but gave in to), and reading about ten different articles saying the same thing in different ways, I finally managed to pass the level. Thing is, I got the basics of what I needed pretty fast from all the articles. I then spent nine hours on and off, messing around with the format of the damn thing to get it to work.

And I did.

My question is, why did it work that way? I could recite exactly what all the websites I read say, but no matter how hard I think about it, I just don't understand it. I managed to figure out what to do in this situation, but there's no way I could apply it to another, since I'm still not entirely sure what it was, exactly, I did. I'd love to do as the title says and think about what the commands are doing, but I really, really can't. So, if anyone better than me is feeling like sending a PM and helping the moron out, I'll be sitting here...

(By the way, sorry if this is in the wrong place/would be better in another/has been asked before etc.)


PM sent.
Defience


Re: Think Very Carefully About What the SQL Commands are Doing

Post by kai_wanders on Tue Jan 18, 2011 10:53 am

Defience wrote: PM sent.


Thank you! That was an article I hadn't come across, and I think (yet another) slightly different wording is helping to drill it into my head a little more.
kai_wanders


Re: Think Very Carefully About What the SQL Commands are Doing

Post by silkhound on Tue Feb 15, 2011 9:52 pm

This was a good challenge.
Definitely helps to read up on SQL injections while doing this one.
I got a big breakthrough when I realised that it is actually a command in itself, which calls for another union somewhere in there.

Watch the syntax and don't expect to get text... you'll have to get the e-mails the hard way.

(Apologies for any spoiling material!)
silkhound


Re: Think Very Carefully About What the SQL Commands are Doing

Post by ru2009ru on Tue Mar 08, 2011 10:50 pm

hey guys, still have one question on sql injection :)
i understand the parts of a sql query and know the solution to this challenge, but there is still one thing i don't understand.

in the solution the last part of the query looks like this:

xxxx..... select null,*,null,null from email;

but to know which column you have to select, you have to know the structure or schema of the tables. how do you gain this knowledge?

thx a lot ;)
ru2009ru


Re: Think Very Carefully About What the SQL Commands are Doing

Post by bandchicky314 on Fri Mar 18, 2011 9:53 pm

Okay, so this is going to sound really stupid, but I haven't been able to find any really good non-confusing information on SQL injections and I've been scouring the information and reading up and yeah. So if anyone has any links I would really really like them please.
bandchicky314


Re: Think Very Carefully About What the SQL Commands are Doing

Post by mShred on Fri Mar 18, 2011 9:57 pm

bandchicky314 wrote: Okay, so this is going to sound really stupid, but I haven't been able to find any really good non-confusing information on SQL injections and I've been scouring the information and reading up and yeah. So if anyone has any links I would really really like them please.

I can't help that much if it's all confusing you... But Google the UNION ALL SQL command. That'll help you get on the right track. As for the confusing part, what exactly don't you understand?
mShred
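The UNION mechanics the last few posts circle around (why the payload has to be padded with NULLs, why the format is so picky, and what "think about what the SQL commands are doing" means in practice), as an added example that is not part of this thread or of the HTS challenge: a toy mailing-list lookup written in Python on SQLite, which stands in for the challenge's MySQL. The table and column names (`products`, `email`, `category`) and the two payload strings are constructed for the demo. It shows the concatenated query that makes the injection possible, how the engine treats the appended UNION ALL, the error it raises when the right-hand SELECT does not have the same number of columns as the left-hand one, and the parameterised query that closes the hole.

```python
"""Toy mailing-list lookup (added example, not from the thread or the HTS
challenge). SQLite stands in for the challenge's MySQL; the table and column
names below are constructed for this demo."""
import sqlite3

# Constructed payloads. The left-hand SELECT returns four columns and the
# private table has two, so NULL, *, NULL pads the right-hand side to four.
PAYLOAD_MATCHED = "bags' UNION ALL SELECT NULL, *, NULL FROM email -- "
# Same idea with no padding: two columns against four, which the engine rejects.
PAYLOAD_MISMATCHED = "bags' UNION ALL SELECT * FROM email -- "


def make_db():
    """In-memory database with a public catalogue and a private mailing list."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, price REAL, category TEXT)"
    )
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, "Leather bag", 899.0, "bags"), (2, "Fur coat", 4500.0, "coats")],
    )
    con.execute("CREATE TABLE email (address TEXT, name TEXT)")
    con.executemany(
        "INSERT INTO email VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    con.commit()
    return con


def search_vulnerable(con, category):
    """The bug: the user's string is pasted into the SQL text, so whatever it
    contains is parsed as SQL. The query ends with a quote, which the payload's
    trailing comment marker (--) swallows."""
    sql = (
        "SELECT id, name, price, category FROM products "
        "WHERE category = '" + category + "'"
    )
    return con.execute(sql).fetchall()


def search_safe(con, category):
    """The fix: a bound parameter. The driver hands the string to the engine as
    a value to compare against, never as SQL to parse."""
    sql = "SELECT id, name, price, category FROM products WHERE category = ?"
    return con.execute(sql, (category,)).fetchall()


def column_count_error(con, category):
    """Return the engine's error for a UNION whose column counts differ, or
    None if the query ran. This is the format 'pickiness' the thread describes:
    the engine refuses the statement rather than returning partial results."""
    try:
        search_vulnerable(con, category)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def run_demo():
    """Return (normal rows, rows leaked by the matched payload, the error from
    the mismatched payload, rows from the safe query given the matched payload)."""
    con = make_db()
    normal = search_vulnerable(con, "bags")
    leaked = search_vulnerable(con, PAYLOAD_MATCHED)
    err = column_count_error(con, PAYLOAD_MISMATCHED)
    safe = search_safe(con, PAYLOAD_MATCHED)
    return normal, leaked, err, safe


if __name__ == "__main__":
    normal, leaked, err, safe = run_demo()
    print("normal search:       ", normal)
    print("concatenated + UNION:", leaked)
    print("column mismatch:     ", err)
    print("parameterised query: ", safe)
```

Run it directly to print the four results side by side. The defensive point is the last function: with parameter binding the same string is compared against the category column as data, the UNION never reaches the parser, and the result is simply an empty list. On a real deployment the web application's database account should additionally lack SELECT on tables like the mailing list, so that even a successful injection has nothing to read.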


Re: Think Very Carefully About What the SQL Commands are Doing

Post by bandchicky314 on Fri Mar 18, 2011 10:09 pm

mShred wrote:
bandchicky314 wrote: Okay, so this is going to sound really stupid, but I haven't been able to find any really good non-confusing information on SQL injections and I've been scouring the information and reading up and yeah. So if anyone has any links I would really really like them please.

I can't help that much if it's all confusing you... But Google the UNION ALL SQL command. That'll help you get on the right track. As for the confusing part, what exactly don't you understand?



I don't get the whole "use the asterisk" thing, or the difference between Oracle and MySQL and MSSQL. Which do I use and which one do I read up on? I know that I need to know information disclosure injections, but after that I'm stuck.

-- Fri Mar 18, 2011 10:10 pm --

I also don't understand how to change an SQL injection to make it specific to a situation.
bandchicky314


Re: Think Very Carefully About What the SQL Commands are Doing

Post by OnlyHuman on Sun Mar 20, 2011 3:45 am

@bandchicky314

It sounds like you're missing a thorough grounding here. So rather than attempt to answer all of your questions, I'm instead going to point you at a couple of resources.

First, I've recommended ~>this book<~ to a few people in the past. It's an excellent resource that will help you through a significant number of the challenges here at HTS. Quite a few of them, in fact.

Another good resource is The Database Hacker's Handbook. It attempts to be a comprehensive go-to guide for all database systems, and it covers most of the popular ones. But you might hold off on that one until you've got a firm grasp on MySQL, which is the one you'll be attacking for this challenge. The reason is that it's more of an attack pattern reference than a starting point.

You say that you're having trouble understanding the tutorials you've already seen. This may be because of how you, as a person, learn things. We all learn differently, and it's important that the subject matter, which is incredibly dense, be structured in a manner that's conducive to our own learning process. That's really the whole key: finding the method of studying that works for you.

For instance, if you're a visual learner, you might try searching for video tutorials on YouTube or Vimeo, as opposed to text-based examples or even the books I've mentioned. Some will be total crap, but eventually you'll find one that's structured for how you learn things. Thankfully, more and more community members are making higher quality videos on various subjects.

And finally, the best advice I can give is to install a simple LAMP server (or WAMP if you're on Windows), simply because no amount of study is a substitute for hands-on experience.

One question I will answer, however, is the one regarding the asterisk. That's the standard wildcard character. In pattern matching, it's used to specify that you would like to match ANY result as opposed to a specific one. Here's an example. If I wanted to find a specific text file on my system, I might search for

filename.txt

But if I wanted to find ALL text files on my computer, I would use the following:

*.txt

The asterisk tells the pattern-matching system that searches for the file that I don't care about the name of the file, only that it has the .txt file extension. It's used all over the field of computer science, including MySQL.

I know all this sounds like a lot of work, especially for getting past one simple challenge, but it takes years of study to master all this stuff. However, depending on how quickly you pick things up, you may advance pretty rapidly. Hopefully at least one thing I've written here will help. Don't give up, and don't lose hope. If you feel that nothing I've said here has been helpful, or have any specific questions, feel free to contact me through the HTS message center. I'll try to clear up any confusion that I can.
OnlyHuman


Return to (Real 4) Fischer's Animal Products