Think Very Carefully About What the SQL Commands are Doing

FAP is a company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.

Re: Think Very Carefully About What the SQL Commands are Doing

Post by Th3bugs on Thu Nov 19, 2015 10:07 am

After I understood the use of n*** values and the use of u**** in SQL injection statements, it became quite easy to do it and send the message. :)
PS: the challenge should be reclassified to nearly impossible => without knowledge...
Th3bugs
New User
Posts: 3
Joined: Thu Nov 19, 2015 7:43 am


Re: Think Very Carefully About What the SQL Commands are Doing

Post by cyberdrain on Mon Nov 23, 2015 10:32 am

Th3bugs wrote: PS: the challenge should be reclassified to nearly impossible => without knowledge...

Everything you want to do yourself is impossible without knowledge. You need subconscious knowledge of e.g. balancing, coordination and proprioception to walk somewhere. All challenges on this site are made to teach something. Congrats on solving the challenge :)
Free your mind / Think clearly
cyberdrain
Expert
Posts: 2160
Joined: Sun Nov 27, 2011 1:58 pm


Re: Think Very Carefully About What the SQL Commands are Doing

Post by BasedLizardTitties on Thu Dec 03, 2015 2:22 am

Alrighty, finally hit a wall with this one, lol.

I've begun reading through W3Schools information on SQL so I actually understand it, but the way the injection is facilitated and attached to the GET in URLs is still a bit beyond me. I've dug through some articles specific to SQL injection, but am still scratching my head. Anyone have some good reading information to shed light on this facet?
BasedLizardTitties
New User
Posts: 15
Joined: Wed Dec 02, 2015 9:51 pm


Re: Think Very Carefully About What the SQL Commands are Doing

Post by boriz666 on Fri Dec 04, 2015 4:18 am

OK, let's say you go to a site like this

http://example.com

You go to the site and use the search form and type in "ice",
you want to search for ice!

When you click the search button the request:
http://example.com?search=ice

gets sent to the server. You can see this in the URL if it's a GET
request, else you can see it in the request body, but let's stick
to GET requests now.

At the server, search=ice is received and tells the backend
program that someone is doing a search on "ice".

More often than not searches like this are handed over to a database
system in the code.

So let's say the code that does the database lookup looks like this,
when you are doing a search on "ice":

select * from products where product_name = "ice";

This would be a perfectly valid SQL query and it works like expected
but what if you instead of ice put in: " or "a"="a

The " should be included in the above. So with that in the search form
the query would be:

select * from products where product_name = "" or "a"="a";

This will dump all the product items because "a" is always equal
to "a".

This is the basics of SQL injection: the text you use in the search form
on the website often gets used directly in the SQL query in one way or
the other (your job is to deduce which way).

My example used text, but it can also be integers like
select * from products where productId=23

Where 23 comes from a selectbox on the site where you choose a product.
That can be easier to exploit because you don't have to account for the " in the
SQL query.

Here instead of 23 you could insert:
23 or subselect userid,password,level from users where username='admin'

Which would make the query like this:

select * from products where productId=23 or subselect userid,password,level from users where username='admin'

In this case you have to make sure that the number of columns "Select *" returns, is the same as your
subselect returns, so you can "pad" the subselect with hard coded return values like this
subselect userid,password,level,"hello","hello" from users where username='admin'

SQL Injection is JUST THAT, instead of thinking about a search term as just text, think of it as a
part of an SQL statement and try to alter it in order to make the backend sql query do something
that it wasn't supposed to.

When you know what I just told you above, the only thing you need to be good at in order to
"solve" sql injections out in the wild, is to know about SQL.

In your question it seems like you don't know how the part of the GET requests gets to the
server, let me try to explain that also.

When you see a URL like:
http://example.com?search=ice

That gets called when you click a search button where you have inserted "ice" in the form
field. You can immediately deduce that this function will perform a search, or at least you should
be able to see from the website that what you are doing is something with searching.

And how would the backend know what you are searching for? Well it needs a search word,
and that word is "ice" in this example, it could be anything you could write in that search
form field on the page.

When you click the "search" button on the site, the html form gets sent to the server where
each form field (in the html) <input name="search" value="ice"> in our case, gets translated to
search=ice in http://example.com?search=ice .

So instead of actually inserting values in the form field, you can also just rewrite the URL
directly in the location bar in your browser:
http://example.com?search=ice" or "a"="a

See how we skip the ending ", that's because the SQL code behind this will insert a " itself.
select * from products where product_name = "<the content of your search goes here>";
and we substitute your actual search text:
select * from products where product_name = "ice" or "a"="a";

Can you see how it fits? If you had used an ending " it would have been:
select * from products where product_name = "ice" or "a"="a"";

And it would be a syntax error!
boriz666
Experienced User
Posts: 99
Joined: Tue Mar 24, 2015 11:53 am
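As an added example (not code from boriz666 or from the HTS mission), here is the pattern the post describes, a GET parameter pasted straight into the SQL text, placed next to the parameterised version that a backend should use, both run against an in-memory SQLite table constructed for this example. Standard SQL string literals use single quotes, so the payload is written with single quotes rather than the post's double quotes; the table name products, the columns product_name and price, the rowid lookup and the sample rows are assumptions of this example.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample rows for the demo; not data from the forum post.
PRODUCTS = [("ice", 1.0), ("salt", 2.0), ("sand", 0.5)]


def make_db():
    """Build a throwaway in-memory products table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product_name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def search_term_from_url(url):
    """Pull the 'search' field out of the query string, as the backend sees it."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("search", [""])[0]


def search_vulnerable(conn, term):
    """The pattern from the post: the search word becomes part of the SQL text."""
    sql = "SELECT product_name, price FROM products WHERE product_name = '%s'" % term
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the term is bound as data and is never parsed as SQL."""
    sql = "SELECT product_name, price FROM products WHERE product_name = ?"
    return conn.execute(sql, (term,)).fetchall()


def lookup_by_id_safe(conn, raw_id):
    """Integer parameter (the post's productId=23 case): validate the type, then bind."""
    product_id = int(raw_id)  # raises ValueError for anything but a plain integer
    return conn.execute(
        "SELECT product_name FROM products WHERE rowid = ?", (product_id,)
    ).fetchall()


def demo():
    """Row counts for a normal search and for the post's payload, both code paths."""
    conn = make_db()
    normal = search_term_from_url("http://example.com?search=ice")
    # The post's " or "a"="a payload, with single quotes to match the literal style above.
    hostile = "' or 'a'='a"
    return {
        "normal_vuln": len(search_vulnerable(conn, normal)),    # 1 row
        "normal_safe": len(search_safe(conn, normal)),          # 1 row
        "hostile_vuln": len(search_vulnerable(conn, hostile)),  # every row: 3
        "hostile_safe": len(search_safe(conn, hostile)),        # 0 rows, no product has that name
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(name, count)
```

The vulnerable path turns `' or 'a'='a` into `WHERE product_name = '' or 'a'='a'`, which is true for every row, exactly the dump the post describes. The bound version asks for a product literally named `' or 'a'='a` and finds none, and the integer lookup rejects `23 or ...` before any SQL is built; parameter binding, not quote escaping, is the fix that holds for both the quoted and the unquoted case.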


Re: Think Very Carefully About What the SQL Commands are Doing

Post by BasedLizardTitties on Fri Dec 04, 2015 2:36 pm

Ok, that clears up exactly what I wasn't understanding, thank you very much. I've been doing some reading on SQL, I'll just have to keep popping back to this one as I go until I figure it out. Thanks again very much.

Dec 4: Solved it as I was making this edit, lol. I figured out why u**** a** is important and I think I actually understand why it was needed. In my reading, I also found out how to isolate my query results from the original page, which was neat. Man, this one was a toughie and I'm going to remember it fondly, for sure. Absolutely stellar mission, the first one that stumped me for more than an evening and really pushed me to learn something.

For anyone else still struggling with how the SQL injection looks when it gets sent up and still unsure of how it should be structured, this article is what pushed me over the hill.
BasedLizardTitties
New User
Posts: 15
Joined: Wed Dec 02, 2015 9:51 pm


Just point

Post by TheDemonCage on Wed Dec 09, 2015 9:38 am

me in the right direction. I'm pretty sure I'm lacking something small and significant that's killing me. Can someone send me a message? Unfortunately I can't say much without giving something away to some extent. If you would, thanks; if not, I'm moving to the next mission today and coming back fresh tomorrow. Thanks guys

-thedemoncage
TheDemonCage
New User
Posts: 1
Joined: Wed Dec 09, 2015 9:31 am


Re: Think Very Carefully About What the SQL Commands are Doing

Post by das1040 on Mon Dec 28, 2015 12:27 pm

I can't finish this mission without using a PM, and to do that, I apparently need two forum posts.

-- Mon Dec 28, 2015 12:27 pm --

So I'm just posting these here. Sorry.
das1040
New User
Posts: 1
Joined: Mon Dec 28, 2015 12:24 pm


Re: Think Very Carefully About What the SQL Commands are Doing

Post by seomantis on Wed Dec 30, 2015 8:40 pm

Hi,
can you please explain why the "ALL"? Is it because of the identical-to-all?
Thanks!
seomantis
New User
Posts: 1
Joined: Wed Dec 30, 2015 8:36 pm


Re: Think Very Carefully About What the SQL Commands are Doing

Post by Ethermist on Sun Jan 03, 2016 10:08 am

This one had me stumped for quite a while, not because of the SQL but because of the location of the injection.
Something new learned today :D
Ethermist
New User
Posts: 7
Joined: Wed Dec 30, 2015 11:08 pm


Re: Think Very Carefully About What the SQL Commands are Doing

Post by cyberdrain on Tue Jan 05, 2016 8:42 pm

das1040 wrote: I can't finish this mission without using a PM, and to do that, I apparently need two forum posts.
So I'm just posting these here. Sorry.

You're wrong, you need to use the HTS message center instead.
Free your mind / Think clearly
cyberdrain
Expert
Posts: 2160
Joined: Sun Nov 27, 2011 1:58 pm


Return to (Real 4) Fischer's Animal Products