Please ask questions ONLY in this topic.

FAP is a company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.

Re: Please ask questions ONLY in this topic.

Post by macskay on Sat Jun 11, 2016 10:52 am

Hey guys,
I'm still stuck on the SQL Injection. My understanding is that the emails get stored in a relation called "email" and that the addition of new emails works as follows:

INSERT INTO email('email') VALUES (<string_I_entered>);

Using this information I tried to pass sth like

INSERT INTO email('email') VALUES("something") UNION SELECT * FROM email;
to inject a query on the email-relation returning all attributes without any specific projections on it.

To get this Injection I pasted this into the email field: "something') UNION SELECT * FROM email;-- -

I added the dashes to make everything following my entered string a comment, so the ); coming after <string_I_entered> above is commented out.
However I still get the "Error insertion into table 'email'". Am I correct in thinking about injecting a row-query into the DB and thus getting all columns of the table? Where am I missing sth here?
macskay
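
An added example, not part of any post in this thread: the INSERT pattern macskay describes, built by string concatenation next to the same insert with a bound parameter. It runs against an in-memory SQLite database as a stand-in; the challenge's real backend and schema are not shown on this page, so the one-column `email` table and every function name here are assumptions.

```python
import sqlite3

def fresh_db():
    # Assumed schema: one table "email" with one column, as macskay guessed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE email (email TEXT)")
    db.execute("INSERT INTO email (email) VALUES ('existing@example.test')")
    return db

def subscribe_concat(db, addr):
    # Vulnerable pattern: user input is spliced into the SQL text.
    sql = "INSERT INTO email (email) VALUES ('" + addr + "');"
    try:
        db.execute(sql)
        return "ok"
    except (sqlite3.Error, sqlite3.Warning):
        # What a visitor would see as a generic insertion error.
        return "error"

def subscribe_bound(db, addr):
    # Hardened pattern: the statement text is fixed, input is bound as a value.
    db.execute("INSERT INTO email (email) VALUES (?)", (addr,))
    return "ok"

def new_rows(db):
    # Rows other than the seeded one, in insertion order.
    cur = db.execute("SELECT email FROM email ORDER BY rowid")
    return [r[0] for r in cur][1:]

def compare(addr):
    # Run the same input through both patterns on separate databases.
    out = {}
    for name, fn in (("concat", subscribe_concat), ("bound", subscribe_bound)):
        db = fresh_db()
        status = fn(db, addr)
        out[name] = (status, new_rows(db))
        db.close()
    return out

# Constructed inputs: a legitimate address containing an apostrophe, and
# the string macskay quotes in the post above.
SAMPLES = ["o'brien@example.test",
           "\"something') UNION SELECT * FROM email;-- -"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), compare(s))
```

With the bound parameter both inputs are stored byte for byte as one new row; with concatenation the apostrophe alone is enough to break the statement, which is why quoting bugs of this kind surface as insertion errors even for legitimate addresses.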


Re: Please ask questions ONLY in this topic.

Post by veemon293 on Sat Jun 11, 2016 8:12 pm

I think I kinda backdoored this one lol. Can anyone PM me and explain why the answer is what it is and how it is supposed to be derived?
veemon293


Re: Please ask questions ONLY in this topic.

Post by Starman11 on Wed Aug 03, 2016 8:45 am

@macskay you are inserting the query into somewhere besides where you ought to be, try putting it somewhere that displays the web address
Starman11


Re: Please ask questions ONLY in this topic.

Post by skitzo2000 on Wed Aug 10, 2016 3:11 pm

I can't PM anyone yet so I need to post in the forum. I solved this one but can't send the message to SaveTheWhales. Anyone know how many times I have to post?

-- Wed Aug 10, 2016 3:12 pm --

I think it's twice, so... here's my second post.
skitzo2000


Re: Please ask questions ONLY in this topic.

Post by conscience on Wed Aug 10, 2016 6:48 pm

You have to use the "HTS Messages Center", not BB.
Let him who hath understanding reckon the number of the beast, for it is a human number: His number is 0x029A.
conscience


Re: Please ask questions ONLY in this topic.

Post by blind_gh0st on Thu Aug 11, 2016 2:55 pm

I keep trying different SQL injection commands in the email field and it keeps telling me there is an error inserting the email into "email". I also tried commands in the url bar and it only gives me the torn piece of paper image. I need so much help...
blind_gh0st


Re: Please ask questions ONLY in this topic.

Post by Starman11 on Tue Aug 16, 2016 8:02 am

@blind_gh0st Try injecting your SQL code into some place other than the email field. The torn image means you are getting somewhere, and it has been said already that this particular level isn't completely legit, meaning the answer may seem a bit strange to you. If you've been at this level for hours then take a break and try again later. I recommend you do a little research on nulls.
Starman11


Re: Please ask questions ONLY in this topic.

Post by ran_yakumo on Sat Dec 17, 2016 1:27 am

macskay wrote:
Hey guys,
I'm still stuck on the SQL Injection. My understanding is that the emails get stored in a relation called "email" and that the addition of new emails works as follows:

INSERT INTO email('email') VALUES (<string_I_entered>);

Using this information I tried to pass sth like

INSERT INTO email('email') VALUES("something") UNION SELECT * FROM email;
to inject a query on the email-relation returning all attributes without any specific projections on it.

To get this Injection I pasted this into the email field: "something') UNION SELECT * FROM email;-- -

I added the dashes to make everything following my entered string a comment, so the ); coming after <string_I_entered> above is commented out.
However I still get the "Error insertion into table 'email'". Am I correct in thinking about injecting a row-query into the DB and thus getting all columns of the table? Where am I missing sth here?


I got stuck on this challenge for about an hour or two too. Another post in the other thread gave me a hint.

Like most typical challenges, the additional information on the page is not useless. Check out the other links on the main page (Realistic 4) and see if that helps. Those pages might seem useless when you initially looked at them but they are actually necessary to solve the problem.
ran_yakumo


Re: Please ask questions ONLY in this topic.

Post by PavelG on Mon Jan 23, 2017 11:28 pm

This page has all the information needed to create a proper query to get the emails:
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
PavelG


realistic mission 4

Post by Zloy Obezyan on Tue Feb 28, 2017 9:22 pm

Is it possible to test the page with "SQLmap" from BlackArch, Kali Linux, etc.?
Example:
sqlmap -u https://www.hackthissite.org/missions/r ... category=1 --dbs
and so on...
Yours Faithfully, Zloy Obezyan
Zloy Obezyan

