Very cool that there are new levels, but I don’t understand anything of SQL..
The first level I completed by reading 4-5 tutorials on google, after thinking I managed to get in.
This level is much harder for me; I don’t know what to do. I go to the members list, read the source but can’t find anything. I also didn’t find any useful name, and tried editing the URL but nothing comes out.
I really like this, but I have no idea what to do.
Can you guys help me by giving a hint ( I don’t want answers, otherwise all the fun will go :( )
just a 13 year old kid.
The second level is orders of magnitude harder than the first. My suggestion is to do as you have been, concentrating on the browse members portion of the level. You are on the right lines with the URI; keep changing that and see what results you get. Seeing as you don’t have much knowledge about SQL, I would suggest doing some serious research into some more complex statements available.
The vulnerability should be fairly straightforward to find, but how to exploit it is a bit more tricky.
^_^ nice attitude.
I found this TUT on Hackforums, but you have to be registered to read it…. If you aren’t, just tell me, and I’ll try to find another one…. But this tutorial really teaches it simply and easily. So it’s really good.
For later:
Hope you can do it ;).
-Kabue
@Flabbyrabbit, what I have to do is more vivid now thanks! I’m gonna keep searching on the internet
@Kabue Yes I have an account on hf, thanks for sharing bro will read this first!
edit: I read that sort of injection already but in the url it says: browse&q=a
so how am I supposed to inject it here..
Haha alright!
I’m gonna try to guess this on my own with only this tutorial, gonna make things more spicy!
So didn’t I! But as your bio says ‘i believe. i can do anything what i want if i try to get it’
you gotta do it! read the post of flabbyrabbit, maybe it can help you!
HT6996
If you make people think they’re thinking, they’ll love you. but if you really make them think, they’ll hate you.
~ Harlan Ellison
I try: ( don’t read it if you want to solve it on your own.)
http://www.hackthis.co.uk/levels/s2.php?browse&q=a' order by 3--
I get:
ORDER BY column number 10 out of range - should be between 1 and 2
DEBUG: SELECT username, admin FROM members WHERE username LIKE 'a' order by 10--%'
then I try:
http://www.hackthis.co.uk/levels/s2.php?browse&q=a' union select 1,2--
but I get nothing.. just blank. I tried to change it to:
q=-a union select 1,2--
q='a union select 1,2--
q='a' union select 1,2--
and many more.. but I get nothing. I have read the error carefully but still nothing!
i only know sql injections with index.php?id=1' but not with a letter..
anyone help/hints?? I don’t want answers it took me 1 hour to figure out the vulnerability..
I still want the fun in it.
Just email Flabby or DaMage saying you are the FBI and need the username/password for this level. Problem solved
Need help with math homework? Hit me up! I can help out with integral calculus and below.
@Ski900: You’re funny =))
@fallenonehf after you know about the table names and column names, try to figure out how to display the record. And the rest is to be a creative hacker :).
It’s important to have a basic understanding of SQL syntax. Besides that, you should know how to understand the triggered error message. After that all you have to do is exploit it.
“People who doesn’t work hard doesn’t have the right to be envious of the people with talent. People fail because they don’t understand the hard work necessary to be successful.”
@Ski, i’m not here to be the best. I’m here to learn.
@Heavenlyme, I’m gonna try some other things out.
Yeah I noticed.. SQL is important, but no worries, I’ll learn it sooner or later :D
@fallen, never said you were! I am having just as much trouble with this level as you are lol. I have been studying my ass off trying to complete it.
@Ski900 : hehe Nice one :D :D When You complete it u will know that its easy :)
Lol, I am sure I’ll be like, wtf. However, right now, my issue is whether I need to use a “php?id=(some number)” or if I can just stick with browseq=… After that I should be golden if that is the direction this level heads.
hehe yes first 2 days i waited someone to post topic about it ! ! ! but the way i solve it u must understand sql in my way in others i dnt know :)
!!! lol, why am I not able to connect the dots?!?!?! I need to work on calc homework, but this shit is BOTHERING me that I can’t figure this out haha!!!
I got this syntax error message but I don’t know what to do with it
DEBUG: SELECT username, admin FROM members WHERE username LIKE ‘a’ UNION SELECT 1,2/.%‘%’
near “.”: syntax error
14 Year Old WhiT3 HaT HAcK3R LoV3 LiF3!!
I used union all select 1,2-- and it returned 1, then I did union all select 1,2 from members and it returned a bunch of 1s. What am I supposed to do now?
Well, why did you input union all select 1,2--??
When you know why you did that, you also know what the number 1 means. And then you need to figure out how to exploit it….. Try to read some tutorials or info about SQLi.
Edit: you don’t need to find the Version to finish this level, so just skip that.
Good luck ;)
-Kabue
Just, NO!
The SQLi part itself seemed easy enough after learning how to inject it into the URL bar. I sort of found it harder to get the password, I spent a while searching for reverse lookups on the net. One of the other users gave me a link to find the plaintext password. :)
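The DEBUG line quoted earlier in the thread shows the `q` value being pasted between the quotes of a `LIKE` pattern. As an added example (not code from the level or from any poster), the sketch below compares that construction with a bound-parameter version over a constructed in-memory SQLite table; the function names and the sample rows are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory table with the two columns named in the DEBUG output."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, admin INTEGER)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice", 0), ("adam", 0), ("bob", 1)],  # constructed sample rows
    )
    return db

def browse_vulnerable(db, q):
    # Pattern seen in the thread: q is concatenated into the string literal,
    # so a quote inside q ends the literal and the rest is parsed as SQL.
    sql = "SELECT username, admin FROM members WHERE username LIKE '" + q + "%'"
    return db.execute(sql).fetchall()

def escape_like(q, esc="\\"):
    # Treat LIKE wildcards in user input as literal characters.
    return q.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def browse_safe(db, q):
    # Bound parameter: q is passed as data and never reaches the SQL parser.
    sql = "SELECT username, admin FROM members WHERE username LIKE ? ESCAPE '\\'"
    return db.execute(sql, (escape_like(q) + "%",)).fetchall()

PROBE = "a' union select 1,2--"  # the input quoted in the thread

def demo():
    db = make_db()
    return {
        "normal_vulnerable": sorted(browse_vulnerable(db, "a")),
        "normal_safe": sorted(browse_safe(db, "a")),
        "probe_vulnerable": browse_vulnerable(db, PROBE),  # extra row appears
        "probe_safe": browse_safe(db, PROBE),              # treated as a name
        "wildcard_vulnerable": len(browse_vulnerable(db, "%")),
        "wildcard_safe": len(browse_safe(db, "%")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The safe version also never echoes the statement back to the user, which is what the level's DEBUG output does on error.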