Page 1 of 2

Forced Entry

Posted: Sat Nov 22, 2008 10:42 am
by paradox.is.taken
Alright, so I solved it, but I am not happy with the solution. I don't know much about SQL, so I basically used the code from here http://sqlzoo.net/hack/ and automated it with Python... Of course, since the password field for Forced Entry seems to escape special characters, I just used the Secure Room form.

But I am sure there is a way to see the values from the error messages SQL gives. Can anyone tell me how is that done? or give me a link of sorts.

Posted: Sat Nov 22, 2008 11:35 am
by gfoot
It's all about what kind of feedback you can get from the site. I'm not aware of any way to get exact results printed back to you, though there are some techniques for some servers, e.g. asking the SQL server to convert a non-numeric string into an int may cause it to print the string in its error message (e.g. MS SQL Server). But any time you find a way to get the response to vary according to whether or not your query succeeded, you can get information back piece by piece, which is roughly what the site you linked to is suggesting.

There are pages and pages of tips for SQL injection attacks against various server types - you should be able to find them easily with Google.

Posted: Wed Nov 26, 2008 6:29 am
by guxx
I used manual SQL injection attacks and finally managed to get the password published by a MySQL error ("Unknown column 'password' in where clause").

I'm interested in what the SQL statements used on the login page look like.
@adum: Can you post your code here please?

Guido

Posted: Wed Nov 26, 2008 8:02 am
by adum
Hey, I think I'm not going to post the exact code because it might give things away for similar challenges. But it's pretty straightforward PHP/MySQL queries.

Posted: Mon Dec 15, 2008 10:52 pm
by brazzy
guxx wrote:
I used manual SQL injection attacks and finally managed to get the password published by a MySQL error ("Unknown column 'password' in where clause").

How did you manage that? I couldn't think of a way and had to resort to getting the result bit by bit, following the method suggested in this paper:

http://www.ngssoftware.com/papers/sqlinference.pdf

Posted: Mon Dec 15, 2008 11:53 pm
by guxx
brazzy wrote:
How did you manage that?

Put the following text in the name field and it exposes the password:

1' UNION ALL SELECT password FROM user/*

Of course this wasn't straightforward and I had to guess the table and column names. It took some time to get there :wink:

Guido

Posted: Fri Jul 03, 2009 7:09 pm
by visualq
Wrote an exploit for it.. I never expected that 1' union select password from user \* would try to actually parse the password as a column.. Anyway, the code below did the trick.. (Takes some time as it bruteforces)

Well seems I can't include the code without generating a 500 error.

Posted: Sun Jul 05, 2009 2:37 am
by therethinker
I like guxx's method. I did it letter by letter, but while I was doing it I figured there must have been a simpler way, considering 70+ people have solved it...

Posted: Sat Aug 08, 2009 7:51 pm
by V4hn
Pretty nice challenge.
Got it letter by letter using XXXXXXXXXXX
[edit: I do think this gives away too much after taking a look at the next one]

Posted: Mon Mar 01, 2010 7:45 pm
by zjorzzzey
Couldn't guess the table name :oops:
So I tricked the page into dumping the table name(s):

' UNION ALL SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'injecto' LIMIT 2,1 UNION SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'asdfasdfasdf

where injecto is the DB name, which I figured out earlier :wink:

Fiddling with the LIMIT clause, this gave me the right table name. After knowing the name of the database and the table, getting the password wasn't all that hard anymore. Using more or less the same statement as in the code block above, I got the password exposed in the same way as guxx described earlier in this topic ;)

Posted: Tue Aug 30, 2011 5:52 pm
by moose
Could somebody please tell me what the original SQL statement looked like?

I solved it with this string:

http://www.adum.com/fortknox/index.php? ... E%20'1'='1

admi' UNION SELECT password FROM user WHERE '1'='1

I got to know that the table is called user and has the rows id, name, password. But I don't know WHY the password gets displayed.
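An added example to illustrate the question above; it is my own code, not the challenge's PHP (which adum declined to post). It simulates the login lookup in Python's sqlite3 and shows why moose's input makes the page print a password when user input is pasted into the SQL text, why a quote in the input produces the database error message gfoot describes as a feedback channel, and how the same input becomes inert once the query is parameterized. The query shape `SELECT name FROM user WHERE name = '...'` is an assumption; the table and column names are the ones moose lists; the row contents are constructed.

```python
import sqlite3

# Constructed sample data standing in for the challenge database. Table and
# column names follow moose's post (user: id, name, password); the values are
# made up for this demo and are not the challenge's real data.
SAMPLE_ROWS = [(1, "admin", "DEMO-PASSWORD-NOT-REAL")]

# moose's input, exactly as posted in the thread.
PAYLOAD = "admi' UNION SELECT password FROM user WHERE '1'='1"


def make_db():
    """Build an in-memory database with the sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Hypothetical vulnerable lookup: the input is spliced into the SQL text.

    With PAYLOAD the statement becomes
      SELECT name FROM user WHERE name = 'admi'
      UNION SELECT password FROM user WHERE '1'='1'
    The first SELECT matches nothing; the second returns the password column,
    so whatever the page prints from the result row is the password.
    """
    sql = f"SELECT name FROM user WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened lookup: the input travels as a bound parameter.

    The driver never re-parses the value as SQL, so the whole payload is just
    compared against the name column as one string and matches no row.
    """
    sql = "SELECT name FROM user WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def unsafe_error_message(conn, name):
    """Return the database error text an app would leak if it echoed exceptions.

    A single stray quote (e.g. O'Brien) breaks the unsafe statement; an app that
    prints the exception gives the visitor a yes/no oracle on query validity.
    """
    try:
        lookup_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def greeting(conn, name, lookup):
    """What a naive page would render from the first result row."""
    rows = lookup(conn, name)
    return f"Welcome, {rows[0]}" if rows else "no such user"


def demo():
    """Run both lookups against the payload; returns (unsafe_rows, safe_rows)."""
    conn = make_db()
    return lookup_unsafe(conn, PAYLOAD), lookup_safe(conn, PAYLOAD)


if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", greeting(conn, PAYLOAD, lookup_unsafe))
    print("safe:  ", greeting(conn, PAYLOAD, lookup_safe))
    print("error leaked by unsafe query:", unsafe_error_message(conn, "O'Brien"))
```

The only difference between the two lookups is whether the name reaches the database as part of the statement text or as a separate parameter; the error-message helper shows why the fix must also stop exceptions from reaching the page.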

Posted: Tue Sep 13, 2011 6:38 am
by Abinmorth
I got the answer letter for letter with

admin' AND ASCII(SUBSTRING(password, i, 1))>x -- e

just changing i and x.

But when I got the pass, I couldn't log in ("wrong password") :shock:
It still worked on the challenge description site.

Posted: Tue Sep 13, 2011 8:08 am
by Karian
Abinmorth wrote:
I got the answer letter for letter with

admin' AND ASCII(SUBSTRING(password, i, 1))>x -- e

just changing i and x.

But when I got the pass, I couldn't log in ("wrong password") :shock:
It still worked on the challenge description site.

That method you used is case-insensitive. The result is the same for e.g. 'e' and 'E'. If you want to log in on the site, you need to have an exact match. The challenge site, like with most challenges, strips away the case in your answer.

Posted: Mon Feb 06, 2012 12:26 pm
by klogk
I got the answer for this challenge.

But indeed, when I type the password "GRT***" in the page http://www.adum.com/fortknox, it still tells me this password is wrong.

Posted: Mon Feb 06, 2012 5:08 pm
by MatRush
klogk wrote:
I got the answer for this challenge.

But indeed, when I type the password "GRT***" in the page http://www.adum.com/fortknox, it still tells me this password is wrong.

You must have mixed up the uppercase and lowercase letters.
I can log in as admin with my answer~