ajkaro

Target: aHR0cDovL3d3dy5uZXd0ZWNoLmNvbS5way9wcm9kdWN0LnBocD9wX2lkPTIxMw==Base64 decode it Tasks: display version with your name display what users with ID 100, 113, 116, 122, 126 has bought from computer store (display ID and name of each user, name of bought product, quantity and its price) Proof: Rules: use union select based SQLi post picture as proof and send me your syntax to PM don't share any part of the challenge until challenge is open don't ask for hints until challenge is open Solvers: -

Target: h~~p://indus[RST]trial[RST]implar.com.br/not[RST]icias-look.php?noticia=1 replace all ~ and remove all [RST] Tasks: display version with your nick name display numbered list of all tables in primary database for each table (displayed only once) show numbered list of its column names. Display column names for column #1, #4 and #5 (if they exists) and numbered them with 1. or 4. or 5. If column #4 (or #5) doesn't exists go to next table name. Display tables in blue color and each column name of the same table in different color for better reading (for example column name #1 in black, #4 in red and #5 in green) Proof: Rules: use union select based SQLi post picture as proof and send me your syntax to PM local variables may be used only for numbering, not for columns displaying logic don't share any part of the challenge until challenge is open don't ask for hints until challenge is open Solvers: -

After last few harder challenges here, here and here time is for easier challenge again Target: h~~p://w~w.cent[RST]eraw[RST]ards.org/gallery/gallery-2013.php?comp=10&artist=17581replace all ~ and remove all [RST] Tasks: display version with your name display number of tables in primary database() Proof: Rules: use union select based SQLi post picture as proof and send me your syntax to PM don't share any part of the challenge until challenge is open don't ask for hints until challenge is open Solvers: - Renegade - danyweb0909

Target: h~~p://port[RST]alyug[RST]ioh.com.br/2013/ran[RST]king.php?ran[RST]king=1replace all ~ and remove all [RST] Tasks: display version with your name display number of all databases display last three databases (excluding information_schema) display last three tables (with theirs records count) from primary database() Proof: Rules: use union select based SQLi post picture as proof and send me your syntax to PM your command should work without knowing anything about databases/tables on that site (no previous SQLi is needed or allowed) don't share any part of the challenge until challenge is open don't ask for hints until challenge is open Solvers: -

Your command to display version doesn't work for me. I sent you mine.

If you don't want to have problems displaying result from your injection in some column because of wrong data type, then we must know table definition. That is main part in this challenge and purpose of this (challenge) exercise... Target: h~~p://wond[RST]erlandthe[RST]mepark.com/wat[RST]erpark.php?wid=5replace all ~ and remove all [RST] Tasks: display numbered list of all tables in primary database (each table name should be display only once - see proof picture) display numbered list of all column names in every table (use different color as for table names) for each column display type of column (date, time, integer, decimal, char, varchar, text...) for column accepting integers display precision and scale (in separated columns) and mark them with label (precision) for column accepting characters/integers display maximum allowed length for input, mark such columns with (length) and put / in column scale (as it doesn't exists for that type of data) divide each table with horizontal line put header above table definition output with column titles Proof: Rules: use union select based SQLi post picture as proof and send me your syntax to PM HTML elements <table> <tr> <td> for building table with columns are not allowed Solvers: - Renegade (by PM)

You second code is correct.

Sorry my friend, wrong code.

Target: h~~p://w~w.ut[RST]ahnsfo[RST]rpublics[RST]chools.org/media/releases/release.php?rel=5&start=0replace all ~ and remove all [RST] Tasks: display version with your name display all tables in primary database with column name used for its primary index Proof: Rules: use union select based SQLi post picture as proof and send me your syntax to PM don't share information about challenge until the challenge is open Solvers: - danyweb09 - Bitmap

Target: aHR0cDovL3d3dy5kdXJhbC5jby5ycy9pbmRleC5waHA/dmlldz02OA== Tasks: display version with your name show numbered list of all tables in primary database if table has 10 or more records display records count after each table name, otherwise display (in different color) columns count after each table name and mark tables with less than 5 columns align columns for nicer output (see proof picture) Proof: Rules: use union select based SQLi post picture as proof and send me your command to PM don't share any part of the challenge until challenge is not closed Solvers: - Renegade - Bitmap - Danyweb0909

I promised tutorial. Here it is http://www.hackforums.net/showthread.php?tid=3785325 Challenge closed.

Thanks for the challenge

Thanks for the challenge.

I am writing tutorial about manipulation of SQLi output data. It will be published on HF (soon). There will be complete explanation for this (and my other similar) challenge(s)

Please: - use font courier (or any other monospaced font) for easier reading of your output - replace all _ with white spaces