ajkaro

Active Members
  • Posts: 102
  • Days Won: 1

Everything posted by ajkaro

  1. Target: h~~p://w~w.fer[RST]mano.com/mar[RST]chi.php?mar=23&idforn=14
     replace all ~ and remove all [RST]
     Tasks:
       - display version with your name
       - display all table names from primary database
     Proof:
     Rules:
       - use union select based SQLi
       - post picture as proof
       - send me your command to PM
     Solvers:
       - Renegade
  2. But you did use HTML table command in your syntax... Try to solve it without HTML table. That is preferred way. P.S. Your solution is valid too. Added to solvers list. Congrats!
  3. For the first part of this challenge you can follow my tutorial on HF or Z+ http://www.hackforums.net/showthread.php?tid=3687706 http://zentrixplus.net/forum/index.php?/topic/1264-tutorial-sqli-the-used-select-statements-have-a-different-number-of-columns/
  4. Target: h~~p://apps.uc[RST]ab.edu.[RST]ve/diplom[RST]ado_ddhh/educ[RST]acion/uni_requisitos.php?dip=5&logo=icn_uruguay.jpg
     replace all ~ and remove all [RST]
     Tasks:
       - display user
       - display your name
       - display total number of databases
       - display numbered list with names of first 10 databases
     Proof:
     Rules:
       - use union select based SQLi
       - post picture as proof
       - send me your command to PM
       - don't share any part of the challenge until challenge is open
     Solvers:
       - BitMap
  5. What makes you think I was taking your post as addressed to me? I just wanted to support your suggestion about using Google translate. That is what I use when post is in Romanian language. So I backed you up...
  6. That is what I do with posts in Romanian language
  7. It is holiday time. Time for a SQLi challenge with few tasks.
     Target: h~~p://w~w.mara[RST]bous.com.au/product.php?id=4
     replace ~ and remove [RST]
     Tasks:
       - display version with your name
       - display number of tables in primary database
       - display list with names, records count and columns count of these tables
       - mark tables with column password (characters pass in column name)
       - display numbering of tables
       - display result in formatted output (like a table with header and footer)
       - below last table name display totals for records count and columns count for all displayed tables
     Proof:
     Rules:
       - use union select based SQLi
       - post picture as proof
       - send me your command to PM
       - your command should work without knowing anything about database on that site (no previous SQLi injections for checking tables, records, columns count are allowed/needed)
       - hiding any (intermediate) results (like white color on white background) is not allowed
       - don't share any part of the challenge solution until challenge is open
       - colors in your output are not required
     Preferred method is NOT to use HTML table command <table>...
     Solvers:
       - danyweb09 (with HTML <table> command)
  8. Maybe we don't understand each other. Your IP may be blocked after you try to inject improperly. I was never blocked on that site. And yes, I already said it is a simple injection (after you find out vulnerable link and way to inject). P.S. For numbering part see my tutorial: [sqli tutorial] numbering tables/columns in "dump in one shot" syntax
  9. Guys, there is no IP blocking. Believe me. But you must inject properly. This challenge is (obviously) hard, although basic solution to inject is extremely simple.
     Hint #1: vulnerable are all links with php?r=
     Hint #2: produce a SQL error
  10. Nice challenge... :-)
  11. Target: h~~p://w~w.ro[RST]xbur[RST]ynews.com
      replace ~ and remove all [RST] from URL (anti-Google syntax)
      Tasks:
        - display version with your name
        - display TOP 5 tables from primary database ordered by records count
        - display numbering of tables
      Proof:
      Rules:
        - use union select based SQLi
        - your command should work without knowing anything about database on that site (no previous SQLi injection for checking tables and/or records count are allowed/needed)
        - post picture as proof
        - send me your command to PM
        - keep your solution or info about any part of the challenge private until challenge is open
      Solvers:
        - danyweb09
  12. Thanks for challenge
  13. Target: hXXp://wXw.leclubdesproprietaires.com
      Tasks:
        - display version with your name
        - display all tables in main database with their columns count
        - number all tables
      Proof:
      Rules:
        - use union select based SQLi
        - post picture as proof
        - send me your command to PM
        - keep your solution private until challenge is open
      Solvers:
        - Hannibal
        - Renegade
        - danyweb09
        - Todo
        - BitMap
  14. It is not on me to judge what did he do and why... For me Hannibal is DrHouse for sure. What coincidence can be I said something to Hannibal here on RST and DrHouse executed that on other forum? Let's wait for him to respond on your doubts...
  15. Based on my conversation with Hannibal (RST) he is DrHouse on Z+ forum. I know that for sure because he made something on Z+ forum what I suggested him in my PM here on RST. To make it short: my suggestion to Hannibal (PM on RST) was executed by DrHouse on Z+ forum.
  16. I know him (DrHouse) from some other forum. Here he has other name. I won't speak for him. I let him to answer you... P.S. What benefit would be my solution for that challenge? No big deal
  17. Thank you for interesting challenge
  18. Congrats Reckon. Please add part to display only first 7 tables from main database (see tasks)
  19. Target: hXXp://wXw.bluegrassmidwest.com/details.php?id=10
      Task:
        - display version with your name
        - display first seven tables in main database
      Proof:
      Rules:
        - use union select based SQLi
        - post picture as proof
        - send me your command to PM
      Solvers:
        - Reckon
        - Renegade
  20. Put label 1000 records ONLY with tables where there are more than 1000 records. And not at every table... Compare your picture with my picture.
  21. When we inject we usually want to know all table names, we want to know if there are tables with many records and if you are searching for passwords you want to know column names for tables with password so in next step you can compose a SQLi command to get data from columns needed for login (like columns username & password). All that is your task in this challenge. If you know how, also add some numbering cosmetics.
      Target: hXXp://wXw.fotodi.ru/vyst.php?id=100
      Task:
        - display all tables (except those from information_schema)
        - display numbering of all tables (all numbers should have same length of 3 numbers (001, 002, ... 011... 099, 100...))
        - mark all tables with more than 1000 records with some label (like over 1000 records)
        - display count and all column names at tables with password column (search for character combination pas)
        - display numbering of all column names in each table with password column
      Proof:
      Rules:
        - your command should work without knowing anything about database on that site (no previous SQLi injection for checking table or column names are allowed/needed)
        - result (see proof picture) is made by one SQLi command
        - use union select based SQLi
        - post picture as proof
        - send me your command to PM
        - colors and lines in output are not required
      Solvers:
        - Bitmap
  22. Thanks for the challenge
  23. Thanks for the challenge
  24. Yep, I remember that challenge. Nice one. Regarding tutorials: it is good people can enjoy so many tutorials and yours is in your language so there is no language barrier for RST users. You should write more tutorials and share your great knowledge...
  25. Target: hXXp://wXw.ece.com.tw/p-detail.php?id=12&cID=2&uID=1
      Task:
        - display number of all databases
        - show all databases one after another and within each database show number of tables and list of all tables in that database
        - all tables within each database should be numbered (ascending or descending is your choice)
        - mark all table(s) in each database where column like "pass" is present with *** pass ***
      Proof:
      Rules:
        - you can use only one command to get result (see proof picture)
        - all database (and table) names should be retrieved by your SQLi. You can't use any of them hard coded in your command (not even information_schema using like table_schema!=information_schema)
        - use union select based SQLi
        - post your picture as proof
        - send me your command to PM (obligatory)
        - colors are not required
        - font change for better output is not required
        - lines for better output are not required
      Solvers:
        - Bitmap
        - danyweb09