ajkaro

Active Members
  • Posts: 102
  • Joined
  • Last visited
  • Days Won: 1

Everything posted by ajkaro

  1. Target: hXXp://wXw.comforthomesolution.com/product.php?c=11 Task: display version with your name display all tables in primary database with records count for each table all that should be result of one command Proof: Rules: use union select based SQLi post picture as proof send me your command to PM colors in output are not required Solvers: - danyweb09
  2. Here is another SQLi challenge to sharpen your skills Target: hXXp://redc.lums.edu.pk/enrollment.php?section_id=10&pcid=53 Task: display version with your name display name of primary database display tables from primary database Proof: Rules: use union select based SQLi post picture as your proof send me your command to PM colors in SQLi output are not required Edit: In May 2013, when I opened that challenge, there was an interesting WAF (no more present) Solvers: - Bitmap - danyweb09 - Renegade
  3. You can find tutorial how to solve this challenge here: http://www.hackforums.net/showthread.php?tid=3509460 or http://zentrixplus.net/forum/index.php?/topic/983-tutorial-sql-injection-in-where-part/
  4. Have you ever heard of Google bot? I made original link with X in URL with intention...
  5. Target: hXXp://wXw.tocsa.co.za/product.php?id=4&content_type=products Task: display version with your name on web page Proof: Rules: use union select based SQLi post picture as proof send me your syntax Solvers: - EDIT: challenge is closed. See links for tutorial how to solve this challenge below
  6. Here is tutorial how to solve that challenge: http://www.hackforums.net/showthread.php?tid=3487536 or http://zentrixplus.net/forum/index.php?/topic/940-sqli-tutorial-playing-with-dump-in-one-shot-syntax-part-1/ You will probably have to register first on these two forums to see it. ajkaro
  7. Target: hXXp://www.sonoshop.fr/pages/produit.php?id=55 Task: display version with your name display total number of databases display total number of tables (without those in information_schema) display all table names (excluding those from information_schema) and columns count for each table all numbers should be retrieved with function count() you should get your result (see picture) with one SQLi command colors in your result are not required Proof: Rules: use union select based SQLi display picture as proof send me your command to PM (required) Solvers: - Bitmap - danyweb09 - Renegade
  8. Hi Sega, I don't see 32 items on your list. Compare your picture with mine. Also please add database name to each line in list. After doing that you will see you can't use your present command. You will have to heavily modify your command.
  9. Target: hXXp://www.lesplastiquesdelouest.com/produit.php?id=55 Task: display version with your name display count how many column names start with characters id_ You should use command count() for that result. display list of columns (with their database and table name) where column names start with characters id_ use of colors is not obligatory Proof: http://www.anonmgur.com/up/2a4c605406c12ee7c60fccfd9f97165b.jpg Rules: use union select based SQLi send me your command to PM post picture as proof Solvers: - challenge closed See tutorial how to solve it: http://www.hackforums.net/showthread.php?tid=3487536 or http://zentrixplus.net/forum/index.php?/topic/940-sqli-tutorial-playing-with-dump-in-one-shot-syntax-part-1/
  10. Challenge is re-open. Site owner patched SQLi vulnerability, so old command for challenge doesn't work any more. But there are other ways ... If anybody wants to try same challenge again: this time please give me version with your name. Use union select based SQLi. Send your command to PM. Proof:
  11. As I promised: here is the link to my tutorial on HackForums where different strategies (when commas are blocked) are explained. One of them will help you solve this challenge http://www.hackforums.net/showthread.php?tid=3116000 Some countries are blocked and can't access HackForums so use a proxy. If I remember well Gecko told me Romania was blocked lately...
  12. I will give you a link to my tutorial on HackForums how to solve such challenge (after challenge is over). For start try to learn from error response. That is the most important thing at every SQLi. From it you can see where the problem (WAF) is... And based on it you can adapt your command
  13. Target: hXXp://www.scootmods.net/cart.php?action=add&id=23 Task: display version with your name Proof: Rules: use union select based SQLi post your picture as proof send me your command to PM Solvers: - denjacker - EterNo
  14. Medium? It can't be more basic than this. Lesson 1 in every SQLi tutorial is enough to solve this. Don't take this personally. That is a fact. Thanks for challenge.
  15. Whatever you wish
  16. Target: hXXp://www.fotodi.ru/vyst.php?id=632 Task: display version with your name Proof: Rules: post picture as proof send me your command to PM Solvers: - denjacker - Sweby - Gecko - EterNo - Xonecode - danyweb09
  17. Site is still vulnerable. Bypass "Exploit Detected. Please stop"...
  18. We can always discuss what is hard and what not as people have different taste. I named it hard compared to some other "medium" challenges here. As you are the only solver so far I think the challenge was named quite good. And I can understand it wasn't hard for you...
  19. Target: hxxp://www.kors-soft.net/nl Task: display version with your name Proof: Rules: use union select based SQLi post picture as proof Solvers: - H4xoru - EterNo - Kwelwild - Sickchet - Renegade
  20. Thanks for the challenge
  21. Here it is - visible on the web page Thanks for challenge.
  22. Target: hxxp://www.1md.ru/catalog/list/9/ Task: display version with your name Proof: Rules: use union select based SQLi post picture as proof send me your command to PM Solvers: - Gecko
  23. Target: hxxp://www.polercisewa.com.au/subcat.php?catid=OSAg&PHPSESSID=a9dae1baf405f3382d9efbfc09c1b9dd Task: display version with your name Proof: Rules: use union select based SQLi post picture as proof send me your command to PM Solvers: - SelfDestruct - boogy