ajkaro, posted July 30, 2013:
Target: h~~p://w~w.ro[RST]xbur[RST]ynews.com (replace ~ and remove all [RST] from the URL; anti-Google syntax)
Tasks:
- display the version with your name
- display the TOP 5 tables from the primary database ordered by record count
- display the numbering of the tables
Proof:
Rules:
- use union select based SQLi
- your command should work without knowing anything about the database on that site (no previous SQLi injection for checking tables and/or record counts is allowed/needed)
- post a picture as proof
- send me your command by PM
- keep your solution or info about any part of the challenge private until the challenge is open
Solvers:
- danyweb09
Edited August 30, 2013 by ajkaro

Todo, posted August 9, 2013:
This is weird, but I just got a "403 Permission Denied" after running different attack vectors on the vulnerable page. However, they only restricted my IP address, because I can load the page again with a different one. I strongly recommend using a proxy in the given scenario.
Edited August 9, 2013 by Todo

Hannibal., posted August 10, 2013:
> This is weird, but I just got a "403 Permission Denied" after running different attack vectors on the vulnerable page. However, they only restricted my IP address, because I can load the page again with a different one. I strongly recommend using a proxy in the given scenario.
@ajkaro... I've told you.

ajkaro (author), posted August 10, 2013:
Guys, there is no IP blocking. Believe me. But you must inject properly. This challenge is (obviously) hard, although the basic solution to inject is extremely simple.
Hint #1: vulnerable are all links with php?r=
Hint #2: produce a SQL error

Todo, posted August 10, 2013:
If there is no IP blocking, how do you explain this? I try to access the index page without sending any attack vectors and I get this:
However, FoxyProxy and the proxy list from HMA saved me this time, and I managed to continue the challenge.
All I gotta do is find a good way to display the numbering of tables as requested.
Generally the challenge is not that hard.
Edited August 10, 2013 by Todo

ajkaro (author), posted August 10, 2013:
Maybe we don't understand each other. Your IP may be blocked after you try to inject improperly. I was never blocked on that site. And yes, I already said it is a simple injection (after you find out the vulnerable link and the way to inject).
P.S. For the numbering part see my tutorial: [sqli tutorial] numbering tables/columns in "dump in one shot" syntax
Edited August 10, 2013 by ajkaro

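The 403 responses Todo describes and ajkaro's two hints (a `php?r=` parameter, forcing a SQL error) are exactly what a site operator sees from the server side. As an added example that is not part of the thread and not from any of its participants, the Python below scans constructed Apache-style access-log lines, percent-decodes each query parameter, flags UNION ... SELECT payloads and quote-plus-5xx error probes, and marks client IPs that exceed a hit threshold, which is the mechanism an automatic per-IP 403 like the one in the thread typically rests on. The log lines, IP addresses, path and threshold are all made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache-style access-log lines. These are invented for
# this example; they are not logs from the site discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2013:12:00:01 +0000] "GET /index.php?r=news HTTP/1.1" 200 5120
10.0.0.5 - - [10/Aug/2013:12:00:09 +0000] "GET /index.php?r=news' HTTP/1.1" 500 812
10.0.0.5 - - [10/Aug/2013:12:00:15 +0000] "GET /index.php?r=news%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 4920
10.0.0.5 - - [10/Aug/2013:12:00:21 +0000] "GET /index.php?r=news%27%20UNION%20SELECT%201,2,3,4-- HTTP/1.1" 200 4930
10.0.0.7 - - [10/Aug/2013:12:01:00 +0000] "GET /index.php?r=sports HTTP/1.1" 200 5011
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
UNION_RE = re.compile(r"\bunion\b.*?\bselect\b", re.IGNORECASE | re.DOTALL)
QUOTE_RE = re.compile(r"['\"]")


def parse_line(line):
    """Parse one access-log line into ip, method, path, decoded params, status.

    Returns None for lines that do not match the expected format.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %27%20UNION becomes "' UNION".
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "params": params,
        "status": int(m.group("status")),
    }


def indicators(entry):
    """Return the names of the SQLi signals present in one parsed request."""
    found = []
    for name, values in entry["params"].items():
        for value in values:
            if UNION_RE.search(value):
                found.append(f"union_select:{name}")
            # An unexpected quote that coincides with a 5xx is what the
            # "produce a SQL error" probe looks like from the server side.
            elif QUOTE_RE.search(value) and entry["status"] >= 500:
                found.append(f"quote_then_error:{name}")
    return found


def score_ips(log_text, threshold=2):
    """Count suspicious requests per client IP and mark IPs at or over threshold.

    The threshold is arbitrary for the example; a real deployment would tune it.
    """
    report = defaultdict(lambda: {"hits": 0, "indicators": [], "block": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rec = report[entry["ip"]]
        found = indicators(entry)
        if found:
            rec["hits"] += 1
            rec["indicators"].extend(found)
        rec["block"] = rec["hits"] >= threshold
    return dict(report)


if __name__ == "__main__":
    for ip, rec in score_ips(SAMPLE_LOG).items():
        print(ip, rec)
```

As the thread itself shows, an attacker simply switches proxy once an IP is flagged, so per-IP blocking only slows scanning and produces the confusing "is there blocking or not" exchange above. The durable fix is on the query side: the `r` parameter should reach the database through a prepared statement, and database error text should never be echoed to the client, which removes the SQL-error oracle that the second hint depends on.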
dancezar, posted August 30, 2013:
Done. Thanks ajkaro for the challenge.