Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Realistic 9


deepfreeze's Avatar
Member
0 0

This has got to be, by far, the easiest realistic challenge that I've yet to complete. If this were a real hacking attempt, I'd have no trouble with the injection part (which I'm currently struggling with) since I'd have an actual s** query error instead of " Your on the right track but stick to the mission. " Can anyone help me with the proper injection? I've read all of the prior forum posts and all of the articles regarding this mission :(


Huitzilopochtli's Avatar
....
10 9

It only accepts one hard coded injection, and should be your logical second choice if a target was filtering out numbers from your input. thumbs up


deepfreeze's Avatar
Member
0 0

Huitzilopochtli wrote: It only accepts one hard coded injection, and should be your logical second choice if a target was filtering out numbers from your input. thumbs up Still no luck :/ If I could at least get a "real" query error returned to me I'd understand wtf I need to be doing lol [EDIT]: Got it :)


rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

I'd assume even nazis know that leaving error messages turned on, is a bad idea.


deepfreeze's Avatar
Member
0 0

I remember one of the first sites I ever hacked, WAAAY back in the day, I did it with a sql injection and then found the unencrypted password for admin in the same database and used it to login to their admin-cpanel page (not the CPanel CMS, rather one their freelance web developer put in the site) I think the password was even a permutation of that developer's company name. I kept hacking it over the course of at least a year, each time using the same exact sql injections. Eventually they finally stored the password as an md5 hash in the database, but I still got it decrypted. Years later, they kept it in the database but changed the admin-cpanel out for a basic HTTP authentication using (I'd assume) a .htpasswd. But the sql injections still work to get you the old password tee-hee