Basic 18
The challenge description says: system_meltdown coded an article script which pulls articles from the database and echoes the content, but we think it could have a possible problem, he mentioned something to do with blind something. Databases, "blind something"… It shouldn't be hard to figure out what this challenge is all about ;)
I did, and I got this site: http://www.imperva.com/resources/adc/blind_sql_server_injection.html (Imperva ADC | Blind SQL Injection)
I read it and decided to try a ; to end the original q Q**** and begin my own, and it prints the original 2nd W**** clause and drops the rest.
Ok, here's a little help without any answers.
1: Search the site for Blind *** *********. (This shouldn't be hard, it's one of the most read "articles".)
2: Read up on the UNION statement.
3: If 1 & 2 still do not help you, Google "Advanced SQL Injection". There is a PDF out there that has all the information in it. You will know when you have the right one. Hint: this PDF is also posted in the forums by other members, maybe look here first.
Believe it or not, those three suggestions WILL give you the information to complete this challenge.
Admins: If this gives out too much, please edit.
DeafCode wrote: what exactly is the objective in basic 18
They are trying to teach you the technique of blind SQL, whereby you can manipulate basic SQL commands to get information from a system. The final answer is just some SQL. I would suggest that you do some research on Google. If you are familiar with Hack This Site, there is a realistic mission that is similar. I think it is Realistic 4.
redhothacker wrote: [quote]DeafCode wrote: what exactly is the objective in basic 18 They are trying to teach you the technique of blind SQL, whereby you can manipulate basic SQL commands to get information from a system. The final answer is just some SQL. I would suggest that you do some research on Google. If you are familiar with Hack This Site, there is a realistic mission that is similar. I think it is Realistic 4.[/quote]
Yes, but the spacing is different in this one I believe. I had this injection correct after the 2nd or 3rd try, only to realize I had bad spacing around my commas.
I realize the thread is very old. It's more for other people trying to solve this. If you happen to have recently completed HTS Real 4, then you will probably try to apply a similar injection here, only to realize your spacing was off the whole time.
espartaniac wrote: I'm also stuck on this…
I got up to "OD** BY 5". Next step I believed was to "*IO L **LCT 1,2,3,4,5". But that didn't work. Why???
Could I PM someone for help?
From your profile, I'm guessing you finally got it. Congratz.
Ya' did some horrid necrophiliac shit with this thread though. o.O
If you have any trouble with future challenges, PM me, and I'll be glad to help you out some. Just no more bumping dead threads though, eh. Would be nice. :P
It was most probably the reason, yes. If a thread has been dead for a while, it's better to make a new thread, and for people to forget the old one.
If there was useful information in one of the old ones, you can always post that you saw something in the other threads.
It's just best to make a new thread as opposed to continuing an old one.
This challenge basically aims to make us more familiar with SQL injections and how to use them, apart from the simple injections we used to use, aka 'or'1=1 and that kind of stuff.
Concerning the challenge, just read more about the basics of SQL injection and focus mainly on finding how many columns there are and how to get all the data printed from the DB.
Best of luck ;-)
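
For anyone reading this thread from the defending side, here is an added example (not part of any post above and not the challenge's own code) of the kind of article script the description mentions, in Python with sqlite3 as a stand-in. The table layout, function names and sample rows are assumptions made for illustration; it puts the concatenated query next to a validated, parameterized one, using the simple `1=1` style input mentioned above.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: one published article and one unpublished draft.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles "
               "(id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?, ?)", [
        (1, "Welcome", "Public text", 1),
        (2, "Draft", "Internal notes", 0),
    ])
    return db

def fetch_concatenated(db, article_id):
    # Weak pattern: the request value is pasted into the SQL text, so any SQL
    # syntax inside it is parsed as part of the statement.
    sql = ("SELECT title, body FROM articles "
           "WHERE published = 1 AND id = " + article_id)
    return db.execute(sql).fetchall()

def fetch_parameterized(db, article_id):
    # Hardened pattern: reject anything that is not a plain decimal id,
    # then bind the value so it can only ever be compared as data.
    if not re.fullmatch(r"[0-9]{1,9}", article_id):
        return []
    sql = "SELECT title, body FROM articles WHERE published = 1 AND id = ?"
    return db.execute(sql, (int(article_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "2", "1 OR 1=1"):
        print(repr(value),
              "concatenated:", fetch_concatenated(db, value),
              "parameterized:", fetch_parameterized(db, value))
```

With the concatenated version the `published = 1` filter stops applying once the input carries its own `OR`, so the draft row is returned; the parameterized version returns nothing for the same input.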