
Basic 8


ghost

Okay so I looked through the source, I read up on SQL (which I feel I understand now), tried to do some different injections.

Now I'm going to try to do this without giving out any spoilers. I did injections like SELECTFROMWHERE*

but I didn't use those wildcards only in FROM

I feel like it's right on the tips of my fingers but I'm dancing around it

If you can help I'd appreciate it

-ZTB


AldarHawk
The Manager

Remember, the SQL query has to be a real SQL query.

Be general…very general in your query as well.

Enjoy


ghost

Real? What do you mean by that? -ZTB


SySTeM
-=[TheOutlaw]=-

Well they can't be fake duh! lol


ghost

lol yeah I know they can't be fake (whatever that means)!

Do spaces in the injection count as characters?


SySTeM
-=[TheOutlaw]=-

You need spaces in the injection.


ghost

Well I've been stuck on this annoying mission for ages now. I know SQL quite well, therefore I think this mission is picky or something.

In fact I don't need to do this mission as I know SQL, therefore can someone give me a spoiler via PM or just an idea of what's wrong with this:

SELECT * FROM family_db WHERE username='Drake'

Please don't say make it more general cos I'll just try this and find that it does not work.

SELECT * FROM * WHERE username='Drake'

Do I need a semicolon, or is my syntax wrong, or does this have to go in the URL bar? I have tried this by the way. Cheers anyone


SySTeM
-=[TheOutlaw]=-

Your query is too complex, make it shorter


ghost

Keep it as short as possible and you have to add something after the bla.php? page.

So you need bla.php?***= <your sql injection>


SySTeM
-=[TheOutlaw]=-

Ok, scroll down for spoiler:

YOU DON'T NEED THE WHERE BIT!!!

End of spoiler


ghost

And you need to define that it's a SQL query like: Spoiler warning .php?sql_query=your stuff


ghost

Use the ?sql query=your stuff, and look on www.w3schools.com in the SQL learning area. The most basic query you can give is all you need


ghost

Well still cannot get this puppy going. Thanks for the help though.

spoiler:

bla.php?sql_query=SELECT * FROM *

end spoiler

Still does not work and so don't a load of others.

I think at this stage it is best to give up.


ghost

No, cannot give up - too annoying.

Is it ?sql= or ?sql_query= or ?sql query= as I have been told all of these.

Cheers


AldarHawk
The Manager

Do not be THAT general…you cannot say SELECT <ANYTHING> FROM <ANYTHING> because it will not know well…ANYTHING!

Be general but not overly so.

PM me with what you have and I can give you pointers if you like


ghost

Ok ok, this is going fine. You guys need to define 1 thing of the 2 though. Like Aldarhawk said: You can't select something from something, if you don't know something, surely the computer doesn't. As password, just enter --> ' <-- and see what pops up. Read the message. You get it now? You must search in a sort of database to select your *.


AldarHawk
The Manager

Why does everyone call me a damn TREE! I am not a tree!!!

ALDARHAWK! not ALDERHAWK!

A NOT E…..

Sorry, it is just hard when people type your name wrong when it is right in front of their faces…