basic 7 :S
how can i make this task? i have use javascript and i think i got the encrypted password.. and how do i modify cookie? is it when i use javascript:void………….? and how do i put in sQl injection? :p im really stuck here :( i think i have tryed to do this task for some hours now… i hope some one can help me..:D
Alright, lets start off. You figured out what the username and password is eaither by looking at the cookies or by viewing the HTML source for that page. It tells you you need to encrypt the ASCII. 'use binary' So first you will need to change your name using javascript:void(document…….) put sam into the username box and press submit. You should now be to the second login. SQL Injection can really be any where that accepts user input. This can be Cookies / GET Variables / Post variables - Post and Get Variables are usually the top targeted places of injection. Post and Get variables are set threw things such as input fields. Like when you logged into this site, you put in yoru username and password and pressed login. if the script was insecure you can simply stick in a peice of SQL code that will alter the SQL query to do something you want "what hacking is all about". Here is a tutorial on SQL Injection, if you read this tutorial I gurentee you, this second part of the mission will be easy as pie to get past. http://www.securiteam.com/securityreviews/5DP0N1P76E.html
I will not tell you what the injection is, but I will let you know one thing. SQL Injection is one of the top exploits out there on the web, 90% of the sites I run into are vulnerable to SQL Injection. SQL Injection is a very dangerous threat. Things you can retrive with SQL Injection can range anything from dates / usernames / passwords / social security numbers / credit card numbers and all sorts of other information.
- Just a little disclaimer…
- I have gotten this kind of information threw SQL Injection before
- but I have done it legaly with permissions from the owner.
- In no way / shape or form have I ever used SQL Injection
- to steal information such as SSN's, CC#'s
- I do warn you, this is highly illegal, you should be here to learn
- about this stuff and how to secure yourself. The only reason
- I mentioned CC#'s and SSN's is that I have came acrost developers
- developing stores and what not that stores this kind of information
- and 80% of there user input is vulnerable to SQL Injection.
If you are here to learn about security you should put some time into learning SQL and Injecting it.