There is no escape Go to the No Escape challenge
Global Rank: 228
Totalscore: 94570
Posts: 1695
Thanks: 1365
UpVotes: 929
Registered: 17y 11d
Last Seen: 3d 3h
The User is Offline
There is no escape
Sep 28, 2010 - 00:29:18 (14y 154d)
Sep 28, 2010 - 00:29:18 (14y 154d)
As this is more or less a training challenge, i'd like to give some general hints:
If you are doing your injections, make sure you don`t end a query with semicolon(;). The php mysql extension does not like that.
There is a trim() for all $_GET and $_POST data. This means any trailing space get`s removed.
In this challenge, the / character is filtered. So you can not use /**/ as mysql comment style. A nice working mysql comment style for this challenge is: ?vote_for= blub%20--%20foo
everything after ' -- ' is treated as comment, but the trailing space is important.
At last, let me give you a specific hint for this challenge: mysql_real_escape_string() might not work for your input!
Also keep in mind: Our exploits are mostly not simulated and "Code you see is code in use"
Good luck!
If you are doing your injections, make sure you don`t end a query with semicolon(;). The php mysql extension does not like that.
There is a trim() for all $_GET and $_POST data. This means any trailing space get`s removed.
In this challenge, the / character is filtered. So you can not use /**/ as mysql comment style. A nice working mysql comment style for this challenge is: ?vote_for= blub%20--%20foo
everything after ' -- ' is treated as comment, but the trailing space is important.
At last, let me give you a specific hint for this challenge: mysql_real_escape_string() might not work for your input!
Also keep in mind: Our exploits are mostly not simulated and "Code you see is code in use"
Good luck!
The geeks shall inherit the properties and methods of object earth.
Global Rank: 6320
Totalscore: 2026
Posts: 5
Thanks: 4
UpVotes: 4
Registered: 14y 60d
Last Seen: 4y 251d
The User is Offline
RE: There is no escape
Jan 03, 2011 - 01:08:20 (14y 57d)
Jan 03, 2011 - 01:08:20 (14y 57d)
Is it really possible with an MySQL-Injection? Cant pass trough the mysql_real_escape_string().
My Thougts was to manipulate simply that +1.
%20--%20 the Comment doesnt work or?
%20--%20 Shows an ErrorMessage like this:
MySqlError(1054): Unknown column 'bill -- ' in 'field list' in Query:
UPDATE noescvotes SET `bill -- `=`bill -- `+1 WHERE id=1
But all after the comment should not parsed or?
No matter the comments are only usefull if i can put a ' after my bill or george.
If another hint would break the challenge for others please write me a PM
Thx for so much fun!
And sorry for my bad english iam german.
My Thougts was to manipulate simply that +1.
%20--%20 the Comment doesnt work or?
%20--%20 Shows an ErrorMessage like this:
MySqlError(1054): Unknown column 'bill -- ' in 'field list' in Query:
UPDATE noescvotes SET `bill -- `=`bill -- `+1 WHERE id=1
But all after the comment should not parsed or?
No matter the comments are only usefull if i can put a ' after my bill or george.
If another hint would break the challenge for others please write me a PM
Thx for so much fun!
And sorry for my bad english iam german.
Last edited by grMf - Jan 03, 2011 - 01:10:44
Global Rank: 228
Totalscore: 94570
Posts: 1695
Thanks: 1365
UpVotes: 929
Registered: 17y 11d
Last Seen: 3d 3h
The User is Offline
RE: There is no escape
Jan 03, 2011 - 01:36:26 (14y 57d)
Jan 03, 2011 - 01:36:26 (14y 57d)
Look closely again how the query is build
Injecting mysql in this challenge is quite easy.
Injecting mysql in this challenge is quite easy.
The geeks shall inherit the properties and methods of object earth.
Global Rank: 6320
Totalscore: 2026
Posts: 5
Thanks: 4
UpVotes: 4
Registered: 14y 60d
Last Seen: 4y 251d
The User is Offline
RE: There is no escape
Jan 03, 2011 - 17:24:36 (14y 57d)
Jan 03, 2011 - 17:24:36 (14y 57d)
Thx this was close enough
Great Challenge!
Great Challenge!
Global Rank: 16287
Totalscore: 72
Posts: 1
Thanks: 1
UpVotes: 1
Registered: 13y 166d
Last Seen: 11y 356d
The User is Offline
RE: There is no escape
Sep 20, 2011 - 18:45:59 (13y 162d)
Sep 20, 2011 - 18:45:59 (13y 162d)
Ive been trying evrything and searched for the mysql_real_escape_string(), but could get to nowhere. Can you please give me another clue ?? Please please .-) I found that the function does not excape some chars, but could find any usefull with them.
Thank you
Thank you
Last edited by estenole - Sep 20, 2011 - 18:49:15
Global Rank: 228
Totalscore: 94570
Posts: 1695
Thanks: 1365
UpVotes: 929
Registered: 17y 11d
Last Seen: 3d 3h
The User is Offline
RE: There is no escape
Sep 21, 2011 - 16:23:50 (13y 161d)
Sep 21, 2011 - 16:23:50 (13y 161d)
There is already a very big hint in my previous post ... and you are on a good track ... keep trying!
The geeks shall inherit the properties and methods of object earth.
Global Rank: 14863
Totalscore: 120
Posts: 1
Thanks: 1
UpVotes: 1
Registered: 8y 338d
Last Seen: 8y 239d
The User is Offline
RE: There is no escape
Jun 26, 2016 - 08:48:42 (8y 246d)
Jun 26, 2016 - 08:48:42 (8y 246d)
Gizmore first post helps out the most as i was stuck on commenting the rest of the command
Global Rank: 5193
Totalscore: 3066
Posts: 2
Thanks: 1
UpVotes: 0
Registered: 8y 183d
Last Seen: 8y 165d
The User is Offline
RE: There is no escape
Aug 31, 2016 - 00:31:23 (8y 180d)
Aug 31, 2016 - 00:31:23 (8y 180d)
Huh... I kept getting errors until I added the trailing space, and now I get two green boxes (Vote counted for [INJECTION] and All votes have been reset), leading me to believe that I solved it, but it doesn't show up as solved in my challenges, and I am not on the Heroes list.
Global Rank: 1
Totalscore: 758674
Posts: 437
Thanks: 497
UpVotes: 470
Registered: 15y 215d
The User is Offline
RE: There is no escape
Aug 31, 2016 - 18:02:00 (8y 180d)
Aug 31, 2016 - 18:02:00 (8y 180d)
Check the code. There are two ways to get those messages, only one is the solution.
Global Rank: 5193
Totalscore: 3066
Posts: 2
Thanks: 1
UpVotes: 0
Registered: 8y 183d
Last Seen: 8y 165d
The User is Offline
RE: There is no escape
Sep 03, 2016 - 00:24:32 (8y 177d)
Sep 03, 2016 - 00:24:32 (8y 177d)
Hah, I got it. It just didn't like me going overboard and using 999 instead of 111 in my injection.
Redknee, dbhui1984, testlele, tunelko, silenttrack, n0tHappy, nonfungiblesecurity, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri, csuquvq have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 18223 times.
1 people are watching the thread at the moment.
This thread has been viewed 18223 times.