RegistrierenSidebar verstecken
Nickname: 
Passwort: 
Sitzung auf IP beschränken 
Fragen  |  score: 6  |  5.70 8.15 7.73 |  Von 347 Mitgliedern gelöst  |  459656 views  |  seit 11. Feb 2014 22:19:18

Table Names II (MySQL, Exploit)

Your mission...
Is to find out the database and table name used in this sql injection challenge.
This time, We have blocked a few keywords!

You can see the sourcecode, also as highlighted version.
Click here to access the vulnerable script.

We already created a fake account:
Username: test
Password: test

As solution enter the database and table name separated with an underscore, like "databasename_tablename".
GeSHi`ed PHP Quelltext für challenge.php
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
<?php
$secret = require('secret.php');
chdir('../../../');
define('GWF_PAGE_TITLE', 'Table Names II');
require_once('challenge/html_head.php');require(GWF_CORE_PATH.'module/WeChall/solutionbox.php');
 
if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE)))
{
        $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 6, 'challenge/nurfed/more_table_names/index.php', $secret['flag']);}
$chall->showHeader();
$chall->onCheckSolution();
 
if (false !== Common::getGet('login')){
        $username = Common::getGetString('username', '');
        $password = Common::getGetString('password', '');
        
        if (preg_match('/statistics|tables|columns|table_constraints|key_column_usage|partitions|schema_privileges|schemata|database|schema\(\)/i', $username.$password))        {
                echo GWF_HTML::error(GWF_PAGE_TITLE, $chall->lang('on_match'));
        }
        else
        {                if (false === ($db = gdo_db_instance($secret['host'], $secret['username'], $secret['password'], $secret['database'])))
                {
                        die('Database error.');
                }
                 $db->setVerbose(false);
                $db->setLogging(false);
                $db->setEMailOnError(false);
                
                                $query = "SELECT * FROM {$secret['database']}.{$secret['table_name']} WHERE username='$username' AND password='$password'";
                if (false === ($result = ($db->queryFirst($query, false))))
                {
                        echo GWF_HTML::error(GWF_PAGE_TITLE, $chall->lang('on_login_fail'));
                }                else
                {
                        $user = isset($result['username']) ? $result['username'] : '';
                        $message = isset($result['message']) ? $result['message'] : '';
                        echo GWF_HTML::message(GWF_PAGE_TITLE, $chall->lang('on_logged_in', array(GWF_HTML::display($user), GWF_HTML::display($message))));                }
        }
}
 
?><div class="box box_c">
<form action="challenge.php" method="get">
<div><?php echo $chall->lang('username'); ?>: <input type="text" name="username" value="" /></div>
<div><?php echo $chall->lang('password'); ?>: <input type="text" name="password" value="" /></div>
<div><input type="submit" name="login" value="<?php echo $chall->lang('login'); ?>" /></div></form>
</div>
<?php
echo $chall->copyrightFooter();
require_once('challenge/html_foot.php'); 
Ihre Lösung für Table Names II
Antwort
© 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 und 2024 by nurfed