Username: 
Password: 
Restrict session to IP 

The Guesbook  Go to the The Guestbook challenge

1 2
Global Rank: 4
Totalscore: 471519
Posts: 60
Thanks: 58
UpVotes: 53
Registered: 8y 54d





The User is Offline
RE: The Guesbook
Google/translate3Thank You!3Good Post!1Bad Post! link
Another game of "spot the error"... Nice distraction with the indentation. ;)
You're not sending the full request to the server.
Try reformatting your code.
line 14
echo $out1
You're a busy clicker Drool


You might also run into problems with checking eof in combination with HTTP/1.1, because the connection isn't closed immediately.
Last edited by tehron - Mar 06, 2012 - 13:23:15
Global Rank: 216
Totalscore: 84142
Posts: 1259
Thanks: 1119
UpVotes: 602
Registered: 9y 300d




Last Seen: 4h 34m
The User is Offline
RE: The Guesbook
Google/translate1Thank You!1Good Post!0Bad Post! link
Nice post, tehron.

I can see the error you have spotted now as well, and i actually looked for these myself, but it had to be in the last concat of course, when eyes are lazy.

Cheers!
The geeks shall inherit the properties and methods of object earth.
Global Rank: 8195
Totalscore: 57
Posts: 3
Thanks: 0
UpVotes: 0
Registered: 4y 213d
Last Seen: 4y 53d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Hi Gizmore, I am able to bypass the mysql_escape_string() in my simulation lab (based on DVWA), encoding the '\' but can't bypass your guesbook with the same injection...Can you give us some hint?
Thanks in advance.
Global Rank: 216
Totalscore: 84142
Posts: 1259
Thanks: 1119
UpVotes: 602
Registered: 9y 300d




Last Seen: 4h 34m
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe give us a hint how to bypass mysql_real_escape_string nowadays Euh

I call "impossibru"!

Smile
The geeks shall inherit the properties and methods of object earth.
Global Rank: 8195
Totalscore: 57
Posts: 3
Thanks: 0
UpVotes: 0
Registered: 4y 213d
Last Seen: 4y 53d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
As I said, in DVWA (mysql 5.5):
Code behind:
$id = trim($_GET['id']);
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid); // Removed 'or die' to suppres mysql errors


Injection chain ID: 0xc2bf5c27 or 1=1-- - (i.e. ¿\' or 1=1-- -, though also works without the ' (0x27)

Results:
ID: char(0xc2bf5c27) or 1=1-- -
First name: admin
Surname: admin

ID: char(0xc2bf5c27) or 1=1-- -
First name: Gordon
Surname: Brown

ID: char(0xc2bf5c27) or 1=1-- -
First name: Hack
Surname: Me

ID: char(0xc2bf5c27) or 1=1-- -
First name: Pablo
Surname: Picasso

ID: char(0xc2bf5c27) or 1=1-- -
First name: Bob
Surname: Smith

I am a bit confused about this challenge (I also have been considering a cookie injection but..)
Thanks Smile
Global Rank: 216
Totalscore: 84142
Posts: 1259
Thanks: 1119
UpVotes: 602
Registered: 9y 300d




Last Seen: 4h 34m
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe you should take a look at the challenge's code Smile
The geeks shall inherit the properties and methods of object earth.
1 2
jacobs, Redknee, tunelko, silenttrack, qdxy, TheHiveMind, Z, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123 have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 178423 times.