Phew [:o]
Realistic 4 of Hack This Site was pretty tricky. Once again we have a website vulnerable to SQL injection, and we use SQL injection to hack this. This one I could not crack alone; I needed the help of Gaurav, member of Hacker’s Library, an orkut community. Gaurav had completed this mission already.
So we need to get our hands on the stored emails and then send them to the person who asked for those email ids. To do that we need to inject SQL queries that reveal the table and the details inside it.
I had found out that the text box available on the Animal Product page for registering your email id performs an INSERT to put email ids into the email table. So we can’t SELECT data by SQL injection through this text box. I need to find some other input box. I search the other available links, hmm.. no other text boxes. This should mean using the address bar, and hence injecting queries through the URL.
Now I need to do some research on the SQL query and the table structures. One thing is clear: there should be two tables, one for the products and the other for the email ids. Hmm…. I don’t know the name of the table holding the email ids and have no idea about the column. Well, there is no other way but to guess. Ya, that’s what you gotta do. I cracked this with the worst spoiler, the answer. I feel guilty of that, but well, I learnt it and won’t forget it. Go around the site and try to manipulate the URL to get something like this: category = (select count(*) from tablename). [i]Hint: a broken image means that something’s gone wrong.[/i] In a similar manner, using category = (select columnname from tablename) you can check whether the column name you guessed is correct. Don’t worry, guessing should be easy. Okay, after you have the email table and column, find the number of columns in the products table. Use ORDER BY for that, i.e. category=1 order by <any number>. Keep increasing the number. If there are x columns, then when x+1 is entered a broken image appears, because the query errors out on a column position that does not exist.
If you have discovered the table name, the column name and the number of columns in the products table, we can move on to listing the emails table. We cannot insert [b]select column from table[/b] just like that, as we don’t have a free SQL entry point. Remember that in the URL the SELECT statement has already begun; it is in this condition: “select * from products where category = 1”. This is what “products.php?category=1” turns into on the server. So we use [b]union all[/b] to join our own SELECT onto the existing one. The injected value then looks like [b]category=1 union all select colname, colname, … (x times) from tablename--[/b], with exactly as many columns as the products query returns, because UNION requires both sides to have the same number of columns. Why the --? It starts a SQL comment, so whatever the server appends after our input is ignored.
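To show the same mechanics from the defender’s side, here is an added example (my own, not code from the post or from Hack This Site) that rebuilds the situation in an in-memory SQLite database: the UNION ALL payload the post describes leaks the email table from a query that pastes the category value into the SQL text, and does nothing against the same query written with a bound parameter. The table and column names (products, emails, email) and the sample rows are assumptions constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the challenge's database: a products table behind
# "products.php?category=1" and a separate table of stored email ids.
# Table/column names are assumptions for this demo, not the site's real ones.
def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, category INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 1, 'Whale oil', '10'), (2, 1, 'Ambergris', '99');
        CREATE TABLE emails (email TEXT);
        INSERT INTO emails VALUES ('alice@example.com'), ('bob@example.com');
    """)
    return db

def products_vulnerable(db, category):
    # The post's situation: the URL parameter is concatenated into the SQL text,
    # so the database sees whatever the visitor typed as part of the statement.
    sql = "SELECT id, category, name, price FROM products WHERE category = " + category
    return db.execute(sql).fetchall()

def products_hardened(db, category):
    # Fix: bind the value as a parameter. The driver sends it as data, never as
    # SQL, so a non-numeric string simply matches no category.
    sql = "SELECT id, category, name, price FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# The payload shape from the post: one selected column per column of the
# original SELECT (4 here), and a trailing comment to swallow the rest of the line.
PAYLOAD = "1 UNION ALL SELECT email, email, email, email FROM emails--"

def leaked_emails(rows):
    # Rows whose 'name' column holds an address came from the unioned SELECT.
    return sorted({r[2] for r in rows if "@" in str(r[2])})

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", leaked_emails(products_vulnerable(db, PAYLOAD)))
    print("hardened:  ", leaked_emails(products_hardened(db, PAYLOAD)))
```

The hardened version still answers the legitimate request (category "1" returns both products); only the injected text stops being interpreted as SQL.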
You should now be able to get the email ids. Collect them, and then send them to the person who asked you to get them. The user is, I believe, “SaveTheWhales”. Yes, use your Messages Centre on hackthissite. Congrats, Realistic 4 completed!