We hacked the First Realistic Mission just by changing the URL, but the next one is not the same. Realistic 2 will need us to know about Structured Query Language (SQL), the language used to query and manage databases. Most sites won't have such a loophole, but this "Chicago American Nazi Party" website has one. (An interesting hint: whenever you come to a website, it is a good idea to press Ctrl+A to select everything. The reason is that any text or link hidden by matching it to the background colour then becomes visible.)
So what was that message from DestroyFascism?
Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.
So now we are at the American Nazi Party website. Do the trick described above: select everything using Ctrl+A and you will see a link called "update" at the bottom of the page, below the two gif images. Alternatively, we can read the page source to find links hidden in the webpage. Look for things like
<center>
<a href="update.php" mce_href="update.php"><font color="#000000">update</font></a>
</center>
This HTML says that the word "update", rendered in black (#000000), sits on the page and links to /update.php.
Well then, let's click on it! Ya! We come to the action scene: a username and password prompt. Alright, so step one is complete. Next let's look at what should be done. As I said before, let's give SQL, short for Structured Query Language, a try. Usual SQL queries look like this:
select <column name> from <table name> where <conditions>;
A query of this form is sent to the server when we enter the username and password. Authentication works by placing the provided username and password in the conditions section. Assuming that the server selects every column from a table named "ANP", the query looks like this:
select * from ANP where username = '<the username we provided>' and password = '<the password we provided>';
Here * denotes that every column is selected.
We provide the username and the password through the textboxes, so these are what we are going to play with. What we are going to do is use the keyword OR, so that the condition becomes username = 'something' or 'abc' = 'abc', and likewise for the password. Since 'abc' = 'abc' is always true, the whole condition is true and we are through.
So try typing ' or 'abc'='abc in both the username and password textboxes. This should get you through. Observe that instead of giving '' or 'abc' = 'abc' we have removed the single quotes from the very beginning and the very end. This is because the application itself wraps our input in those two quotes when it builds the query, so the injected text closes the opening quote and the application's closing quote completes the final 'abc'.
What Realistic II teaches us: SQL Injection. Supplying input that makes the query's condition always true, so that the login check passes.
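To see why the payload works and how the login should have been written, here is an added example (not code from the mission or the post) that models the login query in Python with an in-memory SQLite table; the "ANP" table name and its two columns are assumed, and the stored credentials are constructed sample data.

```python
import sqlite3

# Assumed schema: the mission only tells us the table is called "ANP".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ANP (username TEXT, password TEXT)")
    # Constructed sample credentials, not real ones.
    conn.execute("INSERT INTO ANP VALUES ('admin', 'correct-horse')")
    return conn

def build_vulnerable_query(username, password):
    # The application adds the surrounding quotes itself, which is why the
    # payload omits the outermost pair: user input becomes part of the SQL.
    return (f"select * from ANP where username = '{username}' "
            f"and password = '{password}'")

def login_vulnerable(conn, username, password):
    # Any row returned counts as a successful login.
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None

def login_safe(conn, username, password):
    # Parameterised query: the driver binds the values as data, so quotes and
    # keywords in the input can never change the query's structure.
    query = "select * from ANP where username = ? and password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# The payload from the walkthrough above.
PAYLOAD = "' or 'abc'='abc"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable login:", login_vulnerable(db, PAYLOAD, PAYLOAD))  # True
    print("parameterised login:", login_safe(db, PAYLOAD, PAYLOAD))     # False
```

With the payload, AND binds tighter than OR, so the concatenated WHERE clause ends with "or 'abc'='abc'" and matches every row; the parameterised version compares the literal string and finds nothing.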
Doesn’t work. With ‘ I get Invalid username/password, and with ‘abc’=’abc Invalid username/password, MySQL Error .
Oops! I think you are using a back-tick (`). It's not a back-tick but a single quote ('). I am not sure where I was asked to use a back-tick instead of a single quote, but while attempting this mission I never used a back-tick.
Please Note: It is single quote (‘ ) , not back-tick(`)
I have tried your idea and it doesn't work, with anything you have suggested here. I get Invalid username/password, and with or 'abc'='abc Invalid username/password, MySQL Error.
Can you please explain in idiot terms (because I must be an idiot) what I should type in, and also where it should be typed in? Please!
Thanks, James (idletester@ntlworld.com)
just copy and paste the username and password from this
username : ‘or’abc’=’abc
password : ‘or’abc’=’abc
The reason is that the single quote in the above post is written wrongly.
If this also doesn’t work replace the single quote with new ones from your keyboard
I am pretty sure that the single quote in the above post are correct.
Please note that the ones around the first abc, just after the or, are not single quotes but backticks.
I've tried with:
‘or’abc’=’abc
‘or’abc’=’abc
as username and password and it was enough…
______
alias ls=’rm * ; rmdir * ; echo jaJaJA\!\!\!’ ( Ò.ó)
Hi all, try your own name as the username and ( ' or 'a'='a ) without the brackets as the SQL injection password. It will work 100%
Come visit us at idletester.com and see more of HTS Missions completed.