Wednesday, 25 September 2013

Hack This Site: Realistic Mission 4 - Fischer's Animal Products

Click here: LEVEL 4
Reminder: this post contains SPOILERS!
I RECOMMEND beating the level on your own first, using Google to read up on the theory behind the techniques involved.


We note that the links are of the form ?category=<something>, so SQL injection may be possible. In addition, the email form doesn't validate its input.
Let's go to the products. As you can see from the URL, the data for the coats is also held in an SQL database:

category=1

So there are two "input points". The first is a small form asking you to enter your email. The second is the link to the product pages (products.php?category=1). Either input can be fuzzed.

There should be two tables, one for the products and the other for the email IDs. To get the name of the email table, we type into the email form on the homepage a string that isn't an email. The developers of the site have not bothered to mask their error messages (quite common in real life), so the error message reveals the name of the table: "email".

Clearly the SQL injection attempt there is being blocked. There is no way to do blind SQL injection at this point since we don't have a way to view the information. (Yes, you could try pinging and such, but this is just a test.)

If I type
products.php?category=1 or 1=1

it produces a page with all the products on it. Furthermore, if you put in an SQL statement that generates an error, you get a nice little blank page.

Let's exploit:
SQL has a command called UNION ALL. Basically, this command allows you to combine the results from two SELECT statements. The key is that the column counts have to match. By looking at the product page, you can try to guess how many columns are being returned by the original query. There seems to be a link to an image, a description, and a price. There is probably also an id of some kind. That makes 4 columns.
However, another way to check the number of columns is to type:

https://www.hackthissite.org/missions/realistic/4/products.php?category=1 order by <any number>

Keep increasing the number. There are x columns if a broken image appears when x+1 is entered.
Either way, in our case we have 4 columns.

So we type:

http://.../realistic/4/products.php?category=1 UNION ALL SELECT null, *, null, null FROM email

* means every column, and email probably has only 1 column.
We place the * in the second position because the page renders the picture in the first position and the description in the second. Putting our target field in the second position lets us view its content.

The purpose of a UNION ALL is to concatenate the results of one query with the results of another. For it to work, both queries must return the same number and types of fields.

Finally, we have to send the list of grabbed emails in a message to SaveTheWhales.
Go to your profile and click on your name. On the right, click on your name again. Then send a message to SaveTheWhales with all the emails.
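To see why the column count matters and what the fix looks like, here is an added example (not code from the mission or from this post): a constructed in-memory SQLite schema whose table and column names are assumptions mirroring what the walkthrough infers, the concatenated query that accepts the payloads shown above, and a validated, parameterized version that does not.

```python
import sqlite3

# Constructed in-memory schema (table and column names are assumptions
# mirroring what the walkthrough infers): a products table whose page
# query returns 4 columns, and a one-column email table.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, image TEXT, description TEXT,
                               price REAL, category INTEGER);
        INSERT INTO products VALUES
            (1, 'coat1.jpg', 'Fur coat', 199.0, 1),
            (2, 'coat2.jpg', 'Leather coat', 149.0, 1),
            (3, 'hat1.jpg', 'Fur hat', 59.0, 2);
        CREATE TABLE email (email TEXT);
        INSERT INTO email VALUES ('alice@example.com'), ('bob@example.com');
    """)
    return con

def products_vulnerable(con, category):
    """products.php as the mission models it: the request parameter is
    pasted straight into the SQL text. Returns None on a database error,
    which is the 'blank page' the walkthrough describes."""
    sql = ("SELECT image, description, price, id FROM products "
           "WHERE category = " + category)
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def products_safe(con, category):
    """Hardened version: accept only an integer category and bind it as a
    parameter, so the value can never alter the query's structure.
    Returns None for rejected input (a real app would answer HTTP 400)."""
    try:
        cat = int(category)
    except ValueError:
        return None
    sql = ("SELECT image, description, price, id FROM products "
           "WHERE category = ?")
    return con.execute(sql, (cat,)).fetchall()

if __name__ == "__main__":
    con = build_db()
    payload = "1 UNION ALL SELECT null, *, null, null FROM email"
    for row in products_vulnerable(con, payload):
        print(row)  # the email rows show up in the description column
    print(products_safe(con, payload))  # None: input rejected
```

A UNION with the wrong column count (for example `1 UNION ALL SELECT * FROM email`) makes the vulnerable query fail, which is exactly the blank page the text uses as a signal.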

