dexter@aeron7.com

Sql Injection Method

It can be better said as query string manipulation. A Query-string is any data in the URL that appears after the page name which will be followed by a question mark (?). All information after this question mark is the query-string.i.e.

http://www.site.com/index.php?variable1=[value1]&variable2=[value2]

Notice that everything is something = [some text or numbers]. The something is basically a variable that the system is passing, and [some text or numbers] is its value.

So to manipulate the query-string, you would change the value of [some text or numbers]. Do Not change the “something”, otherwise the system will probably not pick up what you sent, unless you accidentally changed it to another possible name the system would recognize. After you have changed the value of [some text or number] hit Enter or click Go to reload the page, and now your new value is sent to the server.

To know that you are sending a query-string to another page or database of some kind you need to find the following piece of code in the source code:

<form action=”v.php” method=”get”>

This line says the following form will submit to v.php. Using the method get. This indicates that the page v.php will be looking for variables in the query string. Note if you see:

method=”post”

This is something different. I suggest reading up on “get vs post” if you are not sure between the two.

So you have opened the realistic challenge number 1 in hackthissite account and have observe the source code of the site at the point of what does the clicking on “vote!” button do? !!

The question now is what variables We are sending to vote.php. The first piece of code you find might be obvious:

<select name=”vote”>
<option value=1>1</option>
<option value=”2″>2</option>
<option value=”3″>3</option>
<option value=”4″>4</option>
<option value=”5″>5</option>
</select>

This is indicating that there is a variable vote with a dropdown list of values. So when you submit the page it will look something like this vote=1. Unfortunately this means nothing if you do not know what band to apply the vote to. After looking over the code a bit more you notice:

<input type=”hidden” name=”id” value=”3″/>

This is indicating that a variable id has a value of 3. This piece indicates that the band id = 3.
When you put everything you learned together you have a querystring that should look like this:

v.php?id=0&vote=999999999999

So we are sending the v.php page the id=0 (which represents the band) and a vote count of 999999999 (which increases thier rating). When you submit this you might notice it doesn’t work. Well that is because we forgot something:

<input type=”hidden” name=”PHPSESSID” value=”abcaeadfc31a5c43b2534bf995c0553f”/>

Add this to the query string and you should be all set.

v.php?PHPSESSID=abcaeadfc31a5c43b2534bf995c0553f&id=3&vote=999999999

Means we have to change http://www.hackthissite.org/missions/realistic/1/index.php to

hackthissite.org/missions/realistic/1/ v.php?PHPSESSID=abcaeadfc31a5c43b2534bf995c0553f&id=3&vote=999999999

Javascript Injection Method

Goto http://www.hackthissite.org/missions/realistic/1/index.php  and type the following in the URL and press enter.

javascript:alert(document.forms[4].vote.options[0].value = 999999999)

This is a typical javascript injection which sets our value 1 to our desired value. Just click “Vote!” and it will work superb!!

About the Author

Aloha, I'm Amit Ghosh, a web entrepreneur and avid blogger. Bitten by entrepreneurial bug, I got kicked out from college and ended up being millionaire and running a digital media company named Aeron7 headquartered at Lithuania.

Related Posts

Basic Mission 1   I can call you a pretty dumb as per you are now viewing the walkthrough for...

Basic Mission 2   I can again call you a pretty dumb as per you are now again viewing the walk...

Basic Mission 3   Have a look at the source code of that page and have you noticed the form section?...

Leave a Reply