Can someone give me a hint on challenge 2? I've been stuck on it for quite a while now. I've tried
' O/**/R 1=1 LIM/**/IT 1" );--
' OORR 1=1 LIMORIT 1" );--
But none works.
Any help is appreciated!
Well your first try is on the right track, but you've overcomplicated it a bit. Try simplifying it a bit.
Thanks, I got it.
Can you explain to me why Admin' " );-- wouldn't work?
I thought the ' " and ) were needed to prevent a syntax error.
Sounds like you were trying to close the PHP function, and it doesn't work that way. You're just making a SQL injection.
I see, so my input always gets ended at the " ?
When you have code like this:
mysql_query("select a from b where b.username='$x' and b.password='$y'")
And you enter Admin' " );-- then you'll get:
mysql_query("select a from b where b.username='Admin' \" );--' and b.password='whatever'")
and that's invalid syntax for a SQL query. You're just able to insert SQL code, not PHP code.
Is the username case sensitive and is the user name literally "Admin"?
khr0x40sh wrote: Is the username case sensitive and is the user name literally "Admin"?
Well part of the challenge is figuring that out, but yeah, you should assume that.
And just FYI, the SQL injection challenges were not working properly due to updates. They should be fixed now.
ynori7 wrote: And just FYI, the SQL injection challenges were not working properly due to updates. They should be fixed now.
This makes me so mad, lol, glad it is working now.