Sql Injection Method
It can be better said as query string manipulation. A Query-string is any data in the URL that appears after the page name which will be followed by a question mark (?). All information after this question mark is the query-string.i.e.
| http://www.site.com/index.php?variable1=[value1]&variable2=[value2] |
Notice that everything is something = [some text or numbers]. The something is basically a variable that the system is passing, and [some text or numbers] is its value.
So to manipulate the query-string, you would change the value of [some text or numbers]. Do Not change the “something”, otherwise the system will probably not pick up what you sent, unless you accidentally changed it to another possible name the system would recognize. After you have changed the value of [some text or number] hit Enter or click Go to reload the page, and now your new value is sent to the server.
To know that you are sending a query-string to another page or database of some kind you need to find the following piece of code in the source code:
| <form action=”v.php” method=”get”> |
This line says the following form will submit to v.php. Using the method get. This indicates that the page v.php will be looking for variables in the query string. Note if you see:
| method=”post” |
This is something different. I suggest reading up on “get vs post” if you are not sure between the two.
So you have opened the realistic challenge number 1 in hackthissite account and have observe the source code of the site at the point of what does the clicking on “vote!” button do? !!
The question now is what variables We are sending to vote.php. The first piece of code you find might be obvious:
| <select name=”vote”> <option value=1>1</option> <option value=”2″>2</option> <option value=”3″>3</option> <option value=”4″>4</option> <option value=”5″>5</option> </select> |
This is indicating that there is a variable vote with a dropdown list of values. So when you submit the page it will look something like this vote=1. Unfortunately this means nothing if you do not know what band to apply the vote to. After looking over the code a bit more you notice:
| <input type=”hidden” name=”id” value=”3″/> |
This is indicating that a variable id has a value of 3. This piece indicates that the band id = 3.
When you put everything you learned together you have a querystring that should look like this:
| v.php?id=0&vote=999999999999 |
So we are sending the v.php page the id=0 (which represents the band) and a vote count of 999999999 (which increases thier rating). When you submit this you might notice it doesn’t work. Well that is because we forgot something:
| <input type=”hidden” name=”PHPSESSID” value=”abcaeadfc31a5c43b2534bf995c0553f”/> |
Add this to the query string and you should be all set.
| v.php?PHPSESSID=abcaeadfc31a5c43b2534bf995c0553f&id=3&vote=999999999 |
Means we have to change http://www.hackthissite.org/missions/realistic/1/index.php to
Javascript Injection Method
Goto http://www.hackthissite.org/missions/realistic/1/index.php and type the following in the URL and press enter.
| javascript:alert(document.forms[4].vote.options[0].value = 999999999) |
This is a typical javascript injection which sets our value 1 to our desired value. Just click “Vote!” and it will work superb!!
