From aldeid
  • Level: Realistic::4 (Fischer's Animal Products)
  • URL: http://www.hackthissite.org/missions/realistic/4/
  • Difficulty:
  • Exercise: FAP is a company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.

Message: Hello, I was referred to you by a friend who says you know how to hack into computers and web sites - well I was wondering if you could help me out here. There's this local store who is killing hundreds of animals a day exclusively for the purpose of selling jackets and purses etc out of their skin! I have been to their website and they have an email list for their customers. I was wondering if you could somehow hack in and send me every email address on that list? I want to send them a message letting them know of the murder they are wearing. Just reply to this message with a list of the email addresses. Please? Their website is at http://www.hackthissite.org/missions/realistic/4/. Thanks so much!!

  • Solution:

Notice that the links are of the form ?category=<something>. In addition, the email form does not validate its input: entering oops in the field produces an error message that reveals the name of our target table, EMAIL. A SQL injection therefore looks like the way to solve this challenge. The product pages seem to output 3 or 4 fields (pic, description, price, [id]). With UNION ALL SELECT we are done: just paste the following at the end of the URL (separated by a space): ?category=2 <paste here>

UNION ALL SELECT null, *, null, null FROM email;
We place the * in the second position because the query puts the picture in the first column and the description in the second. Placing our target field in the second column is what makes its content visible on the page.

The purpose of a UNION ALL query is to concatenate the results of one query with the results of another. For this to work, both queries must return the same number of columns with compatible types.
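The two points above (the category value being spliced into the SQL text, and the column count of the UNION having to match the original SELECT) can be reproduced offline. The following is an added example written for this page, not code from the mission or from aldeid: it uses an in-memory SQLite database whose schema (a products table with pic, description, price, id and category columns, and a single-column email table) and whose sample rows and log lines are assumptions constructed for the demonstration. It shows the vulnerable concatenation beside a fixed version that validates and binds the parameter, shows the database rejecting a UNION whose column count does not match, and ends with a small log check a defender can run to spot this kind of request.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed schema and data standing in for the mission's shop database (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (pic TEXT, description TEXT, price REAL, id INTEGER, category INTEGER);
        CREATE TABLE email (address TEXT);
        INSERT INTO products VALUES ('purse.jpg',  'Leather purse',  120.0, 1, 2);
        INSERT INTO products VALUES ('jacket.jpg', 'Leather jacket', 450.0, 2, 2);
        INSERT INTO email VALUES ('alice@example.test');
        INSERT INTO email VALUES ('bob@example.test');
    """)
    return conn

# The defect the walkthrough relies on: the raw ?category= value is pasted into the SQL text,
# so the query's shape is under the client's control.
def products_vulnerable(conn, category):
    sql = "SELECT pic, description, price, id FROM products WHERE category = " + category
    return conn.execute(sql).fetchall()

# Binding alone: the same text is passed as a parameter, so it is compared as data and
# never parsed as SQL; the injected string simply matches no category.
def products_bound_only(conn, category):
    sql = "SELECT pic, description, price, id FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

# The hardened version: reject anything that is not a small integer, then bind the value.
def products_safe(conn, category):
    if not re.fullmatch(r"\d{1,6}", category):
        raise ValueError("category must be a small positive integer")
    sql = "SELECT pic, description, price, id FROM products WHERE category = ?"
    return conn.execute(sql, (int(category),)).fetchall()

# The walkthrough's payload: four columns, with * (the email table's single column) in the
# second position so it lands in the description slot the page displays.
PAYLOAD = "2 UNION ALL SELECT null, *, null, null FROM email"

# Why the column count matters: a three-column UNION against the four-column query is
# rejected by the database, which is what an attacker probing column counts would see.
def union_with_wrong_column_count(conn):
    try:
        products_vulnerable(conn, "2 UNION ALL SELECT null, *, null FROM email")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

# Constructed access-log lines (assumption) in a combined-log-like format; the second one
# carries the URL-encoded payload, the third is a benign request that merely mentions "union".
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /products.php?category=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /products.php?category=2%20UNION%20ALL%20SELECT%20null,*,null,null%20FROM%20email HTTP/1.1" 200 9000',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /products.php?category=union HTTP/1.1" 200 512',
]
UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)

# Detection: decode each request target and return the client IPs whose query string
# contains UNION [ALL] SELECT. Decoding first matters because the payload arrives encoded.
def flag_union_requests(lines):
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        if UNION_RE.search(unquote_plus(m.group(1))):
            hits.append(line.split()[0])
    return hits

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", products_vulnerable(conn, PAYLOAD))
    print("bound only:", products_bound_only(conn, PAYLOAD))
    print("wrong column count:", union_with_wrong_column_count(conn))
    print("flagged clients:", flag_union_requests(ACCESS_LOG))
```

Run as a script, the vulnerable lookup returns the two product rows followed by two rows whose second column is an email address, the bound-only lookup returns nothing, the mismatched UNION raises SQLite's "same number of result columns" error, and only the client that sent the encoded UNION request is flagged. The validation step in products_safe is the cheap fix; parameter binding is the one that holds even when validation is forgotten.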

Read more about SQL Injections.

Once done, you have to send the list of grabbed emails in a mail to SaveTheWhales.

Go to your profile, click on your name. On the right, click on your name again.

Fill in the popup window as follows and send your mail.