Comments for jmchilton.net / blog

Comment on My Top 9 Favorite Movies of 2010 by Thomas Jonas

Thomas Jonas — Sat, 01 Jan 2011 20:46:40 +0000

I agree, The Girl Who Played With Fire was no where near as good as The Girl With The Dragon Tattoo. I am excited to see how they do the American version though. I think that comes out in November.

Comment on My Top 9 Favorite Movies of 2010 by Pratik

Pratik — Sat, 01 Jan 2011 20:09:24 +0000

I meant not John not Jihn – my apologies.

Comment on My Top 9 Favorite Movies of 2010 by Pratik

Pratik — Sat, 01 Jan 2011 20:08:08 +0000

Hello Jihn,

Neat ! Glad to hear that Social Network is # 1 – I personally think its worth an Oscar or two. Was surprised that you did not like Despicable Me. I watched it twice with my son and loved it. Wonder if you watch it when your son grows up and will your opinion change?

Comment on Tweeter – SQL Injection Practice by Nick

Nick — Fri, 06 Aug 2010 21:45:41 +0000

John,

Just wanted to point out that Tweeter was definitely the most interesting security workshop of the bunch. Thanks!

Nick

Comment on Tweeter – SQL Injection Practice by Omun

Omun — Sat, 10 Jul 2010 20:47:13 +0000

@Daniel You have to post as the user ‘agentgill’ or the link wont appear

Step 1 was quite easy, now im stuck @ step 2.
Any tip?

Comment on Tweeter – SQL Injection Practice by Daniel

Daniel — Fri, 09 Jul 2010 21:44:30 +0000

Went past round one easily – but didn’t get link to next round, any suggestions?

Comment on Tweeter – SQL Injection Practice by Neal Poole » Tweeter: An Awesome Tool for Practicing SQL Injections

Neal Poole » Tweeter: An Awesome Tool for Practicing SQL Injections — Wed, 07 Jul 2010 04:45:38 +0000

[...] More information about Tweeter (including a link to download the source) can be found on the author’s blog. [...]

Comment on Tweeter – SQL Injection Practice by agentgill

agentgill — Wed, 07 Jul 2010 03:15:44 +0000

warning spoilers….

Because the keyword “SELECT” was filtered to “” in level 3 what I did was “seSELECTlect”. Worked like a charm .

Comment on Tweeter – SQL Injection Practice by john

john — Tue, 06 Jul 2010 12:55:55 +0000

@p858snake I like the idea, making this seem applicable to the real world was a goal. I opted to write something custom so I could zero in on four specific lessons without a lot of distraction. I tried to make it seem more real world by making it vaguely resemble another microblogging service

@Ascomae Yeah it looks like people have found similar solutions for stage 1 and 2, I meant for them to be different, but this is what happens with open ended exercises. That said there is a really simple solution for stage 1 which I believe will not work on stage 2.

@rudeboy3 Glad you enjoyed it, and I love the idea for stage 5. If I do a revision at some point I will add that.

Comment on Tweeter – SQL Injection Practice by rudeboy3

rudeboy3 — Tue, 06 Jul 2010 12:42:57 +0000

I spent way too much time figuring out how to bypass the blacklist in round 3. Ah well. I nearly got stumped recently by a PHP file that took the parameter value from the URL without decoding it, and concatenated it into a MySQL query. What’s the big deal? No whitespace in your query! Fortunately, you can use /*comments*/ just like whitespace in MySQL. Took me a while to figure out what was wrong though, and then a little longer to work out how to get past it.

Another option for round 5 might be to have only one vulnerable page, with a blacklist against SELECT that can’t be bypassed, and no detailed error messages. Since you can now add extra users, you could just add another 100 users or so, then use inference-based character-at-a-time extraction to get the password, maybe a long string of replace(replace(replace(…replace(substring(password,1,1),’a',’97′),’b',’98′),’c',’99′)… or a big case substring(password,1,1) when ‘a’ then ’97′ when ‘b’ then ’98′… , decode and substitute it for the user_ID on the index.php page.

Anyhow, loads of fun. Thanks!