Username: 
Password: 
Restrict session to IP 
Questions  |  score: 6  |  5.61 8.14 7.68 |  Solved By 304 People  |  440961 views  |  since Feb 11, 2014 - 22:19:18

Table Names II (MySQL, Exploit)

Your mission...
Is to find out the database and table name used in this sql injection challenge.
This time, We have blocked a few keywords!

You can see the sourcecode, also as highlighted version.
Click here to access the vulnerable script.

We already created a fake account:
Username: test
Password: test

As solution enter the database and table name separated with an underscore, like "databasename_tablename".
GeSHi`ed PHP code for challenge.php
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
<?php
$secret = require('secret.php');
chdir('../../../');
define('GWF_PAGE_TITLE', 'Table Names II');
require_once('challenge/html_head.php');require(GWF_CORE_PATH.'module/WeChall/solutionbox.php');
 
if (false === ($chall = WC_Challenge::getByTitle(GWF_PAGE_TITLE)))
{
        $chall = WC_Challenge::dummyChallenge(GWF_PAGE_TITLE, 6, 'challenge/nurfed/more_table_names/index.php', $secret['flag']);}
$chall->showHeader();
$chall->onCheckSolution();
 
if (false !== Common::getGet('login')){
        $username = Common::getGetString('username', '');
        $password = Common::getGetString('password', '');
        
        if (preg_match('/statistics|tables|columns|table_constraints|key_column_usage|partitions|schema_privileges|schemata|database|schema\(\)/i', $username.$password))        {
                echo GWF_HTML::error(GWF_PAGE_TITLE, $chall->lang('on_match'));
        }
        else
        {                if (false === ($db = gdo_db_instance($secret['host'], $secret['username'], $secret['password'], $secret['database'])))
                {
                        die('Database error.');
                }
                 $db->setVerbose(false);
                $db->setLogging(false);
                $db->setEMailOnError(false);
                
                                $query = "SELECT * FROM {$secret['database']}.{$secret['table_name']} WHERE username='$username' AND password='$password'";
                if (false === ($result = ($db->queryFirst($query, false))))
                {
                        echo GWF_HTML::error(GWF_PAGE_TITLE, $chall->lang('on_login_fail'));
                }                else
                {
                        $user = isset($result['username']) ? $result['username'] : '';
                        $message = isset($result['message']) ? $result['message'] : '';
                        echo GWF_HTML::message(GWF_PAGE_TITLE, $chall->lang('on_logged_in', array(GWF_HTML::display($user), GWF_HTML::display($message))));                }
        }
}
 
?><div class="box box_c">
<form action="challenge.php" method="get">
<div><?php echo $chall->lang('username'); ?>: <input type="text" name="username" value="" /></div>
<div><?php echo $chall->lang('password'); ?>: <input type="text" name="password" value="" /></div>
<div><input type="submit" name="login" value="<?php echo $chall->lang('login'); ?>" /></div></form>
</div>
<?php
echo $chall->copyrightFooter();
require_once('challenge/html_foot.php'); 
Your solution for Table Names II
Answer
© 2014, 2015, 2016, 2017, 2018, 2019 and 2020 by nurfed