Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Modsecurity SQLi Challenge
Posted by: lightos
Date: June 22, 2011 05:00PM

Hey fellow slackers, I just wanted to share with you this SQLi Challenge sponsored by Modsecurity. The challenge consists of two levels, the first one is a speed test which is pretty straight forward - Be one of the first 4 to extract the required data and you're a winner. The second challenge is where it gets juicy, here you'll have to extract the same data, but without triggering an Inbound alert. Second level offers a prize to any winner. Good luck!

[www.modsecurity.org]

Options: ReplyQuote
Re: Modsecurity SQLi Challenge
Posted by: superevr
Date: June 23, 2011 06:23PM

I'm interested on how you might bypass the inbound alerts. The site I looked at was using an JetSQL (Access) database, which makes things difficult since there is not an inline commenting structure for it. I tried that and parameter pollution for my first attempts.

Options: ReplyQuote
Re: Modsecurity SQLi Challenge
Posted by: lightos
Date: June 23, 2011 08:29PM

The test sites use different DBMS, so if you get stuck on one you can always try a different site. I'm close to solving level 2 using the Acuart site. Haven't really tried any of the other ones yet.

Options: ReplyQuote
Re: Modsecurity SQLi Challenge
Posted by: Plitvix
Date: August 06, 2011 07:59PM

Do we have to get output or blind injection too all tables is fine?

Options: ReplyQuote
Re: Modsecurity SQLi Challenge
Posted by: Reiners
Date: August 07, 2011 10:39AM

blind SQLi is fine too as long as you can extract the data without triggering any alert.

Options: ReplyQuote


Sorry, only registered users may post in this forum.