Goodnight Byte: HackThisSite, Realistic 4 - Real Hacking Simulations
Written By
Alex Long
Published 3 months ago
Last edited 3 months ago

Last Friday's mission was to solve HackThisSite, Realistic 4. The fourth in a series of realistic simulation missions, it was designed to be exactly like a situation you may encounter in the real world. This time, we are told: "Fischer's Animal Products is a company that slaughters animals and turns their skin into overpriced products which are then sold to rich bastards! Help animal rights activists increase political awareness by hacking their mailing list."

This is serious business!

These missions are for everyone here, and you can join at any time. Your experience level doesn't matter. HackThisSite is a free, legal and safe practice ground for aspiring hackers wanting to test their knowledge on something real. We have full permission to exploit their servers, and we even get point rewards for it. In order to trump this mission, we need to find a way to get access to the original source code and restore the website to its former state.

Realistic 4

The request for our hacking skills this time comes from an animal rights activist.

When we click through to the website, we can see that they sell all sorts of illegal animal products. After a bit of exploration, you can tell just by examining a URL that the site uses MySQL to pull product information from a database.

http://www.hackthissite.org/missions/realistic/4/products.php?category=2

So, we need to try an SQL injection so we can view the email database. We already know the table name from trying to add ourselves to the site's email list.

http://www.hackthissite.org/missions/realistic/4/products.php?category=3%20UNION%20SELECT%20id,category,price,%20email+text%20FROM%20PRODUCTS,email%20where%20id%20=1

This gorgeously long URL is the SQL injection required to view the data contained in the email table. Now, just copy and paste the content of that page in a message to user "SaveTheWhales" on HackThisSite and you will emerge victorious.
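The following is an added example, not code from the original article or from HackThisSite, showing why the `category` value above changes the query and how the page should have been written. It uses an in-memory SQLite database in place of MySQL; the schema, sample rows and function names are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Query-string value copied from the injection URL in the article.
ARTICLE_VALUE = ("3%20UNION%20SELECT%20id,category,price,%20email+text"
                 "%20FROM%20PRODUCTS,email%20where%20id%20=1")

def make_db():
    """Constructed stand-in schema: a 4-column products table and an email table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, category INTEGER, price REAL, text TEXT);
        CREATE TABLE email (email TEXT);
        INSERT INTO products VALUES (1, 2, 10.0, 'item A'), (2, 3, 20.0, 'item B');
        INSERT INTO email VALUES ('alice@example.test'), ('bob@example.test');
    """)
    return db

def products_vulnerable(db, category):
    # The request value is pasted into the SQL text, so it can rewrite the statement.
    sql = "SELECT id, category, price, text FROM products WHERE category = " + category
    return db.execute(sql).fetchall()

def products_hardened(db, category):
    # 1) Allow-list: the category must be a short run of ASCII digits.
    if not re.fullmatch(r"[0-9]{1,9}", category):
        raise ValueError("category must be numeric")
    # 2) Bound parameter: the value travels as data and is never parsed as SQL.
    sql = "SELECT id, category, price, text FROM products WHERE category = ?"
    return db.execute(sql, (int(category),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    value = unquote_plus(ARTICLE_VALUE)  # what the server sees after URL decoding
    print("vulnerable:", products_vulnerable(db, value))
    try:
        products_hardened(db, value)
    except ValueError as exc:
        print("hardened rejected input:", exc)
    print("hardened, normal request:", products_hardened(db, "3"))
```

With the concatenated query, the email rows come back in the fourth column of the product listing; the hardened version rejects the same value before any SQL runs.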
