adding a will trigger a 503 error
The server just emulated the bug, so you had to guess the right solution string.
Can you redirect ME to hackim.null.co.in?
My first idea was to try HTTP response splitting, but you don't get real feedback. I guess it's emulated again. In the end the following request did it.
Click here to Login
Click here to Register
Invalid Flag. Please try again.
and we get
Debug Info: INSERT 'Admin125email@example.com|admin:no|comment:new user' INTO USER DB FILE
Log in as Admin126 and you get
Welcome! You are logged in as ADMIN!
Level 4
Can You Get Me all the Data?
Check for XPATH injection
We get 11 presidents of India
Trying flag as the node name and identifying the length of the flag
We get "Web+Level+4", but this is not the solution.
So trying to get all data.
Doing some experiments to get the count of all entries.
11 presidents but 12 nodes?
Either you guess the node name or you brute-force the server with blind XPATH attacks, as I did.
After searching for the node //value
Afterwards I got non-blind solutions from others
1: '] //* | //* ['1' ='1
Web Level 5
Do You Have What IT Takes to Break into the World's Most Secure Login System?
SQL injection with recaptcha?
If you insert ' OR ''=' you will be detected, so no spaces are allowed.
You can try '=' which should build a query like "where username=''=''" and this will be true.
In our case inserting '!=' or '<>' in username and password will pass the test.
username = '' != '' and password = '' != ''
Why does this work? The comparisons in the query are evaluated from left to right.
username = '' is FALSE
FALSE != '' is TRUE
For SQLite: "Arithmetic, boolean, relational and bitwise operators are all left to right associated."
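The left-to-right evaluation described above, reproduced against an in-memory SQLite database and set beside a parameterized query. This is an added example, not code from the challenge; the users table, its column names and the stored password are constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed')")
    return db

def login_concat(db, username, password):
    # Vulnerable pattern: input is pasted into the SQL text, so the
    # payload '!=' turns the WHERE clause into
    #   username = ''!='' AND password = ''!=''
    sql = ("SELECT username FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchall()

def login_bound(db, username, password):
    # Hardened form: values are bound as data and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

def eval_steps(db):
    # The two steps from the text, for a row whose username is 'admin'.
    step1 = db.execute("SELECT 'admin' = ''").fetchone()[0]  # FALSE
    step2 = db.execute("SELECT 0 != ''").fetchone()[0]       # FALSE != '' is TRUE
    # With '=' instead, SQLite compares integer 0 with text '' and says FALSE.
    step_eq = db.execute("SELECT 0 = ''").fetchone()[0]
    return step1, step2, step_eq

if __name__ == "__main__":
    db = make_db()
    print("evaluation steps:", eval_steps(db))
    print("concatenated, '!=':", login_concat(db, "'!='", "'!='"))
    print("concatenated, '=': ", login_concat(db, "'='", "'='"))
    print("bound, '!=':       ", login_bound(db, "'!='", "'!='"))
```

The bound query treats `'!='` as a literal username, so it matches no row; only the real credentials return the account.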
For corrections and other feedback send me an e-mail to bashrc at intruded dot net