- Janus All Challenges 1 to 10
- 1. SQLi challenge 1 --->
- ~~~ Task ~~~
- - display version with your name
- - display all tables from primary database sorted by table records count (descending sort order).
- ~~~ Site ~~~
- aHR0cDovL3d3dy5sb3djYXJib25saXZlcnBvb2wuY29tL2xpdHRsZV9ncmVlbl9ib29rLnBocD9pZD0x
- (Base64 decode it)
- ~~~ Proof ~~~
- https://www.anonimg.com/img/e6b7c21c0658c5e3683b073aee3b2907.jpg
- Records count on your picture will be probably different than on mine as records count is changing...
- ~~~ Rules ~~~
- use colors; group_concat and limit are not allowed; post your solution at https://privnote.com and send me the link to it
- 2. [Janus] SQLi challenge #2 ---->
- Here is my new challenge. As I said in my previous challenge I will ask for something more in my challenges, so maybe they are not for newbies... Non
- ~~~ Task ~~~
- - display version with your name
- ~~~ Site ~~~
- aHR0cDovL2lhLWJjLmNvbS9zZXJ2aWNlcy5waHA/aWQ9Mg==
- (Base64 decode it)
- ~~~ Rules ~~~
- I will help the WAF on that site with an additional rule
- - you may not use concat or any other function with character _ in function's name (like concat_ws...)
- - post your syntax to https://privnote.com and send me link to PM
- 3. [Janus] SQLi challenge #3
- Hi folks,
- This is my challenge #3. Previous two were basic for advanced injectors. We were sorting data in DIOS output in searching alternatives for concatenating data there. After that warming up it is time to go to next level
- ~~~ Task ~~~
- - display version with your name
- - display numbered list of all tables in primary database (one table per row)
- ~~~ Site ~~~
- aHR0cDovL3d3dy5jaG5yaS5vcmcvcHJvZmlsZS5waHA/cHJvZmlsZUlkPTIzODk=
- (Base64 decode it)
- ~~~ Proof ~~~
- http://img15.hostingpics.net/pics/42028814c1.jpg
- As this challenge is harder I will force you to change your usual injections - see rules below.
- ~~~ Rules ~~~
- - complete injection must be done in one vulnerable column
- - you may not use concat or any other function with character _ in function's name (like group_concat...)
- - you may not use function IN() or Benchmark()
- in your complete syntax, the command from may be used only once
- - your command should work without knowing anything about databases/tables on that site...
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 4. [Janus] SQLi challenge #4 ---->
- Hi folks,
- This is my challenge #4. Again, it will be a little harder than previous ones
- ~~~ Task ~~~
- - display all tables in primary database
- - under each table (displayed only once) display numbered list (use roman numbers) of columns in that table (with their length in characters) sorted by column length descending
- - display only column names with more than 6 characters in its name (hide all shorter ones)
- - make a statistics about records in each table, number of columns and number of hidden columns (those shorter than 6 characters in column_name) in each table - see proof picture
- ~~~ Site ~~~
- aHR0cDovL3d3dy5ldmVuZW1lbnRpZWwtZnJhbmNlLmNvbS90YXJpZi1ldC1kZXZpcy10YXJpZnMucGhwP2lkYXBwZWw9NjA1MA==
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img15.hostingpics.net/pics/98313178c1.jpg
- ~~~ Rules ~~~
- - complete injection must be done in one vulnerable column
- - don't use group_concat, limit and substring_index (use pure DIOS)
- - your command should work without knowing anything about tables/columns on that site...
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 5. [Janus] SQLi challenge #5
- Hi folks,
- This is my challenge #5 for advanced injectors. Again, it will be a little harder than previous ones
- ~~~ Task ~~~
- - display version with your name
- - find total number of all databases
- - find total number of tables in all databases
- - find total number of columns in all databases
- - go through all databases and find highest and lowest number of tables among all databases
- - go through all databases and find highest and lowest number of columns among all tables in all databases
- - go through all databases and find highest and lowest number of records among all tables in all databases
- ~~~ Site ~~~
- aHR0cDovL3d3dy5wYW50ZXJhLmNvbS5ici9ub3RpY2lhcy92ZXJub3RpY2lhLnBocD9ub3Q9NQ==
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img4.hostingpics.net/pics/43654018c2.jpg
- ~~~ Rules ~~~
- - you may not use command count() for finding totals (task 1 - 3)
- - don't use database name information_schema anywhere in your syntax...
- - in your syntax you should use all three relevant tables: information_schema.schemata for data about databases / information_schema.tables for data about tables and information_schema.columns for data about columns.
- - your command should work without knowing anything about databases/tables/columns on that site...
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 6. [Janus] SQLi challenge #6 [hard]
- Hi folks,
- This is my challenge #6 for advanced injectors. After warming up with previous 5 let's start with hard SQLi challenges
- ~~~ Tasks ~~~
- - display version with your name
- - display number of tables in main database
- - display top 10 tables (with their date of change) that were changed most recently
- - display top 10 "oldest" tables (with their date of change) according to their dates of change
- - each list should be numbered separately
- ~~~ Site ~~~
- aHR0cDovL3d3dy5wcmVtaXNlcy5jb20uYXUvcmVzaWRldGFpbHMucGhwP2lkPTYwNzk2Nzg=
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img15.hostingpics.net/pics/32830315c1.jpg
- ~~~ Rules ~~~
- - you may not use command order by or group by
- - solution should be pure SQL
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 7. [Janus] SQLi challenge #7 [hard] ----->
- Hi folks,
- Let's continue my series of challenges. Credits for this challenge go to ajkaro.
- ~~~ Tasks ~~~
- - display numbered list of all databases
- - at each database name show number of tables in that database
- - after each database display numbered list of tables in that database (start tables numbering with number 1 with each new database)
- - at each table name show number of records and columns in that table
- - after each table display numbered list of all columns in that table (start columns numbering with number 1 with each new table)
- - indent each level (databases/tables/columns) - see proof picture (example with database #2)
- ~~~ Site ~~~
- aHR0cDovL2luZHVzdHJpYWxpbXBsYXIuY29tLmJyL25vdGljaWFzLWxvb2sucGhwP25vdGljaWE9MQ==
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img4.hostingpics.net/pics/80747030c1.jpg
- ~~~ Rules ~~~
- - for each level of data (databases/tables/columns) use different colors (for example red/green/blue)
- - in your syntax you should iterate through all three relevant tables: information_schema.schemata for data about databases / information_schema.tables for data about tables and information_schema.columns for data about columns. Other tricks are not allowed
- - you may not use benchmark()
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 8. [Janus] SQLi challenge #8
- Hi folks,
- Here is my challenge #8 of 10 for M"SQLi circle members (open to others too).
- ~~~ Tasks ~~~
- - display version with your name
- - display list of all tables in primary database with their number of columns
- - list should be sorted in descending columns/tables order
- - display number of columns in accurate graphics (see proof picture)
- ~~~ Site ~~~
- aHR0cDovL3d3dy5tZXJpZGlhbjQuY29tL25ld3MvP2dhbWU9MTA=
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img4.hostingpics.net/pics/45114240c6.jpg
- ~~~ Rules ~~~
- - you may not use benchmark()
- - your injection should work without knowing anything about database/tables/columns on that site
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 9. [Janus] SQLi challenge #9
- Hi folks,
- Here is my challenge #9 of 10 for M"SQLi circle members (open to others too).
- ~~~ Tasks ~~~
- - display top 5 tables with their records count
- - use colors
- ~~~ Site ~~~
- aHR0cHM6Ly93d3cubGluZGFrYW1taW5zLmNvbS9jaGVja291dC5waHA/Y2F0aWQ9MTEmY2hlY2tjaG9vc2VyPWNoZWNrb3V0JnNpZD1hZmJlNjk3Y2M2ZjBmNjRiMDEzMzEzYTY1NzIzMjE5Mw==
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img15.hostingpics.net/pics/92202691c5.jpg
- ~~~ Rules ~~~
- - union select
- - your injection should work without knowing anything about tables/records on that site
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you
- 10. [Janus] SQLi challenge #10 [hard]
- Hi folks,
- Here is my final challenge (#10 of #10 for M"SQLi circle members (open to others too)). Possible other challenges from me WILL NOT be part of Mensa SQLi circle competition any more.... I finished my obligation, waiting for challenges from other M"SQLi members... I expect your revenge
- Credits for some parts of this challenge go again to ajkaro. Thanks man for all your help and inspiration
- ~~~ Tasks ~~~
- - display version with your name
- - display list of all tables in primary database, sorted descending by number of columns where column name starts with letter j or a or n or u or s
- - at tables where such columns exist, graphically display number of them and display them in sorted list in descending order (see proof picture)
- ~~~ Site ~~~
- aHR0cDovL3d3dy50cnVjb3JlcGlsYXRlcy5jb20vdHJhaW5lcnMucGhwP3BhZ2VfaWQ9MjU=
- (Base64 decode it using online decoder like https://www.base64decode.org/)
- ~~~ Proof ~~~
- http://img15.hostingpics.net/pics/111243challenge10.jpg
- ~~~ Rules ~~~
- - use DIOS. group_concat, order by, group by, html table commands may not be part of your syntax
- - use pure SQL (no javascript or anything else)
- - your injection should work without knowing anything about databases/tables/columns at that site
- - your solution should be generic (it should work at different SQLi vulnerable sites (WAF excluded))
- Post your syntax to https://privnote.com (it is automatically destroyed after reading) and send me link to PM
- Let's SQL knowledge be with you