Hi, first of all thanks for such a great material/testbed to learn sql injections ! So useful to have sources, can modify all parameters: g/p/c, and inject in insert, update too... The challenges are nice too but i'm learning and facing a great problem now with the challenge #4... It' s said : "In this challenge, no output from the query is shown, but verbose errors are shown.
Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT blind SQL injection techniques." The problem is without blind sql injection techniques... as i suppose i can't use timing or other some kinds of things, and the only channel-back to me is in the error messages returned, i try to include the result of the injection in error messages, by kind of techniques i find/rode on the net, like this link : http://www.notsosecure.com/folder2/2010/06/29/mysql-exploitation-with-error-messages/
Anyway i'm going crazy nuts. so would you please tell me the results (only hte result it'll take you 2 minutes :D) and i'll be happy, because with previously used techniques, i'm able to find/dump the data, but can't figure out what you were taking about with error messages. I'm already trying to find a solution, trying to inject at run time and not on a parser error, to generate some kind of dynamic statement where the error message will contain the results of my injection...but can't succeed atm. Thanks for your help !
Regards.