Post Tue Apr 11, 2006 10:30 pm

Example 1: Winners

See Original Announcement at

The competition for this Trinity-themed CRACK THE HACKER challenge was intense. We received over 50 entries, and many had very solid answers. I've picked the five best, which certainly wasn't an easy task. Of these five seriously smart dudes, the top two winners will receive a copy of my Counter Hack book.

While lots of you got the right answer, several folks asked about that IP address. While it is indeed registered to someone in the Netherlands and houses a variety of different web servers, it is also the home of little ol', my own web site.

Also, many people were confused by the second set of user input:

irsfile.asp?username='test'+UNION+SELECT+name,1,'1',1,'1' sobjects+WHERE+xtype+=+'U';--

With this input, Trinity is using a UNION statement to merge the results of the built-in database query with a SELECT statement of her own. Trinity's own SELECT statement is asking for the "name" field (followed by a bunch of 1's so that the original ASP's SELECT and Trinity's SELECT line up with the same number and type of fields, which UNION requires). But she's getting the "name" from the irs_dbase..sysobjects table. In a Microsoft SQL Server database, the [database_name]..sysobjects table is a metadata table holding information about the structure of the database itself, including the names of tables and columns. It doesn't hold user names; it contains data about the database. The xtype='U' simply means that Trinity wants to retrieve user-defined table names from the metadata. So, by running this command, Trinity is looking for the names of the tables in the database. She can then query those tables to get more information.

Each winner did a solid job, and I'd like to congratulate them on their prowess. They took on the role of Agent Smith and nailed the technical details of the case. In fact, they assumed the role of Agent Smith a bit too easily, if you ask me. Perhaps these guys aren't quite what they seem?  ; )

The winners are:

Raul Siles... whose answer is here. His very detailed analysis is simply wonderful, and quite educational. I very much enjoyed reading it, and strongly recommend it to you if you want to learn more about SQL Injection against web applications using Microsoft SQL Server databases. Raul does a great job of documenting how the attack worked, with nice references for more information. EXCELLENT JOB!

Joe Klein... whose answer is here. His answer is technically right-on, and quite fun.

The runners up (sorry, no book this time!) are:

Mike Poor... whose answer is here. Mr. Poor's answer made me laugh out loud. He had the best answer to the first and second questions! Spot on.

Mike Luedke... whose answer is here. Mr. Luedke had a very nice technical answer to the "ping" question.  I also like the part about his reference to the "ancient" security guy, Ed Skoudis.  ; )

Camillo Särs... whose answer is here. Amazingly, Mr. Särs even manages to sneak a few Dilbert references into his response. Nice!

Good work, folks. Please stay tuned for another challenge, in the July/August timeframe. In the meantime, enjoy your countless viewings of Matrix Reloaded.
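An added example, not part of the original post: one way a defender could flag requests like the UNION query against sysobjects explained above when reviewing web server logs. The rule names, the decode_query and classify helpers, and the sample request lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Signatures matched against the decoded, lower-cased query string (assumed rule set).
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "catalog_table": re.compile(r"\b(?:sysobjects|syscolumns|information_schema)\b"),
    "xtype_filter": re.compile(r"\bxtype\s*=\s*'?u'?"),
    "comment_tail": re.compile(r"--|/\*"),
}

def decode_query(target, max_rounds=3):
    """URL-decode the query string until stable, so double encoding is unwrapped."""
    text = urlsplit(target).query
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def classify(request_line):
    """Return (verdict, sorted tags) for one 'METHOD target' request line."""
    _method, target = request_line.split(" ", 1)
    query = decode_query(target)
    tags = sorted(tag for tag, rx in RULES.items() if rx.search(query))
    if "union_select" in tags and len(tags) > 1:
        verdict = "alert"    # UNION SELECT plus catalog access or a comment tail
    elif tags:
        verdict = "review"   # one weak signal, e.g. the plain words "union select"
    else:
        verdict = "ok"
    return verdict, tags

# Constructed sample requests, modelled on the input quoted in the post.
SAMPLE_REQUESTS = [
    "GET /irsfile.asp?username=neo",
    "GET /irsfile.asp?username='test'+UNION+SELECT+name,1,'1',1,'1'"
    "+FROM+irs_dbase..sysobjects+WHERE+xtype+=+'U';--",
    "GET /irsfile.asp?username=%2527test%2527%2520UnIoN%2520SeLeCt%2520name"
    "%252C1%2520FROM%2520sysobjects--",
    "GET /search.asp?q=student+union+select+committee",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), line[:60])
```

The last sample shows why a lone "union select" match is only marked for review: ordinary search text can contain those words, while the catalog table name and trailing comment are what separate a schema-enumeration attempt from noise.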