We're not done with SQL injection yet.
The setup here is very similar to the last one, but this time there is just a news display page and a login page:
The source code and database structure are here:
Directory listing is also on for convenience:
The challenge: determine the admin user's password.
You win one book of your choice (out of two) from the books donated to the UA Computer Security Club by No Starch Press!
You also get your name mentioned as the winner of the contest. We'll probably list the top three.
Note: If you have been a recent winner of a contest, you can still be acknowledged as the winner of this one, but you can't win the prize. We want to share the wealth, you see.
Please respect the contest server. It's not a DoS contest. If your solution involves making multiple requests or connections to the server, that's fine, but please do them sequentially unless your solution requires them to be concurrent (in which case, please be kind).
Pretty much, if you know something wasn't intended and you know it may negatively impact the server, don't do it.
The contest is intended for University of Arizona students and faculty. If you aren't from the UA, you are welcome to give it a try, but you won't be credited with winning the contest and non-UA IP addresses are subject to blocking if they are abusive.
Send your victory reports and questions (and requests for hints) to contests -at- uacompsec.org.
No winner yet.
Solutions will be made available after the contest has ended.