Topic: SQL injection 2
| Author: | Message: |
| BuRNeD Offline Forum Rank: Active User Posts: 112 Thanks: 14 Moderator | This is the wrong way... Try testing the first way you tried. The 1/2 of the challenge is no big deal. Read again the posts from the beginning, this might help. SPOILER: SQL Challenge 1 very similar |
| #21 | |
| t0mmy9 Offline Forum Rank: 1337 Posts: 395 Thanks: 75 Administrator | xyberz09, that is about 70% correct - good job. As BuRNeD says, this is similar to the first SQL, so you have to think about merging the first SQL solution and more to complete this part of the challenge. SPOILER: think what could be added after the "or" in your SQL. Signatures added! Go to my account to add your own |
| #22 | |
| xyberz09 Offline Forum Rank: Contributor Posts: 50 Thanks: 9 Contributor | @BuRNeD: I've already completed the first SQL challenge. That was wayyyy too easy. And I think I've also completed 1/2 of this chall (I get this text: Logged in as us3r. Due to some unexplained break-ins recently to this site, we have added an extra feature to prove you are the owner of this account.) So I guess I'm doing something wrong after I log in :| @t0mmy9: You're asking me to merge the 1st SQL solution and something more for this chall. I get that. But my question is, do I have to do this while logging in or after that? PS: By the way, it's getting a little confusing as to where to inject the malicious SQL. At the login prompt? When I'm logged in as us3r? Or when I log out and log in again as admin? |
| #23 | |
| t0mmy9 Offline Forum Rank: 1337 Posts: 395 Thanks: 75 Administrator | Yeah, it is supposed to be confusing. SPOILER: it's all from the login box |
| #24 | |
| fred777 Offline Forum Rank: n00b Posts: 5 Thanks: 2 Standard User | Yes, it's a normal SQL injection, and you can add your select-query with UNION. |
| #25 | |