SQLI

Well maybe the title is a bit click bait — SQL injection itself can’t directly inject all the way to an RDP account takeover xD Actually the initial goal was just to download anime on moesubs.com, but when opening the website there was a URL that looked very suspicious: https://moesubs.com/?hal=dlrilisan&id=591 so I tried checking with ' and the site returned an error. After the error I balanced it using an SQL comment --+- and the page returned to normal, okay let’s continue …

Well, this post was made because the Surabaya Hacker Link challenges have been updated and many people were curious about this challenge but hadn’t solved it yet and suggested making a video tutorial, but since I can’t make a video, I’ll just write it here instead, updated challenges It explains that we have to save John’s website and then we will be given a Telegram group link (flag). initial appearance of the shl challenge page