
SQL Injection


By ghostghost | 20907 Reads

So let's start with how to find vulnerable scripts/sites: Google. Google is the best place to start for an attack like SQL injection. Google can find anything that wants to be found, and plenty of things that shouldn't be found. There are all kinds of specially crafted search operators you can use with Google, like intitle:, allintitle:, inurl:, allinurl:, allintext:, allinlinks:, "index of" and filetype:. So typing something like "robots.txt" "Disallow:" filetype:txt into Google will give you a treasure chest of information. To help you find pages containing login portals you could try something like allinurl:"exchange/logon.asp" or inurl:/admin/login.asp, or inurl:login filetype:swf swf. For more information on how to get Google to help you hack, check out http://johnny.ihackstuff.com/index.php?module=prodreviews

So with Google we will target logins. When looking for a login script to attack, you can just search for something like login.asp or login.php, or use one of the Google operators such as inurl:/admin/login.asp. It's pretty easy to find many, many sites with logins nowadays.

An Introduction to SQL Injection

SQL is short for Structured Query Language and is a language used to communicate with an SQL database. SQL talks to a relational database, the most commonly used kind of database out there, and uses queries to get information from tables within the database.

Find the login page for that website and test it. The greatest and most simple test string is the ' (the apostrophe), so find the login and see what happens when you enter the ' into the username and password fields. Does it generate an error? Nope. Must be a failed site with no SQL injection? Think again. I normally would move to a different method if I were you, but I will tell you another string that can sometimes log you into an account without verification: try 'OR'1=1. Try that string in the username and password inputs.

You need to know what the statement 'OR'1=1 means, so let's break it down: ' OR ' 1 = 1.

Due to shitty coding, putting in an apostrophe will close the last string passed to the script, which in turn gets passed to the database to check the username and password. You should never allow things like apostrophes, spaces or other wildcard characters to be passed into a database entry, or to any PHP or ASP script for that matter. The same could be said about ColdFusion as well.

The OR statement is SQL syntax that means just what it says: OR. So when you enter the OR statement it is saying: check this username/password, OR check the next statement.

This is the statement we passed to the script to pass on to the database: 1=1. In any programming language this is sure to be a statement that evaluates to true, because 1 equals 1.

So now all together: 'OR'1=1. When you enter this into a login form, it gets passed as a variable to the script and then to the database, and it is basically saying username=true&password=true. You can try different combinations.
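The bypass just described, worked through as an added example that is not part of the original article: it runs against a constructed in-memory SQLite table mirroring the HellBound example, and shows the concatenated query the article calls shitty coding beside the bound-parameter version, which is the real fix rather than filtering apostrophes. The function names and the sample row are assumptions of this example.

```python
import sqlite3

# Constructed sample data mirroring the article's HellBound table (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE HellBound (username TEXT, pass TEXT, year INTEGER)")
    conn.execute("INSERT INTO HellBound VALUES ('nighthawk', 'letmein', 2005)")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by gluing user input into the SQL text.
    Returns (sql_sent, logged_in, db_error). A lone apostrophe breaks the
    quoting and produces the database error the article tells you to look for;
    the ' OR '1=1 string closes the quotes and adds an always-true condition."""
    sql = ("SELECT * FROM HellBound WHERE username='" + username
           + "' AND pass='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Echoing this message back to the browser is what makes the flaw easy to spot.
        return sql, False, str(exc)
    return sql, row is not None, None

def login_safe(conn, username, password):
    """Same check with bound parameters: the input travels as data, never as
    SQL syntax, so quotes and OR inside it cannot change the query's shape."""
    sql = "SELECT * FROM HellBound WHERE username=? AND pass=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("nighthawk", "letmein"), ("'", "x"), ("' OR '1=1", "' OR '1=1")]:
        sent, ok, err = login_vulnerable(db, user, pw)
        print(f"vulnerable: {sent!r} -> logged_in={ok} error={err}")
        print(f"safe      : same inputs bound -> logged_in={login_safe(db, user, pw)}")
```

Only the vulnerable version logs the injected string in; the bound version treats ' OR '1=1 as a literal username that matches nothing.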

For the examples below, let's say the table is named HellBound with columns username, pass and year, holding one row: username nighthawk, pass letmein, year 2005.

SELECT - The SELECT statement is used to select data from a table. To select all columns from the HellBound table, use a * symbol instead of column names:

    SELECT * FROM HellBound

To select only the columns named username and pass, list them:

    SELECT username, pass FROM HellBound

FROM - names the table the query reads from, e.g. HellBound.

WHERE - lets you specify conditions that the returned rows must meet:

    SELECT * FROM HellBound WHERE pass='night'

Note that I have used single quotes around the conditional values in the examples. SQL uses single quotes around text values (most database systems will also accept double quotes). Numeric values should not be enclosed in quotes:

    SELECT * FROM HellBound WHERE year>2003

That example uses greater-than in the WHERE clause; the following operators can be used:

    =        Equal
    <>       Not equal
    >        Greater than
    <        Less than
    >=       Greater than or equal
    <=       Less than or equal
    BETWEEN  Between an inclusive range
    LIKE     Search for a pattern

Note: in some versions of SQL the <> operator may be written as !=.

    SELECT * FROM HellBound WHERE pass LIKE 'O%'

That statement returns rows whose pass starts with an O. A % sign is a wildcard (any run of characters, including none) and can be used both before and after the pattern:

    SELECT * FROM HellBound WHERE username LIKE '%a'

That statement returns rows whose username ends with an a.

AND and OR join two or more conditions in a WHERE clause. Use AND to select each user whose username equals nighthawk and whose pass equals letmein:

    SELECT * FROM HellBound WHERE username='nighthawk' AND pass='letmein'

Use OR to select each user whose username equals nighthawk or whose pass equals letmein:

    SELECT * FROM HellBound WHERE username='nighthawk' OR pass='letmein'

The BETWEEN ... AND operator selects a range of data between two values:

    SELECT * FROM HellBound WHERE username BETWEEN 'nighthawk' AND 'Mr_Cheese'

This statement would return all HellBound rows with usernames between nighthawk and Mr_Cheese. Note that the first value must sort before the second, or the range is empty.

The INSERT INTO statement is used to insert new rows into a table:

    INSERT INTO HellBound VALUES ('nighthawk', 'letmein', 2005)

This inserts nighthawk into username, letmein into pass and 2005 into year. To insert data into specified columns only, name them:

    INSERT INTO HellBound (username, pass) VALUES ('nighthawk', 'letmein')

The UPDATE statement is used to modify the data in a table:

    UPDATE HellBound SET pass='cracker' WHERE username='nighthawk'

That example changes nighthawk's password from letmein to cracker. Without the WHERE clause, every row in the table would be changed.

The DELETE statement is used to delete rows from a table:

    DELETE FROM HellBound WHERE username='nighthawk'

This deletes every row whose username is nighthawk (the whole row: username, pass and year).

The SELECT INTO statement is most often used to create backup copies of tables or for archiving records. The following example makes a backup copy of the HellBound table (this is SQL Server syntax; MySQL uses CREATE TABLE ... SELECT instead):

    SELECT * INTO HellBound_backup FROM HellBound

The ALTER TABLE statement is used to add or drop columns in an existing table. To add a column named Age to the HellBound table:

    ALTER TABLE HellBound ADD Age varchar(10)

To drop the Age column from the HellBound table:

    ALTER TABLE HellBound DROP COLUMN Age

Remember that some database systems don't allow dropping a column from a table. You can also use ALTER TABLE to rename a table:

    ALTER TABLE HellBound RENAME TO Hell_Bound

To delete a table entirely:

    DROP TABLE HellBound

Remember this also deletes the table structure, attributes and indexes. If you only want to get rid of the data inside a table and not the table itself, use:

    TRUNCATE TABLE HellBound

This example shows how to create a table named HellBound with four columns, UserName, Password, EMail and Age:

    CREATE TABLE HellBound (UserName varchar, Password varchar, EMail varchar, Age int)

You can specify a maximum length for the text columns (MySQL requires a length for varchar):

    CREATE TABLE HellBound (UserName varchar(30), Password varchar(30), EMail varchar(30), Age int(3))

Comments
ghost 19 years ago

Nice man, I had to use update recently and didn't know the syntax, too bad I bugged psychomarine to tell me before I found this XD

ghost 19 years ago

Awesome article. :oB):);)

Nubzzz 18 years ago

awesome article

ranma 18 years ago

Sweet! thanks a lot!