Injection to change a user's post
Was curious since injection can be used to change a lot in a database, but most references go to users and passwords. Is it possible to change a post in a forum using MySQL injection? If so, how much information would you need? As in location of the string in the database, what command string would have to be used to insert it, etc.
\"The OS is detected as NetBSD (it will even run on your toaster).\"
- Still_Learning
- Fame ! Where are the chicks?!
- bad_brain
- Site Owner
well, a post is technically the same as a username or password: an entry in a table.
what you need is the database schema so you know the table names.....of course this is only easy for pre-made platforms like phpnuke, wordpress, etc...if the database structure is fully custom you can only guess.
and of course you need a flaw that can be exploited....so no changes on the suck-o posts for you...
Yeah, you need to find a vulnerability in the website. Start with malformed URLs and move on to the forms, etc. The SQL command will look something like this:
Code: Select all
UPDATE table SET column_name = "new content of the post" WHERE column_name = "old content of the post"
¯\_(ツ)_/¯ It works on my machine...
- Nerdz
- The Architect
In fact, when you actually submit a value via a URL, you're sending it to the script that will do the proper action...
So let's say in a login form you have in the background a script that does something similar to this
Code: Select all
$row = "Select content from member where username='".$user."' and password='".$pass."';"
I know, double+single quotes can be confusing...
So because this is a login form, it would be stupid to GET the info. Instead usually they use POST. If the site is lame, you can test the website with a single quote in both fields (usr/pwd) and see the result. Juicy error messages are welcome but... RARE.
Juicy: Error in: select content from member where username=''' and password=''';
So if you put this in the login field: '; update member set content='FUCKER' where username='nerdz';--
-- = Comment the rest of the command.
You can also mess with UNION when there's stuff to be displayed. Have fun
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.
- floodhound2
- ∑lectronic counselor
Nerdz wrote:
$row = "Select content from member where username='".$user."' and password='".$pass."';"
I know, double+single quotes can be confusing...
Code: Select all
$query = "SELECT content FROM member WHERE username='{$user}' AND password='{$pass}'";
I <3 MariaLara more than all of you
G-Brain wrote:
Code: Select all
$query = "SELECT content FROM member WHERE username='{$user}' AND password='{$pass}'";
Your point being? =)
"The best place to hide a tree, is in a forest"
- bad_brain
- Site Owner
new whitepaper I found in the packetstorm RSS feed, fits into the topic so I thought I'd share it:
http://packetstormsecurity.org/papers/d ... ggling.pdf
enjoy...
- cyber messiah
cats wrote:
G-Brain wrote:
Code: Select all
$query = "SELECT content FROM member WHERE username='{$user}' AND password='{$pass}'";
Your point being? =)
curly braces are basically for interpolating array elements and also object references inside double quotes. They might be used for variables too; this would be okay too
Code: Select all
$query = "SELECT content FROM member WHERE username='$user' AND password='$pass'";