Injection to change a user's post
FaoX
suck-o-fied!
Posts: 76
Joined: 07 Sep 2007, 16:00

Post by FaoX »

Was curious, since injection can be used to change a lot in a database, but most references go to users and passwords. Is it possible to change a post in a forum using MySQL injection? If so, how much information would you need? As in the location of the string in the database, what command string would have to be used to insert it, etc.
"The OS is detected as NetBSD (it will even run on your toaster)."

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

good question

8)

*awaits answer*

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Well, a post is technically the same as a username or password: an entry in a table.
What you need is the database schema so you know the table names... of course this is only easy for pre-made platforms like PHP-Nuke, WordPress, etc. If the database structure is fully custom you can only guess.
And of course you need a flaw that can be exploited... so no changes on the suck-o posts for you... :lol: :P

FaoX
suck-o-fied!
Posts: 76
Joined: 07 Sep 2007, 16:00

Post by FaoX »

Well, is there any exploration testing I could use, any way to throw commands at the server to find out more of the structure of the database?
"The OS is detected as NetBSD (it will even run on your toaster)."

Gogeta70
^_^
Posts: 3275
Joined: 25 Jun 2005, 16:00

Post by Gogeta70 »

Yeah, you need to find a vulnerability in the website. Start with malformed URLs and move on to the forms, etc. The SQL command will look something like this:

Code:

-- 'table' and 'column_name' are placeholders for the forum's real post table and text column
UPDATE `table` SET column_name = 'new content of the post' WHERE column_name = 'old content of the post';
¯\_(ツ)_/¯ It works on my machine...

FaoX
suck-o-fied!
Posts: 76
Joined: 07 Sep 2007, 16:00

Post by FaoX »

This may sound lame, but the only injection I've ever known was through the URL, just adding commands to the URL. How would I send those commands to the database? >.<;;;

PS: thanks for the help in the past, Gogeta
"The OS is detected as NetBSD (it will even run on your toaster)."

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Either through a browser request or through an input form on the site... "guestbooks" for example can be very dangerous (I think bad input sanitization of guestbooks is the #1 reason for hacked sites :lol: )

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

In fact, when you actually submit a value via a URL, you're sending it to the script that will do the proper action...

So let's say in a login form you have in the background a script that does something similar to this

// vulnerable on purpose: $user and $pass are concatenated straight into the SQL text
$row = "Select content from member where username='".$user."' and password='".$pass."';";

I know, double+single quote can be confusing... :x

So because this is a login form, it would be stupid to GET the info. Instead they usually use POST. If the site is lame, you can test the website with a single quote in both fields (usr/pwd) and see the result. Juicy error messages are welcome but... RARE.

Juicy: Error in: select content from member where username=''' and password=''';

So if you put this in the login field: '; update member set content='FUCKER' where username='nerdz';--

-- = comments out the rest of the command.

You can also mess with UNION when there's stuff to be displayed. Have fun.
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.

floodhound2
∑lectronic counselor
Posts: 2117
Joined: 03 Sep 2006, 16:00
Location: 127.0.0.1

Post by floodhound2 »

Nice follow-up, fellas: B_B, N3rd and G-man. Hell, I am getting a bit glittery wanting to learn more...

Hum ...

Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;

Post by Nerdz »

I am not N3rd! :cry:
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.

floodhound2
∑lectronic counselor
Posts: 2117
Joined: 03 Sep 2006, 16:00
Location: 127.0.0.1

Post by floodhound2 »

Damn, my fault, I did it again! So sorry :oops: Nerdz

G-Brain
Fame ! Where are the chicks?!
Posts: 467
Joined: 08 Nov 2007, 17:00
Location: NL

Post by G-Brain »

Nerdz wrote:
$row = "Select content from member where username='".$user."' and password='".$pass."';";

I know, double+single quote can be confusing... :x

Code:

$query = "SELECT content FROM member WHERE username='{$user}' AND password='{$pass}'";
I <3 MariaLara more than all of you

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

G-Brain wrote:

Code:

$query = "SELECT content FROM member WHERE username='{$user}' AND password='{$pass}'";

Your point being? =)
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

New whitepaper I found in the packetstorm RSS feed; it fits the topic so I thought I'd share it:

http://packetstormsecurity.org/papers/d ... ggling.pdf

enjoy... :wink:

pseudo_opcode
cyber messiah
Posts: 1201
Joined: 30 Apr 2006, 16:00
Location: 127.0.0.1

Post by pseudo_opcode »

cats wrote:
G-Brain wrote:

Code:

$query = "SELECT content FROM member WHERE username='{$user}' AND password='{$pass}'";

Your point being? =)
Curly braces are basically for interpolating array elements and also object references inside double quotes. They might be used for variables too;

this would be okay too

Code:

$query = "SELECT content FROM member WHERE username='$user' AND password='$pass'";
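An added example (not code from this thread) that puts the concatenated login query Nerdz posted, and the interpolated variants G-Brain and pseudo_opcode discuss, next to a parameterised PDO version, using an in-memory SQLite database so it runs offline; the member table, its single row and the password value are constructed here.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO; the member
// table and its one row are constructed here for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (username TEXT, password TEXT, content TEXT)");
$db->exec("INSERT INTO member VALUES ('nerdz', 's3cret', 'original post')");

// Helper: read back nerdz's stored content so each step can be checked.
function currentContent(PDO $db): string {
    return $db->query("SELECT content FROM member WHERE username='nerdz'")->fetchColumn();
}

// The login-field value from Nerdz's post, submitted as the username; the
// password can be anything because the trailing clause gets commented out.
$user = "'; update member set content='FUCKER' where username='nerdz';--";
$pass = "whatever";

// 1) Vulnerable: the input is pasted into the SQL text. The leading quote closes
//    the username literal, ';' terminates the SELECT and '--' discards the rest.
$vulnerable = "SELECT content FROM member WHERE username='$user' AND password='$pass'";
echo "SQL text the server receives:\n$vulnerable\n";
$db->exec($vulnerable);                 // pdo_sqlite's exec() runs every statement in the string
echo "content after vulnerable query: " . currentContent($db) . "\n";   // row was rewritten

// Put the row back before showing the safe version.
$db->exec("UPDATE member SET content='original post' WHERE username='nerdz'");

// 2) Hardened: the SQL text is fixed at prepare time and the input is bound as
//    data, so the whole string is compared against the username column and
//    simply matches nothing; no second statement can be introduced.
$stmt = $db->prepare("SELECT content FROM member WHERE username = ? AND password = ?");
$stmt->execute([$user, $pass]);
echo "rows matched by prepared statement: " . count($stmt->fetchAll()) . "\n";
echo "content after prepared statement: " . currentContent($db) . "\n";  // unchanged
```

Whether the stacked UPDATE actually executes depends on the driver entry point (PHP's legacy mysql_query() and mysqli::query() run a single statement, while pdo_sqlite's exec() runs all of them); binding the value as a parameter removes the dependence on that detail.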
