SQL , often referred to as Structured Query Language,
is a database computer language designed for managing data in
relational database management systems (RDBMS), and originally based
upon relational algebra and calculus. Its scope includes data insert,
query, update and delete, schema creation and modification, and data
access control.
{Wikipedia Definition}
In a nutshell, SQL is the most user friendly Web Programming language highly used and appreciated.
SQL INJECTION:
"An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input."
- Web Application Security Consortium Glossary
OR It is a way by which people can exploit the user-friendliness of the server and use it to gain data access etc.
SQL website servers are generally saved as formats of .php or .asp or .aspx
SQL language is simply based upon certain codes which can be exploited easily unless and until taken care of.
If you get across a SQL server , look out for the following.
First of all you need to get to the administrator or login pages of a website.
{It may take time to find one , Will explain the ways to find the admin page later }
CHECKING FOR VULNERABILITIES:
First of all we need to find whether the server is vulnerable to SQL injection or not.
In the admin login page,
In the username enter a single character apostrophe that is '
and in the password field enter a single character equal that is =
press login.
If the page shows an error report like Internal Server Error or LANGUAGE NOT DEFINED , etc. , then the website is vulnerable to sql injection.
Now,
Open the source page of the website, {In firefox open the View column and click on page source}
look for something like
<form><input></input>
<input></input>
<input></input>
</form>
OR
SELECT * FROM members WHERE username = 'user' AND password = 'password'
Now here comes the Hack Exploit,
When in the main page , We type username in the username box , the script changes to "username='hellboyuser'"
Now the hack
Got to the main page and in the Username box type admin'--
what it means,
it will change the script to "username='admin'--'"
the two hashes -- in the script language means IGNORE THE REST, which mean the script will ignore the password area.
So
Coming back,
In the username type admin'-- and leave out the password field , press login and get access to the administrator page.
EXCEPTIONS:
Some website programmers know this hack so you may need to enter multiple passwords
Eg:
In the username type admin
In the password type 'or''='
also try out these attributes ,
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
' or 1=1#
Works fantastic.
This hack doesn't work on all websites and I prefer you not to try it on any legal website.
To find the vulnerable sites , go to google and search, inurl:/adminlogin.asp
this search brings out the admin login pages of many website,
try on own risk.
THIS PAGE IS FOR EDUCATIONAL PURPOSES ONLY.
TRY ON UR OWN
{Wikipedia Definition}
In a nutshell, SQL is the most user friendly Web Programming language highly used and appreciated.
SQL INJECTION:
"An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input."
- Web Application Security Consortium Glossary
OR It is a way by which people can exploit the user-friendliness of the server and use it to gain data access etc.
SQL website servers are generally saved as formats of .php or .asp or .aspx
SQL language is simply based upon certain codes which can be exploited easily unless and until taken care of.
If you get across a SQL server , look out for the following.
First of all you need to get to the administrator or login pages of a website.
{It may take time to find one , Will explain the ways to find the admin page later }
CHECKING FOR VULNERABILITIES:
First of all we need to find whether the server is vulnerable to SQL injection or not.
In the admin login page,
In the username enter a single character apostrophe that is '
and in the password field enter a single character equal that is =
press login.
If the page shows an error report like Internal Server Error or LANGUAGE NOT DEFINED , etc. , then the website is vulnerable to sql injection.
Now,
Open the source page of the website, {In firefox open the View column and click on page source}
look for something like
<form><input></input>
<input></input>
<input></input>
</form>
OR
SELECT * FROM members WHERE username = 'user' AND password = 'password'
Now here comes the Hack Exploit,
When in the main page , We type username in the username box , the script changes to "username='hellboyuser'"
Now the hack
Got to the main page and in the Username box type admin'--
what it means,
it will change the script to "username='admin'--'"
the two hashes -- in the script language means IGNORE THE REST, which mean the script will ignore the password area.
So
-
- SELECT * FROM members WHERE username = 'admin'--'|||||| AND password = 'password'
Coming back,
In the username type admin'-- and leave out the password field , press login and get access to the administrator page.
EXCEPTIONS:
Some website programmers know this hack so you may need to enter multiple passwords
Eg:
In the username type admin
In the password type 'or''='
also try out these attributes ,
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
' or 1=1#
Works fantastic.
This hack doesn't work on all websites and I prefer you not to try it on any legal website.
To find the vulnerable sites , go to google and search, inurl:/adminlogin.asp
this search brings out the admin login pages of many website,
try on own risk.
THIS PAGE IS FOR EDUCATIONAL PURPOSES ONLY.
TRY ON UR OWN
No comments:
Post a Comment