
      SQL Injection


      SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

      Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string. The variable is fetched from user input (getRequestString):
      Example

      txtUserId = getRequestString("UserId");
      txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

      The rest of this chapter describes the potential dangers of using user input in SQL statements.
      SQL Injection Based on 1=1 is Always True

      Look at the example above again. The original purpose of the code was to create an SQL statement to select a user, with a given user id.

      If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

      UserId: 105 OR 1=1

      Then, the SQL statement will look like this:

      SELECT * FROM Users WHERE UserId = 105 OR 1=1;

      The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.

      Does the example above look dangerous? What if the "Users" table contains names and passwords?

      The SQL statement above is much the same as this:

      SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

      A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.

      SQL Injection Based on ""="" is Always True


      uName = getRequestString("username");
      uPass = getRequestString("userpassword");


      sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

      Result


      SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"

      A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box:

      User Name: " OR ""="
      Password: " OR ""="

      The code at the server will create a valid SQL statement like this:


      SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

      The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

      SQL Injection Based on Batched SQL Statements

      Most databases support batched SQL statements.

      A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

      The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

      Example


      SELECT * FROM Users; DROP TABLE Suppliers

      Look at the following example:

      Example


      txtUserId = getRequestString("UserId");
      txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

      And the following input:

      User id: 105; DROP TABLE Suppliers

      The valid SQL statement would look like this:

      Result


      SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

      Use SQL Parameters for Protection

      To protect a web site from SQL injection, you can use SQL parameters.

      SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

      ASP.NET Razor Example


      txtUserId = getRequestString("UserId");
      txtSQL = "SELECT * FROM Users WHERE UserId = @0";
      db.Execute(txtSQL,txtUserId);

      Note that parameters are represented in the SQL statement by a @ marker.

      The SQL engine checks each parameter to ensure that it is correct for its column, and the parameter is treated literally, not as part of the SQL to be executed.

      Another Example


      txtNam = getRequestString("CustomerName");
      txtAdd = getRequestString("Address");
      txtCit = getRequestString("City");
      txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
      db.Execute(txtSQL,txtNam,txtAdd,txtCit);

      Examples

      The following examples show how to build parameterized queries in some common web languages.

      SELECT STATEMENT IN ASP.NET:


      txtUserId = getRequestString("UserId");
      sql = "SELECT * FROM Customers WHERE CustomerId = @0";
      command = new SqlCommand(sql);
      command.Parameters.AddWithValue("@0",txtUserId);
      command.ExecuteReader();

      INSERT INTO STATEMENT IN ASP.NET:


      txtNam = getRequestString("CustomerName");
      txtAdd = getRequestString("Address");
      txtCit = getRequestString("City");
      txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
      command = new SqlCommand(txtSQL);
      command.Parameters.AddWithValue("@0",txtNam);
      command.Parameters.AddWithValue("@1",txtAdd);
      command.Parameters.AddWithValue("@2",txtCit);
      command.ExecuteNonQuery();

      INSERT INTO STATEMENT IN PHP:


      $stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)
      VALUES (:nam, :add, :cit)");
      $stmt->bindParam(':nam', $txtNam);
      $stmt->bindParam(':add', $txtAdd);
      $stmt->bindParam(':cit', $txtCit);
      $stmt->execute();

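The three injections described in the post above (OR 1=1, the quote-break on a login form, and a batched DROP TABLE) next to the parameterized fix, run end to end against an in-memory SQLite database. This is an added example, not code from the original post. The Users and Suppliers rows are constructed sample data; the post's login query is written here with single-quoted string literals, so the post's payload " OR ""=" becomes ' OR ''=', and sqlite3.executescript stands in for a database driver that accepts batched statements.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [(105, "John Doe", "myPass"), (106, "Jane Roe", "hunter2"), (107, "admin", "S3cret!")]


def make_db():
    """In-memory SQLite database with the Users and Suppliers tables the post refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Pass TEXT)")
    conn.execute("CREATE TABLE Suppliers (SupplierId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    conn.execute("INSERT INTO Suppliers VALUES (1, 'Acme')")
    conn.commit()
    return conn


def vulnerable_select_by_id(conn, user_id_input):
    """Same pattern as the post: the request value is pasted straight into the SQL text."""
    sql = "SELECT UserId, Name, Pass FROM Users WHERE UserId = " + user_id_input
    return conn.execute(sql).fetchall()


def vulnerable_login(conn, name_input, pass_input):
    """Login check built by concatenation; the attacker's quote closes the literal early."""
    sql = ("SELECT UserId, Name FROM Users WHERE Name = '" + name_input
           + "' AND Pass = '" + pass_input + "'")
    return conn.execute(sql).fetchall()


def vulnerable_batched(conn, user_id_input):
    """Concatenation plus a call that accepts batches: executescript runs every statement in the string."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id_input
    conn.executescript(sql)


def safe_select_by_id(conn, user_id_input):
    """Parameterized: the value is bound separately and is compared as a whole, never parsed as SQL."""
    sql = "SELECT UserId, Name, Pass FROM Users WHERE UserId = ?"
    return conn.execute(sql, (user_id_input,)).fetchall()


def safe_login(conn, name_input, pass_input):
    """Parameterized login check; quotes inside the inputs are just characters of the value."""
    sql = "SELECT UserId, Name FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (name_input, pass_input)).fetchall()


def table_exists(conn, name):
    """True if a table of that name still exists (used to observe the DROP TABLE)."""
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_select_by_id(conn, "105 OR 1=1"))       # every row, passwords included
    print(vulnerable_login(conn, "' OR ''='", "' OR ''='"))  # every row
    vulnerable_batched(conn, "105; DROP TABLE Suppliers")
    print(table_exists(conn, "Suppliers"))                   # False: the table is gone
    print(safe_select_by_id(conn, "105 OR 1=1"))             # []: the input is compared literally
    print(safe_login(conn, "' OR ''='", "' OR ''='"))        # []
```

The parameterized calls return no rows for the attack strings because the driver compares the whole input as one value against the column. Binding does not validate the value, so converting UserId to an integer before the query is still worth doing. The batched case also shows that the driver call matters as much as the query text: sqlite3's execute refuses more than one statement per call, while executescript runs all of them.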

      Yep, some basics.

      Later on you'll need to hit some things more aggressively to really get between those Databases cheeks  $$$$$$

      >:)

       

