      SQL Injection

      SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.

      Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string. The variable is fetched from user input (getRequestString):
      Example

      txtUserId = getRequestString("UserId");
      txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

      The rest of this chapter describes the potential dangers of using user input in SQL statements.

      SQL Injection Based on 1=1 is Always True

      Look at the example above again. The original purpose of the code was to create an SQL statement to select a user, with a given user id.

      If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

      UserId: 105 OR 1=1

      Then, the SQL statement will look like this:

      SELECT * FROM Users WHERE UserId = 105 OR 1=1;

      The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.

      Does the example above look dangerous? What if the "Users" table contains names and passwords?

      The SQL statement above is much the same as this:

      SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;

      A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.

      SQL Injection Based on ""="" is Always True

      uName = getRequestString("username");
      uPass = getRequestString("userpassword");
      sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'

      Result

      SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"

      A hacker might get access to user names and passwords in a database by simply inserting " OR ""=" into the user name or password text box:

      The code at the server will create a valid SQL statement like this:

      SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""

      The SQL above is valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

      SQL Injection Based on Batched SQL Statements

      Most databases support batched SQL statements.

      A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

      The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

      Example

      SELECT * FROM Users; DROP TABLE Suppliers

      Look at the following example:

      Example

      txtUserId = getRequestString("UserId");
      txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

      And the following input:

      User id: 105; DROP TABLE Suppliers

      The valid SQL statement would look like this:

      Result

      SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

      Use SQL Parameters for Protection

      To protect a web site from SQL injection, you can use SQL parameters.

      SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

      ASP.NET Razor Example

      txtUserId = getRequestString("UserId");
      txtSQL = "SELECT * FROM Users WHERE UserId = @0";
      db.Execute(txtSQL,txtUserId);

      Note that parameters are represented in the SQL statement by a @ marker.

      The SQL engine checks each parameter to ensure that it is correct for its column and is treated literally, not as part of the SQL to be executed.

      Another Example

      txtNam = getRequestString("CustomerName");
      txtAdd = getRequestString("Address");
      txtCit = getRequestString("City");
      txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
      db.Execute(txtSQL,txtNam,txtAdd,txtCit);

      Examples

      The following examples show how to build parameterized queries in some common web languages.

      SELECT STATEMENT IN ASP.NET:

      txtUserId = getRequestString("UserId");
      sql = "SELECT * FROM Customers WHERE CustomerId = @0";
      command = new SqlCommand(sql);
      command.Parameters.AddWithValue("@0",txtUserId);
      command.ExecuteReader();

      INSERT INTO STATEMENT IN ASP.NET:

      txtNam = getRequestString("CustomerName");
      txtAdd = getRequestString("Address");
      txtCit = getRequestString("City");
      txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
      command = new SqlCommand(txtSQL);
      command.Parameters.AddWithValue("@0",txtNam);
      command.Parameters.AddWithValue("@1",txtAdd);
      command.Parameters.AddWithValue("@2",txtCit);
      command.ExecuteNonQuery();

      INSERT INTO STATEMENT IN PHP:

      $stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)
      VALUES (:nam, :add, :cit)");
      $stmt->bindParam(':nam', $txtNam);
      $stmt->bindParam(':add', $txtAdd);
      $stmt->bindParam(':cit', $txtCit);
      $stmt->execute();
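The three inputs from the post above (`105 OR 1=1`, the quoted-string tautology and `105; DROP TABLE Suppliers`) and the parameterised fix, replayed in Python against an in-memory SQLite database. This is an added example, not code from the post: the `Users`/`Suppliers` tables, their columns (`UserId`, `Name`, `Password`) and the sample rows are constructed here, the login query uses single quotes (so the tautology input is `' OR ''='` rather than the post's `" OR ""="`), and sqlite3's `?` placeholder stands in for the `@0` marker of the ASP.NET examples.

```python
# Added example, not code from the original post: replays the post's injection
# inputs against constructed sample data, first through string-concatenated SQL
# and then through bound parameters. Table names, columns and rows are assumptions.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the constructed sample database used by every function below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT);
        INSERT INTO Users VALUES (105, 'John Doe', 'myPass');
        INSERT INTO Users VALUES (106, 'Jane Roe', 'hunter2');
        CREATE TABLE Suppliers (SupplierId INTEGER, Name TEXT);
        """
    )
    return conn


# --- Vulnerable versions: the input becomes part of the SQL text ---------------

def lookup_user_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """Equivalent of the post's  txtSQL = "... WHERE UserId = " + txtUserId."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Equivalent of the post's quoted login query, using single quotes."""
    sql = ("SELECT * FROM Users WHERE Name ='" + name
           + "' AND Password ='" + password + "'")
    return conn.execute(sql).fetchall()


# --- Parameterised versions: the input is bound, never parsed as SQL -----------

def lookup_user_param(conn: sqlite3.Connection, user_id: str) -> list:
    """'?' is sqlite3's positional marker, like @0 in the post's ASP.NET code.
    The bound text is compared with the column as a value; '105 OR 1=1' matches
    nothing, while '105' still matches the intended row."""
    return conn.execute(
        "SELECT * FROM Users WHERE UserId = ?", (user_id,)
    ).fetchall()


def login_param(conn: sqlite3.Connection, name: str, password: str) -> list:
    return conn.execute(
        "SELECT * FROM Users WHERE Name = ? AND Password = ?", (name, password)
    ).fetchall()


def try_stacked_concat(conn: sqlite3.Connection, user_id: str) -> str:
    """The post's batched input. sqlite3's execute() accepts only one statement
    per call and refuses the second one (Warning before Python 3.12,
    ProgrammingError from 3.12). That is a driver quirk, not a defence: a driver
    or DBMS that accepts batches would run the DROP TABLE."""
    try:
        lookup_user_concat(conn, user_id)
        return "executed"
    except (sqlite3.Warning, sqlite3.Error):
        return "rejected by driver"


def suppliers_table_exists(conn: sqlite3.Connection) -> bool:
    """Check whether the Suppliers table survived the stacked-statement attempt."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='Suppliers'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print("concat, 105 OR 1=1      ->", len(lookup_user_concat(db, "105 OR 1=1")), "rows")
    print("param,  105 OR 1=1      ->", len(lookup_user_param(db, "105 OR 1=1")), "rows")
    print("param,  105             ->", len(lookup_user_param(db, "105")), "rows")
    print("concat login tautology  ->", len(login_concat(db, "' OR ''='", "' OR ''='")), "rows")
    print("param  login tautology  ->", len(login_param(db, "' OR ''='", "' OR ''='")), "rows")
    print("stacked via concat      ->", try_stacked_concat(db, "105; DROP TABLE Suppliers"))
    print("Suppliers still exists  ->", suppliers_table_exists(db))
```

Run as a script, the concatenated lookups return both rows for the tautology inputs while the parameterised ones return none, and the intended `105` lookup still works through the parameter. Binding is the fix the post recommends; a practitioner adds type validation on top of it (convert a numeric id with `int()` before binding and reject anything else), and does not count on a driver's single-statement limit, since that varies between drivers and databases.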

      Yep, some basics.

      Later on you'll need to hit some things more aggressively to really get between those Databases cheeks $$$$$$

      >:)
