Moonbat
03-27-2007, 02:22 PM
This is my little guide to SQL Injections:
Ah, here we go.
http://www.w*schools.com/sql/default.asp
You can learn all about SQL and what it's for here. I'm not gonna try to explain all of that, this is only for injections.
------------------------------------------------
Now, suppose you are at a site called www.candycanestotehmax.com (http://www.candycanestotehmax.com). You have to login to this site to see the candy canes. The login page is like this:
www.candycanestotehmax.com/login.php
Now you try logging in with a bogus name and password. The URL now becomes something like:
www.candycanestotehmax.com/login.php?user=johnny&password=nicetry
You obviously weren't able to log in. But now you want to see if the login is vulnerabel to SQL injection. Try playing around a bit with the URL.
www.candycanestotehmax.com/login.php?user=a'&password=*=*
OR
www.candycanestotehmax.com/login.php?user=*=*&password=*'
OR
Some other combanation, there should be apostrophes and/or equal statements (*=*) because these tend to confuse servers.
Anyways, you should see some wierd error, but if you don't, don't fret, there still could be a vulnerability (known as Blind SQL Injection).
-----------------------------------------------
Well now suppose you've found a vulnerablitly to SQL injections on candycanestotehmax.com. Break down the URL and convert it into SQL. When you see this URL:
www.candycanestotehmax.com/login.php?user=johnny&password=nicetry
It's actually sending two SQL queries, one for a username match and one for a passowrd match. It looks like this (let's assume the name of the table is "login"):
SELECT username FROM login WHERE username='johnny'
SELECT password FROM login WHERE password='nicetry'
But there is no username johnny or password nicetry in the database, so therefore you can't login. But now you know a vital piece of info: The table "login" contains all the usernames and passwords. It would be nice if we could view this table.
------------------------------------------
So we find somewhere where we can enter text, sometimes this is the login field, other times you actually have to enter it in the URL, usually after the ? in a php page. But assume you have to enter it in the login. In the username field, enter a command so you can view the usernames on the table "login".
SELECT username FROM login
This would display the list of usernames in the table login. You can go back and edit the injection so it shows you the passwords also.
------------------------------------------
Well, thanks for reading my tutorial, I hope you learn something:D
-Moonbat
Ah, here we go.
http://www.w*schools.com/sql/default.asp
You can learn all about SQL and what it's for here. I'm not gonna try to explain all of that, this is only for injections.
------------------------------------------------
Now, suppose you are at a site called www.candycanestotehmax.com (http://www.candycanestotehmax.com). You have to login to this site to see the candy canes. The login page is like this:
www.candycanestotehmax.com/login.php
Now you try logging in with a bogus name and password. The URL now becomes something like:
www.candycanestotehmax.com/login.php?user=johnny&password=nicetry
You obviously weren't able to log in. But now you want to see if the login is vulnerabel to SQL injection. Try playing around a bit with the URL.
www.candycanestotehmax.com/login.php?user=a'&password=*=*
OR
www.candycanestotehmax.com/login.php?user=*=*&password=*'
OR
Some other combanation, there should be apostrophes and/or equal statements (*=*) because these tend to confuse servers.
Anyways, you should see some wierd error, but if you don't, don't fret, there still could be a vulnerability (known as Blind SQL Injection).
-----------------------------------------------
Well now suppose you've found a vulnerablitly to SQL injections on candycanestotehmax.com. Break down the URL and convert it into SQL. When you see this URL:
www.candycanestotehmax.com/login.php?user=johnny&password=nicetry
It's actually sending two SQL queries, one for a username match and one for a passowrd match. It looks like this (let's assume the name of the table is "login"):
SELECT username FROM login WHERE username='johnny'
SELECT password FROM login WHERE password='nicetry'
But there is no username johnny or password nicetry in the database, so therefore you can't login. But now you know a vital piece of info: The table "login" contains all the usernames and passwords. It would be nice if we could view this table.
------------------------------------------
So we find somewhere where we can enter text, sometimes this is the login field, other times you actually have to enter it in the URL, usually after the ? in a php page. But assume you have to enter it in the login. In the username field, enter a command so you can view the usernames on the table "login".
SELECT username FROM login
This would display the list of usernames in the table login. You can go back and edit the injection so it shows you the passwords also.
------------------------------------------
Well, thanks for reading my tutorial, I hope you learn something:D
-Moonbat