Sunday, April 20, 2014
SQL - Stored Procedures


Posted on 17-06-08 00:54
I have a question about SQL injections and stored procedures. Normally I say that one can hack everything, it's just a matter of will and resources.

1) But how would you go about hacking stored procedures? I mean would I have to attack the server straight on, or go through the application?
2) And how hard would it be, on a scale from 1-10?

I know how the program and the stored procedures are written has a lot to say, but for this, let's say it's not a total idiot that has made the code. My knowledge on this area is limited and therefore my questions might not be asked correctly, but I think you know where I'm going with this.



RE: SQL - Stored Procedures


Posted on 17-06-08 07:07
Therma wrote:
I have a question about SQL injections and stored procedures. Normally I say that one can hack everything, it's just a matter of will and resources.

1) But how would you go about hacking stored procedures? I mean would I have to attack the server straight on, or go through the application?
2) And how hard would it be, on a scale from 1-10?

I know how the program and the stored procedures are written has a lot to say, but for this, let's say it's not a total idiot that has made the code. My knowledge on this area is limited and therefore my questions might not be asked correctly, but I think you know where I'm going with this.


I think the best way to figure it out would be to set up something similar to it at home, or on a network. Then test it out. Since I don't know much about SQL Stored Procedures, I can't really help you. For me the best way to learn is trial and error, maybe you could try the same.


RE: SQL - Stored Procedures


Posted on 17-06-08 09:15
@Feralas
Yeah, that was also my next step, but since I'm a programmer I'm always looking for the easiest way :). And I'm not really sure how I would do it, and can't really find anything decent about it on the net, so far. But I guess I will have to break out the old computers and make a network.

If anyone else should have any input on this, please let me know.



RE: SQL - Stored Procedures


Posted on 17-06-08 09:42
SQL injection can also affect stored procedures..

Have a look at this article..
http://palisade.p. . .rocedures/

There are also plenty of other articles discussing this on google.

If you want to try it at home you will need an SQL server. Preferably, get comfortable with the syntax for writing stored procedures before installing the SQL server of choice.

Your best bet would be to start off injecting the stored procedure by calling it directly from a SQL server client. Then move onto writing a web page or application which calls the stored procedure and inject it through that.

There are plenty of examples of SQL injection which also affect stored procedures, so start with reading some articles and set up a test environment based on the scenarios you have been shown. Once you can see how the injection is happening, write some of your own stored procedures and try and inject them.

Once you have figured out how to inject the stored procedures, rewrite them in a way which prevents injection and try your queries again until it is secure.

There you have it.. a beginner's guide to injecting stored procedures.
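
The write-it, test-it, rewrite-it exercise from the post above, as an added example that is not part of the original thread: a stored procedure that builds its query by string concatenation, next to two rewrites that bind the value as a parameter. It assumes Microsoft SQL Server (T-SQL) in a local test instance; the table, rows and procedure names are constructed for illustration.

```sql
-- Constructed sample table and rows (assumptions, not from the thread).
CREATE TABLE dbo.Customers (Id INT PRIMARY KEY, LastName NVARCHAR(50), Email NVARCHAR(100));
INSERT INTO dbo.Customers VALUES (1, N'Smith',    N'smith@example.test'),
                                 (2, N'O''Brien', N'obrien@example.test');
GO

-- Injectable: the parameter is concatenated into a string and executed,
-- so quote characters inside @LastName become part of the SQL statement.
-- Being "inside a stored procedure" gives no protection here.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(400) =
        N'SELECT Id, LastName, Email FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Hardened, dynamic SQL still required: the statement text is fixed and the
-- value is bound by sp_executesql, so it is only ever compared as data.
CREATE PROCEDURE dbo.FindCustomer_Bound @LastName NVARCHAR(50)
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT Id, LastName, Email FROM dbo.Customers WHERE LastName = @name',
        N'@name NVARCHAR(50)',
        @name = @LastName;
END
GO

-- Hardened, simplest form: no dynamic SQL, the parameter is used directly.
CREATE PROCEDURE dbo.FindCustomer_Static @LastName NVARCHAR(50)
AS
BEGIN
    SELECT Id, LastName, Email FROM dbo.Customers WHERE LastName = @LastName;
END
GO

-- Constructed test values, run from a SQL client against each procedure:
-- a legitimate name that contains a quote, then a value that closes the
-- string literal and appends its own condition.
EXEC dbo.FindCustomer_Dynamic @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Bound   @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Dynamic @LastName = N''' OR ''1''=''1';
EXEC dbo.FindCustomer_Bound   @LastName = N''' OR ''1''=''1';
```

Comparing the results of each pair shows where the input stops being a name and starts being SQL; the bound and static versions treat both values purely as a name to look up.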
RE: SQL - Stored Procedures


Posted on 17-06-08 11:55
Great link, thanks a lot..