Friday, April 18, 2014

Author

SQL injection


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-03-09 23:46
So, I decided to practice SQL on a random vulnerable site to see if I could actually do some kind of web hacking outside of this site.

First off, if anyone thinks this is a bad idea, then tell me now. But I'm merely doing this to practice, not to do anything malicious.

I found a vulnerable site, used ORDER BY and found the number of columns.

Then I tried the UNION statement... the only problem is, I don't know what to select from or how to find it. I tried Google, but this is something that has stumped me. In general, how do you know what table to select from? Will it be in the source code somewhere? Do I just have to take wild guesses? Or should I try simpler injections to discover that information?

Any advice on this would be much appreciated.


Author

RE: SQL injection

clone4
Member



Posts: 586
Location: He is back and he's bad!
Joined: 25.11.07
Rank:
Mad User
Posted on 09-03-09 00:02
sharline23 wrote:
So, I decided to practice SQL on a random vulnerable site to see if I could actually do some kind of web hacking outside of this site.

First off, if anyone thinks this is a bad idea, then tell me now. But I'm merely doing this to practice, not to do anything malicious.

I found a vulnerable site, used ORDER BY and found the number of columns.

Then I tried the UNION statement... the only problem is, I don't know what to select from or how to find it. I tried Google, but this is something that has stumped me. In general, how do you know what table to select from? Will it be in the source code somewhere? Do I just have to take wild guesses? Or should I try simpler injections to discover that information?

Any advice on this would be much appreciated.


To answer your first question, no, I think nobody minds; make sure you use a proxy, just to be safe, but from my experience the best way to start off with SQL injections is to have your own MySQL on Apache, and then code and try injections locally.
The SQL injection you are trying is fully called blind SQL injection, and guess why: because you don't see the names of columns and/or tables. This, however, doesn't mean that you can't find out. One of the common ways is through error messages: if the coder was careless enough to actually print the error message you get from injection to the page, you are halfway there, since with some injections you can force the script to print out the table/column names. If you have the right privileges, you can try to access the schema table, which contains all data about all the tables within that database (for more info refer to this site: http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/). Lastly, it should never be 'wild' guessing: you try the common names for columns and tables (users/user, username/password, etc.), look at POST and GET variables (it's quite common that those match the SQL database names), and just look around for any hints the programmer may have left (checking the source, comments, etc.). And lastly you can always write an SQL injection bruteforcer (even though that's a very last resort ;))


spyware - "They see me trollin'..."
<yaragn> ever seen that movie? The Matrix?
<yaragn> with those green lines of flying text?
<yaragn> *THAT'S* Perl



Edited by clone4 on 09-03-09 00:06
clone_4@hotmail.com
Author

RE: SQL injection

fashizzlepop
Member



Posts: 482
Location: Old folks home.
Joined: 08.04.08
Rank:
Moderate
Posted on 09-03-09 00:04
Have you done basic 21 yet? You should start there. It will make you learn what injections you need, including how to find what tables to look for.

And no they aren't in the source.

EDIT: Little late but should still help.


"The definition of insanity is doing the same thing over and over again and expecting different results."
~Albert Einstein~



Edited by fashizzlepop on 09-03-09 00:05
fashizzlepop@gmail.com http://csullivan.codeinspire.net/
Author

RE: SQL injection


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 09-03-09 02:47
I'd say it's better to try on your own server, since you can never be too careful. :)


Author

RE: SQL injection


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 09-03-09 05:03
Alright, thanks a lot guys. This really helped me to understand SQL better and I am going to code my own server now. B)


Author

RE: SQL injection


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 09-03-09 05:31
If you have right privileges, you can try to access the schema table


Just check to see what version of MySQL they're running and that'll tell you whether or not information_schema is present.

As far as knowing what to select, you select the number of columns. (union+all+select+1,2,3,4,5--) << Something like that. Whatever numbers are displayed on the page correspond with a column through which you can display information.
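
A local lab version of the behaviour discussed in this thread (ORDER BY column counting, database errors printed to the page, and UNION numbers reflected in the output), next to a hardened handler. This is an added example, not code from any poster; it uses an in-memory SQLite database in place of MySQL, and the `products` table, its rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the MySQL setup in the thread.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'kettle', '19.99'), (2, 'toaster', '24.50');
    """)
    return db

def render(rows):
    # Whatever the query returns is what ends up on the page.
    return "\n".join(" | ".join(str(col) for col in row) for row in rows)

def page_vulnerable(db, product_id):
    # The request value is concatenated into the SQL text, so it can change
    # the shape of the statement, and database errors are echoed to the page.
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    try:
        return render(db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return "DB error: %s" % exc

def page_hardened(db, product_id):
    # 1) Validate the type, 2) bind the value as a parameter so it is only
    # ever data, 3) return one generic message for every failure.
    if not (product_id.isascii() and product_id.isdigit()):
        return "Not found"
    try:
        rows = db.execute(
            "SELECT id, name, price FROM products WHERE id = ?",
            (int(product_id),),
        ).fetchall()
    except sqlite3.Error:
        return "Not found"  # log the detail server-side, never on the page
    return render(rows) or "Not found"

# Inputs in the shapes the thread mentions (three columns for this table).
ORDER_BY_PROBE = "1 ORDER BY 4"
UNION_PROBE = "0 UNION ALL SELECT 1,2,3--"

if __name__ == "__main__":
    db = make_db()
    for value in ("1", ORDER_BY_PROBE, UNION_PROBE):
        print(repr(value))
        print("  vulnerable:", page_vulnerable(db, value))
        print("  hardened:  ", page_hardened(db, value))
```
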