Author Topic: SQL Injection  (Read 63427 times)

0 Members and 1 Guest are viewing this topic.

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: SQL Injection
« Reply #15 on: February 05, 2012, 08:49:08 pm »
l33tas did you try to break the first SELECT statement by throwing a -1 instead of a 1 so for example 
Code: [Select]
: SELECT * FROM `table_test` WHERE straipsnio_id = '-1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
~Factionwars

Offline l33tas

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Re: SQL Injection
« Reply #16 on: February 06, 2012, 02:19:55 pm »
I get error: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5,6,7,8,9,10 LIMIT 0, 30' at line 1
mb my MySQL db dont understand concat( table_name )? or all db must execute this function?
But if I try SELECT concat(table_name) FROM `tables` WHERE table_schema='test_table' its works fine..
« Last Edit: February 06, 2012, 06:58:19 pm by l33tas »

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: SQL Injection
« Reply #17 on: February 11, 2012, 09:08:26 am »
Videos are shit. You do not learn SQL injection without knowing SQL... this way you can learn few commands and that's it! Only if you know SQL you can make queries and inject them... ugh.

Learn SQL and ONLY THEN learn how to inject!

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL Injection
« Reply #18 on: February 11, 2012, 05:25:31 pm »
I try this tutorial.. and have problem.
First: when you try write http://evilzone.org/index.php?id=17+ORDER+BY+5 or http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3 you get nothing.. I solved this problem with ...?id=17' UNION ALL SELECT 1,2,3# but if you write in url in my case # dont works so I change it to %23. like ?id=17' UNION ALL SELECT 1,2,3%23.
Second: when I try this ?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database() its dont work.. I try in MySQL and its gives this error: #1109 - Unknown table 'table_test' in information_schema
in my case Sql query is : SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
any solution?

Your SQL query is invalid:
Code: [Select]
SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
That is not a valid SQL query. I think you mean:
Code: [Select]
SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name),5,6,7,8,9,10 FROM `information_schema.TABLES` WHERE table_schema=database()
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline D4rk0rD

  • /dev/null
  • *
  • Posts: 14
  • Cookies: -2
  • Java Developer
    • View Profile
Re: SQL Injection
« Reply #19 on: March 27, 2012, 02:57:05 pm »
Interesting article , Best way to master SQL injection is learning sql first and study whats happen behind the scene when we injecting .

you can download a SQL manual on MySql site , Thats good  manual to familiar with SQL .
The focused mind can pierce through stone.

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: SQL Injection
« Reply #20 on: March 27, 2012, 03:01:23 pm »
Interesting article , Best way to master SQL injection is learning sql first and study whats happen behind the scene when we injecting .

you can download a SQL manual on MySql site , Thats good  manual to familiar with SQL .

Also the way php/asp/python etc. Vreates and executes the querys
~Factionwars

Offline dataspy

  • Peasant
  • *
  • Posts: 99
  • Cookies: 16
    • View Profile
Re: SQL Injection
« Reply #21 on: March 27, 2012, 08:42:28 pm »
Awesome tutorial, thanks!!!!

I have to mess with this more, I was already doing all the preventive measures recommended in this tutorial but even when I take prevntive measures away I still can't break my code, I'm gonna have to do a lot more studying!!!

example of some code I was trying to break (my dad owns a limousine company, I wrote this for him to keep track of maintenance on the vehicles)

SearchRecords2.php (redirects to VewRecords.php below)
Code: [Select]
<a href=\"ViewRecord.php?MaintenanceRecordID=$Row[MaintenanceRecordID]\" target=\"_blank\">View</a>

ViewRecords.php
Code: [Select]
// assign vars
$MaintenanceRecordID = mysqli_real_escape_string($Con, trim($_GET['MaintenanceRecordID']));

if((!empty($MaintenanceRecordID)) && (is_numeric($MaintenanceRecordID)))
{
    // query to database
    $Query = "SELECT
        MaintenanceRecords.MaintenanceRecordID,
        MaintenanceRecords.MaintenanceRecordDate,
        MaintenanceRecords.MaintenanceRecordNotes,
        Vehicles.VehicleNumber,
        MaintenanceJobs.MaintenanceJob
        FROM MaintenanceRecords
        LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
        LEFT JOIN MaintenanceJobs ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
        WHERE MaintenanceRecords.MaintenanceRecordID = '$MaintenanceRecordID'";
       
    // result from $query
    $Result = mysqli_query($Con, $Query) or die(mysqli_error($Con));

when I took away mysqli_real_escape_string, is_numeric, and the '' for the var, I still couldn't inject :(

oh well something to play with later :)
« Last Edit: March 27, 2012, 08:49:33 pm by dataspy »
The only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn, like fabulous yellow roman candles exploding like spiders across the stars.
-Kerouac

Offline D4rk0rD

  • /dev/null
  • *
  • Posts: 14
  • Cookies: -2
  • Java Developer
    • View Profile
Re: SQL Injection
« Reply #22 on: March 30, 2012, 05:29:40 pm »
Get sql manuals from this link :

http://dev.mysql.com/doc/refman/5.5/en/

This is english manuals you can download from other languages also . just check around site  ;) .
The focused mind can pierce through stone.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: SQL Injection
« Reply #23 on: March 30, 2012, 09:56:16 pm »
Interesting article , Best way to master SQL injection is learning sql first and study whats happen behind the scene when we injecting .

you can download a SQL manual on MySql site , Thats good  manual to familiar with SQL .


I disagree, learning PHP alongside SQL(MySQL) is the best way. Then study the concept(s) of SQL injection vulnerabilities.




Awesome tutorial, thanks!!!!

I have to mess with this more, I was already doing all the preventive measures recommended in this tutorial but even when I take prevntive measures away I still can't break my code, I'm gonna have to do a lot more studying!!!

example of some code I was trying to break (my dad owns a limousine company, I wrote this for him to keep track of maintenance on the vehicles)

SearchRecords2.php (redirects to VewRecords.php below)
Code: [Select]
<a href=\"ViewRecord.php?MaintenanceRecordID=$Row[MaintenanceRecordID]\" target=\"_blank\">View</a>

ViewRecords.php
Code: [Select]
// assign vars
$MaintenanceRecordID = mysqli_real_escape_string($Con, trim($_GET['MaintenanceRecordID']));

if((!empty($MaintenanceRecordID)) && (is_numeric($MaintenanceRecordID)))
{
    // query to database
    $Query = "SELECT
        MaintenanceRecords.MaintenanceRecordID,
        MaintenanceRecords.MaintenanceRecordDate,
        MaintenanceRecords.MaintenanceRecordNotes,
        Vehicles.VehicleNumber,
        MaintenanceJobs.MaintenanceJob
        FROM MaintenanceRecords
        LEFT JOIN Vehicles ON Vehicles.VehicleID = MaintenanceRecords.VehicleID
        LEFT JOIN MaintenanceJobs ON MaintenanceJobs.MaintenanceJobID = MaintenanceRecords.MaintenanceJobID
        WHERE MaintenanceRecords.MaintenanceRecordID = '$MaintenanceRecordID'";
       
    // result from $query
    $Result = mysqli_query($Con, $Query) or die(mysqli_error($Con));

when I took away mysqli_real_escape_string, is_numeric, and the '' for the var, I still couldn't inject :(

oh well something to play with later :)

Your code cant be injected to do any harm because the PHP script checks if the MaintenanceRecordID is numeric or not. However you can do things like MaintenanceRecordID=123e31 and you will most likely get a overflow problem, but it wont cause more than an error message.




Get sql manuals from this link :

http://dev.mysql.com/doc/refman/5.5/en/

This is english manuals you can download from other languages also . just check around site  ;) .


Not sure how this will help must people..
« Last Edit: March 30, 2012, 09:59:35 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Droaxenius

  • /dev/null
  • *
  • Posts: 5
  • Cookies: 0
    • View Profile
Re: SQL Injection
« Reply #24 on: April 10, 2012, 12:49:21 pm »
Again and awesome tutorial ande.  ;)


Keep up the quality!

Offline Conch

  • Serf
  • *
  • Posts: 44
  • Cookies: 8
  • ls -a /dev/null | grep Conch
    • View Profile
Re: SQL Injection
« Reply #25 on: June 25, 2012, 03:18:05 pm »
Amazing tutorial, very informative.

Thanks!

Offline Phage

  • VIP
  • Overlord
  • *
  • Posts: 1280
  • Cookies: 120
    • View Profile
Re: SQL Injection
« Reply #26 on: June 25, 2012, 11:22:40 pm »
I must say that this is a HQ tutorial. I will expect nothing less from an admin. You made it very clear what you are saying and i understood it all. But i do have a lot of experience in SQLi so i dont know how it looks from a newbie.

HQ and great tutorial!

Regards
Narraz
« Last Edit: June 25, 2012, 11:22:55 pm by Narraz »
"Ruby devs do, in fact, get all the girls. No girl wants a python, but EVERY girl wants rubies" - connection

"It always takes longer than you expect, even when you take into account Hofstadter’s Law."

Offline Horny Cat

  • NULL
  • Posts: 1
  • Cookies: -1
  • i'm Here... cauza i wanna learn !
    • View Profile
Re: SQL Injection
« Reply #27 on: June 30, 2012, 02:31:31 pm »
euhh i'm a very bigenner in hacking lol, but i'm good at coding, so my problem is that i can't find tergets (i mean website where i can apply what you just teach as here) any ideas !!??
Teach me... and i'll be grateful !

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: SQL Injection
« Reply #28 on: June 30, 2012, 02:56:47 pm »
well if you're good at coding, why not make a testlab yourself? just a thought...

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: SQL Injection
« Reply #29 on: July 17, 2012, 12:38:22 pm »
euhh i'm a very bigenner in hacking lol, but i'm good at coding, so my problem is that i can't find tergets (i mean website where i can apply what you just teach as here) any ideas !!??
Do you know PHP ?, learn how to create before destruction. And also, we do not say you have to practice it on other person's sites because that is illegal.
~Factionwars