vulnerable or not?

[Mrgood]

i just joined the forum to learn some SQLi. I have read the tutorial made by ande but I still can't get any result. I have seen also this topic and when u said the site is vulnerable i tried to hack it too. No results at all. I tried to add many things to the link after =1 etc and nothing happened. My question is, how did u do that? Any clues that can help me with SQLi? I understand how SQL and queries work and that's not the problem. Maybe i am doing something wrong.

I didn't want to make another topic so i wrote here.

[Phage]

i just joined the forum to learn some SQLi. I have read the tutorial made by ande but I still can't get any result. I have seen also this topic and when u said the site is vulnerable i tried to hack it too. No results at all. I tried to add many things to the link after =1 etc and nothing happened. My question is, how did u do that? Any clues that can help me with SQLi? I understand how SQL and queries work and that's not the problem. Maybe i am doing something wrong.

I didn't want to make another topic so i wrote here.

Simple answer learn SQL and then you will understand it.

[Mrgood]

yes but what does time based sqli mean? Exactly, I know what does it mean but how to use it? have you got any tutorials or clues fo it?

[Daemon]

yes but what does time based sqli mean? Exactly, I know what does it mean but how to use it? have you got any tutorials or clues fo it?

Let me introduce you to your new best friend:

GOOGLE


This friend is like god, it knows EVERYTHING!!!! Including what SQLi is 

[Mrgood]

that was the simplest answer;) i have already looking for it. I am just asking if u know any good tutorial about time based sqli

[bubzuru]

that was the simplest answer;) i have already looking for it. I am just asking if u know any good tutorial about time based sqli

i agree google is your best friend but i like hacker con vids
there are a few nice SQLi defcon videos. use your best friend to find them.

DEFCON 16: Time-Based Blind SQL Injection using heavy queries http://www.youtube.com/watch?v=N8baNkyhRBM

[Mrgood]

I've already got the whole database structure but i have used The Mole. I know almost everything but passwords are in sha1 and i can't crack them.
Can you please give me the clue how to add/delete a record? (i know google is my best friend) I asked him, i have read almost every link connected on several result pages.

It should take max 1 min to help me i guess:) (less than writing about 'google is the best')
what should i add to ...page=news&id=2 to add or delete the record.

I know that:

Code: [Select]

[+] Found separator: " ' "
[+] Found DBMS: Mysql
[+] Found comment delimiter: "#"
Also i know that "id" is in the "maindb2" database and "news_update" table. Lets say i would like to add or delete an user in "user" table in the same database.

The mole gave me many info but i cant change anything using this tool.
Is there any way to get database root password using sqli?

[relax]

have you read this?
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

[Mrgood]

...id=2; UPDATE news_update SET content = 'hacked' WHERE id='1'"#
why it doesnt work? i have mysql syntax error but everything should be ok with " ' " as separator and # as delimiter

[Mrgood]

I have also tried to do the same without " ' " signs and page loaded with error but nothing happened at all

[Mrgood]

i really dont like to write like this and i feel very embarassed but i want to ask you again. Please help with that sqli insert command

[bubzuru]

give more info then , the injection query can change alot from script to script , even if they do basically the same thing, what script are you trying to inject ?? maybe make a new thread.

[techb]

give more info then , the injection query can change alot from script to script , even if they do basically the same thing, what script are you trying to inject ?? maybe make a new thread.

Yes, make a new thread, this is getting really off topic.

/