www.nimbuzzflood.forumotions.in
welcome to our forum reggisterd to get download and post authority be proudly good member of this forum wellcome 
digi clock
Latest topics
» flooder & add flood
Mon Oct 27, 2014 11:54 pm by amin742

» nimbuzz news
Thu Jul 03, 2014 4:17 am by prīñçÿ•p

» bombuzz for android
Thu Jul 03, 2014 4:14 am by prīñçÿ•p

» EheMBuzZ Dc All Client
Thu Jun 05, 2014 7:53 pm by amin742

» New Spy Bot Ids
Sun Dec 22, 2013 7:29 pm by narnia_kalayi@n.c

» bombotmod version 0.3
Sat Dec 21, 2013 3:03 pm by hanoman

» Windows 7 Ultimate SP1 x86 en-US USB3 IE10 Baseline
Sat Oct 19, 2013 9:57 pm by little_animator

» Microsoft Windows 8 1 Enterprise RTM (X86 X64) With Rollup-1 English DVD
Sat Oct 19, 2013 9:43 pm by little_animator

» Nuke Mobileserver [Ban bot] v7
Sat Oct 19, 2013 7:39 pm by little_animator

Top posters
Admin (200)
 
little_animator (105)
 
shahroze (19)
 
amin742 (15)
 
~~~_vampire_~~~ (8)
 
black~heart (6)
 
sheeshnag (4)
 
مرادالروح (4)
 
luckykhaN_ (4)
 
bhati** (4)
 

visitors

hack website using SQL injection a complete tutorial

View previous topic View next topic Go down

hack website using SQL injection a complete tutorial

Post by shahroze on Fri Apr 26, 2013 6:59 pm

WHAT IS SQL INJECTION?
SQL stands for Structured Query Language , and it is the language used by mostwebsite databases. SQL Injection is a technique used by hackers to add their own SQL to your site'sSQL to gain access to confidential information or to change or delete the data that keeps your website running. I'm going to talk about just one form of SQL Injection attack thatallows a hacker to log in as an administrator - even if he doesn't know the password.
Is your site vulnerable?
If your website has a login form for an administrator to log in, go to your site now, in the username field type the administrator user name.
In the password field, typeor paste this:
x' or ' a ' = ' a
If the website didn't let youlog in using this string youcan relax a bit; this article probably doesn't apply to you. However you might like to try this alternative:
x' or 1=1--
Or you could try pasting either or both of the above strings into both the login and password field. Or if you are familiar with SQL you could try a few other variations. A hacker who really wants to get access to your site will try many variations beforehe gives up.
If you were able to log in using any of these methods then get your web tech to read this article, and to read up all the othermethods of SQL Injection. The hackers and "skript kiddies" know all this stuff;your web techs need to know it too.
The technical stuff
If you were able to log in, then the code which generates the SQL for the login looks something like this:
$sql =
"SELECT * FROM users
"WHERE username = '" .$username .
"' AND password = '" .$password . "'";
When you log in normally, let's say using userid admin and password secret , what happens is the
admin is put in place of $username and secret is put in place of $password . The SQL that is generated then looks like this:
SELECT * FROM users WHERE username = ' admin ' and PASSWORD = ' secret '
But when you enter x' or ' a ' = ' a as the password, theSQL which is generated looks like this:
SELECT * FROM users WHERE username = ' admin ' and PASSWORD = ' x' or ' a ' = ' a
'
Notice that the string: x' or' a ' = ' a has injected an extra phrase into the WHERE clause: or ' a ' = ' a '
. This means that the WHERE is always true, andso this query will return a row contain the user's details.
If there is only a single user defined in the database, then that user'sdetails will always be returned and the system will allow you to log in. If you have multiple users, then one of those users will be returned at random.If you are lucky, it will be a user without administrationrights (although it might be a user who has paid to access the site ). Do you feel lucky?
How to defend against this type of attack
Fixing this security hole isn't difficult. There are several ways to do it. If you are using MySQL, for example, the simplest method is to
escape the username and password, using the
mysql_escape_string() or mysql_real_escape_string() functions, e.g.:
$userid = mysql_real_escape_string($userid);
$password = mysql_real_escape_string($password);
$sql =
"SELECT * FROM users
"WHERE username = '" .$username .
"' AND password = '" .$password . "'";
Now when the SQL is built, it will come out as:
SELECT * FROM users WHERE username = ' admin ' and PASSWORD = ' x\' or \' a \' = \' a
'
Those backslashes ( \ ) make the database treat the quote as a normal character rather than as a delimiter, so the database no longer interprets the SQL as having an OR in theWHERE clause.
This is just a simplistic example. In practice you will do a bit more than this as there are many variations on this attack. For example, you might structure the SQL differently, fetch the user using the user name only and then check manually that the password matchesor make sure you always use bind variables (the best defence against SQL injection and strongly recommended!). And you should always escape all incoming data using the appropriate functions from whatever language your website is written in - not just data that is being used for login.
There's more
This has just been a brief overview. There are manymore hacking techniques than SQL Injection; there are many more things that can be done just using SQLInjection. It is possible to directly change data, get access to confidential information, even delete your whole database — irrespective of whether the hacker can actually login — if your website isn't set up correctly.

for more info www.shahroze.com

shahroze
Member
Member

Posts : 19
Points : 37
Reputation : 0

Join date : 2013-04-09

View user profile

Back to top Go down

Re: hack website using SQL injection a complete tutorial

Post by Admin on Sat Apr 27, 2013 1:03 am


Admin
Full Modarator
Full Modarator

nimbuzz id : sando1122

Posts : 200
Points : 552
Reputation : 2

Join date : 2012-10-07
Age : 23
Location : india
Humor : :@:#$@!#$!@#@ beep

View user profile http://nimbuzzflood.forumotions.in

Back to top Go down

FORUM HAS BEEN DDOSED

Post by SPAM BOT on Sat May 04, 2013 1:45 am

download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download download

SPAM BOT
Guest


Back to top Go down

Re: hack website using SQL injection a complete tutorial

Post by Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum