Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Help.. SQL Injection.
Posted by: narutoo
Date: June 18, 2011 01:40AM

I have a website : www.site.com/lol/ .

I was looking at the code and I saw that lol is the same as lol.php. Then I looked at the code again and I saw code like this:

<form method="post" action="/lol.php">
<div class="buscbackg">
<input id="q" name="q" type="text" class="fields" />
</div>
<input type="image" src="/img/b_ir.jpg" style="width:33px;height:29px;float:right;" />
<div class="clear"></div>
</form>

So I thought it must be www.site.com/lol.php?q=. Am I correct? Because it doesn't work: I put www.site.com/lol.php?q=1 and it works, and if I put q=1' it works again. I ran a scan and it says that it is vulnerable to SQL injection in that area.

Help me please

Re: Help.. SQL Injection.
Posted by: peann
Date: June 18, 2011 03:13PM

form method="post"

The injection, if it exists, will be in the POST data.

Re: Help.. SQL Injection.
Posted by: thanggiangho
Date: June 18, 2011 10:10PM

When you ask, post the link.

Re: Help.. SQL Injection.
Posted by: narutoo
Date: June 18, 2011 10:31PM

No problem man, http://www.racingclub.com.ar/resultados

Re: Help.. SQL Injection.
Posted by: Plitvix
Date: June 20, 2011 03:05PM

site.com/lol.php?q=1' --> here q is a GET parameter.
Use Firefox + HackBar to make some POST requests.
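A defensive counterpart to the GET-versus-POST point made in this thread, added here as an example and not taken from the thread or from any site mentioned in it: a hypothetical handler for a form like the one narutoo posted (method="post", an input named q). It reads the parameter from the POST body only, which is why a value appended to the URL as ?q=... never reaches it, and it binds the value into a prepared statement so that a quote is treated as data rather than SQL syntax. The table name, column names and connection settings are assumptions.

```php
<?php
// Hypothetical handler for a search form like the one in the first post:
//   <form method="post" action="/lol.php"> ... <input name="q" type="text" />
// Added example, not the code of any site in the thread. Table, columns and
// connection settings are placeholders.

// The form submits with method="post", so the value arrives in $_POST, not in
// the query string ($_GET). Reading only $_POST is what makes "?q=1'" in the
// URL irrelevant to this handler: that value is never looked at.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['q'])) {
    http_response_code(405);
    header('Allow: POST');
    exit('Use the search form.');
}

$q = $_POST['q'];
// Shape check only (q[]=... would arrive as an array); binding below is the
// actual protection against injection.
if (!is_string($q) || strlen($q) > 100) {
    http_response_code(400);
    exit('Invalid query.');
}

// Placeholder connection details. Emulated prepares are disabled so the
// statement is prepared by the database server itself.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The user value is bound as a parameter, never concatenated into the SQL
// text, so a quote or comment sequence in $q cannot change the query's
// structure. This is the fix for what a scanner reports as SQL injection on
// a form field.
$stmt = $pdo->prepare('SELECT id, title FROM results WHERE title LIKE ? LIMIT 50');
$stmt->execute(['%' . $q . '%']);

header('Content-Type: text/html; charset=utf-8');
echo "<ul>\n";
foreach ($stmt as $row) {
    // Output encoding so the echoed value cannot be interpreted as HTML.
    echo '<li>', htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "</li>\n";
}
echo "</ul>\n";
```

Two details worth noting: the handler rejects anything other than a POST outright, so a scanner probing the URL with ?q=1' exercises no database code at all, and the LIKE pattern still lets a user supply % and _ wildcards, which is harmless to the query's structure but may matter if the search is meant to be literal.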
