Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Thanks maluc
Posted by: rsnake
Date: September 02, 2006 12:01PM

Alright, here's your forum :) Use it wisely!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Thanks maluc
Posted by: maluc
Date: September 03, 2006 11:53PM

weeee.. how nice ^^

I don't actually know much about SQL injection past the ' or 1=1-- and basic syntax. So I'll probably be asking more questions here than reporting my findings _-_

-maluc

Re: Thanks maluc
Posted by: rsnake
Date: September 04, 2006 01:43PM

Once upon a time I was going to create the SQL injection cheat sheet, but I got about a day into it and it got overwhelming very quickly, because of how many variations there were, and the differences in syntax between the various databases. Many times it's the interaction between the front end code and the database tier that causes the filter interactions... it's just such a complex topic that I'm having a difficult time finding a route to tackle the issue.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Thanks maluc
Posted by: Blah
Date: September 19, 2006 06:46PM

Always fun reading about SQL injections :)
Reading is the word because I'm really a lurker :D
*lurk*lurk*

Re: Thanks maluc
Posted by: rsnake
Date: September 19, 2006 07:12PM

Oh, don't lurk... lurking is less fun.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Thanks maluc
Posted by: pheusion
Date: October 12, 2006 10:29AM

SQL Inj Question:

I am just becoming familiar with the ' OR 1=1 type of injections... and have only tested on testing frameworks, i.e. MightySeek.

I also have WebGoat installed and ' OR 1=1-- /* is what got me into the admin panel, my question is...

Is this really widespread? I have SQL experience (only since Ora 8i and OSS based RDBMSs) and have never heard of anything like this. Granted I'm more of a DBA than a coder, but I would have imagined I would have heard of this before looking into SQL injections...

It seems that so many sites are vulnerable to XSS; what are the chances I am going to be able to use ' OR 1=1 in the wild?

Re: Thanks maluc
Posted by: maluc
Date: October 12, 2006 10:59AM

I'll be the first to admit I'm a noob at SQL injection... so I'm not really a good choice to answer questions. I know I asked for this forum category, but I was hoping for an 'if you build it, they will come' effect... and I could just lurk and learn.

But I can answer on occurrence. Since I test a lot of variables while looking for XSS holes... I've come across many SQL injections. Now, I'm not sure how to assess their vulnerability... and also it may be illegal to test... but I've seen quite a few ODBC errors, blank pages, or timed out pages thanks to inserting an '... or occasionally a )

And the ' or 1=1-- you can find in the wild too, but any content management software is going to, at the least, protect the login form. Invision, however, had an SQL injection up until v1.3final in the autologin feature: http://www.milw0rm.com/exploits/1036 <-- shows the injected string, in the comments.

I'm not near uber enough at SQL injections though, so take this with a grain of salt.

-maluc

Re: Thanks maluc
Posted by: rsnake
Date: October 12, 2006 11:01AM

I've only found a few (probably around 50 total) vulnerable SQL injections in all the time I have been doing application testing. There are a few reasons for this.

1) Primarily I test with double quotes, and lots of SQL queries use single quotes.
2) Generally I'm looking for reflected information, and even when I do find SQL query errors I'm generally more interested in how the data is reflected back.
3) I don't go searching for it, as that actually _is_ hacking and could get you into much more serious trouble, as you have the potential of really damaging the database if you don't know what you're doing.
4) Many systems use a database access layer as a single choke point for all this sort of activity, so if they fix it once, they fix it forever.
5) Many SQL queries are far more complex than the simple select statement, so simple strings like that have a very low probability of returning valid data that the system will know what to do with.

So to answer your question: that exact string has a very low chance of success, but not zero. You're better off looking for common applications (like PHPNuke) used everywhere and attempting to find one vulnerability in the software by looking at the source and going after it, rather than guessing. This is partly why XSS is reported far more often than SQL injection - it's just way more prevalent.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Thanks maluc
Posted by: pheusion
Date: October 12, 2006 11:33AM

Thanks for the info guys...

Re: Thanks maluc
Posted by: digi7al64
Date: October 12, 2006 07:07PM

Interesting: a Microsoft audit found that around 7 out of 10 database driven sites are vulnerable to SQL injections.

In relation to how many "public" sites are actually vulnerable, you would be surprised at how many have multiple vulnerabilities that exist within their system that allow you to either
> escalate user privileges,
> create user accounts (MS) on the machine,
> bypass login systems and create new files (allowing shell commands),
> deface entire portions of the site, and
> delete tables, SPs and so on.

Finally, from a legal standpoint, searching for a reflective XSS using, say, ";<>{}'-moo" or something similar is fine, but once you start entering ' or 1=1-- there are reasonable legal grounds, with documented cases, to assume you are trying to "hack" the system.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: Thanks maluc
Posted by: Anonymous User
Date: October 13, 2006 08:43PM

SQL injection flaws are widespread; take a look at scripts that print out profiles, news, presentations, whatever. Look for URLs like this: index.php?id=34 or index.php?username=rsnake

It is much more likely that those queries are NOT protected than the login query, because many PHP developers know what SQL injection is, and they know how to protect themselves from it by using addslashes(). But most of the time, they're not hackers; they don't read a lot of papers. Therefore, they basically do not protect $_GET['id'], because they don't know it's possible to hack the database with it.

SQL injection flaws are widespread; all it takes is magic_quotes off, self-written software and the admin not being an active hacker. :)
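Added example, not code from the thread or from any of the posters. It puts two points from this thread side by side in runnable form: why ' OR 1=1-- /* gets pheusion past the WebGoat login form, and why the quote escaping that "protects the login form" (the job addslashes() does on MySQL) does nothing for an unquoted numeric parameter like index.php?id=34. The schema, the two users, the two articles and the query shapes are constructed sample data; SQLite is used so it runs offline, and since SQLite escapes a quote inside a literal by doubling it rather than with a backslash, the escaping helper here doubles quotes (an assumption standing in for addslashes(), which is MySQL-specific). The parameterized versions at the end are the fix that works for both cases.

```python
"""Login bypass, quote escaping, and the unquoted-integer gap, in SQLite.

Constructed sample data and queries; not from the forum thread.
"""
import sqlite3


def build_db():
    """Constructed schema: two users and two articles (one unpublished)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT,
                           password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'admin', 's3cret', 1);
        INSERT INTO users VALUES (2, 'maluc', 'hunter2', 0);
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT,
                              published INTEGER);
        INSERT INTO articles VALUES (34, 'Public post', 1);
        INSERT INTO articles VALUES (35, 'Unpublished draft', 0);
        """
    )
    return conn


def quote_escape(value):
    """Stand-in for addslashes(): neutralise a quote inside a string literal.

    SQLite's escape is a doubled quote; MySQL/PHP use a backslash. Either way
    the idea is the same: a quote can no longer close the literal early.
    """
    return value.replace("'", "''")


def login_vulnerable(conn, username, password):
    """Classic concatenated login query. ' OR 1=1-- /* in the username closes
    the literal, adds an always-true OR, and comments out the password check."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_escaped(conn, username, password):
    """Same query with the quotes escaped: the payload stays inside the
    literal and matches no user, so the login form is protected."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE username='%s' AND password='%s'"
           % (quote_escape(username), quote_escape(password)))
    return conn.execute(sql).fetchall()


def article_escaped_numeric(conn, article_id):
    """The same escaping applied to an unquoted id= parameter is useless:
    the payload never needs a quote to break out of an integer context."""
    sql = ("SELECT id, title FROM articles WHERE id=%s AND published=1"
           % quote_escape(article_id))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: user input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


def article_safe(conn, article_id):
    """Validate the type first, then bind; '34 OR 1=1--' is not an integer."""
    try:
        ident = int(article_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title FROM articles WHERE id=? AND published=1", (ident,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1-- /*"
    print("vulnerable login :", login_vulnerable(db, payload, "x"))
    print("escaped login    :", login_escaped(db, payload, "x"))
    print("escaped id=34    :", article_escaped_numeric(db, "34"))
    print("escaped id inject:", article_escaped_numeric(db, "34 OR 1=1--"))
    print("safe login       :", login_safe(db, payload, "x"))
    print("safe id inject   :", article_safe(db, "34 OR 1=1--"))
```

The vulnerable login returns every user, and the first row back is the admin, which is exactly how a "log in as the first row" check ends up in the admin panel. The escaped login returns nothing for the payload, yet the escaped article lookup still leaks the unpublished draft, because `34 OR 1=1--` contains no quote for the escaper to act on. Only the bound parameters close both holes.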
