SQL Injection Walkthrough

1.0 Introduction When a machine has only port 80 opened, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patch his server, we have to turn to web hacking. SQL injection is one of type of web hacking that require nothing but port 80 and it might just work even if the admin is patch-happy. It attacks on the web application (like ASP, JSP, PHP, CGI, etc) itself rather than on the web server or services running in the OS. This article does not introduce anything new, SQL injection has been widely written and used in the wild. We wrote the article because we would like to document some of our pen-test using SQL injection and hope that it may be of some use to others. You may find a trick or two but please check out the "9.0 Where can I get more info?" 1.1 What is SQL Injection? 1.2 What do you need? 2.0 What you should look for? Everything between the <FORM> and </FORM> have potential parameters that might be useful (exploit wise).

SQL Injection Cheat Sheet Find and exploit SQL Injections with free Netsparker SQL Injection Scanner SQL Injection Cheat Sheet, Document Version 1.4 About SQL Injection Cheat Sheet Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. Examples; (MS) means : MySQL and SQL Server etc. Table Of Contents Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks Ending / Commenting Out / Line Comments Line Comments Comments out rest of the query. -- (SM) DROP sampletable;-- # (M) DROP sampletable;# Line Comments Sample SQL Injection Attacks Username: admin'-- SELECT * FROM members WHERE username = 'admin'-- This is going to log you as admin user, because rest of the SQL query will be ignored. Inline Comments /*Comment Here*/ (SM) DROP/*comment*/sampletableDR/**/OP/*bypass blacklisting*/sampletableSELECT/*avoid-spaces*/password/**/FROM/**/Members /*!

SQL Injection Attacks by Example A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. "SQL Injection" is subset of the an unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. We speculate that the underlying SQL code looks something like this: A standalone query of

SQL Injection Demo - Nazim's IIS Security Blog SQL injection seems to have faded from prominence lately and has become just a buzz word. To make things a little more real I put together a quick demo for it, to demonstrate that you don't necessarily have to go out of your way to make your web application exploitable. Here are the ingredients for this demo: ASP.NET application using System.Data.SqlClient to access a SQL database. SQLExpress (or any other db) with some tool to directly author to the database. CAUTION: This is a sample to demo SQLInjection and is hence insecure. Setting up the Database I used SQLExpress for my demo, but you can use whatever is available. Enable the sa account and gave it a password. Populate the tables with sample data. SELECT * FROM Users; SELECT * From Orders; Setting up a Web Application on your Server I used IIS 7.0 and ASP.NET 2.0, but you could use other tools as well. Make sure IIS is running and that you can access the default page. <! Make sure you can access the website from your local machine.