The Content Provided on HackClarify are Only for Security Awareness & Educational Purposes Only, Hackclarify is Not Responsible for any Harm Done!
Place Your Ads Here By Requesting Using The Contact Form
Add to Google Reader or Homepage Add to Netvibes Add to Yahoo! Subscribe in NewsGator Online Add to My AOL

SQL Injectioning? How does it Work?



A large number of websites are vulnerable to SQL injection attacks, I must say that its just the fault of the website admin, Who has designed it. I am going to discuss here that what is SQL injection and how it is accomplished. Now-a-days, many noobs find an SQL error in database by automated scanners and just exploit it for fun. But that is not a good act. Even i haven't used my skills for any bad purpose. This post is about those people who don't know that their website is actually vulnerable to such attack, also i am going to tell you that how its done and how to catch this vulnerability.Due to such vulnerability a Hacker can gain access to your website within a minute, Yes its true.

What is SQL Injection?
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
In simple words I must say that hacker injects certain characters in the admin authentication area and gains access as admin.

How is basic SQL injection Accomplished?
Google is very helping in hacking, due to dork technique, Now you will think that what is dork?
Dork: A search enquiry to find a website specific to an attack type etc.
A few dorks are below, which are used to find, vulnerable site:
"inurl:admin.asp"
"inurl:login/admin.asp"
"inurl:admin/login.asp"
"inurl:adminlogin.asp"
(Note: I am not giving all dorks, due to the fact that i might go illegal, You may be just learning but we can't trust everyone.)

These dorks are pasted in the search bar of google.com. and then searched to find the website.

After finding the required target, injection is accomplished, like in the login fields of admin, as password following injections are inserted:
' or '1'='1
' or 'x'='x
(Google to get more, It would be illegal if i post here all.)

In simple words:
Username : Admin
Password : 'or'1'='1

Hit login and you are in, All the sites are not vulnerable and this is just for learning purpose, WiredHacks is not responsible for any harm or damage caused.


That was just a simple tutorial to give you basic information of SQL injection. There are more advanced techniques too. But some other day i will discuss.


How to check that your website is vulnerable?
Well, After reading the basics above you might have got the concept of SQL injection. But many tools are also available to scan your website or server for such errors in database, Note, When error occurs it means that website is vulnerable.
First Method:
Here is an online scanner:
http://webhosting.blackoutaio.com/~sqli/
For example, If you want to scan, www.website-yasar.com then put this in scanner bar:
inurl:php?=id+site:website-yasar.com
 If you get:

http://www.website-yasar.com/product.php?id='3 <== Success

Then it means that website is vulnerable and can be exploited easily by getting the number of colums.
(Note: catid, data, num is also used in addition to id. Simply replace id with your desired value in the dork of scanner.)
Here i got screen shot of a Website with dork "data" instead of "id" vulnerable to the attack it has scanned it overall and here are results:


Second Method:
Here is an automated scanner, Which is for newbies, Just click scan and take rest.
Go to this link to get detailed information on how to find SQL vulnerability in website.
To get Acunetix vulnerability scanner Trial version go here.


Hope, Now you might be aware of SQL injections. Futher information will be posted later.
 




Share your views...

3 Respones to "SQL Injectioning? How does it Work?"

Curtis Young said...

can u help me with sql injection im not a noob at it


September 25, 2012 at 10:11 PM
younas said...

hi bro i want to ask something dud how to send fake money to any bank account?????


February 4, 2013 at 3:53 PM
Blogger said...

Bluehost is ultimately one of the best web-hosting company with plans for any hosting requirements.


February 23, 2017 at 12:01 AM

Post a Comment

 

Google+

Supported/Suggested Browsers for our site
Fight Spam! Click Here!

Don't Copy Articles

Protected by Copyscape Plagiarism Detector
DMCA Protected

Expand HackClarify

Hacking Tips & Tricks

If HackClarify articles have helped you in learning then copy code below and give a small place to this image in your blog or website:

Attribution

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License. Dont Copy or Reproduce Articles.

© 2012 | Founded & Maintained by Samin Yasar | All Rights Reserved