Welcome, Guest. Please login or register.
Pages: [1]
  Print  
Author Topic: SQL Injection Tutorial  (Read 2968 times)
Spy
Administrator
Hero Member
*****

Karma: 70
Posts: 182



View Profile WWW
« on: October 15, 2010, 12:27:05 AM »

Hey all,

Today I thought I would write a tutorial on SQL Injection. Now if you want to get anywhere with your hacking carrier you need to have this skill.

What is SQL Injection?
SQL is a code injection technique that exploits a security flaw in the database layer of an application that uses a Structured Query Language. Basically it allows users to bypass if tests for user passwords and other inputs. It utilizes an old vulnerability in SQL's non-filtered escape characters.

So how does it work?
Imagine this SQL code embedded into a PHP function:
$result mysql_query"SELECT * FROM users WHERE name =  '" $username "'");
This code grabs a user's data from a database. The only problem is that you can still add more SQL query data onto the end of this query buy simply typing it onto the end of the original string.

How do I use it?
The first example I am going to provide is an example of making the application drop the database table simply by adding in a few extra things onto our $username variable.
You could set $username to Spy'; DROP TABLE users. So now our PHP code would look like this:
$result mysql_query"SELECT * FROM users WHERE name = 'Spy'; DROP TABLE users")

Example Codes
Have have posted some example codes for your knowledge below.

Code:
' or 1=1--
Use this to display all values in a table column (user password for example).

Code:
'; exec master..xp_cmdshell 'syscommand'--
Execute a system command using a SQL bypass (an example of syscommand would be 'ping localhost')

Final Notes
So in the end if there is no protection against SQL injection on a website, if you have access to a form that acceses a database you have almost limitless potential to run any SQL command you want. The world is your oyster or something like that.

Have fun!
Logged

Check yo dick for the HIV
LOOK!
I'm Owl City!
And i'm totally, 100% hetrosexual!

Pages: [1]
  Print  
 
Jump to: