 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
MYSQL Injections(In PHP) - Vulnerability Check |
 |
 Posted: Fri Jun 09, 2006 2:34 am |
 |
|
| Best18 |
| Beginner |
 |
|
| Joined: Jun 09, 2006 |
| Posts: 3 |
|
|
|
 |
|
 |
|
I have read alot on sql injections on the net regrding asp but what i want to know is php, hope you ppl can help me answer my questions:
1) From the net, it seems that sql injections is done be manipulating the URL or just putting some query in the field (e.g login form). But i heard that there is "MYSQL injections script", is it possible to make one?
2) How to know if a site is vulnerable to sql injections? Take this HYIP site as example: http://www.pi*******s.com
<< No real url-s please >> [[==waraxe==]] |
|
|
|
|
| Posted: Fri Jun 09, 2006 4:42 am |
|
|
| Chb |
| Valuable expert |
 |
|
| Joined: Jul 23, 2005 |
| Posts: 206 |
| Location: Germany |
|
|
|
|
|
|
1) Yes, it is possible to write a script, which tries automatically to do SQL-injection. But if you want to have such a script: Write it by your own.
2) Please read the rules and escpecially about URL-posting. |
|
|
|
|
| Posted: Fri Jun 09, 2006 9:51 am |
|
|
| Best18 |
| Beginner |
|
|
| Joined: Jun 09, 2006 |
| Posts: 3 |
|
|
|
|
|
|
|
Thx Chb for replying but isn't this a place to learn  ,anyone willing to tell me how to go abt starting the script. I know MYSQL and I know what Tables i'm going to updates, etc but i'm just wondering how to start the script  and how many scripts for that
<Sry abt the URL but i can't seems to find the rules LOL  ) |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 09, 2006 3:16 pm |
|
|
| Chb |
| Valuable expert |
|
|
| Joined: Jul 23, 2005 |
| Posts: 206 |
| Location: Germany |
|
|
|
|
|
|
| Best18 wrote: | | Thx Chb for replying but isn't this a place to learn |
Did I say anything else?
| Quote: | | anyone willing to tell me how to go abt starting the script. |
Wow, you're a hacker because you know how to start a script... I'm sorry, but I prefer to tell you, how to learn what you're doing and not how to use some f*cking scripts. You should write the scripts. 
| Quote: | | I know MYSQL and I know what Tables i'm going to updates, etc but i'm just wondering how to start the script |
You don't need any scripts.
| Quote: | | <Sry abt the URL but i can't seems to find the rules LOL ) |
In the first forum of waraxe... There is a thread called "THE FORUM RULES". I don't know but maybe are there the rules.
Just my oppinion. |
|
|
|
|
|
Re: MYSQL Injections(In PHP) - Vulnerability Check |
|
| Posted: Fri Jun 09, 2006 6:48 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| Best18 wrote: | I have read alot on sql injections on the net regrding asp but what i want to know is php, hope you ppl can help me answer my questions:
1) From the net, it seems that sql injections is done be manipulating the URL or just putting some query in the field (e.g login form). But i heard that there is "MYSQL injections script", is it possible to make one?
2) How to know if a site is vulnerable to sql injections? Take this HYIP site as example: http://www.pi*******s.com
<< No real url-s please >> [[==waraxe==]] |
First of all, that specific website seems to be very secure. Most of the various online game sites are secure - because there are too much script kidd0s, trying to take them down.
Next - MySql is hard to exploit RDBMS, compared to MSSQL, Oracle and PostgreSql. If you know table and column names, you are interested of, then still there can be problem with UNION support - if MySql has version < 4.x, you are out of luck.
Finally - those exploit scripts and other software. You can use them, if you want to do some mass defacement, but in case of one specific website I suggest manual working.
If you will find "blind" sql injection hole - without any visual feedback, then this is the case, when you have to write exploit script. In perl, in php, in any language you like. If you have found this kind of sql injection case and want help with exploitation - give me more details and I can show, how to write such script - in my case I prefer php CLI  |
|
|
|
|
|
|
|
|
| Posted: Sat Jun 10, 2006 3:03 am |
|
|
| Best18 |
| Beginner |
|
|
| Joined: Jun 09, 2006 |
| Posts: 3 |
|
|
|
|
|
|
|
If you know the site i posted, you'll know that many (MOST) such sites use the same script and hence will have the same database. The problem is some has did some precaution but some not, so may be using script will makes thing easier.
Hmm warexe, may i know how to go abt finding "blind" sql injection hole? 
And it's great if you can show me how to write scripts for such hole. What details do you need
| Quote: | | Did I say anything else? |
You said write it by your own |
|
|
|
|
| Posted: Sat Jun 10, 2006 10:29 pm |
|
|
| Chb |
| Valuable expert |
|
|
| Joined: Jul 23, 2005 |
| Posts: 206 |
| Location: Germany |
|
|
|
|
|
|
| Best18 wrote: |
| Quote: | | Did I say anything else? |
You said write it by your own |
Yes, because you would learn something at writing it. |
|
|
|
|
| Posted: Wed Sep 13, 2006 3:50 pm |
|
|
| trace |
| Regular user |
|
|
| Joined: May 17, 2006 |
| Posts: 8 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Sun Oct 08, 2006 9:44 pm |
|
|
| easy_management |
| Regular user |
|
|
| Joined: Nov 24, 2005 |
| Posts: 12 |
|
|
|
|
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 80
Members: 0
Total: 80
