Jump to content


Photo
- - - - -

SQL Injection


  • Please log in to reply
4 replies to this topic

#1 5imp7y

5imp7y

    Hakker addict

  • Binrev Financier
  • 507 posts
  • Country:
  • Gender:Male
  • Location:PA again....

Posted 16 December 2011 - 03:08 AM

I know very little on the topic. Can someone just explain to me what it is. I tryed to read up on it, not to attempt it, but learn what heppened to this site that i loath. Game hackers got hacked, i just thought it was funny. They spoke of somthing about sql injection and their servers were all sorts of messed up. I dont really want to do it, moreso want to know what it does? hi' 1=1 -- ??

#2 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 16 December 2011 - 06:33 PM

First you need to understand a little bit about databases. SQL is the language of databases.

Creating malformed queries in the database can give you results that you're not supposed to get.



http://en.wikipedia....i/SQL_injection

A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Using well designed query language interpreters can prevent SQL injections. In the wild, it has been noted that applications experience, on average, 71 attempts an hour.[1] When under direct attack, some applications occasionally came under aggressive attacks and at their peak, were attacked 800-1300 times per hour.[2]



#3 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Country:
  • Gender:Male

Posted 17 December 2011 - 05:47 AM

Wikipedia is so helpful these days, disappointing how schools tell you not to use Wikipedia because anyone can't edit it/type it. So can anyone make a web page stupid teachers.

Hmm this helps answer my exact same question on this subject and is an interesting topic.

That makes me wonder is using Java through the website address bar consider to be SQL injection or can it be used for this hypothetically because there was a modification for Facebook using it when I was on there. Wouldn't go near that site any more though.

#4 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 17 December 2011 - 12:57 PM

Wikipedia is indeed great for technical information. Stuff like history, i wouldn't trust as much. But as far as finding tech info, wiki is great.

what kind of javascript were you putting in the address bar? Sounds like cross site scripting

#5 TheFunk

TheFunk

    SUP3R 31337

  • Binrev Financier
  • 187 posts
  • Country:
  • Gender:Male

Posted 18 December 2011 - 01:56 PM

Afterm4th did a good job of explaining SQL Injection, but I'm going to dumb it down some, so that if anyone from the Nubie HQ forums (like myself) decides to tread into the deeper waters they'll have a reference to go by ;)

SQL, as Afterm4th stated is the language of databases. There are several database types out there (MySQL, Oracle, etc) but the important thing to know is that to get information from your database, you or a script you wrote, needs to send a query asking for said info. Injection is the process of taking this query, and malforming it in such a way as to confuse the database and have it hand over more information or perform a different operation than what it was supposed to. This type of attack is especially dangerous because anything from user credentials and passwords to credit-card information and social security numbers could be stored in a single database.

Hopefully this was informative...so anyone have some snow yet? :coffee:




BinRev is hosted by the great people at Lunarpages!