Showing posts with label Injection. Show all posts
Showing posts with label Injection. Show all posts

SQL Injection Tutorial: All common SQL injection problems and Solutions

Posted by Hemant at Friday, October 18, 2013 on Friday, 18 October 2013
Hello,
    Today an tutorial for you what covers most problems while doing SQL injection and solutions to them. Probably every person who has looked at tutorials to hack a website have noticed that there are too much SQL tutorials. Almost every forum has 10 tutorials and blogs 5 tutorials about SQL injection, but actually those tutorials are stolen from somewhere else and the author doesn't probably even know why does SQL injection work. All of those tutorials are like textbooks with their ABC's and the result is just a mess. Everyone are writing tutorials about SQL, but nobody covers the problems what will come with that attack.

What is the cause of most problems related to SQL injection?

Webdevelopers aren't always really dumb and they have also heard of hackers and have implemented some security measures like WAF or manual protetion. WAF is an Web application firewall and will block all malicous requests, but WAF's are quite easy to bypass. Nobody would like to have their site hacked and they are also implementing some security, but ofcourse it would be false to say that if we fail then it's the servers fault. There's also a huge possibility that we're injecting otherwise than we should.
Read more »
Pin It

Labels: , , , , , 0 comments

MSSQL Injection Cheat Sheet

Posted by Hemant at Wednesday, July 17, 2013 on Wednesday, 17 July 2013

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

Misc Tips
In no particular order, here are some suggestions from pentestmonkey readers.
From Dan Crowley:
From Jeremy Bae:
Tip about sp_helpdb – included in table above.
From Trip:
List DBAs (included in table above now):
select name from master..syslogins where sysadmin = ’1′
From Daniele Costa:
Tips on using fn_my_permissions in 2005, 2008 – included in table above.
Also:
To check permissions on multiple database you will have to use the following pattern.
USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, ‘DATABASE’)
Note also that in case of using this data with a UNION query a collation error could occur.
In this case a simple trick is to use the following syntax:
select permission_name collate database_default FROM fn_my_permissions (NULL, ‘DATABASE’)
Read more »
Pin It

Labels: , , , , , 0 comments
Subscribe to: Posts (Atom)

Hey Guys I am making a Penetration Testing Linux Distro & I need a name for it could u plzz suggest me one ... so far following are the suggestions I got