Hacking Tips by Shahzad Arain

Published by: Shahzad Asghar Arain on Nov 18, 2008
Copyright: Attribution Non-commercial

12/10/2012

pdf

text

original

 
 
Newsletter:
 
How They Hack Your Website: Overview of Common Techniques
By John Conroy, Mar 5, 2008. Tagged: google hacking hack security web cms web publishing xss
We hear the same terms bandied about whenever a popular site gets hacked. You know… SQL Injection, cross site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine; a nefarious, impossibly technical twilight world forever beyond our ken?

Not really.

When you consider that you can go to Google right now and enter a search string which will return you thousands of usernames and passwords to websites, you realize that this dark science is really no mystery at all. You’ll react similarly when you see just how simple a concept SQL Injection is, and how it can be automated with simple tools. Read on, to learn the basics of how sites and web content management systems are most often hacked, and what you can do to reduce the risk of it happening to you.
SQL Injection

SQL Injection involves entering SQL code into web forms, e.g. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.

When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you’ve entered against the relevant table in the database. If your input matches table/row data, you’re granted access (in the case of a login screen). If not, you’re knocked back out.
The Simple SQL Injection Hack
In its simplest form, this is how the SQL Injection works. It’s impossible to explain this without reverting to code for just a moment. Don’t worry, it will all be over soon.

Suppose we enter the following string in a Username field:

' OR 1=1

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:

SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'

…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.

So entering ' OR 1=1 -- as your username could result in the following actually being run:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Two things you need to know about this:

['] closes the [username] text field.

'--' is the SQL convention for commenting code, and everything after the comment marker is ignored. So the actual routine now becomes:

SELECT * FROM users WHERE username = '' OR 1=1

1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreak havoc.

Let’s hope you got the gist of that, and move briskly on.
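The login check described above, as an added example that is not code from the original article: the concatenated query accepts the article's username string, while the same check written with bound parameters rejects it. The function names, the in-memory SQLite database and the sample account are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    # Passwords are stored in plain text only to mirror the article's query;
    # a real system stores a salted hash and compares against that.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, usrtext, passtext):
    # Vulnerable form: user input is pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT * FROM users WHERE username = '" + usrtext +
           "' AND password = '" + passtext + "'")
    return db.execute(sql).fetchone() is not None

def login_param(db, usrtext, passtext):
    # Hardened form: placeholders bind the input as values. The statement
    # is parsed before the values are attached, so they stay data.
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (usrtext, passtext)).fetchone() is not None

def demo():
    db = make_db()
    injected = "' OR 1=1 --"  # the username string from the article
    return {
        "concat, valid login": login_concat(db, "alice", "s3cret"),
        "concat, injected username": login_concat(db, injected, ""),
        "param, valid login": login_param(db, "alice", "s3cret"),
        "param, injected username": login_param(db, injected, ""),
        # A legitimate name containing a quote is also handled correctly.
        "param, quote in name": login_param(db, "o'brien", "x"),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```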
Brilliant! I’m gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won’t beat the systems they have in place up at Citibank, evidently.

But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:

username field examples:

admin'--
') or ('a'='a
") or ("a"="a
hi" or "a"="a
 
