How to hack by SQL

Posted on May 23, 2009
Filed Under How To | Tags: SQL |

This appeared to be an entirely custom application, and we had no prior knowledge of the application nor access to the source code: this was a “blind” attack. A bit of poking showed that this server ran Microsoft’s IIS 6 along with ASP.NET, and this suggested that the database was Microsoft’s SQL server: we believe that these techniques can apply to nearly any web application backed by any SQL server.

The login page had a traditional username-and-password form, but also an email-me-my-password link; the latter proved to be the downfall of the whole system.

When entering an email address, the system presumably looked in the user database for that email address, and mailed something to that address. Since my email address is not found, it wasn’t going to send me anything.

So the first test in any SQL-ish form is to enter a single quote as part of the data: the intention is to see if they construct an SQL string literally without sanitizing. When submitting the form with a quote in the email address, we get a 500 error (server failure), and this suggests that the “broken” input is actually being parsed literally. Bingo.

http://www.unixwiz.net/techtips/sql-injection.html

Comments

• Event & New Update

  Sign up to receive breaking news and other site updates!

• Recent Posts

  • Five Best Startup Management Tools
  • Change the registration information in Windows Vista and XP
  • Google Goggles Searches by Sight
  • Google Public DNS Aims to Speed Up Your Browsing
  • Gmail Now Lets You Add and Send Attachments Offline
  • JavaScript, graphics performance improvements on tap for IE9
  • Google Chrome OS available as free VMWare download
  • Teach Yourself How to Code
  • Taking the black art out of SQL tuning
  • How to Recover Your Firefox Master Password

• Most Viewed

  • 10 Tech Whizzes Under 20(385 views)
  • Googe App Engine - Run yo...(258 views)
  • SharePoint 2010(258 views)
  • Google Wave Developer Pre...(226 views)
  • Powerful and Userful CSS ...(205 views)
  • 40 Professional Icon Sets(197 views)
  • Google offers JavaScript ...(167 views)
  • 20 Websites That Made Me ...(166 views)
  • How to hack by SQL(162 views)
  • Google Voice’s Secret Wea...(157 views)

• Tags

  css design develpers firefox Flash gmail google google-app-engine html iphone java Jira microsoft new product new technology php seo sharepoint skype SQL technology-trend tips web web-development Wifi Window

• Categories

  • Collection
  • Fun
  • How To
  • News
  • Review
  • Uncategorized

• Archives

  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • July 2009
  • June 2009
  • May 2009

• About

  HD Techblog is a collection of knowledge about Information Technology from HD Expertise. We, HD engineers, contribute many different topics from small technical things like programming tips to broad view such as technology trends, business review. Our aim is to help you to find useful knowledge for your work from our expertise.