This is my little guide to SQL Injections:
Ah, here we go.
[URL=http://www.w*schools.com/sql/default.asp]http://www.w*schools.com/sql/default.asp[/URL]
You can learn all about SQL and what it's for here. I'm not gonna try to explain all of that; this guide is only about injections.
------------------------------------------------
Now, suppose you are at a site called [URL=http://www.candycanestotehmax.com]www.candycanestotehmax.com[/URL]. You have to login to this site to see the candy canes. The login page is like this:
Code:
www.candycanestotehmax.com/login.php
Now you try logging in with a bogus name and password. The URL now becomes something like:
Code:
www.candycanestotehmax.com/login.php?user=johnny&password=nicetry
You obviously weren't able to log in. But now you want to see if the login is vulnerable to SQL injection. Try playing around a bit with the URL.
Code:
www.candycanestotehmax.com/login.php?user=a'&password=*=*
OR
Code:
www.candycanestotehmax.com/login.php?user=*=*&password=*'
OR
Some other combination; there should be apostrophes and/or equals expressions (*=*), because these tend to break the query the server builds.
Anyways, you should see some weird error, but if you don't, don't fret, there could still be a vulnerability (known as Blind SQL Injection).
-----------------------------------------------
Well, now suppose you've found a vulnerability to SQL injection on candycanestotehmax.com. Break down the URL and convert it into SQL. When you see this URL:
Code:
www.candycanestotehmax.com/login.php?user=johnny&password=nicetry
It's actually sending two SQL queries, one for a username match and one for a password match. They look like this (let's assume the name of the table is "login"):
Code:
SELECT username FROM login WHERE username='johnny'
SELECT password FROM login WHERE password='nicetry'
But there is no username johnny or password nicetry in the database, so you can't log in. But now you know a vital piece of info: the table "login" contains all the usernames and passwords. It would be nice if we could view this table.
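To make the URL-to-SQL mapping above concrete, and to show where the "weird error" from the earlier step actually comes from, here is an added example (not code from the original post) that runs the post's own login URLs through two versions of the username lookup: one that pastes the parameter straight into the query text, and one that passes it as a bound parameter. The table name "login" comes from the post; the single "alice" row, the in-memory SQLite database and the function names are constructed for this demo.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    # Constructed stand-in for the post's "login" table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES ('alice', 'correct-horse')")
    return conn


def params_from_url(url):
    """Pull user and password out of a login.php?user=...&password=... URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("user", [""])[0], qs.get("password", [""])[0]


def vulnerable_lookup(conn, username):
    # The pattern the post describes: the URL parameter is spliced straight
    # into the SQL text, so a quote character in the input becomes part of
    # the query's grammar instead of part of the value being compared.
    sql = f"SELECT username FROM login WHERE username='{username}'"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # This is the "weird error" the post tells you to watch for. A
        # hardened app logs it server-side and shows the user a generic
        # message, because the raw text reveals the query structure.
        return "error", str(exc)


def safe_lookup(conn, username):
    # Parameterized query: the SQL text is constant and the value travels
    # separately, so an apostrophe is just another character in the name.
    rows = conn.execute(
        "SELECT username FROM login WHERE username=?", (username,)
    ).fetchall()
    return "ok", rows


def compare(url):
    """Run one login URL through both code paths and return their outcomes."""
    conn = make_db()
    user, _password = params_from_url(url)
    return {
        "vulnerable": vulnerable_lookup(conn, user),
        "safe": safe_lookup(conn, user),
    }


if __name__ == "__main__":
    for url in (
        "www.candycanestotehmax.com/login.php?user=johnny&password=nicetry",
        "www.candycanestotehmax.com/login.php?user=a'&password=*=*",
    ):
        print(url, compare(url))
```

With `user=johnny` both paths return no rows, which is the normal failed login. With `user=a'` the concatenated query becomes `... WHERE username='a''`, an unterminated string, so SQLite raises an error; the parameterized query just looks for a user literally named `a'` and returns nothing. That difference is the whole vulnerability: in the first version the input can change what the query *is*, in the second it can only change what the query compares against.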
------------------------------------------
So we find somewhere we can enter text. Sometimes this is the login field; other times you actually have to enter it in the URL, usually after the ? in a PHP page. But assume you have to enter it in the login form. In the username field, enter a command so you can view the usernames in the table "login".
Code:
SELECT username FROM login
This would display the list of usernames in the table login. You can go back and edit the injection so it shows you the passwords also.
------------------------------------------
Well, thanks for reading my tutorial, I hope you learned something.
-Moonbat