; SQL injections- -'
Submitted by Karen N. Johnson on Sun, 01/04/2007 - 00:25.
SQL injections. I recounted my first experience testing with SQL injections last weekend at IWST. About a year and a half ago, I had read an article about SQL injections and tried a drop table command. Within seconds, the DBA came to my desk glaring at me and I learned what I did had caused some serious damage. (I was working in test not prod.)
One of the challenges experimenting with SQL injections is having a website to test. Generically testing against public sites to learn more about SQL injections is both poor form and potentially illegal so finding somewhere to learn is a challenge.
I found a site with a pod cast on SQL injections, show notes, and a hosted website built solely for hacking. A safe playground for learning; check out the hack me site.
In addition to practice time, I’ve been reading up on specific characters in terms of working with SQL injections. Characters that signify the start of a SQL command such as the single quote or the semi-colon.
And characters that instruct the database to comment out or ignore characters after following the special chars. Chars like the # (pound sign), --'(space space single quote) or * / (asterisk slash) are some.
Different databases use different characters to signal so you need to know the specific database type (SQL server, MySQL, etc.)
The more you know about the site and the schema, the more you can go after tables specifically. This means trying to learn without having a site you're currently testing can be a bit of a dead end.
Ultimately, I’d like to build a little notepad file with a dozen or so injections. I could carry around the notepad file on my flash drive like a utility application and then modify the generic injections to suit the site and schema I’m working with. I suppose this ideal SQL injection test file would have notes on the characters that apply to each database type too so I could be ready to signal a new SQL statement, comment out text, and use wildcards.
(Thanks to Dan Kuykendall for the hack me site. I have somewhere to practice without a glaring DBA.)
One of the challenges experimenting with SQL injections is having a website to test. Generically testing against public sites to learn more about SQL injections is both poor form and potentially illegal so finding somewhere to learn is a challenge.
I found a site with a pod cast on SQL injections, show notes, and a hosted website built solely for hacking. A safe playground for learning; check out the hack me site.
In addition to practice time, I’ve been reading up on specific characters in terms of working with SQL injections. Characters that signify the start of a SQL command such as the single quote or the semi-colon.
And characters that instruct the database to comment out or ignore characters after following the special chars. Chars like the # (pound sign), --'(space space single quote) or * / (asterisk slash) are some.
Different databases use different characters to signal so you need to know the specific database type (SQL server, MySQL, etc.)
The more you know about the site and the schema, the more you can go after tables specifically. This means trying to learn without having a site you're currently testing can be a bit of a dead end.
Ultimately, I’d like to build a little notepad file with a dozen or so injections. I could carry around the notepad file on my flash drive like a utility application and then modify the generic injections to suit the site and schema I’m working with. I suppose this ideal SQL injection test file would have notes on the characters that apply to each database type too so I could be ready to signal a new SQL statement, comment out text, and use wildcards.
(Thanks to Dan Kuykendall for the hack me site. I have somewhere to practice without a glaring DBA.)