|
EH-Net
|
|
May 20, 2013, 06:55:14 AM
|
 Show Posts
|
|
Pages: [1] 2 3 ... 58
|
|
2
|
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection into an INSERT statement.
|
on: May 15, 2013, 07:27:41 AM
|
You know what eyenit0, I suggest you start MySQL Workbench (free!) and try to directly write SQL code there first (without going through PHP code). This way, you will be able to test SQL without the PHP layer. For example, start with something like this: INSERT INTO txtcomment (id,comment) VALUES (10, '<A comment>'); Then replace the <A comment> (but leave the single quotes there) with what you would normally use for SQL injection. For example: -- Deleting the row containing the username 'bob' from the user table
-- Code to do this is: DELETE FROM user WHERE username='bob'
-- So the injection code would be: comment'); DELETE FROM user WHERE username='bob'; --
-- Note: There is a space at the very end of the SQL injection code!!!
INSERT INTO txtcomment (id,comment) VALUES (10, 'comment'); DELETE FROM user WHERE username='bob'; -- '); As you can see: comment'); DELETE FROM user WHERE username='bob'; -- Would be your SQLi code (including the space at the end) Then, once it works in SQL Workbench, try to do the same thing through PHP. MySQL will often give you more meaningful error messages and you don't have to worry about PHP... Does this make sense? |
|
|
|
|
3
|
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection into an INSERT statement.
|
on: May 13, 2013, 07:10:44 AM
|
Hi eyenit0, Is your 'id' column of type Integer? If it's the case, your problem is your single quotes. Change from (having single quotes around the 'id' column) INSERT INTO txtcomment (id,comment) VALUES ('" . $_POST['id'] . "','" . $_POST['comment']. "') to (no single quotes) INSERT INTO txtcomment (id,comment) VALUES (" . $_POST['id'] . ",'" . $_POST['comment']. "') You only put single quotes around CHAR, VARCHAR and DATE data types... Let me know if it works! |
|
|
|
|
7
|
EH-Net / Greetings / Re: hi
|
on: May 07, 2013, 08:12:48 AM
|
|
Welcome nighturchin!
Feel free to post your questions here. What exactly are you interested in? Do you work in IT? Are you still at school?
|
|
|
|
|
8
|
Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: Attempting GPEN This Week
|
on: May 07, 2013, 08:09:09 AM
|
For me, I self-studied by taking the Offensive-Security course "Penetration Testing with Backtrack". It was the best preparation. All I had to study after was some Windows based tools and read about laws and ethics. I barely used my notes in the exam and with no prior experience, I passed with a good score. Honestly, I realized that playing with the tools covered in the exam is by far the best way of learning. You don't have to go too deep with each tool, but knowing how they works is key to being successful with this exam. But since you were pretty close on your first attempt, you'll be good next time!  |
|
|
|
|
9
|
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: OSCP submission prior to exam
|
on: April 17, 2013, 01:05:39 PM
|
The few I'd heard from, who benefited from the lab report, said they had shown, through their exam report, too, that they were VERY close to getting a final box, which would've passed them, so their report details kind of 'proved' that they had the proper knowledge and just weren't able to finish things off. That is true. The EXAM report needs to be done properly. Like you said, if you are very close, they may give you some points for your efforts and knowledge. However, if we talk about the STUDENT LAB report, you don't need it to pass the OSCP certification. Offensive-Security mentioned that if you fail the exam but you have give them you student lab report, you will still be able to claim 40 CPE. |
|
|
|
|
12
|
Ethical Hacking Discussions and Related Certifications / General Certification / Re: CEH
|
on: April 16, 2013, 07:43:51 AM
|
For me, CEH help me study the main high level areas of information security. It was more a goal for me than anything else. Also, we have to be careful here about the advice we give on any given certification. Some seems quite easy to achieve when you have lots of experience, but in my case, it was the first certification I studied for. And since I was totally new to this field, I found it quite difficult (btw, I self studied for it). But today, I would pass it with any study... So maybe that's why many people here think it's kind of a "low" cert. Too many people on this forum are very good...  So bottom line for me, this cert didn't help me get a job at all and now with the other certifications I have, I really don't need it anymore. But that being said, it was my first achievement in this field and I worked very hard for it, so I am still happy I did it. Last thing, almost everyone in this field knows about it, even these "CISSP" guys. I believe it is known more than OSCP... |
|
|
|
|
Loading...
|
News Items and General Discussion About EH-Net : selling usa normal cc with good balance!!!
