SQL injection

Viewing 5 reply threads
  • Author
    Posts
    • #8228
      cyber.spirit
      Participant

      hi there
      I wanna try sql hacking and i have there choices

      Metasploitable
      De-ice.net
      My friend’s website

      Well, i wanna try all and i’m using Havij program as injector. But i think we need a url like this

      http://www.test.com/index.php?id=123

      But how can i find the url for metasploitable or de-ice.

      I think i can use google dorks to find the url for my friend’s site but how?

      I’ll be so thankful if you tell me.

    • #51923
      hurtl0cker
      Participant

      The Metasploitable & De-ice focuses on network-layer and application vulnerabilities.

      In your case, what you are looking at is Web apps vulnerabilities, some test beds could be found here:
      http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html

      take a look at this interesting SQLi primer:
      https://www.youtube.com/user/dhakkan3

      OWASP testing guide is a right place to start with testing web apps.
      https://owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

    • #51924
      MaXe
      Participant

      Havij is a script kiddie tool just like Pangolin is, except Havij is more widely used by script kiddies especially in the middle east. A pro tool, which can do a lot more, but is also a lot harder to use is sqlmap.

      However, using a tool only, without knowing what causes SQL Injection, how to fix it (in the code!) and how to test manually will not teach you anything, and thus you will always be a script kiddie unless you know  the cause, remediation and how to test all types of SQL Injection vulnerabilities manually.

      Sometimes the tools simply won’t work, and then you have to test manually as a penetration tester.

    • #51925
      cyber.spirit
      Participant

      @MaXe wrote:

      Havij is a script kiddie tool just like Pangolin is, except Havij is more widely used by script kiddies especially in the middle east. A pro tool, which can do a lot more, but is also a lot harder to use is sqlmap.

      However, using a tool only, without knowing what causes SQL Injection, how to fix it (in the code!) and how to test manually will not teach you anything, and thus you will always be a script kiddie unless you know  the cause, remediation and how to test all types of SQL Injection vulnerabilities manually.

      Sometimes the tools simply won’t work, and then you have to test manually as a penetration tester.

      Yup your totally right but I was at the middle of penetration testing and I had no time to see what sql injection is  how to work with sqlmap and so on. But now l am learning some other pentesting lessons I WILL LEARN sql injection after that thank you

    • #51926
      Jamie.R
      Participant

      hmm I would say learn SQL you may not have time but being pen tester I think is about being professional. Trying find a tool that you can just run and hope it works is just so wrong. You going to run a tools that you don’t really understand how it works and what is it doing. How do you know it wont break the database.

      I not saying you have to be a complete expert at it but least understand the basic behind SQL I don’t think learning the basic takes that much time.

      I also not sure any of the De-ice disk have SQL injection in them
      I would not recommend hitting you mates website

      If you want to try SQL DVWA has some in and Webgoat does they are pretty basic to find.

      I would agree with MaXE use SQLMAP but this does mean you have to understand SQL its not a click click win tool.

    • #51927
      cyber.spirit
      Participant

      @Jamie.R wrote:

      hmm I would say learn SQL you may not have time but being pen tester I think is about being professional. Trying find a tool that you can just run and hope it works is just so wrong. You going to run a tools that you don’t really understand how it works and what is it doing. How do you know it wont break the database.

      I not saying you have to be a complete expert at it but least understand the basic behind SQL I don’t think learning the basic takes that much time.

      I also not sure any of the De-ice disk have SQL injection in them
      I would not recommend hitting you mates website

      If you want to try SQL DVWA has some in and Webgoat does they are pretty basic to find.

      I would agree with MaXE use SQLMAP but this does mean you have to understand SQL its not a click click win tool.

      I agree with you man and will learn sql and sql injection too. yup password cracking is the only way to go for de-ice disk thomas told us in hacking dojo class too.

      sql is not that hard right but for some one like me who works and studies all the time, it is hard i should plan to make some free time to learn that. anyway thanks alot 

Viewing 5 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?