
SQL injection


cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sat Feb 16, 2013 3:36 pm

SQL injection

Hi there,
I wanna try SQL hacking and I have three choices:

Metasploitable
De-ice.net
My friend's website

Well, I wanna try all and I'm using the Havij program as an injector. But I think we need a URL like this:

www.test.com/index.php?id=123

But how can I find the URL for Metasploitable or De-ice?

I think I can use Google dorks to find the URL for my friend's site, but how?

I'll be so thankful if you tell me.
ICS Academy Network Security Certified

hurtl0cker

Jr. Member

Posts: 73

Joined: Thu Nov 18, 2010 10:09 am

Location: WWW

Post Sat Feb 16, 2013 5:50 pm

Re: SQL injection

Metasploitable & De-ice focus on network-layer and application vulnerabilities.

In your case, what you are looking at is web app vulnerabilities; some test beds can be found here:
http://blog.taddong.com/2011/10/hacking ... tions.html

Take a look at this interesting SQLi primer:
https://www.youtube.com/user/dhakkan3

The OWASP Testing Guide is the right place to start with testing web apps.
https://owasp.org/images/5/56/OWASP_Tes ... ide_v3.pdf
Last edited by hurtl0cker on Sat Feb 16, 2013 5:56 pm, edited 1 time in total.
“Knowing is not enough; we must apply. Willing is not enough: we must do.”
- Bruce Lee

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Feb 17, 2013 1:38 am

Re: SQL injection

Havij is a script kiddie tool just like Pangolin is, except Havij is more widely used by script kiddies, especially in the Middle East. A pro tool, which can do a lot more but is also a lot harder to use, is sqlmap.

However, using a tool only, without knowing what causes SQL Injection, how to fix it (in the code!) and how to test manually will not teach you anything, and thus you will always be a script kiddie unless you know the cause, remediation and how to test all types of SQL Injection vulnerabilities manually.

Sometimes the tools simply won't work, and then you have to test manually as a penetration tester.
I'm an InterN0T'er
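
The cause and the in-code fix mentioned in the post above, shown side by side as an added example that is not part of the original thread. It assumes a page that looks up one row by an `id` request parameter, as in the `index.php?id=123` URL earlier; the table, rows and function names are constructed for illustration, and SQLite stands in for whatever database a real application uses.

```python
import sqlite3

def make_db():
    """In-memory table with constructed sample rows (one is meant to stay hidden)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(123, "Welcome", 0), (124, "Release notes", 0), (200, "Draft: unpublished", 1)],
    )
    return db

def get_article_vulnerable(db, raw_id):
    # CAUSE: the request value is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the statement itself.
    sql = "SELECT title FROM articles WHERE hidden = 0 AND id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def get_article_fixed(db, raw_id):
    # FIX, step 1: accept only the type the application expects.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    # FIX, step 2: bind the value as a parameter. The SQL text is now a
    # constant; the value travels separately and is never parsed as SQL.
    sql = "SELECT title FROM articles WHERE hidden = 0 AND id = ?"
    return [row[0] for row in db.execute(sql, (article_id,))]

def leaks_extra_rows(handler):
    """Manual-style regression check: a tautology appended to a valid id
    must not return more rows than the plain id does."""
    db = make_db()
    baseline = handler(db, "123")
    probed = handler(db, "123 OR 1=1")
    return len(probed) > len(baseline)

if __name__ == "__main__":
    for handler in (get_article_vulnerable, get_article_fixed):
        print(handler.__name__, "leaks hidden rows:", leaks_extra_rows(handler))
```

In the vulnerable version `AND` binds tighter than `OR`, so the appended condition overrides the `hidden = 0` filter for every row; the parameterized version cannot be restructured by the input at all.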

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Fri Apr 19, 2013 2:26 am

Re: SQL injection

MaXe wrote: Havij is a script kiddie tool just like Pangolin is, except Havij is more widely used by script kiddies, especially in the Middle East. A pro tool, which can do a lot more but is also a lot harder to use, is sqlmap.

However, using a tool only, without knowing what causes SQL Injection, how to fix it (in the code!) and how to test manually will not teach you anything, and thus you will always be a script kiddie unless you know the cause, remediation and how to test all types of SQL Injection vulnerabilities manually.

Sometimes the tools simply won't work, and then you have to test manually as a penetration tester.


Yup, you're totally right, but I was in the middle of penetration testing and I had no time to see what SQL injection is, how to work with sqlmap and so on. But now I am learning some other pentesting lessons; I WILL LEARN SQL injection after that. Thank you.
ICS Academy Network Security Certified

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Fri Apr 19, 2013 5:36 am

Re: SQL injection

Hmm, I would say learn SQL. You may not have time, but being a pen tester, I think, is about being professional. Trying to find a tool that you can just run and hope it works is just so wrong. You're going to run a tool when you don't really understand how it works and what it is doing. How do you know it won't break the database?

I'm not saying you have to be a complete expert at it, but at least understand the basics behind SQL. I don't think learning the basics takes that much time.

I'm also not sure any of the De-ice disks have SQL injection in them.
I would not recommend hitting your mate's website.

If you want to try SQL, DVWA has some in it and WebGoat does too; they are pretty basic to find.

I would agree with MaXe: use sqlmap, but this does mean you have to understand SQL; it's not a click-click-win tool.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Fri Apr 19, 2013 6:49 am

Re: SQL injection

Jamie.R wrote: Hmm, I would say learn SQL. You may not have time, but being a pen tester, I think, is about being professional. Trying to find a tool that you can just run and hope it works is just so wrong. You're going to run a tool when you don't really understand how it works and what it is doing. How do you know it won't break the database?

I'm not saying you have to be a complete expert at it, but at least understand the basics behind SQL. I don't think learning the basics takes that much time.

I'm also not sure any of the De-ice disks have SQL injection in them.
I would not recommend hitting your mate's website.

If you want to try SQL, DVWA has some in it and WebGoat does too; they are pretty basic to find.

I would agree with MaXe: use sqlmap, but this does mean you have to understand SQL; it's not a click-click-win tool.


I agree with you, man, and will learn SQL and SQL injection too. Yup, password cracking is the only way to go for the De-ice disk; Thomas told us in the Hacking Dojo class too.

SQL is not that hard, right, but for someone like me who works and studies all the time, it is hard. I should plan to make some free time to learn that. Anyway, thanks a lot.
Last edited by cyber.spirit on Fri Apr 19, 2013 6:51 am, edited 1 time in total.
ICS Academy Network Security Certified
