Skip to main content

SQL Injections: from previous link

SQL Injections [At the Database Level]

The first step before SQL Injections is to test whether a site is vulnerable to SQL Injections or not. It can be achieved by giving some arbitrary input. If input results in an error message (other than user generated error message), it means site is vulnerable to SQL Injections. To find whether a sire is vulnerable to SQL injections try followings special characters in input:

‘ ; , ‘‘ % - *

Bypassing User Authentication:
An attacker can easily bypass Login Page without providing a valid user name & password. He just need to give:
' Or 1=1;-- (In the User Name text Box)
On submitting this page SQL query (at the server) becomes:
Select * from authentication where Name =' ' or 1=1; --
Note: MS SQL Server treats anything after; -- as comment so rest of the query will be ignored. What attacker has done here is without specifying a valid username & password he bypasses the Login page.
Telling you frankly even if site is vulnerable to SQL Injections most of the time it will not work. It depends on the way ASP Code is written. Key thing behind SQL Injection is your input should be according to ASP code to get desired result. Here I would like to suggest that you should try all the following possible combinations and more, which you can think.
1. ' Or 1=1; --
2. ' Or 1=1); --
3. ' any_bad_value
4. ‘ “
5. ‘ “or”
6.“ any_bad_value” ‘ etc.
Note: This explanation is just for understanding from this test scenario. This varies on your Web Application code.
Post a Comment

Popular posts from this blog

Compact and Repair an Access Database. Add Ref. to : AdoDb, Jro

< ?xml version="1.0" encoding="utf-8" ?>









using ADODB;
using JRO;
using System.Configuration;
using System.Data.OleDb;
using System.IO;

public class CompactAndRepairAccessDb : System.Windows.Forms.Form
{
private System.ComponentModel.Container components = null;
private JRO.JetEngine jro;
private System.Windows.Forms.Button btnConfirm;
private System.Windows.Forms.TextBox tbxOriginalDbSize;
private System.Windows.Forms.TextBox tbxCompactedDbSize;
private OleDbConnection cnn;

public CompactAndRepairAccessDb() {
InitializeComponent();

FileInfo fi = new FileInfo( ConfigurationSettings.AppSettings["PathOriginal"] );
int s = Convert.ToInt32( fi.Length/1000 );
this.tbxOriginalDbSize.Text = s.ToString() + " kb";
}

private void btnConfirm_Click(object sender, System.EventArgs e) {
// First close all instances of the database
// MUST HAVE EXCLUS…

Creating ISO images with Nero 5.5 Express

Mark Michaelis' Weblog - August, 2003: "Creating ISO images with Nero 5.5 Express

I recently set up an old computer for my son, Benjamin, as he keeps messing up my wifes desktop and then I have to figure out how to get it back to the way she wants it. Anyway, as part of doing this I didn't want my son putting CDs in and out of the computer as he tends to scratch them. Instead, I decided to create ISO images of them and have him use them directly from the computer using Daemon-Tools. The problem, was how to create ISO images? I had a copy of Nero Express 5.5 but it took me some time to figure out exactly how to get it to make ISO images. (If you happen to have the full version of Nero you can find instructions for creating ISO images here.)

Here are the steps for Nero Express 5.5:

1. Launch Nero Express 5.5 (yes there is a 6 version out there but I don't have it.)
2. Select the Copy Entire Disk option.
3. Click the More>> button.
4. Click the Configure…