What is SQL Injection?SQL injection is Common and famous method of hacking at present . Using this method an unauthorized person can access the database of the website. Attacker can get all details from the Database.
How It Works?SQL Injection Injects A Code Into The Mysql Database Which Gets Passed The Site Security Login.
What an attacker can do?- ByPassing Logins
- Accessing secret data
- Modifying contents of website
- Shutting down the My SQL server
Tips :- Dont try this on .gov or .edu sites.
- Dont try this on sites that look really adv.
- Try on sites that don't record false login's.
- Make sure it does not say powered by and then a company name, such a Pearson.
- Use a proxy if think you might get caught.
SQL Injection List:http://www.fileserve.com/file/hwgs3UJ/SQL_Infection_Exploit.rar
Step By Step Tutorial:-Step 1: Finding Vulnerable Website: Use Google Search Engine. We can find the Vulnerable websites(hackable websites) using
Google Dork list...
Step 2: Search in Google:
inurl:adminlogin.asp
Step 3: Copy the above command and paste in the google search engine box...
Step 4: So Start from the first website. if you find a website ending with
adminlogin.asp Now enter the website...
Step 5: At the username type in "Admin" or "Administrator" and at the password type:
1'or'1'='1
Done...!
Tips: The first string is the most important one. Many of the times it will say login failed but keep on trying with different strings...
Note: This technique will work only on low secured websites, not on every website.
How to protect you own websites from SQL injection?Filter out character like ' " - / \ ; NULL, etc. in all strings from:
- Input from users
- Parameters from URL
- Values from cookie