SQL Injection

I have become very interested in SQL Injection, just for little fun stuff, but for sites that are protected against it, i.e. when you type in a command, it, for lack of a better word, comments it out so that the website is safe. Obviously the website is still vulnerable somehow, so how do, again, for lack of a better word, "pros", hack into websites that are protected against easy SQL injection commands?

As far as I'm aware, if they properly sanitize their data inputs it's very difficult. If they've covered their bases then you just have to start looking for other vulnerabilities.

I'd be interested in hearing from someone with more experience though. I'm not a 'hacker' and have just messed around with it for uni related courses.

Well, if a site is protected the right way against SQL Injection, there is no way around it.

There are other ways to mess with the site, not just SQL Injection.

I'm new to hacking too. What are "other vulnerabilities"? What other kinds of attacks are there?

It's not just the website front end that protects the database. Good database design and the use of stored procedures and parameters versus dynamic SQL also play a role. If a web text box is filtering out bad characters but there is another way to submit SQL to a badly designed and poorly protected DB, you might find a way in. However, by now any website worth its salt should not be vulnerable.

What are other ways to mess with a site?

this is a great video

2 Likes

What are other attacks, or vulnerabilities I could look for?

  • Cross-site Scripting
  • Cross-site Request Forgery
2 Likes

This ^.

What is this?

I have heard of XSS, but what is cross-site request forgery?

You create your own page that submits un-sanitized data.

I am new to hacking, what does that mean?

Well, you can't learn 'hacking' first until you learn how it even works first.

If the site does not validate actions properly you can do things like, for example:

http://example.com/transferFunds.php?amount=1500&destination=4673243243

Imagine sending this to a user that is logged in: he clicks the link and, if the site is not protected against CSRF, the operation will be successful.
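Added example, not part of the original posts: a sketch of the server-side check that makes the transfer request above fail unless it comes from the site's own form. The handler, the session ids and the `csrf_token` parameter name are assumptions for illustration; the sample requests are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret that never leaves the server (generated at start-up here).
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token the site embeds in its own transfer form, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(method: str, session_id: str, params: dict) -> tuple:
    """Hypothetical handler standing in for transferFunds.php."""
    # A state-changing action must not be reachable through a plain link (GET).
    if method != "POST":
        return 405, "method not allowed"
    # The browser attaches the session cookie automatically, also on requests
    # started from another site, so the cookie alone proves nothing. Only a
    # page served by this site can read the token and send it back.
    supplied = str(params.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred {amount} to {destination}".format(**params)


# Constructed sample requests, all carrying the logged-in user's session "sess-A".
TRANSFER = {"amount": "1500", "destination": "4673243243"}
SAMPLES = {
    "clicked link": ("GET", "sess-A", dict(TRANSFER)),
    "POST without token": ("POST", "sess-A", dict(TRANSFER)),
    "token from another session": (
        "POST", "sess-A", dict(TRANSFER, csrf_token=issue_csrf_token("sess-B"))),
    "site's own form": (
        "POST", "sess-A", dict(TRANSFER, csrf_token=issue_csrf_token("sess-A"))),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, "->", handle_transfer(*request))
```

Only the last request succeeds; the other three are rejected even though they carry a valid session.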

Definitely, I'm not trying to be an 11 spamming forums asking for people to DDoS, I'm genuinely interested, so thanks for the info.

1 Like

OK, that makes sense, I think I'm gonna spend the week learning PHP and SQL, lol, any other languages?

JavaScript, jQuery

1 Like

I respectfully request
don't hack me bro

3 Likes