SQL INJECTION

WHAT IS SQL?

  • Most websites use a database to store data.
  • Most data is stored in it (usernames, passwords, etc.).
  • The web application reads, updates and inserts data in the database.
  • Interaction with the DB is done using SQL.

WHY ARE THEY SO DANGEROUS

1. They are everywhere.

2. Give access to the database -> sensitive data.

3. Can be used to read local files outside www root.

4. Can be used to log in as admin and further exploit the system.

5. Can be used to upload files.

DISCOVERING SQLi in POST

  • Try to break the page.
  • Using 'and', 'order by' or a single quote (').
  • Testing text boxes and URL parameters on the form.

http://target.com/page.php?something=something

Pre-configuration of Metasploitable2:

Following is a very useful error message.

So let’s modify the input in the password box. We can log in with a wrong password now.

Bypassing Authentication.
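
Why a single quote in the password box breaks the page, and how a parameterized query removes the problem, as an added example (not code from the original post). It assumes a login query built by string concatenation; SQLite stands in for the site's database, and the table, credentials and function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample data: one user whose password contains an apostrophe."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext only to keep the example short; real applications store password hashes.
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret'pw"))
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: form input is pasted into the SQL text."""
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return "ok" if db.execute(query).fetchone() else "denied"
    except sqlite3.OperationalError:
        # The quote ended the string literal early, so the statement no longer parses.
        # A page that echoes this error shows that input reaches the SQL parser.
        return "sql-error"

def login_parameterized(db, username, password):
    """Hardened pattern: placeholders keep input as data, never as SQL syntax."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return "ok" if db.execute(query, (username, password)).fetchone() else "denied"

if __name__ == "__main__":
    db = make_db()
    for pw in ["wrong", "'", "s3cret'pw"]:
        print(repr(pw), login_concatenated(db, "admin", pw),
              login_parameterized(db, "admin", pw))
```

The concatenated version fails even for the legitimate password, because its apostrophe is parsed as SQL; the parameterized version accepts it and rejects the lone quote as an ordinary wrong password.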
