SQLi Practice?


Post by Aeneid45 on Sat May 18, 2013 11:10 pm

Hi guys, I've recently taken an interest in SQL injections. Is there any way to legally practice this? Also, what do you all recommend for starting? I understand that there are a lot of different kinds of attacks, but I'm not quite sure where/how to start...

Thanks in advance!


Re: SQLi Practice?

Post by lucky 0xD on Sun May 19, 2013 4:38 am

http://www.securitytube.net/user/Audi

This is a decent set of tutorials. A basic understanding of how databases work would be helpful. There is a safe link to download a little virtual environment to practice in as you work through. There are 20 odd tutorials.


Re: SQLi Practice?

Post by Aeneid45 on Sun May 19, 2013 11:47 am

lucky 0xD wrote: http://www.securitytube.net/user/Audi

This is a decent set of tutorials. A basic understanding of how databases work would be helpful. There is a safe link to download a little virtual environment to practice in as you work through. There are 20 odd tutorials.


Thank you! Just what I need!

EDIT: Hmmm, videos aren't working...

EDIT: Working now! I hate Flash when it doesn't work...
Last edited by Aeneid45 on Mon May 20, 2013 9:07 am, edited 1 time in total.


Re: SQLi Practice?

Post by -Ninjex- on Sun May 19, 2013 4:24 pm

Aeneid45 wrote: Hi guys, I've recently taken an interest in SQL injections. Is there any way to legally practice this? Also, what do you all recommend for starting? I understand that there are a lot of different kinds of attacks, but I'm not quite sure where/how to start...

Thanks in advance!



Honestly, imo the best way to learn is to recreate the issue.
Build a site, and do not sanitize the text on input, then on your site, try some tricky SQLi commands.
Then maybe sanitize a little bit, but don't use something like mysql real escape.
Try some SQLi commands again, and see what you can do.
After you pull off some stuff, you can go to your SQL command line, and enter in the code you used to pull off the attack, and see how it works.

I say this because you will gain the knowledge of how to prevent the attack, and why it is actually working, as opposed to just entering commands and hoping that the SQLi command will execute.

Try to get you a server, and look up examples of vulnerable SQL code.

Best of luck!
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
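
A local version of the exercise described in the post above, as an added example that is not code from any poster in this thread. It assumes Python's built-in `sqlite3` with an in-memory database in place of a site and MySQL server; the table, rows, function names and test input are constructed for illustration. It shows the unsanitized query next to the parameterized fix, and prints the final SQL text so you can paste it into a SQL command line and see why it behaves as it does.

```python
import sqlite3

def make_lab_db():
    """Throwaway in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db

def build_concatenated_query(name, password):
    """The 'do not sanitize' version: input is pasted into the SQL text."""
    return ("SELECT name FROM users WHERE name = '" + name +
            "' AND password = '" + password + "'")

def login_vulnerable(db, name, password):
    """Runs the concatenated statement; input can change the SQL syntax."""
    sql = build_concatenated_query(name, password)
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, password):
    """The fix: placeholders keep input as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

# Constructed test input: the leading quote closes the string literal early,
# so the rest of the input is parsed as part of the WHERE clause.
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_lab_db()
    # The statement the database actually receives in the vulnerable path.
    print(build_concatenated_query("alice", CRAFTED))
    # AND binds tighter than OR, so the condition is true for every row.
    print("vulnerable:   ", login_vulnerable(db, "alice", CRAFTED))
    # Same input as a bound parameter: compared literally, matches nothing.
    print("parameterized:", login_parameterized(db, "alice", CRAFTED))
    # A legitimate login still works with placeholders.
    print("legit login:  ", login_parameterized(db, "alice", "correct-horse"))
```
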


Re: SQLi Practice?

Post by Aeneid45 on Mon May 20, 2013 9:06 am

-Ninjex- wrote:
Aeneid45 wrote: Hi guys, I've recently taken an interest in SQL injections. Is there any way to legally practice this? Also, what do you all recommend for starting? I understand that there are a lot of different kinds of attacks, but I'm not quite sure where/how to start...

Thanks in advance!



Honestly, imo the best way to learn is to recreate the issue.
Build a site, and do not sanitize the text on input, then on your site, try some tricky SQLi commands.
Then maybe sanitize a little bit, but don't use something like mysql real escape.
Try some SQLi commands again, and see what you can do.
After you pull off some stuff, you can go to your SQL command line, and enter in the code you used to pull off the attack, and see how it works.

I say this because you will gain the knowledge of how to prevent the attack, and why it is actually working, as opposed to just entering commands and hoping that the SQLi command will execute.

Try to get you a server, and look up examples of vulnerable SQL code.

Best of luck!


Thank you! I was considering that option, although now that the above link works, I'll be playing a bit with that.

Unfortunately, I do not have the knowledge to build a site, I'll have to learn... I guess I have a new project now!