SQL Injection? oh and hi !


Post by l30x on Tue Feb 19, 2013 10:40 pm

Hello I'm new here and I would appreciate some help. Once upon a time (two days ago) I downloaded a "hacking guide" app from Google Play. I realize this is probably the biggest noob move ever but I do wish to learn how to "hack", test website security, etc... On the app there was a tutorial on SQL injection. It showed me how to search for a site to try to test if it was vulnerable to SQL injection. Sorry if I'm not getting my terminology correct. I actually have no effing clue what SQL injection is; however, I do know how to follow easy directions.

I eventually found a website vulnerable, at least I think, it showed the error when adding ' to the end. I found the number of columns (13) and found the weak column (2). I then found the version (5.0.77), database, and user. This is when the funky stuff kicked in. I followed the directions after that and it told me vaguely, find the admin related thing. I think I did, then I tried to find the column name by replacing "mysql" or something with the Char that Hackbar spit out for me from the admin thing I found. Alas, it did not work and I could not find any tutorials better than that one, plus it seems as if everyone has their own different way of doing the injection.

I have spent some time on this site and lurked around the forums a bit and found you guys to be insightful. Therefore, I am asking on the nooblet zone for help cause I am, in fact, a nooblet. Also a couple other questions, should I abandon this attempt at hacking this website? I'm breaking the law right? If I get into the website I do not intend to do anything, I just want to see if I can do it lol. Is this too over my head (I'm on basic 8 right now <--- stuck as a mofo, but that's beside the point)? Can anyone point me towards any tutorials or guides? What should I do research on? If this is super illegal or something tell me to abandon this project. God knows I do not need to be arrested.
Also, if I get new found skillz in this subject matter where would I test it out? Random websites?

Thanks a ton for reading.

PS: The question every noob is asking, where do I start "hacking"/website security? I am also interested in malware and such.

PPS: The challenges are cool.

Re: SQL Injection? oh and hi !

Post by limdis on Tue Feb 19, 2013 11:09 pm

Awesome, you have a goal and you are pursuing learning something. +1.
You are trying to attempt a live hack without having any idea what you are doing. This will land you in jail. -1.

So let's address a couple of things first:
l30x wrote: Also a couple other questions, should I abandon this attempt at hacking this website? I'm breaking the law right?

Yes and yes. Why? See your minus 1.

So firstly we don't support illegal activity here. So we can't help you specifically with this site in particular. Now, as far as learning, you want to slow down and learn what SQL is first before attempting to hack. What you are trying to do right now is the same as attempting to sprint before learning to walk.

Step 1: Drop whatever skiddie guide you have downloaded.
Step 2: Learn what SQL is and how it works. Get the basics down.

There is a ton of information out there and I trust you can find some of the basics based on how far you have gone so far. If you need some help let us know. We're glad to help those that are really trying to learn as opposed to those who want to be a hacker overnight. 8-)
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: SQL Injection? oh and hi !

Post by l30x on Tue Feb 19, 2013 11:32 pm

-1 + 1 = 0 Okay then I got some work to do... How far along in HTML should I get until I go to JavaScript and so on?


Re: SQL Injection? oh and hi !

Post by occamsrzr on Tue Feb 19, 2013 11:45 pm

Listen to limdis, he knows what he's talking about.

On top of SQL, there's quite a bit more you'll prolly wanna get down. At its core, hacking is about knowing multiple technologies and how they can be used together to accomplish a goal that was otherwise unintended. It's "surfing" the borders or boundaries of two or more technologies.

Also, there are different types of hacking, that require knowledge in different areas. It seems that you're specifically focused on web hacking, which is just one of the different fields.

When it comes to web hacking, you'll want a pretty solid understanding of:

HTML
PHP (and other scripting languages)
Enough experience in programming in general (This will help you to infer from context how the application was written)
Apache or IIS (and to be really good, both)
*nix based OSs and even Windows (server 2003/2008 specifically, with IIS role)

Knowing just a handful of these technologies will limit you to only being able to "hack" those sites that use exactly those technologies.

On top of that, there's an immeasurable element to understanding how all those components interoperate.

To answer your question VERY simplistically, SQL injection is entering a SQL command into any input field that takes user input (and is unsanitized, i.e. doesn't filter characters like single quote, double quote, colon, semicolon etc.) to "escape" the written code, invoking an unintended action on the part of the web developer.

-- Tue Feb 19, 2013 8:49 pm --

BTW, let me stipulate that I'm ONLY advocating doing this stuff hypothetically, or on your personal website (running on your localhost or a VM, speaking of which, get VirtualBox and a Linux distro)

This will help you in learning all these technologies, like Apache and well...IIS will be a bit harder, but luckily, IIS is a built-in component in Windows 7 (and XP iirc)

-- Tue Feb 19, 2013 8:54 pm --

l30x wrote: -1 + 1 = 0 Okay then I got some work to do... How far along in HTML should I get until I go to JavaScript and so on?


Build a website that uses all, or the majority of the tags (HTML 4, you don't REALLY have to go all out and use HTML 5)

Then go back and optimize with JavaScript. Then PHP. Those are at least the basics. You can try playing around with VBscript after that if you want, that could help you with OOP.

After that, set up a MySQL DB and try to implement that into your website. Doing all this will give you the added bonus of learning a little Linux. Personally, I prefer Debian based distros like Ubuntu (for ease of use) and BackTrack (just a quick and ready to go distro with a TON of tools preinstalled)


