SQL Injection? oh and hi !

[l30x]

Hello I'm new here and I would appreciate some help. Once upon a time (two days ago) I downloaded a "hacking guide" app from Google Play. I realize this is probably the biggest noob move ever but I do wish to learn how to "hack", test website security, etc... On the app there was a tutorial on SQL injection. It showed me how to search for a site to try to test if it was vulnerable to SQL injection. Sorry if I'm not getting my terminology correct. I actually have no effing clue what SQL injection is; however, I do know how to easy directions. I eventually found a website vulnerable, at least I think, it showed the error when adding ' to the end. I found the number of columns (13) and found the weak column (2). I then found the version (5.0.77), database, and user. This is when the funky stuff kicked in. I followed the directions after that and it told me vaguely, find the admin related thing. I think I did, then I tried to find the column name by replace "mysql" or something with the Char that Hackbar spit out for me from the admin thing I found. Alas, It did not work and I could not find any tutorials better than that one, plus it seems as if everyone as their own different way of doing the injection. I have spent some time on this site and lurked around the forums a bit and found you guys to be insightful. Therefore, I am asking on the nooblet zone for help cause I am in-fact, a nooblet. Also a couple other questions, should I abandon this attempt at hacking this website? I'm breaking the law right? If I get into the website I do not intend to do anything, I just want to see if I can do it lol. Is this too over my head (I'm on basic 8 right now <--- stuck as a mofo, but that's besides the point)? Can anyone point me towards any tutorials or guides? What should I do research on? If this is super illegal or something tell me to abandon this project. God knows I do not need to be arrested. Also, if I get new found skillz in this subject matter where would I test it out? Random websites?

Thanks a ton for reading.

PS: The question every noob is asking, where do I start "hacking"/website security? I am also interested in malware and such.

PPS: The challenges are cool.

[limdis]

Awesome, you have a goal and you are pursing learning something. +1.
You are trying to attempt a live hack without having any idea what you are doing. This will land you in jail. -1.

So let's address a couple of things first:

Also a couple other questions, should I abandon this attempt at hacking this website? I'm breaking the law right?

Yes and yes. Why? See your minus 1.

So firstly we don't support illegal activity here. So we can't help you specifically with this site in particular. Now, as far as learning you want to slow down and learn what SQL is first before attempting to hack. What you are trying to do right now is the same as attempting to sprint before learning to walk.

Step 1: Drop whatever skiddie guide you have downloaded.
Step 2: Learn what SQL is and how it works. Get the basics down.

There is a ton of information out there and I trust you can find some of the basics based on how far you have gone so far. If you need some help let us know. We're glad to help those that are really trying to learn opposed to those who want to be a hacker over night.

[l30x]

-1 + 1 = 0 Okay than I got some work to do... How far a long in HTML should I get until I go to javascript and so on?

[occamsrzr]

Listen to limdis, he knows about what he's talking.

On top of SQL, there's quite a bit more you'll prolly wanna get down. At it's core, hacking is about knowing multiple technologies and how they can be used together to accomplish a goal that was otherwise unintended. It's "surfing" the boarders or boundries of two or more technologies.

Also, there are different types of hacking, that require knowledge in different areas. It seems that you're specifically focused on web hacking, which is just one of the different fields.

When it comes to web hacking, you'll want a pretty solid understanding of:

HTML
PHP (and other scripting languages)
Enough experence in programming in general (This will help you to infer from context how the application was written)
Apache or IIS (and to be really good, both)
*nix based OSs and even Windows (server 2003/2008 specifically, with IIS role)

Knowing just a handful of these technologies will limit you to only being able to "hack" those sites that use exactly those technologies.

On top of that, there's an immeasurable element to understanding how all those components interoperate.

To answer your question VERY simplistically, SQL injection is entering a SQL command into any input field that takes user input (an is unsanitized, ie doesn't filter characters like single quote, double quote, colon, semicolon etc) to "escape" the written code, invoking an unintended action on the part of the web developer.

-- Tue Feb 19, 2013 8:49 pm --

BTW, let my stipulate that I'm ONLY advocating doing this stuff hypothetically, or on your personal website (running on your localhost or a VM, speaking of which, get VirtualBox and a linux distro)

This will help you in learing all these technologies, like Apache and well...IIS will be a bit harder, but luckely, IIS is a build in component in Windows 7 (and XP iirc)

-- Tue Feb 19, 2013 8:54 pm --

-1 + 1 = 0 Okay than I got some work to do... How far a long in HTML should I get until I go to javascript and so on?

Build a website that uses all, or the majority of the tags (HTML 4, you don't REALLY have to go all out and use HTML 5)

Then go back andoptimize with Javascript. Then PHP. THose are atleast the basics. You can try playing around with VBscript after that if you want, that could help you with OOP.

After that, setup a MySQL DB and try to impliment that into your website. Doing all this will give you the added bonus of learning a littel linux. Personally, I prefer Debian based distros like Ubuntu (for ease of use) and BackTrack (just a quick and ready to go distro with a TON of tools preinstalled)