Help with SQL Injection (not a mission)

Post by Skyraz on Wed Mar 07, 2012 4:23 am

Hey guys.
My teacher has given me a challenge to try and crack into a website using SQL injections.
Now I'm having a bit of trouble with it.

I have 2 ways of doing this.
1. Brute Force (since he didn't set up any way to prevent it)
2. SQL injection.

Now, he told me I have to work out a password for one particular user, but he said bonus points if I get at least 5 others.

I found a weakness: when I created my own account and went to the profile, it had my details in the fields already and you can view the password in the source.

Code:
<td class=label>*User name</td>
<td class=data><INPUT size=20 name=username id=username maxlength=10 value='Smirks'> (between 4 and 10 alphanumeric characters)</td>
</tr>

<tr>
<td class=label>*Password</td>
<td class=data><INPUT type=password size=20 name=thepassword id=thepassword maxlength=12 value=hawks27> (between 6 and 12 alphanumeric characters)</td>

Okay, so I figured all I had to do was get into the account, even if I didn't know the password.
So I looked around and found a form that would allow me to type in my email and it would send the user and pass to the email address.
So I tried some basic injection.

First I tried a simple
Code:
'
to see if it would respond, and I got this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1


Next, I tried a random email (Johnnnnnnnny@gmail.com) and I got this:
The email address: johnnnnnny@gmail.com, does not exist in the Email DataBase.


Next I tried to evaluate it to become true with a simple
Code:
'or'1'='1
and I got this:
Your ID and Password has been sent to: 'or'1'='1.


This is where I got confused. I didn't think it would pass the SQL injection as the email. I thought my teacher might have put that line of code in the database to try and stop that certain injection, so I tried the a=a and a few others to no avail.

Figuring I would come back to that later, I tried doing the same thing with the user and pass fields, but had no luck with 1=1 or a=a. So I wanted to try
Code:
password:'or1=1--
but it was too long for the user and pass field. So I used Firebug to increase the length of the user and pass fields and used the injection, but still no luck.

Btw, this is not an assignment, he just wanted to teach us a little about the other side of databases.
If you can, please at least give me a hint first or point me in the right direction. I would like to work it out myself but I'm not sure what to try next.

Thanks :)
Skyraz
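
The three replies quoted in the post above (a raw syntax error for a lone quote, "does not exist" for an unknown address, and "sent to" echoing the input) are what a lookup built by string concatenation produces, and a bound parameter removes all three. This is an added example, not part of the thread and not the teacher's code: it uses Python's sqlite3 in place of the MySQL site, and the table, column names, sample rows, `outbox` list and generic reply text are assumptions.

```python
import sqlite3

GENERIC_REPLY = "If that address is registered, a reset link has been sent to it."

def make_db():
    # Constructed sample rows; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def recover_concatenated(db, email):
    """'Before': input is pasted into the SQL text and errors are shown to the user."""
    sql = "SELECT username FROM users WHERE email = '" + email + "'"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc
    if not rows:
        return "The email address: %s, does not exist in the Email DataBase." % email
    return "Your ID and Password has been sent to: %s." % email

def recover_bound(db, email, outbox):
    """'After': input is bound as data; the reply never reveals whether it matched."""
    try:
        row = db.execute("SELECT username FROM users WHERE email = ?",
                         (email,)).fetchone()
    except sqlite3.Error:
        row = None  # would be logged server-side, never echoed to the client
    if row is not None:
        outbox.append(row[0])  # stand-in for mailing a one-time reset link
    return GENERIC_REPLY

if __name__ == "__main__":
    db, outbox = make_db(), []
    for value in ["'", "nobody@example.test", "'or'1'='1", "alice@example.test"]:
        print(repr(value))
        print("  concatenated:", recover_concatenated(db, value))
        print("  bound:       ", recover_bound(db, value, outbox))
    print("reset links queued for:", outbox)
```

With the bound query the quoted inputs are compared as literal strings, so they match no row, and the form mails a reset link rather than a stored password.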


Re: Help with SQL Injection (not a mission)

Post by tremor77 on Wed Mar 07, 2012 10:51 am

Try using the form to submit your SQL injection in a different manner... combine SQL hack with XSS. Recreate the form locally on your PC in HTML and attempt to pass values to it that way.

Are the form values being sent via POST or GET? This could be handy information to determine your approach.

Look up UNION Hacks, and also consider ways in which you will receive results. Not all SQL injection hacks just log you into an account; sometimes you need to obtain 'pre' information like a table listing or schema... consider what types of things can be spit out in error messages...
tremor77


Re: Help with SQL Injection (not a mission)

Post by Skyraz on Wed Mar 07, 2012 8:31 pm

tremor77 wrote: Try using the form to submit your SQL injection in a different manner... combine SQL hack with XSS. Recreate the form locally on your PC in HTML and attempt to pass values to it that way.

Are the form values being sent via POST or GET? This could be handy information to determine your approach.

Look up UNION Hacks, and also consider ways in which you will receive results. Not all SQL injection hacks just log you into an account; sometimes you need to obtain 'pre' information like a table listing or schema... consider what types of things can be spit out in error messages...


I used SQL injections that tried to find letters of the database, but whatever injection I use, it just tells me it sent an email to <whatever SQL injection I used>.
I tried XSS (have to read up on it a bit more) but apart from the simple alert scripts, nothing worked.

I found a form where, if I type in the user name, it will send to the email associated with it. So I mucked around with it and just pressed 'send' with nothing in the field, and it told me that it sent the password to Sarah_Smith@gmail.com.
I tried using SQL injection to skip Sarah and use the next email in the database, but like I mentioned above, it would just tell me that the password got sent to an email called <whatever injection I used>.

He uses POST, and I discovered the database name is 'Emai'
and server info: Apache/2.2.14 (EL) Port 80

Frustrating but fun.
Skyraz


Re: Help with SQL Injection (not a mission)

Post by mpour on Wed Apr 18, 2012 11:31 pm

Hi guys,
I have a problem injecting into a website. When I use "union select...." it shows me an error.

...

:( -- tgoe
mpour


Re: Help with SQL Injection (not a mission)

Post by centip3de on Thu Apr 19, 2012 1:07 am

mpour wrote: Hi guys,
I have a problem injecting into a website. When I use "union select...." it shows me an error.

removed

HTS does not support nor condone illegal activities. What you're asking for is illegal by definition, thus, you will get no help here.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
centip3de