Website injection?


Post by AnonLeft on Tue Nov 13, 2012 4:10 pm

Hello, I hack mostly for fun, not for any evil reasons, mostly white hat hacking.

I was wondering if there was any other form of website injection. I normally use SQL injection methods to acquire and edit information from databases etc., but are there any newer or other methods of accessing database info?
I don't want the method that requires an admin password, I just want some ideas, programs, better SQL injection programs, or any other method you know of. Thank you :D

*SQL injection doesn't work very well against modern websites... :(

-- Tue Nov 13, 2012 4:11 pm --

Currently I use the program Havij.


Re: Website injection?

Post by WallShadow on Tue Nov 13, 2012 4:31 pm

Perhaps null byte injection or the Google login page lookup vulnerability is something for you?


Re: Website injection?

Post by not_essence2 on Tue Nov 13, 2012 5:14 pm

Well, there's a plethora of other types of injections, like XSS, CSRF, etc. Used correctly, they can lead to the admin's password, or just changing another user's settings and such, if you don't want the admin password.
Search up OWASP on Google. It's a "security project", a sort of Wikipedia on computer security. Go to the Attack category, and there's a big list of various types of vulnerabilities and how to exploit them (but, as it is a security project, it usually focuses more on protecting against them).


Re: Website injection?

Post by centip3de on Tue Nov 13, 2012 5:38 pm

not_essence2 wrote: Well, there's a plethora of other types of injections, like XSS, CSRF, etc. Used correctly, they can lead to the admin's password, or just changing another user's settings and such


Eh? I'm not sure I would call CSRF an injection of sorts, as you're not actually injecting anything into the site. Instead, you're just putting malicious code into what would normally be code of some sort. Also, unless the admin directly views the page that you've injected XSS into (or viewed a page that had your CSRF code in it), I highly doubt you'll be able to get their password. It's not like XSS = SQL_DATABASE_ACCESS(TRUE).

To the OP: I'd drop the program usage, and just stick with doing it yourself (although you can make your own program to do it) as you tend to learn more that way.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook


Re: Website injection?

Post by not_essence2 on Tue Nov 13, 2012 6:26 pm

True, it's more of SE than injection. Never mind me, I'm always slipping up on words. But it is still a good method.
As for program usage, you would still learn something if you code programs yourself, but they'd have to be flexible, as partial security measures could be put in place.


Re: Website injection?

Post by centip3de on Tue Nov 13, 2012 6:36 pm

not_essence2 wrote: True, it's more of SE than injection. Never mind me, I'm always slipping up on words. But it is still a good method.
As for program usage, you would still learn something if you code programs yourself, but they'd have to be flexible, as partial security measures could be put in place.


Well, types of XSS still are definitely a form of injection (you're injecting HTML/JavaScript INTO the site's HTML), though other types aren't (for instance, putting JavaScript in the URL bar, and then coaxing the other person to click on your link). Also, I suppose, one could see CSRF as a type of injection... But it's still somewhere in the gray area. Don't be so quick to doubt yourself.

Also, if you code your own programs, they are flexible by nature. If you want your web-scraper to become a disassembler, it can, because YOU made it.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
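
Added example, not part of any post in this thread: a defender's view of the distinction debated above. XSS succeeds when user text is placed unencoded into the site's HTML, while a CSRF request injects nothing and is stopped by a per-session token instead. The function names, `SERVER_KEY` and the sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Hypothetical per-deployment secret used to derive anti-CSRF tokens.
SERVER_KEY = secrets.token_bytes(32)


def render_comment(comment: str, encode: bool = True) -> str:
    """Place user-supplied text inside the site's own HTML."""
    # Without encoding, markup in the comment becomes part of the page (XSS).
    body = html.escape(comment, quote=True) if encode else comment
    return f'<div class="comment">{body}</div>'


def csrf_token(session_id: str) -> str:
    """Token bound to one session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def accept_state_change(session_id: str, submitted: Optional[str]) -> bool:
    """Accept a settings change only when the form carried the session token."""
    if not submitted:
        return False
    expected = csrf_token(session_id).encode()
    return hmac.compare_digest(expected, submitted.encode())


def demo() -> dict:
    comment = "<script>alert(1)</script>"  # constructed sample input
    session = "session-1234"               # constructed session identifier
    return {
        "raw_html": render_comment(comment, encode=False),
        "encoded_html": render_comment(comment),
        # A cross-site request carries the victim's cookie but not the token:
        # nothing was injected, yet without this check it would be accepted.
        "forged_request_accepted": accept_state_change(session, None),
        "own_form_accepted": accept_state_change(session, csrf_token(session)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
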


Re: Website injection?

Post by not_essence2 on Tue Nov 13, 2012 7:10 pm

So the conclusion here is that coding your own programs is a win-win situation?


Re: Website injection?

Post by AnonLeft on Tue Nov 13, 2012 7:13 pm

Thanks for the feedback, guys, I'll def look into it! :D


Re: Website injection?

Post by centip3de on Tue Nov 13, 2012 7:36 pm

not_essence2 wrote: So the conclusion here is that coding your own programs is a win-win situation?


Exactly that.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook


Re: Website injection?

Post by not_essence2 on Wed Nov 14, 2012 6:26 pm

What about the method used in Realistic 1? Editing files and hoping that the server isn't protected against doctored sites by the user with a******* paths?


