Monday, April 8, 2013

SQL injection explained

In the world of hackers, SQLi (SQL injection) is a term you will see and hear a lot. The idea is simple: "This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker)." -Wikipedia.



SQL is a widely known database programming language, and most databases run it. In the past, SQLi worked by passing malicious code into the login field of a site. Examples could be:
' or '1'='1 
' or 'x'='x
'or 0=0 -- 

It would look like this:
Username: Admin
Password: " or 0=0 --

Today, things are quite different. The URL bar is commonly used by hackers. By inserting a malicious string at the end of a parameter, hackers exploit the database to make it return its tables. One way to see if a site is vulnerable to SQLi is to insert a " ' " (without quotes) behind the statement. Here's a picture:

There are actually tools that make the hacker's life much easier. Some might say it's only skids who use tools, but that's not true. Even professionals use tools. I'd recommend Havij or SQLMap. Havij is easy to use and comes with a great GUI. There's a free and a paid version. If you want, I'll post a download link to the paid version.

That's all for now. Thanks for reading! Hope you learned something!
