3
votes
3 answers
81 views

SQL injection using letters and numbers?

I was wondering if it is at all possible for a hacker to perform an SQL injection attack using just letters and numbers. For example, let's take a look at this PHP code which uses regular expressions ...
1
vote
2 answers
45 views

How to deal with MySQL's Errcode 13 when trying to write a shell

My attack machine is running Kali and the server is running CentOS 6.4 with DVWA. I'm trying to write a shell through an SQL injection. The payload is ' UNION SELECT '', '<?PHP ...
6
votes
2 answers
189 views

Backdoors after SQL injection?

I just found an injection vulnerability on a live site of a client. It looks like this: $sql = "SELECT * FROM users_dl WHERE Username = '" . $Uname . "' AND Password = '" . $Pword . "'"; I ...
-5
votes
0 answers
68 views

I found the admin page but can't use the username and password that I found to deface [closed]

Hi, after finding the SQL injection bug in a site I used Havij to find the tables, and then I found the admin table and the user and pass. But I can't use them in the admin page to log in. My real question is how to ...
5
votes
4 answers
443 views

A customer's site had a big MySQL injection attack on it, just want to learn from it

I created an online store for a friend of mine. I created a system that shoots me an email any time there is a database error, that way if it is a bug in my code I can identify it and fix it. The ...
6
votes
3 answers
1k views

Is there any SQL injection for this PHP login example?

I want to write a login form, and I got one example from the web. I want to know if there is any SQL injection for this code. If there is, what could the exploit's web form entry look like? This is ...
6
votes
2 answers
623 views

SQL Injection: Drop All Tables

I used some vulnerability scanners to check a site of mine, and an instance of blind SQL injection was returned. However, when I try to exploit this vulnerability by entering the following into the ...
1
vote
1 answer
96 views

XSS MySQL Database Accessible?

I'd like to know if there is any danger of someone being able to access the database via XSS vulnerabilities on this page. I have the following link. When you go to this link, the text I've enclosed ...
-2
votes
1 answer
376 views

Admin area in my PHP website is vulnerable to SQL injection without login [closed]

My website's admin area is vulnerable to SQL injection. I tried using Havij and it successfully hacked into the database. But how is this possible? Without login it broke into the admin panel. ...
5
votes
1 answer
387 views

My site just got hit with a SQL injection attack, how can I tell what they were doing?

So a page on my site (it's a PHP page that displays newsletter articles) was vulnerable to SQL injection and got hit. I discovered it because it was doing enough database queries to cause the CPU load ...
2
votes
1 answer
283 views

SQL injecting a search form which uses boolean mode

I'm testing a web app and I could get MySQL errors by inserting ' in the search field: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the ...
0
votes
1 answer
331 views

SQL injection: use WHERE statement in address bar

How can I use a "Where" statement during an SQL injection attack in the address bar? For example: ... from+information_schema.TABLES+where+TABLE_SCHEMA+=+XXXX-- The code above does not work.
2
votes
1 answer
250 views

Using MySQL root account to execute root commands

Suppose that I have full root access to MySQL databases, but not a root user shell (Linux). How can I use the full root access to MySQL databases to execute root commands?
7
votes
3 answers
585 views

Should IP addresses be validated to prevent SQL Injection?

In PHP I retrieve a user's IP address ($_SERVER['REMOTE_ADDR']) to use it in some MySQL queries, but I do not validate them to be true IP addresses. Should I validate user IP addresses before using ...
1
vote
2 answers
273 views

Strange Pharma Spam Site resulting from DAT file created by SQL Injection?

Working on cleaning up a site compromise for a client. Leaving aside that the site is using a bunch of custom CodeIgniter code written by someone who had no concept of security, I've run into a ...