Re: sql injection: url or form based?

From: Bernhard Finkbeiner (bf@on-web.de)
Date: Fri Feb 10 2006 - 13:30:19 EST


As far as I know you can also use tools that can manipulate
HTTP-Headers. They just include
GET:...
and
POST:...
lines that you can edit with these tools.

> As a general rule, URL (GET based, technically) is easier to do. If
> the application you're trying to exploit seems to put all the
> variables in the URL line, then oftentimes you can go ahead and use
> GET-based SQL Injection.
>
> Forms use POST most of the time. Most web-based languages (perl,
> PHP, ASP etc) can determine whether the variable was sent from a GET
> or a POST request. Programmers oftentimes reference only POSTed
> variables to avoid people messing with things via the URL.
>
> To test, view the source of a forms-based web application and get all
> the variable names. Then, find the FORM ACTION="bar.php" tag and
> call that action URL with your variables on the command-line like:
>
> http://foo.example.com/bar.php?user=johndoe&email=johndoe@baz.net
>
> If you fill in all the variables needed (even the HIDDEN ones) on the
> URL line, and it doesn't respond like it would if you just filled out
> the form directly, then you will likely have trouble doing a GET
> injection.
>
> To do a forms injection, you copy the HTML of the form to your local
> computer or to some of your own server space and you make sure the
> FORM ACTION is an absolute url (i.e. change FORM ACTION="bar.php" to
> FORM ACTION="http://foo.example.com/bar.php")
>
> Then, start putting your SQL injection magic in the input boxes to
> start off with, or you can one up that and even try making the hidden
> form elements pass SQL injection if you wish.
>
> The sky is the limit.
>
> Just keep in mind that when you're doing this, the URL that your form
> is hosted from and your computer's IP Address will often be stored in
> the logs on the host you're testing, so make sure you have permission
> to do the testing.
>
> On 2/10/06, johnny Mnemonic <security4thefainthearted@hotmail.com> wrote:
> > I see many references to manipulation of SQL backend databases
> > through both URL based and Forms based SQL injection but I'm
> > wondering what are the essential differences between both methods
> > and when to use one over the other.
> > Thanks.
>
> --
> http://www.FocusHacks.com - The Ford Focus Modification Site!

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
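An added example, not part of the original thread: the same field value reaches the query whether it arrives in the URL (GET) or in the form body (POST), so accepting only POSTed variables does not remove the flaw, while a bound parameter does. The function names, the SQLite table and the sample field value are assumptions constructed for illustration; the host and field names reuse the example URL quoted above.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

def extract_params(method, url, body=""):
    """Return form fields from the query string (GET) or the request body (POST)."""
    raw = urlsplit(url).query if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def make_db():
    """Constructed in-memory table standing in for the application's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("johndoe", "johndoe@baz.net"), ("alice", "alice@baz.net")])
    return db

def lookup_concat(db, params):
    # Weak form: the field value is pasted into the SQL text, so a quote
    # character in the value changes the structure of the statement.
    sql = "SELECT email FROM users WHERE user = '" + params["user"] + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, params):
    # Hardened form: the value is bound as data and never parsed as SQL.
    sql = "SELECT email FROM users WHERE user = ?"
    return [row[0] for row in db.execute(sql, (params["user"],))]

# Constructed sample: one URL-encoded field value, sent once per transport.
FIELD = "user=johndoe%27+OR+%271%27%3D%271"
REQUESTS = [
    ("GET", "http://foo.example.com/bar.php?" + FIELD, ""),
    ("POST", "http://foo.example.com/bar.php", FIELD),
]

def compare():
    """Run both lookups for each transport; return (method, weak, bound) tuples."""
    db = make_db()
    results = []
    for method, url, body in REQUESTS:
        params = extract_params(method, url, body)
        results.append((method, lookup_concat(db, params), lookup_bound(db, params)))
    return results

if __name__ == "__main__":
    for method, weak, bound in compare():
        print(method, "concatenated:", weak, "bound:", bound)
```
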



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:29 EDT