Penetration Testing mailing list archives
Re: sql injection: url or form based?
From: FocusHacks <focushacks () gmail com>
Date: Fri, 10 Feb 2006 11:05:27 -0600
As a general rule, URL (GET based, technically) is easier to do. If the application you're trying to exploit seems to put all the variables in the URL line, then oftentimes you can go ahead and use GET-based SQL injection.

Forms use POST most of the time. Most web-based languages (Perl, PHP, ASP etc.) can determine whether the variable was sent from a GET or a POST request. Programmers oftentimes reference only POSTed variables to avoid people messing with things via the URL.

To test, view the source of a forms-based web application and get all the variable names. Then, find the FORM ACTION="bar.php" tag and call that action URL with your variables on the command line like:

http://foo.example.com/bar.php?user=johndoe&email=johndoe@baz.net

If you fill in all the variables needed (even the HIDDEN ones) on the URL line, and it doesn't respond like it would if you just filled out the form directly, then you will likely have trouble doing a GET injection.

To do a forms injection, you copy the HTML of the form to your local computer or to some of your own server space and you make sure the FORM ACTION is an absolute URL (i.e. change FORM ACTION="bar.php" to FORM ACTION="http://foo.example.com/bar.php"). Then, start putting your SQL injection magic in the input boxes to start off with, or you can one-up that and even try making the hidden form elements pass SQL injection if you wish. The sky is the limit.

Just keep in mind that when you're doing this, the URL that your form is hosted from and your computer's IP address will often be stored in the logs on the host you're testing, so make sure you have permission to do the testing.

On 2/10/06, johnny Mnemonic <security4thefainthearted () hotmail com> wrote:
I see many references to manipulation of SQL backend databases through both URL based and Forms based SQL injection but I'm wondering what are the essential differences between both methods and when to use one over the other. Thanks.
-- http://www.FocusHacks.com - The Ford Focus Modification Site!
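The reply's closing point about server logs, as an added example that is not part of the original post: a Python scan of combined-format access log lines for the two request patterns the reply describes, form fields sent in the URL of a form action and a POST whose form page was not served by the site. The host and action path come from the post's example URL; the field set, the `form.html` and `copy.html` pages, and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "foo.example.com"                 # host from the post's example URL
POST_ONLY = {"/bar.php": {"user", "email"}}   # form action -> its field names (assumed)

# Apache/nginx "combined" access log format
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

def classify(line):
    """Return (client_ip, findings) for a suspicious hit on a form action, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    fields = POST_ONLY.get(url.path)
    if fields is None:
        return None
    findings = []
    if m["method"] == "GET" and fields & set(parse_qs(url.query, keep_blank_values=True)):
        findings.append("form fields sent in URL")
    elif m["method"] == "POST":
        referer = m["referer"]
        if referer in ("", "-"):
            # a form opened from a local file normally sends no Referer
            findings.append("POST without Referer")
        elif urlsplit(referer).hostname != SITE_HOST:
            findings.append("form hosted off-site")
    return (m["ip"], findings) if findings else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges), not taken from the post
SAMPLE = [
    '192.0.2.10 - - [10/Feb/2006:11:00:01 -0600] "POST /bar.php HTTP/1.1" 200 512 "http://foo.example.com/form.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2006:11:01:12 -0600] "GET /bar.php?user=johndoe&email=johndoe%40baz.net HTTP/1.1" 200 230 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2006:11:02:40 -0600] "POST /bar.php HTTP/1.1" 200 512 "http://tester.example.net/copy.html" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2006:11:03:05 -0600] "POST /bar.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE):
        print(ip, "; ".join(findings))
```

A missing Referer is also produced by privacy settings and proxies, so these findings are triage signals to correlate with the request bodies and application errors, not proof of an injection attempt.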