One of the major problems with SQL is its poor security issues surrounding is the login and url strings.
First SEARCH the following Keywords in Google or any Search Engine:
admin\login.asp
login.asp
with these two search string you will have plenty of targets to chose from…choose one that is Vulnerable
INJECTION STRINGS: How to use it?
This is the easiest part…very simple
On the login page just enter something like
user:admin (you dont even have to put this.)
pass:’ or 1=1–
or
user:’ or 1=1–
admin:’ or 1=1–
Some sites will have just a password so
password:’ or 1=1–
There are many other strings involving for instance UNION table access via reading the error pages table structure thus an attack with this method will reveal eventually admin U\P paths.
The one I am interested in are quick access to targets
combo example:
admin:’ or a=a–
admin:’ or 1=1–
And so on. You don’t have to be admin and still can do anything you want. The most important part is example:’ or 1=1– this is our basic injection string
Now the only trudge part is finding targets to exploit. So I tend to search say google for login.asp or whatever
inurl:login.asp
index of:/admin/login.asp
like this: index of login.asp
result:
http://www3.google.com/search?hl=en&ie=ISO…G=Google+Search
17,000 possible targets trying various searches spews out plent more
After an hour or so you have a list of sites of potential targets like so
http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp
and so on. In a couple of hours you can build up quite a list because I don’t select all results or spider for log in pages.
Sit back and wait. Any target vulnerable will show up in the hits box. Now when it finds a target it will spew all the strings on that site as vulnerable. You have to go through each one on the site by cutting and pasting the string till you find the right one. But the thing is you know you CAN access the site. Really I need a program that will return the hit with a click on url and ignore false outputs. I am still looking for it. This will saves quite a bit of time going to each site and each string to find its not exploitable.
There you go you should have access to your vulnerable target by now
Another thing you can use the strings in the urls were user=? edit the url to the = part and paste ‘ or 1=1– so it becomes
user=’ or 1=1– just as quick as login process
There are lot of other variations of the Injection String which I cannot put on my blog because that is Illegal. If you are interested I can send it to you through Email. Just write in your email address in comment and I will send it to you as early as possible but you need to remain patient it may take 1 or 2 days.
Happy Hunting
