TheKingUnderTheHill Posted May 1, 2012: Hey, so I've been looking into SQL Injection and I think I've got the hang of it (test' or 1=1-- etc.). But there is nowhere for me to test this knowledge; I was wondering if anyone had, knew of, or could show me how to build a PHP login page to test this out on?
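An added example of the kind of page the question asks for (not code from this thread or from any of the projects linked below): a minimal PHP login check in its vulnerable string-concatenation form beside the prepared-statement form, run from the CLI against an in-memory SQLite database so it needs no web server. The table, the function names and the single user row are constructed for the demo.

```php
<?php
// Added example, not code from the thread: a PHP login check in its
// vulnerable form beside the fixed form. It runs from the command line
// against an in-memory SQLite database through PDO's sqlite driver, so no
// web server or MySQL install is needed. The user row is constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
// Plain-text password only to keep the demo short; a real app stores a
// password_hash() value and checks it with password_verify().
$db->exec("INSERT INTO users VALUES ('alice', 's3cret')");

// Vulnerable form: the submitted values are pasted into the SQL text, so a
// quote character in the input ends the string literal and whatever follows
// is parsed as SQL. Keep a page like this on a private VM only.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Fixed form: a prepared statement sends the query text and the values
// separately, so the input is always data and never SQL. No escaping is
// needed; the placeholders do the work.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// The thread's own test string. In the vulnerable form "--" comments out the
// password check; in the fixed form the whole string is just a username
// that does not exist in the table.
$user = "test' OR 1=1--";
$pass = "wrong";
printf("vulnerable: %s\n", loginVulnerable($db, $user, $pass) ? 'logged in' : 'rejected');
printf("safe:       %s\n", loginSafe($db, $user, $pass) ? 'logged in' : 'rejected');
```

Run it with `php login_demo.php`; the two lines show the same input accepted by the concatenated query and rejected by the prepared one.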
digip Posted May 2, 2012: College project for downloading a VM vulnerable to SQLi: http://www.cis.syr.edu/~wedu/seed/lab_env.html PDF instructions for VM setup: http://www.google.com/url?sa=t&rct=j&q=sql injection test virtual machine&source=web&cd=1&ved=0CEkQFjAA&url=http://www.cis.syr.edu/~wedu/seed/Labs/Attacks_SQL_Injection/SQL_Injection.pdf&ei=GIKgT5XsD8bfggeQtbn5DQ&usg=AFQjCNFuR0TSTqj9VB4cqPqUJFF8jPOBnw Edit: PDF link http://bit.ly/KtGzF2 Edited May 2, 2012 by digip
TheKingUnderTheHill Posted May 2, 2012: Thanks for the help, really appreciated! Unfortunately the second link is invalid. Can't believe I didn't think to use a VM before!
digip Posted May 2, 2012:
> Thanks for the help, really appreciated! Unfortunately the second link is invalid. Can't believe I didn't think to use a VM before!
Try http://bit.ly/KtGzF2 for the PDF.
digininja Posted May 2, 2012: Look at Iron Geek's site; he has a huge list of vulnerable software which includes vulnerable web apps to go for. Off the top of my head you can look at the Hackme range from Foundstone and WebGoat from OWASP. Also, my favourite, DVWA, which you can get as a bootable image (perfect for a VM), which was written by a friend of mine and I've contributed little bits to.
TheKingUnderTheHill Posted May 4, 2012: Brilliant! Thanks digininja! Sorry if I seem like I'm asking too many questions, aha!
digininja Posted May 4, 2012: I don't mind questions. I start to object when people don't say thanks and don't put effort in to do some research beforehand, or don't give feedback afterwards. As long as you join in and don't expect to be spoon-fed you'll get help.
xero Posted June 14, 2012: If you want to do some reading on the topic, I really enjoyed this book: SQL Injection Attacks and Defense by Justin Clarke, and this blog: web security with Chris Shiflett. If you're looking for tools, I highly recommend sqlninja and sqlmap.
Infiltrator Posted June 15, 2012:
> If you're looking for tools, I highly recommend sqlninja and sqlmap.
No doubt, they are good tools, but I would recommend learning SQL injection manually before attempting the tools. It helps you develop an understanding of how the tools work in general. I'd also recommend buying the "Basics of Hacking and Penetration Testing" book, to help you further. Edited June 15, 2012 by Infiltrator
ihackforfun Posted July 9, 2012:
> No doubt, they are good tools, but I would recommend learning SQL injection manually before attempting the tools. It helps you develop an understanding of how the tools work in general. I'd also recommend buying the "Basics of Hacking and Penetration Testing" book, to help you further.
I fully agree with you, but there are some SQL injection techniques that are very hard to do manually because they either require a lot of work (blind SQLi) or are time-based attacks; here a good tool is the only solution. Also, when testing my own application I will always run any tool I can find (mostly just using default options) against it to make sure the script kiddies cannot get in easily.
ghosthunter007 Posted July 12, 2012: You want to get "The Web Application Hacker's Handbook" vol. 1 and 2. You can get them in PDF off the net; if you can't, hit me up and I will upload them to my site for download.
ihackforfun Posted July 12, 2012:
> You want to get "The Web Application Hacker's Handbook" vol. 1 and 2. You can get them in PDF off the net; if you can't, hit me up and I will upload them to my site for download.
I've been wondering, is vol. 1 the predecessor of vol. 2? And is it worthwhile to read both? I'm currently using vol. 2 to help me prepare for the SANS 542 exam. Sorry for this off-topic reaction ;-)
Life like Opossum Posted July 25, 2012: Here is an excellent tutorial for SQL injection that can be found on the BackTrack 5 forums. The author has a video on the manual and automated methods, as well as full descriptions of each and copies of the code. Excellent learning reference. http://www.backtrack...ead.php?t=47186 Edited July 25, 2012 by Saelani
Infiltrator Posted July 25, 2012: The guys at hackforums.net have great SQL injection tutorials; you might want to check them as well. Edited July 25, 2012 by Infiltrator
WatskeBart Posted August 20, 2012: Check out GameOver ;)
To practice:
- XSS
- CSRF
- RFI & LFI
- Brute-force authentication
- Directory/path traversal
- Command execution
- SQL injection
Contains:
- DVWA (Damn Vulnerable Web Application)
- OWASP WebGoat
- Ghost
- Mutillidae
- Zap-Wave
- OWASP Hacademic Challenges
- OWASP Vicnum
- WackoPicko
- OWASP Insecure Web App
- BodgeIt
- PuzzleMail
- WAVSEP
Run it in your favourite VM software as a Live CD.
novatore Posted October 5, 2012: hackthissite.org has various "games" set up for doing different types of hacks.
aPices Posted October 12, 2012: What helped was learning SQL before trying to hack it. Install it on Linux and Windows, as each OS handles errors differently. Then the hacking should come naturally (or easier). Edited December 16, 2012 by aPices
digininja Posted October 12, 2012: I'd fully agree with this. You can't attack something properly if you don't know how to use it.
Raven997 Posted October 16, 2012: Anyone use this? http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
aPices Posted October 16, 2012:
> Anyone use this? http://www.irongeek....hp-owasp-top-10
I use this: http://code.google.com/p/owaspbwa/ (includes Mutillidae)