Mysql Injection Tutorial
#13
Are prepared statements a completely bulletproof defense for all types of SQL injections? Some guides say they are.
Reply
#14
(04-03-2017, 04:20 PM)betsyjackson Wrote:  Are prepared statements a completely bulletproof defense for all types of SQL injections? Some guides say they are.

No, not at all. You have to properly use prepared statements.
Let's say we have a query that selects a certain post based on id.

Normal mysqli (procedural)
PHP Code:
// $id is interpolated straight into the SQL text, so the query is injectable
mysqli_query($con, "SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");

Proper usage of PDO
In PDO you have to use placeholders, either named or positional, and later define the placeholders.
PHP Code:
// :id is a named placeholder; the value is sent separately from the query text
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = :id");
$stmt->execute(array(":id" => $id));

Bad usage of PDO
PHP Code:
// prepare() is called, but $id was already interpolated, so there is nothing to bind
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");
$stmt->execute();

The idea of a native prepared statement is smart and simple: query and data are sent to the server separated from each other, and thus there is no chance for them to interfere, which makes injection impossible.
But make no mistake, prepared statements can be poorly used and still be vulnerable to certain injection types.

Sorry for the late reply, hope you understand it a little better now.
Reply
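The three PHP snippets above are not runnable without a MySQL server, so here is an added example (not from the poster, and not PHP) that shows the same three cases against an in-memory SQLite table using Python's standard sqlite3 module: string interpolation (the mysqli and "bad PDO" cases behave identically, since the value is already in the query text before prepare is called), a real parameterized query, and the one place placeholders cannot help, an identifier such as an ORDER BY column, which has to be checked against an allow-list instead. The table, its rows and the sample inputs are constructed for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the forum's "posts" table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, "
        "post_content TEXT, post_time TEXT)"
    )
    con.executemany(
        "INSERT INTO posts VALUES (?, ?, ?, ?)",
        [
            (1, "first", "hello", "2017-04-01"),
            (2, "second", "secret draft", "2017-04-02"),
        ],
    )
    return con


def fetch_interpolated(con, post_id):
    # Same shape as the mysqli snippet and the "bad PDO" snippet: the value is
    # pasted into the SQL text, so the database cannot tell data from query.
    # Calling prepare() on this string afterwards changes nothing.
    sql = f"SELECT post_title, post_content, post_time FROM posts WHERE id = '{post_id}'"
    return con.execute(sql).fetchall()


def fetch_parameterized(con, post_id):
    # Same shape as the proper PDO snippet: the SQL text has a placeholder and
    # the value travels separately, so it is always treated as a literal.
    sql = "SELECT post_title, post_content, post_time FROM posts WHERE id = ?"
    return con.execute(sql, (post_id,)).fetchall()


# Placeholders only bind values, never identifiers. A user-chosen sort column
# still has to go into the SQL text, so restrict it to known column names.
ALLOWED_SORT_COLUMNS = frozenset({"post_time", "post_title"})


def is_allowed_sort(column):
    return column in ALLOWED_SORT_COLUMNS


def fetch_sorted(con, sort_column):
    if not is_allowed_sort(sort_column):
        raise ValueError("sort column not in allow-list")
    # Safe to interpolate only because sort_column is one of our own constants.
    sql = f"SELECT post_title FROM posts ORDER BY {sort_column}"
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    con = make_db()
    benign = "2"
    tampered = "' OR '1'='1"  # constructed input that changes the WHERE clause
    print("interpolated, benign:  ", fetch_interpolated(con, benign))
    print("interpolated, tampered:", fetch_interpolated(con, tampered))
    print("parameterized, benign: ", fetch_parameterized(con, benign))
    print("parameterized, tampered:", fetch_parameterized(con, tampered))
    print("sorted by allowed column:", fetch_sorted(con, "post_title"))
```

Run it and the interpolated query returns every row for the tampered input while the parameterized one returns nothing, because the bound value is compared as a single string against the integer column. The allow-list is the part the PDO snippets cannot express: a placeholder in an ORDER BY or table-name position is a syntax error, so that input must be validated before it reaches the query.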
#15
(04-29-2017, 10:46 AM)deviant Wrote:  
(04-03-2017, 04:20 PM)betsyjackson Wrote:  Are prepared statements a completely bulletproof defense for all types of SQL injections? Some guides say they are.

No, not at all. You have to properly use prepared statements.
Let's say we have a query that selects a certain post based on id.

Normal mysqli (procedural)
PHP Code:
// $id is interpolated straight into the SQL text, so the query is injectable
mysqli_query($con, "SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");

Proper usage of PDO
In PDO you have to use placeholders, either named or positional, and later define the placeholders.
PHP Code:
// :id is a named placeholder; the value is sent separately from the query text
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = :id");
$stmt->execute(array(":id" => $id));

Bad usage of PDO
PHP Code:
// prepare() is called, but $id was already interpolated, so there is nothing to bind
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");
$stmt->execute();

The idea of a native prepared statement is smart and simple: query and data are sent to the server separated from each other, and thus there is no chance for them to interfere, which makes injection impossible.
But make no mistake, prepared statements can be poorly used and still be vulnerable to certain injection types.

Sorry for the late reply, hope you understand it a little better now.

Since you seem pretty knowledgeable on the subject, do you know if MariaDB is exploitable in the same manner as MySQL, and are they resistant to injection in similar ways?

Or would learning to exploit MariaDB require a different style of injection and knowledge base?
Reply
#16
havij and sqli dumper are good tools for noobs on sql hacking.
Reply
#17
(04-29-2017, 12:06 PM)Anonysteve Wrote:  ....do you know if MariaDB is exploitable in the same manner as MySQL, and are they resistant to injection in similar ways?

Or would learning to exploit MariaDB require a different style of injection and knowledge base?

They are no exception:
https://www.cvedetails.com/vulnerability...riadb.html
Reply
#18
(04-29-2017, 12:23 PM)1tspeter Wrote:  havij and sqli dumper are good tools for noobs on sql hacking.

No, tools aren't good. They're for lazy people and I wouldn't recommend them to anyone, as you won't know what exactly happens in the background. Tools simply can't compare to the human mind; they can't bypass hard WAFs.

Tools are time-consuming, nothing more. I could understand it for exploiting time-based blind injections or something like that, but only then.
Reply
#19
good thread ty for information Heart
Reply
#20
can anyone write a tutorial on this one http://thehackernews.com/2017/06/wordpre...ction.html
Reply
#21
no one ever taught me how to do this and so many guide just go over the top. this is perfect
Reply
#22
High quality shit here. finally. thanks
Reply
#23
This content was removed.
Reply
#24
thanks for the info man every little bit helps I wanna be a pro haxer
Reply