Mysql Injection Tutorial
#13
Are prepared statements a completely bulletproof defense for all types of SQL injections? Some guides say they are.
Reply
#14
(04-03-2017, 04:20 PM)betsyjackson Wrote:  Are prepared statements a completely bulletproof defense for all types of SQL injections? Some guides say they are.

No, not at all. You have to properly use prepared statements.
Let's say we have a query that selects a certain post based on id.

Normal mysqli (procedural)
PHP Code:
// $id is pasted straight into the SQL text, so the query and the data are not separated
mysqli_query($con, "SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");


Proper usage of PDO
In PDO you have to use placeholders, either named or positional, and later define the placeholders.
PHP Code:
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = :id");
$stmt->execute(array(":id" => $id)); 

Bad usage of PDO
PHP Code:
// $id is interpolated before prepare() runs, so the placeholder mechanism is never used
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");
$stmt->execute(); 

The idea of a native prepared statement is smart and simple: query and data are sent to the server separated from each other, and thus there is no chance for them to interfere, which makes injection impossible.
But make no mistake, prepared statements can be poorly used and still be vulnerable to certain injection types.

Sorry for the late reply, hope you understand it a little better now.
Reply
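To make the "proper" vs. "bad" PDO usage above concrete, here is an added example (not code from the thread) that runs both variants against a constructed in-memory SQLite database, so no MySQL server is needed; it assumes the pdo_sqlite extension is enabled. Feeding the same input containing a stray quote to each version shows the point: bound as data it simply matches nothing, interpolated it becomes part of the SQL text and breaks the query.

```php
<?php
// Added example, not from the original post. Assumes pdo_sqlite is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table matching the columns used in the thread.
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_time TEXT)");
$pdo->exec("INSERT INTO posts VALUES (1, 'first', 'hello', '2017-04-29 10:46'),
                                      (2, 'second', 'world', '2017-04-29 12:06')");

// Proper usage: the SQL text is fixed; the value travels separately as a bound parameter.
function fetchPostSafe(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Bad usage: prepare() is called, but $id is already inside the SQL string,
// so the prepared statement gives no protection at all.
function fetchPostUnsafe(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A well-formed id behaves the same in both versions: one row comes back.
echo "safe, id=1: ", count(fetchPostSafe($pdo, '1')), " row(s)\n";
echo "unsafe, id=1: ", count(fetchPostUnsafe($pdo, '1')), " row(s)\n";

// Constructed input containing a quote character. Bound as data it is just a
// string that matches no id; interpolated it alters the SQL and the driver rejects it.
$odd = "1'";
echo "safe, id=", $odd, ": ", count(fetchPostSafe($pdo, $odd)), " row(s)\n";
try {
    fetchPostUnsafe($pdo, $odd);
    echo "unsafe version ran (unexpected)\n";
} catch (PDOException $e) {
    echo "unsafe version: the input became part of the query and caused a SQL error\n";
}
```

Run it with `php example.php`; the only difference between the two functions is whether `$id` is bound or interpolated, which is exactly the distinction the post draws.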
#15
(04-29-2017, 10:46 AM)deviant Wrote:  
(04-03-2017, 04:20 PM)betsyjackson Wrote:  Are prepared statements a completely bulletproof defense for all types of SQL injections? Some guides say they are.

No, not at all. You have to properly use prepared statements.
Let's say we have a query that selects a certain post based on id.

Normal mysqli (procedural)
PHP Code:
// $id is pasted straight into the SQL text, so the query and the data are not separated
mysqli_query($con, "SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");


Proper usage of PDO
In PDO you have to use placeholders, either named or positional, and later define the placeholders.
PHP Code:
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = :id");
$stmt->execute(array(":id" => $id)); 

Bad usage of PDO
PHP Code:
// $id is interpolated before prepare() runs, so the placeholder mechanism is never used
$stmt = $pdo->prepare("SELECT post_title, post_content, post_time FROM posts WHERE id = '$id'");
$stmt->execute(); 

The idea of a native prepared statement is smart and simple: query and data are sent to the server separated from each other, and thus there is no chance for them to interfere, which makes injection impossible.
But make no mistake, prepared statements can be poorly used and still be vulnerable to certain injection types.

Sorry for the late reply, hope you understand it a little better now.

Since you seem pretty knowledgeable on the subject, do you know if MariaDB is exploitable in the same manner as MySQL, and are they resistant to injection in similar ways?

Or would learning to exploit MariaDB require a different style of injection and knowledge base?
Reply
#16
havij and sqli dumper are good tools for noobs on sql hacking.
Reply
#17
(04-29-2017, 12:06 PM)Anonysteve Wrote:  ....do you know if MariaDB is exploitable in the same manner as MySQL, and are they resistant to injection in similar ways?

Or would learning to exploit MariaDB require a different style of injection and knowledge base?

They are no exception:
https://www.cvedetails.com/vulnerability...riadb.html
Reply
#18
(04-29-2017, 12:23 PM)1tspeter Wrote:  havij and sqli dumper are good tools for noobs on sql hacking.

No, tools aren't good. They're for lazy people and I wouldn't recommend them to anyone, as you won't know what exactly happens in the background. Tools simply can't compare to the human mind; they can't bypass hard WAFs.

Tools are time-consuming, nothing more. I would understand it if exploiting time-based blind injections or something like that, but only then.
Reply
#19
good thread ty for information
Reply
#20
can anyone write a tutorial on this one http://thehackernews.com/2017/06/wordpre...ction.html
Reply
#21
no one ever taught me how to do this and so many guides just go over the top. this is perfect
Reply
#22
High quality shit here. finally. thanks
Reply
#23
This content was removed.
Reply
#24
thanks for the info man every little bit helps I wanna be a pro haxer
Reply