:: vBspiders Professional Network ::

:: vBspiders Professional Network :: (http://www.vbspiders.com/vb/index.php)
-   Penteration Testing Training (http://www.vbspiders.com/vb/forumdisplay.php?f=278)
-   -   MYSQL TESTING (http://www.vbspiders.com/vb/showthread.php?t=42895)

anti-trust 02-10-2011 06:36 PM
MYSQL TESTING
 
MYSQL TESTING


SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL
 code under the privileges of the user used to connect to the database


How to Test !!!


When a SQL Injection is found with MySQL as DBMS backend

there are a number of attacks that could be accomplished

depending on MySQL version and user privileges on DBMS

MySQL quote escaping is the following:
'A string with \'quotes\''


* Every version has a set of features proportional to version number

* From Version 4.0: UNION
* From Version 4.1: Subqueries
* From Version 5.0: Stored procedures, Stored functions and the view named INFORMATION_SCHEMA
* From Version 5.0.2: Triggers
We will Talk More latter About Mysql Injection in Next Module


in this part ill use An Auto Tools


http://w3af.sourceforge.net/images/v1.png


in this video we will Discover How To use The w3af


based on MYSQL Error using SQLMAP


What The SQL INJECTION Script Do


1- plugin sends the string d'z"0 to every injection point

2- and searches for SQL errors in the response body


its look like Create the vuln

كود:
v.setDesc( 'SQL injection in a '+ v['db'] +' was found at: ' + mutant.foundAt() )
and Here Discover it
كود:
            # MYSQL
            errors.append( ('supplied argument is not a valid MySQL', dbms.MYSQL ) )
            errors.append( ('Column count doesn\'t match value count at row', dbms.MYSQL ) )
            errors.append( ('mysql_fetch_array\\(\\)', dbms.MYSQL ) )
            errors.append( ('mysql_', dbms.MYSQL ) )
            errors.append( ('on MySQL result index', dbms.MYSQL ) )
            errors.append( ('You have an error in your SQL syntax;', dbms.MYSQL ) )
            errors.append( ('You have an error in your SQL syntax near', dbms.MYSQL ) )
            errors.append( ('MySQL server version for the right syntax to use', dbms.MYSQL ) )
            errors.append( ('\\[MySQL\\]\\[ODBC', dbms.MYSQL ))
            errors.append( ("Column count doesn't match", dbms.MYSQL ))
            errors.append( ("the used select statements have different number of columns", dbms.MYSQL ))
            errors.append( ("Table '[^']+' doesn't exist", dbms.MYSQL ))
            errors.append( ("DBD::mysql::st execute failed", dbms.MYSQL ))
            errors.append( ("DBD::mysql::db do failed:", dbms.MYSQL ))



and now To watch this video on vbspiders broadcast


its always online
كود:

http://player.vimeo.com/video/19789056



password : vbspiders.com


Best Regards

Cyber Code 02-10-2011 06:50 PM
جاري المشاهده ..
وشكراً لك مقدماً , ( جاري التقييم)

في أمان الله

loulou 02-10-2011 07:03 PM
يعطيك العافية مشكوور

hack!n9 03-09-2011 05:05 PM
البسوورد غير شغال ممكن باسوورد صحيح


الساعة الآن 05:50 AM


[ vBspiders.Com Network ]


SEO by vBSEO 3.6.0