SecurityTubeBeta Watch ... Learn ... Contribute |
 |
 |
  |
|
SecurityTube
Questions - a Q&A section for Infosec and Hacking launched!!!
|
SQL Injection (Infinity Exists)
SQL injection is a technique in which an attacker exploits a security vulnerability occurring in the database layer of an application. This vulnerability is present when the user input is not filtered properly. In this video Nox and Patchy from Infinity Exists use an SQL (Structured Query Language) injection vulnerability to extract password hashes from the websites database.The vulnerability is present in WP-Forums. They first check for the vulnerability using universal truths like 1=1 etc . Using False statements like 1=0 with the AND operator produces sql errors which give away the SQL statement used in the website. They then find the no of columns in the database using the ORDER BY statement . Any ORDER BY X statement (where x is an integer ) where x is greater than the no of columns will produce an error message.We can then find the column to which the data is output to using select by statement using different integers for different columns . Since wp forums is open source we can find the name of the table and the corresponding column that contains the passwords hashes.. We can modify the sql query to output the password hashes to the column to which the data is output to from the table that contains the password hashes.The administrator password is generally the first password so we can get the password which has the first id ( or id=1) then use a . we can then use a dictionary attack on the MD5 hash thus obtained to crack the administrator password using Cain and Abel.
A high resolution version of this video is available for download here.
SecurityTube
Questions - a Q&A section for Infosec and Hacking launched!!!
|
Related Videos from: Exploit Demos
.jpg) |  | .jpg) |  |  | |
You are Viewing this Video Now! | |||||
3811 views | 5035 views | 2267 views | 3920 views | 4406 views |
Author
Prateek Gianchandani , 20 is a student dedicated to the field of network security . He has organized a number of workshops and hacking events in his college. Learning more and more about network security always keeps him busy . His favourite passtimes include listening to music,reading novels, playing snooker etc. He is currently doing B-tech in electrical engineering from the prestigious Indian Institute of technology ,Roorkee. u can contact him at prateek_gian [-at*] yahoo.co..in
©2007 Freak Labs |