6

This is not a programming question but I have no idea why I did it. Yesterday, I was going through a tutorial about ethical hacking and found a tutorial about SQL injection. It says, find an admin login.asp site and enter as follows: Admin: Admin Password: ' or '1'='1

I really don't know what that is and how it works. But, when I tried the same for a website, I was shocked by the result. It gave me a warning like "... your IP address ip xxx.xxx.xxx.xxx and you may be prosecuted for this action ... etc". I was really scared by the warning. I had no intention to do anything, I was just following the tutorial.

Can anyone tell me what will happen to me? I am really worried about this.

jeewan
  • 11
    Don't worry about it – SLaks Aug 13 '12 at 14:45
  • 3
    Agreed, it's a scare tactic that apparently worked. – Luke Wyatt Aug 13 '12 at 14:45
  • 1
    Nothing. This is the computing equivalent to walking up to a window and pushing it to see if it will open. – verdesmarald Aug 13 '12 at 14:46
  • Hi guys, thanks for the quick response. Can you please tell me, is it a crime? I really don't have any idea about this. I am not that smart for hacking. I am a normal web developer. – jeewan Aug 13 '12 at 14:46
  • 1
    @verdesmarald Yup, exactly: It's rude, you shouldn't do it, but you won't get in trouble for it. – Andrew Barber Aug 13 '12 at 14:46
  • 1
    If it's not your server, really don't do it. It's probably illegal in your country. This message you saw is probably just there to scare you, though. – Bridge Aug 13 '12 at 14:47
  • That's not my server. I searched "Admin login.asp" on Google and found a random site and tried the tutorial. It showed me my IP address has been tracked and I will be prosecuted for that. Seriously, I am worried about it. – jeewan Aug 13 '12 at 14:52
  • 2
    I would recommend reading more on the subject and finding out the possible consequences on both the application and legislation levels in advance next time, rather than following tutorials blindly. There are plenty of resources explaining the nature of SQLI attacks out there, starting from [Wikipedia](http://en.wikipedia.org/wiki/SQL_injection). – vyegorov Aug 13 '12 at 14:52
  • 7
    It begs the question... Is the site in question _actually_ protected from SQL injection attacks or are they just filtering for specific keywords and showing that error in response? Talk about creating an "attractive nuisance." Someone less deterred by their response could pose a problem for them. – David Aug 13 '12 at 14:53
  • Hi David, I do not even remember what site that was because I just searched on Google for "Admin login.asp" and whatever I found on the first search page, I opened the admin login and tried that. But I guess I can find the URL by looking at the history (I remember I used Google Chrome for that). It had just two input fields, Admin and Password. – jeewan Aug 13 '12 at 15:47
  • 2
    Happened to me once. Good thing I have internet access in my cell... – Luchian Grigore Aug 13 '12 at 20:34

2 Answers

5

To sum up what happened:

  1. You attempted to inject SQL through whatever method you tried.

  2. Their website was smart enough to recognize your input.

  3. They generated an automated threat and sent it back to your browser.

I doubt you have to be worried. Their website most likely gets these kinds of attacks quite often and the amount of money they need to spend to prosecute is pretty great and that is only IF it is considered illegal in your region.

Luke Wyatt
  • Hi Luke, thanks for the reply. I am from New Jersey and I hope I won't be in trouble for this. I am not that smart to hack. I was just curious to read/watch the tutorial on YouTube and blindly followed what it said. I should not have done that. Anyway, I hope everything will be fine and I have learnt the lesson about what to do and what not to. – jeewan Aug 13 '12 at 15:04
  • 1
    Unfortunately, your self study did backfire. However, I would encourage you to continue your studies on your own server. As a web developer, you should know how to protect the sites you make. – Luke Wyatt Aug 13 '12 at 15:17
  • ya exactly, I will continue studying it. Thanks. – jeewan Aug 13 '12 at 15:32
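
Why the input from the question gets past a login query built by string concatenation, and how a parameterized query stops it. This is an added example, not part of the original thread, and it runs only against a local in-memory SQLite database. The table, the sample account and the function names are assumptions; Python and SQLite stand in for the classic ASP site, whose actual code is unknown.

```python
import sqlite3

def make_db():
    """In-memory table holding one constructed admin account (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (name TEXT, password TEXT)")
    # Plain-text password only to keep the query readable; store a salted hash in practice.
    db.execute("INSERT INTO admins VALUES ('Admin', 's3cret-sample')")
    return db

def build_concat_query(name, password):
    """Fragile pattern: user input is pasted straight into the SQL text."""
    return ("SELECT COUNT(*) FROM admins WHERE name = '" + name +
            "' AND password = '" + password + "'")

def login_concat(db, name, password):
    return db.execute(build_concat_query(name, password)).fetchone()[0] > 0

def login_param(db, name, password):
    """Placeholders pass the input as data, so it is never parsed as SQL."""
    row = db.execute(
        "SELECT COUNT(*) FROM admins WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] > 0

if __name__ == "__main__":
    db = make_db()
    question_input = "' or '1'='1"  # the password value quoted in the question
    # The quotes in the input close the string literal, and AND binds tighter
    # than OR, so the WHERE clause ends in  ... OR '1'='1'  and matches every row.
    print(build_concat_query("Admin", question_input))
    print("concatenated :", login_concat(db, "Admin", question_input))
    print("parameterized:", login_param(db, "Admin", question_input))
    # A legitimate apostrophe breaks the concatenated query outright,
    # while the parameterized query handles it as ordinary text.
    try:
        login_concat(db, "O'Brien", "x")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print("parameterized:", login_param(db, "O'Brien", "x"))
```
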
3

You should send them an email where you describe that you wanted to study techniques to avoid SQL injection attacks on your side. You should apologize and I'm sure there will be no problems.

Lajos Arpad
  • Definitely, it's a good idea. But the problem is I do not remember which Admin site I tried yesterday. Probably I can find that by looking in the History in Google Chrome (I used Chrome for that). – jeewan Aug 13 '12 at 15:52
  • Yes, the history of your browsing probably holds the site. I think they will understand you. – Lajos Arpad Aug 13 '12 at 17:22