
I have a website which is vulnerable to SQL injection. It has a username and a password and when we write the username as admin and the password as `'or 1=1-- ` it logs in saying that you have been successfully logged in as admin. I want to find the password of admin using an SQL injection. What can I do? Strictly for learning purposes. I need the password of admin while performing an SQL injection on the username and password fields.

Mahatma Gandhi
  • Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) - Oh wait, you didn't specify your programming language? The key is prepared statements and "?" substitution (parameter binding). – Kenney Jan 30 '16 at 15:33
  • Not sure us telling you how to exploit this is great for you; you should be trying to fix it. – DominicEU Jan 30 '16 at 15:35
  • You shouldn't be storing passwords in clear text in the first place. – Jan 30 '16 at 15:35
  • @DominicEU I'm training to be an ethical hacker, just beginning. – Mahatma Gandhi Jan 30 '16 at 15:36
  • I'm voting to close this question as off-topic because the poster is asking how to hack for gaining passwords. He should instead be asking how to prevent hacking. – TT. Jan 31 '16 at 22:43

1 Answer

Your ability to retrieve the admin password depends on how the password is stored, and how the server-side script that accesses the database is written. If the password is properly salted and hashed, it is virtually impossible to retrieve it; you're simply overriding the system that checks the password. If not, it would still be very difficult and you would need to do a lot of experimentation (see this answer on Information Security Stack Exchange). Either way, you will need to know a lot about the system and how it works in order to attempt such an attack.

Nick Mertin
  • That the override is possible by injecting via the password value implies that the password validation also happens within the same SQL query. And the injected value `'or 1=1-- ` implies that it's probably in plain text. So blind exfiltration of the plaintext password would probably be possible. – Gumbo Jan 30 '16 at 17:02
  • @Gumbo very good point, however even if a SELECT query can be run, how do you get it to send the results back to you? – Nick Mertin Jan 30 '16 at 21:14
  • There are certain exfiltration techniques that work with boolean behavior or even by sending DNS requests (blind out-of-band). Have a look at [my answer to *What is blind injection and how to simulate the issue?*](http://security.stackexchange.com/a/59097/539). – Gumbo Jan 30 '16 at 22:36
  • @Gumbo Interesting, I did not realize that. I will update my answer. – Nick Mertin Jan 31 '16 at 20:12
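The two defects the answer and the comments identify are (a) the password comparison happening inside a query built by string concatenation, which is why `' or 1=1-- ` logs in, and (b) the password being stored in plain text, which is why its exfiltration is even conceivable. The following is an added example, not code from the question or from any answer on this page, showing the broken login pattern beside the fix the commenters point to: a parameterized query plus a salted PBKDF2 hash verified in application code. It uses Python's standard `sqlite3`, `hashlib` and `hmac` modules; the table layouts, the demo credentials and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed demo credentials (placeholders, not values from the original page).
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one user stored two ways (constructed sample data).

    `users_plain` mimics the legacy layout the comments infer (plaintext password
    compared inside the query); `users` holds only a salt and a hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))

    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password(DEMO_PASSWORD)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (DEMO_USER, salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The broken pattern from the question: untrusted input spliced into the SQL text.

    With password `' or 1=1-- ` the WHERE clause becomes
    `username = 'admin' AND password = '' or 1=1-- '`, which is always true.
    """
    query = (
        "SELECT username FROM users_plain WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: parameter binding for the lookup, hash check in application code.

    The `?` placeholder means the driver never interprets the input as SQL, and
    the password never appears in the query at all. `hmac.compare_digest` avoids
    a timing side channel on the comparison.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1-- "
    print("vulnerable, injected password :", login_vulnerable(db, DEMO_USER, payload))
    print("safe, injected password       :", login_safe(db, DEMO_USER, payload))
    print("safe, real password           :", login_safe(db, DEMO_USER, DEMO_PASSWORD))
```

Run it and the first line prints `True`, the second `False`, the third `True`: the same input that bypasses the concatenated query is just a wrong password to the parameterized one. Note that the hardened version also makes the question's goal moot in the way the answer describes: even with a working injection there is no plaintext column to read, only a salted hash.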