Infolink

Monday, February 28, 2011

Dear Reader,

According to all the surveys, the most common technique for hacking a website is SQL injection. SQL injection is a technique in which a hacker inserts SQL code into a web form to get sensitive information (such as usernames and passwords), access the site and deface it. Many tools are now available that do this work easily and let script kiddies do it. Because they are so easy to use, these tools are now available to the masses, and the danger increases with that.
So I am writing this article for webmasters, who should use these tools to see what hackers can see. They can use them in a positive way before someone else uses them in a negative way.

The tool that I am using is Havij 1.14, which is free and can be downloaded from here (http://www.itsecteam.com/files/havij/Havij1.14Free.rar).

A screenshot of it is below:

Some of its features:


Supported Databases with injection methods:

  • MsSQL 2000/2005 with error
  • MsSQL 2000/2005 no error, union based
  • MySQL union based
  • MySQL Blind
  • MySQL error based
  • MySQL time based
  • Oracle union based
  • MsAccess union based
  • Sybase (ASE)


SQL Injection Demonstration:


Now I will show you the process of SQL injection step by step.


Step 1: Find an SQL injection vulnerability in your site and insert its string (like http://www.target.com/index.asp?id=123) into Havij as shown below.




Step 3: Now click on the Analyse button as shown below.






Now, if your server is vulnerable, the information will appear and the columns will appear as shown in the picture below:






Step 4: Now click on the Tables button and then click the Get Tables button in the column below, as shown:








Step 5: Now select the tables with sensitive information and click the Get Columns button. After that, select the Username and Password columns to get the username and password, and click on the Get Table button.








Countermeasures:
The following are some of the countermeasures that webmasters can adopt to lessen the chance of their website being hacked:

1: Rename the login page, e.g. rename http://www.xyz.com/login.php to http://www.xyz.com/zyx.php. This can reduce the chance of getting hacked dramatically, because most admin finders will then not be able to find it.


2: Use stronger passwords, e.g. instead of Haseeb use H@$33b. This makes the MD5 hash more complicated, so even if the hacker gets the username, password and admin page, (s)he would not be able to crack the hash, and your site will be more secure.

3: Use user accounts with limited access to the database. This can decrease the damage that a hacker can do to your site even if that user is compromised.

4: Use type-safe SQL parameters. These parameters will not treat the input as executable code, and so they will secure the whole of your site.

5: Always review your SQL code and test it with a penetration tool like Havij. That would secure your site.
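
To illustrate countermeasure 4, here is an added example (not from the original article) that puts the weak, concatenated query beside the parameterized and type-checked forms. It assumes Python's built-in sqlite3 module and a constructed "articles" table in place of the ASP page and database discussed above; all function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for a site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (123, 'Welcome'), (124, 'Unpublished draft');
    """)
    return conn

def get_article_concatenated(conn, raw_id):
    # Weak form: the request value is pasted into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def get_article_bound(conn, raw_id):
    # Placeholder only: the value travels separately from the SQL text and
    # is compared as data, so extra SQL in it is never executed.
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (raw_id,)
    ).fetchall()

def get_article_typed(conn, raw_id):
    # Type-safe form: enforce the expected type first, then bind it.
    try:
        article_id = int(raw_id)
    except ValueError:
        return None  # not an integer: reject (for example with HTTP 400)
    return get_article_bound(conn, article_id)

def demo():
    conn = make_db()
    tampered = "123 OR 1=1"  # constructed input: id value with SQL appended
    return {
        "concatenated": get_article_concatenated(conn, tampered),
        "bound": get_article_bound(conn, tampered),
        "typed": get_article_typed(conn, tampered),
        "typed_valid": get_article_typed(conn, "123"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>13}: {rows}")
```

Only the concatenated query returns the row that was not asked for; the bound query matches nothing and the typed one rejects the value before it reaches the database.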

So, my dear webmasters, please secure your websites against these vulnerabilities before someone hacks you. I have shown you how easy it is to hack a site with this technique, so please be careful!


About the author: This article was written by Muhammad Haseeb Javed. He is a hacker from Pakistan and the owner of http://www.hackthepc.blogspot.com; check it out for more stuff like this.
