by   June 16 2016   
It is better to be polite when you are attempting to take someone else's SQL Server over than to be the subject of a bad SQL Injection attempt article. Not a bad article, but pointing out how you can be bad at something as simple as SQL Injection, it's only been since 2005 we have been working with this stuff. First rule, ASK BEFORE YOU RESEARCH. I don't mind my White Hats that aren't part of the UofM group. But damn, at least buy me a drink before you attempt to trash my SQL servers. :)

155.133.82.87 is from Poland (PL) in region Eastern Europe.

sqlmap® Automatic SQL injection and database takeover tool

Here's the web address for the software: http://sqlmap.org/

Please be polite when running SQL Injection on my sites. Do I really have to remind people?

If you are going to scan a network, research a network or even hack a network it is Net Polite to send a note to the website owner that you plan on hacking, researching and even breaking the site. 

I should have placed that in my policy pages. 

Why is it so difficult to remember to be nice and play all you want?

In fact, if my Polish visitor (Głupek), who was not using a proxy and was coming from his actual work computer, really wanted to test the SQL Injection scripts, I would have set up a space in the site to discover a few good SQL Injection hacks.

Heck, I have posted some of my favorite scripts here for testing. 

Ok, with that said, here's what was attempted. 

Very basic stuff if you ask me, could I help set up better overall hacks? Yes, HEX baby HEX are the best overall and if you can exploit that damn codex and launch the HEX JS file you own that sucker.

But I'm just saying what has been seen, you are the experts, you know what's not discovered (Zero-Day). 

All I ask is that you play politely. 

First attempt: Login Page. 6/16/2016 3:05:20 PM
Set my Select Case to 2)'"'.".,..
Showed a Referral of: wGKw
Username used: IzOm
Selected my second check box of a public computer.
Responded to my security question with kKcj
Asked to remain logged in.

Error created was an Error 13, Type Mismatch, which caused the page to do nothing.
You have to actually see the page and not just scan the page.
Read the damn Source Code to see what is required.
Did I ask you for letters as the secret word? No, it was a math question, numeric please.
If you're going to test SQL injection you first have to pass the basic tests.
If I toss you only by detecting Alpha when the system expected Numeric you're really not going to reach any SQL servers in your lifetime.
So learn how to use the programs before you start your tests on my sites. You impolite little turd. (Głupek) 

Second attempt: Login Page 6/16/2016 3:05:37 PM
Set my Select Case to 2'oFGf<'">ljsI
everything else remained the same.
Not very creative, if the action case didn't toss anything usable in the first attempt why bother with it a second time?

Third Attempt: Login page password reset form. 6/16/2016 3:06:19 PM
Select Action was not touched, good.
Referral: NhoI
Email: 20'"".((.,",
Email2: XlvL
Captcha: blank
Password Reset: MBfF

The above wasn't even close, you need again to read the form, I have a numeric captcha that requires something and your 4 letter password?
Who the hell uses 4 letters in passwords? You should have at least started with 8 characters. And why didn't you inject on the password?
Could it be that you don't know 60% of the SQL stored passwords are not encrypted?
Just look for those sites that do not allow special characters and those are the sites with plain text passwords.

Next, the final attempt:
Same as other data on same page with password reset:
This time, email is : 20'dKwU<'">Stdl
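
The four values submitted above fall into two shapes, and the first attempt also failed a plain type check. As an added example (not the site's own code; the field names and the benign row are assumptions), this Python check flags both shapes and rejects missing or non-numeric input in numeric fields before any query is built:

```python
import re

# Shape 1 (attempts 1 and 3): the original value followed by a run of ten
# characters drawn only from quotes, parentheses, commas and dots.
PUNCT_RUN = re.compile(r"""['"(),.]{10}$""")
# Shape 2 (attempts 2 and 4): a quote, four letters, the literal <'"> and
# four more letters (lengths as observed in the values on this page).
TAG_PROBE = re.compile(r"""'[A-Za-z]{4}<'">[A-Za-z]{4}$""")

# Hypothetical field names for the inputs the post says must be numeric.
NUMERIC_FIELDS = {"action", "secret_answer", "captcha"}


def classify(value):
    """Return a label for a probe-shaped value, or None."""
    if TAG_PROBE.search(value):
        return "quote-and-tag probe"
    if PUNCT_RUN.search(value):
        return "punctuation-run probe"
    return None


def review(submission):
    """Check one form submission; return (accepted, findings)."""
    findings = []
    for field, value in submission.items():
        label = classify(value)
        if label:
            findings.append((field, label))
        elif field in NUMERIC_FIELDS and not value.isdigit():
            findings.append((field, "missing or non-numeric value"))
    return (not findings, findings)


# Constructed from the values quoted in the post; the last row is a
# constructed benign submission for comparison.
ATTEMPTS = [
    {"action": "2)'\"'.\".,..", "username": "IzOm", "secret_answer": "kKcj"},
    {"action": "2'oFGf<'\">ljsI", "username": "IzOm", "secret_answer": "kKcj"},
    {"email": "20'\"\".((.,\",", "captcha": "", "password": "MBfF"},
    {"email": "20'dKwU<'\">Stdl", "captcha": "", "password": "MBfF"},
    {"action": "2", "username": "murray", "secret_answer": "12"},
]

if __name__ == "__main__":
    for n, sub in enumerate(ATTEMPTS, 1):
        ok, findings = review(sub)
        print(n, "accepted" if ok else "rejected", findings)
```

Logging the findings with the source IP and timestamp gives the same per-attempt record as the write-up above, and the type check alone is enough to stop the first two attempts.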

Not very well planned, did you even know what SQL I'm running? 2016 give a hint or is it 2014 and I forgot to upgrade.
In any case, I think I'll try the application myself and set up some guidelines on researching SQL Injection.
The first guideline is....
1. Ask the site owner before you start your research.

That way your IP address that leads directly to your workstation wouldn't be published as the title to an article of bad SQL Injection techniques.
Please learn to be polite. (Głupek) 

Thank you,
Murray W.

 

 
