Back to Blog
Burp suite sql injection5/8/2023 Hit "Load," and navigate to /usr/share/wordlists/wfuzz/injection/SQL.txt. Kali comes with a variety of wordlists including one specifically for testing SQL injection vulnerabilities. Here we can enter our payloads into a simple list by either adding them one by one or loading an existing list. Don't Miss: The Essential Newbie's Guide to SQL Injections & Manipulating Data in a MySQL DatabaseĬlick on the "Payloads" tab, and go to "Payload Options" - we can leave all the default settings for now. Since "blank" or "true" is always true, and the password field is ignored, the database will return account data. The single quote effectively turns the first part into a blank string, and 1=1 always evaluates to true, so the username query will now run as "blank" or "true." The double dashes comment out the rest of the query so the password field is ignored. Here is what the SQL statement looks like when entered into the login field: SELECT username, password FROM users WHERE username='' or 1=1- AND password='' Let's look at the classic SQL injection command ' or 1=1. The SELECT statement is used to retrieve data, so a login query would look like: SELECT username, password FROM users WHERE username='myname' AND password='mypassword' SQL queries work by interacting with data in the database through the use of statements. Now our position is set, and we're ready to configure the payload. Step 2: Configure Mutillidae in Your Attack BrowserĪfter finding Metasploitable 2's IP address, navigate to it to connect to the web server. What you're looking for in the eth0 is the "inet" address, which will be your IP address for testing purposes. Once everything is set up, log into Metasploitable 2 - both the username and password should be msfadmin - and find its IP address using ifconfig. This means that unless you are completely unplugged from the internet, you should be using network address translation (NAT) or host-only mode. One thing to be careful with when using an intentionally vulnerable machine is exposing it to hostile networks.
0 Comments
Read More
Leave a Reply. |