One of the popular tools is Havij, Havij is an advanced SQL injection tool which makes SQL Injection very easy for you, Along with SQL injection it has a built in admin page finder which makes it very effective.
Supported Databases With Havij
- MsSQL
2000/2005 with error.
- MsSQL
2000/2005 no error union based
- MySQL
union based
- MySQL
Blind
- MySQL
error based
- MySQL
time based
- Oracle
union based
- MsAccess
union based
- Sybase
(ASE)
Demonstration
Now i will Show you step by step the process of SQL injection.
Step1: Find SQL injection Vulnerability in tour site and insert the string (like http://www.target.com/index.asp?id=123) of it in Havij as show below.
Step3: Now click on the Analyse button as shown below.
Now if the your Server is Vulnerable the information about the target
will appear and the columns will appear like shown in picture below:
Step4: Now click on the Tables button and then click Get Tables button
from below column as shown below:
Step5: Now select the Tables with sensitive
information and click Get Columns button.After that select the
Username and Password Column to get the Username and Password and click on
the Get Table button.
Countermeasures:
Here are some of the countermeasures you can take to reduce the risk of SQL Injection
Countermeasures:
Here are some of the countermeasures you can take to reduce the risk of SQL Injection
1. Renaming the admin page will make it difficult
for a hacker to locate it
2. Use a Intrusion detection system and compose
the signatures for popular SQL injection strings
3. One of the best method to protect your website
against SQL Injection attacks is to disallow special characters in the admin
form, though this will make your passwords more vulnerable to bruteforce
attacks but you can implement a capcha to prevent these types of attack.
