Tag: injection

Hacking, Penetration Testing

Automatic SQL database injection

jSQL Injection is a java tool for automatic sql database injection. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris). jSQL is part of Kali Linux, the official new BackTrack penetration distribution. jSQL is also included in Black Hat Sec, ArchAssault Project, BlackArch Linux and Cyborg Hawk Linux. Download from GitHub. …

Injection, PHP, Vulnerabilities

PHP Command Injection Vulnerability in Web applications

Create a new PHP file, name it test_command_injection.php, and save it inside Apache’s htdocs directory: <?php if(isset($_GET[’filename’])) { $filename = $_GET[’filename’]; if(file_exists($filename)) { unlink($filename); } }<?php if(isset($_GET[‘filename’])) { $filename = $_GET[‘filename’]; if(file_exists($filename)) { unlink($filename); } } Open your favorite browser and open url: http://localhost/test_command_injection.php?filename=path_to_file_4_deletion As you can see you could delete any file in the …


Preventing MySQL Injection in PHP

Security issues like MySQL injection can only be corrected by using two functions mysql_real_escape_string (php manual) and stripslashes (php manual).   Example: $safe_string = mysql_real_escape_string(stripslashes($tainted_string));$safe_string = mysql_real_escape_string(stripslashes($tainted_string));   To make your life a little easier just create a suitable function for this line of code: function checkString($value) {       return mysql_real_escape_string(stripslashes($value));   }function checkString($value) …