
SQLi testbed

  • 23-05-2011 10:04pm
    #1
    Closed Accounts Posts: 20,759 ✭✭✭✭


    Hey guys,

    I've coded a testbed for SQL Injection, specifically orientated to tackling filter evasion. The web-app has 4 varying levels of filters - so the user can start at level 1, and work their way up.

    I'm looking for a few people to beta test it, and give me feedback before I release it. So if anyone wants a copy - let me know, and I'll zip it up and send it on. You'll require Apache/PHP/MySQL to run it - if you're on Windows, just download XAMPP, or LAMPP for Linux.

    It doesn't come with an install script yet - so I'll attach a SQL file, which you can just run in phpmyadmin to generate the tables and site-content.

    Post here if you want to give it a trial.


Comments

  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    I will give it a try.

    Sounds fun.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent it on there in a PM.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    I'd also have a go at this


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Would this be suitable for a user learning SQLi? I'm pretty much a newbie at SQLi (I have no idea how much I know... a lot of theory and no practice), so if you'd like a beginner's opinion feel free to send it my way (but I won't be able to do anything for the next week or so).


  • Closed Accounts Posts: 14 Sigtran


    send it on to me as well please.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sent on.

    LoLth - It's primarily for practising filter evasion, which is a huge part of SQL Injection. Level 1 of the game has no filtering, so you can learn and practice the fundamentals of SQLi with that, and then move onto filter evasion. (Vast range of topics on it online).

    There is no real object of the game, other than to read data from the DB that one should not have access to. I'll let you guys figure out what that is.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Anybody else have a try of this yet?


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    I've tested it and it's really good for anyone who wants to learn sqli filter evasion.

    The injection point and column count stay the same, making a good reference point, then more difficult filters get added on each level.

    SQLi tools like Havij won't pass most filters, so if you're using tools you should learn this. Otherwise you're missing loads of injections.


  • Closed Accounts Posts: 2,486 ✭✭✭Redshift


    It works well for me. I've yet to go through all the levels, though, but it's great for testing stuff and to practice on. :)
    I had fun yesterday pulling data from another database on the same server, which highlights the problem of having the same user for multiple databases or granting unnecessary or global permissions. It was an unexpected and interesting lesson for me.
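Redshift's lesson above, as an added example rather than anything shipped with the testbed or posted in the thread: MySQL grants that put the web app's account on a single schema, so an injection in one app cannot read the other databases on the same server. The schema name `sqli_testbed` and the account `webapp@localhost` are assumed placeholders; substitute the names the install script actually uses.

```sql
-- Added example, not part of the testbed. Placeholders: the testbed's
-- schema is assumed to be sqli_testbed and the account the PHP app
-- connects with is assumed to be webapp@localhost.

-- Weak setup (the situation Redshift ran into): one account with
-- global privileges, shared by every app on the server. Any injection
-- in one app can then read every other database.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'localhost';

-- Remediation: strip the global rights, then grant only the statement
-- types the app actually issues, and only on its own schema.
-- Give each application its own account rather than reusing this one.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'webapp'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON sqli_testbed.* TO 'webapp'@'localhost';
FLUSH PRIVILEGES;

-- Check 1: expect exactly two rows, USAGE ON *.* (no global rights)
-- and the single per-schema grant.
SHOW GRANTS FOR 'webapp'@'localhost';

-- Check 2: list every account that still holds a global privilege
-- (anything other than USAGE at the *.* level). Application accounts
-- should not appear here.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type <> 'USAGE'
ORDER BY grantee;

-- Check 3: run from the app's own connection. It should list only
-- information_schema and sqli_testbed, not the other databases.
SHOW DATABASES;
```

The third check is the one that reproduces Redshift's observation directly: if the app's connection can see other schemas, the grants are still too broad regardless of what the PHP filters do.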


  • Registered Users, Registered Users 2 Posts: 495 ✭✭jakedixon2004


    I would really like to test this out. Send me a PM if you get a chance dude.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I would like to take a look at this.

    Thanks.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Here ye go guys: http://www.sendspace.com/file/irmid3

    It's not a finished product yet, so keep that in mind. I included the SQL file, so if you just paste it into phpmyadmin, it will create the data for you. Any questions, just drop me a message.

