corsasport.co.uk
 

Corsa Sport » Message Board » Off Day » Geek Day » forum hacking - SQL's


New Topic

New Poll
  Subscribe | Add to Favourites

You are not logged in and may not post or reply to messages. Please log in or create a new account or mail us about fixing an existing one - register@corsasport.co.uk

There are also many more features available when you are logged in such as private messages, buddy list, location services, post search and more.


Author forum hacking - SQL's
Drew
Banned

Registered: 24th Nov 01
Location: County Durham
User status: Offline
9th Sep 04 at 22:53   View User's Profile U2U Member Reply With Quote

could anyone tell me how to do this, as i know nothing about SQL's - or should i leave it to someone who does?


--------------------------------------------
#-----[ ADD SQL ]------------------------------------------
#
DROP TABLE IF EXISTS `phpbb_ip`;
CREATE TABLE `phpbb_ip` (
`id` tinyint(4) NOT NULL auto_increment,
`ip` varchar(200) NOT NULL default '0',
`host` varchar(200) NOT NULL default '0',
`date` varchar(200) NOT NULL default '0',
`username` varchar(200) NOT NULL default '0',
`referrer` varchar(200) NOT NULL default '0',
`forum` varchar(200) NOT NULL default '0',
`browser` varchar(200) NOT NULL default '0',
KEY `id` (`id`)
) TYPE=MyISAM;
------------------------------------------------

Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Online
9th Sep 04 at 23:27   View Garage View User's Profile U2U Member Reply With Quote

How to run those statements?

Depends whats installed, either at the command line, or any web interface you have already.

For the record that just deletes the table called phpbb_ip and makes it again. I've no idea why you'd want to do that.
blundey
Member

Registered: 25th May 04
Location: Flitwick, Bedfordshire
User status: Offline
9th Sep 04 at 23:29   View User's Profile U2U Member Reply With Quote

err its not called SQL hacking...there are two things you can do.

One is SQL injection...you can read up on this here: http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php

The other method is similar to cross site scripting.

Or actually use an exploit thats already made...this will involve the use of linux/unix variant. For exploits check out www.packetstormsecurity.org or www.secuiteam.net

The adbove wont work as this site is not running phpbb and youve put it in a thread
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Online
9th Sep 04 at 23:32   View Garage View User's Profile U2U Member Reply With Quote

I think he means hacking as in hacking the software about and adding stuff, not breaking it.

Don't know why you'd want them all identical 200 length varchars either. Thats not a particularly efficient way of doing it.
Drew
Banned

Registered: 24th Nov 01
Location: County Durham
User status: Offline
9th Sep 04 at 23:32   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by blundey
err its not called SQL hacking...


i have not mentioned sql hacking anywhere
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Online
9th Sep 04 at 23:34   View Garage View User's Profile U2U Member Reply With Quote

Only the subject, nearly
Drew
Banned

Registered: 24th Nov 01
Location: County Durham
User status: Offline
9th Sep 04 at 23:34   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Ian
I think he means hacking as in hacking the software about and adding stuff, not breaking it.

Don't know why you'd want them all identical 200 length varchars either. Thats not a particularly efficient way of doing it.


this is the description..........

Features:
- Log Data
- Username
- IP
- Host
- Referrer
- Forumid
- Time
- See how often a user has been logged
- See users that have the same ip, host, referrer


like i said, i know nothing about sql's, it just says to add it
Drew
Banned

Registered: 24th Nov 01
Location: County Durham
User status: Offline
9th Sep 04 at 23:35   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Ian
Only the subject, nearly


no subject is 'forum hacking - SQL's' ie, hacking a forum and an sql question
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Online
9th Sep 04 at 23:37   View Garage View User's Profile U2U Member Reply With Quote

You're adding a hack to your install of phpBB?

I assume you're able to alter the code but need access to the database to make that table?

Do you have anywhere at all you can enter SQL statements? Nothing provided by the host?

You'll either have the ability to do that or you'll need to embed them in a php script and just run it once, then delete it. Bit of a messy way of doing it but it'd run the statements.

I personally would install something like phpMyAdmin.
Drew
Banned

Registered: 24th Nov 01
Location: County Durham
User status: Offline
9th Sep 04 at 23:39   View User's Profile U2U Member Reply With Quote

quote:
Originally posted by Ian
You're adding a hack to your install of phpBB?

I assume you're able to alter the code but need access to the database to make that table?

Do you have anywhere at all you can enter SQL statements? Nothing provided by the host?

You'll either have the ability to do that or you'll need to embed them in a php script and just run it once, then delete it. Bit of a messy way of doing it but it'd run the statements.

I personally would install something like phpMyAdmin.


yes thats correct - the control panel has phpmyadmin already installed - i just dont know how to use it
Dan B
Member

Registered: 25th Feb 01
User status: Offline
9th Sep 04 at 23:40   View User's Profile U2U Member Reply With Quote

It's pretty simple......it lets you access any table, change any value, and then save it.

Means you don't need to run any complex SQL queries/commands.
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Online
9th Sep 04 at 23:45   View Garage View User's Profile U2U Member Reply With Quote

Give me the web address, username and password...

Just go there, go inside the database using the drop down box or list on the left and there will be tab style links across the top of the main area of the screen. One of those is 'SQL' where you can put raw SQL statements in.

Just put this in though, not the whole thing with lines, comments etc. there's no need.

DROP TABLE IF EXISTS `phpbb_ip`;
CREATE TABLE `phpbb_ip` (
`id` tinyint(4) NOT NULL auto_increment,
`ip` varchar(200) NOT NULL default '0',
`host` varchar(200) NOT NULL default '0',
`date` varchar(200) NOT NULL default '0',
`username` varchar(200) NOT NULL default '0',
`referrer` varchar(200) NOT NULL default '0',
`forum` varchar(200) NOT NULL default '0',
`browser` varchar(200) NOT NULL default '0',
KEY `id` (`id`)
) TYPE=MyISAM;
Drew
Banned

Registered: 24th Nov 01
Location: County Durham
User status: Offline
9th Sep 04 at 23:46   View User's Profile U2U Member Reply With Quote

cheers for your help i'll give it a try.

look out for my post tomorrow called 'how do i bring my dead site back alive'

thanks again
blundey
Member

Registered: 25th May 04
Location: Flitwick, Bedfordshire
User status: Offline
9th Sep 04 at 23:47   View User's Profile U2U Member Reply With Quote

ohh ok....then just run mysql from command line...like:

mysql -p <username>

Then when you get this:

mysql>

Just input the above following.

You could alternativley connect to port 3306 from another machine and do the above if the sql database allowed external connections.

blundey
Member

Registered: 25th May 04
Location: Flitwick, Bedfordshire
User status: Offline
9th Sep 04 at 23:48   View User's Profile U2U Member Reply With Quote

damn ur fast fingers ian
Ian
Site Administrator

Avatar

Registered: 28th Aug 99
Location: Liverpool
User status: Online
9th Sep 04 at 23:50   View Garage View User's Profile U2U Member Reply With Quote

quote:
Originally posted by blundey
if the database allowed external connections.

Unlikely!

You need to have a shell prompt to start mysql like that, and it might not be that simple if there's a user/pass combo. Maybe:

mysql -u k4rma -p
(enter pass on the next line)

No point if there's a web panel though, the panel confirms everything slightly dangerous

 
New Topic

New Poll

  Related Threads Author Forum Replies Views Last Post
any 1 from the yorkshire region and....... mentalcorsa General Chat 1 895
15th May 03 at 21:57
by VenomTurbo
 
Mondeo Speaker Wiring Stoneyginger Help Zone, Modification and ICE Advice 5 800
11th Jul 03 at 17:14
by lordbonzai
 
Split this forum? Ian Classifieds 52 3489
15th Oct 03 at 19:33
by mav
 
Lol Happy_2008 General Chat 0 739
9th Feb 04 at 11:49
by Happy_2008
 

Corsa Sport » Message Board » Off Day » Geek Day » forum hacking - SQL's 28 database queries in 0.0177701 seconds