
    SQL Injection

    From Encyclopedia Dramatica
    FACT ALERT:
    This is serious shit and has been known to cause drama and IRL Ban Hammers. Actually doing this might get you v&. The information on this page is provided for educational purposes only.
    File:Lethal injection attack droid.jpg
    Like this, but in a web browser.

    SQL Injection is a type of web-application attack that involves sending specially formatted strings along with a web request so that part of the input is read by the database as SQL rather than as data. Unlike many attacks which target a specific security hole, a SQL injection is made possible by a bad coding practice, building a query by gluing user input into a string, and so it can be used against any application platform (PHP, CGI, ASP.NET, Java) that does this, regardless of web or database server.

    Examples

    File:Romanian Gymnastics.jpg
    Romanian hackers preparing for battle.

    February 2009: Kaspersky, F-Secure, Bit Defender

    Romanian hackers exploited a weakness in the websites of these three major security firms to gain access to a wide array of information, including F-Secure's private statistics on infection rates, Kaspersky's internal database of users, activation codes and known product bugs, and Bit Defender's list of users' e-mail and personal information along with its list of administrator accounts and passwords. Makes you feel warm and fuzzy about their antivirus products, doesn't it?

    October 2009: Guardian Jobs

    The UK paper's popular job hunting website fell prey to a similar injection attack which gave hackers access to the entire user database, including detailed personal information and employment history, resumes and contact information.

    Every fucking thing LulzSec did

    Commonly referred to as "my first sqli".

    How-To

    Injection attacks can be passive (reading data the attacker should not see, such as logging in to a password-protected website or listing private records) or active (writing to the database, such as inserting records or deleting a table's contents). All of these examples assume that proper precautions, such as those listed under Solutions, have not been taken. All of the examples will be written in C# .NET because fuck you, it's my favorite language.

    Logging In

    Let's begin with a simple login page, with username (tbUsername) and password (tbPassword) text boxes and a submit button. The SQL command to log in might be something like:

    // VULNERABLE: the text box values are spliced straight into the SQL string,
    // so any quote or comment marker in them becomes part of the command.
    SqlCommand comm = new SqlCommand("SELECT UserID FROM Users WHERE Username = '" + tbUsername.Text + "' AND Password = '" + tbPassword.Text + "'");
    

    We're going to put the following in for username and the password can be anything:

    dongs' OR 1=1--
    

    When the application puts the strings together (say the password typed was "whatever"), the command becomes:

    SELECT UserID FROM Users WHERE Username = 'dongs' OR 1=1--' AND Password = 'whatever'
    

    Everything from -- to the end of the line is a comment, so what the server actually executes is:

    SELECT UserID FROM Users WHERE Username = 'dongs' OR 1=1
    

    The double minus starts a SQL comment that runs to the end of the line, so the rest of the command, password check included, is ignored. Since 1=1 is always true, the WHERE clause matches every row and the query returns every UserID; an application that expects one row will typically take the first, so the attacker is logged in as that user (often the first account ever created, which is frequently the administrator). One dialect caveat: T-SQL, SQLite, PostgreSQL and Oracle accept a bare --, but MySQL only treats it as a comment when a space follows (-- ), so attackers targeting MySQL append a space or use # instead.

    Changing Information

    That was neat, but let's take it a step further. Instead of logging in as whichever user comes first, let's log in as an administrator whose username is known. Assuming we're at the same login page with the same SQL command, we'll send the following as the username:

    dongs'; UPDATE Users SET Password = 'dongcopter' WHERE Username = 'admin'--
    

    The semicolon ends the SELECT and starts a second statement, which SQL Server runs in the same batch; the SELECT finds nobody named dongs, but the UPDATE still executes. Now the admin's password is dongcopter, so not only can he not log in, but you can, as admin. This assumes the site stores passwords in the clear, as this one does; if it stores hashes you would write the hash of a password you know instead. It also depends on the database driver accepting more than one statement per call ("stacked queries"): ADO.NET and SQL Server do, while drivers that execute exactly one statement per call, such as PHP's classic mysql_query() or Python's sqlite3 execute(), refuse this trick without doing anything about the login bypass above. Want to be a dick and wipe every row in the users table instead (the table itself survives; DROP, not DELETE, removes it)? Try this:

    dongs'; DELETE FROM Users--
    
    

    More

    For a longer and more involved How To, visit SQL Injection/How To.

    Solutions

    File:Gatesfloppy.jpg
    Looks fabulous while protecting you from hackers.

    Nearly every platform, .NET included, provides parameterized (prepared) statements that stop injection outright; older platforms may leave you escaping by hand (see Sanitizing Input below). You can also make things a little harder on an attacker by not using obvious database table and column names and by not having form elements share names with their database columns, but treat that as friction rather than a defense: error messages and the database's own catalog views (information_schema, sysobjects) hand an attacker the schema anyway. For instance, if your users table is actually named Users and it has the columns Username and Password and your login elements are called tbUsername and tbPassword, you are an idiot.

    Parameterized Commands

    Parameterized commands separate the SQL text from the data. Instead of gluing user input into the command string, the string contains placeholders (@Username) and the values are sent to the server alongside it, each with a declared type, and are never parsed as SQL. A quote or a -- inside a value is just characters in a string, so there is nothing to strip or "clean": the value arrives at the database exactly as typed, which is also why O'Brien can log in. Microsoft recommends using parameterized commands exclusively. Roughly speaking, one declares a SqlCommand object, sets the command string with placeholders, then adds each value to the Parameters collection with its SQL type and length.

    Here is a simple example which does nothing useful:

    using System.Data;
    using System.Data.SqlClient;

    SqlCommand comm = new SqlCommand("SELECT FirstName, LastName FROM Users WHERE Username = @Username");
    
    // Declare the placeholder with its SQL type and maximum length...
    comm.Parameters.Add("@Username", SqlDbType.NVarChar, 25);
    // ...then assign the raw text box value. It travels as data, never as SQL text.
    comm.Parameters["@Username"].Value = tbUsername.Text;
    

    If an attacker types dongs' OR 1=1-- into tbUsername, nothing dramatic happens: the server looks for a user whose name is literally dongs' OR 1=1--, finds none, and the query returns no rows. There is no validation error to trigger and no filter to bypass; the injection simply never becomes SQL. Two things to watch: keep the declared length in step with the column, because a value longer than the declared size is cut to that length before it is sent, and remember that parameters only protect values. A table or column name, or an ORDER BY clause, taken from user input cannot be parameterized and still has to be checked against an allow list.
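    The login bypass and the stacked UPDATE from the How-To above, run side by side with a parameterized query, as an added example that is not the page's own C# code. It uses Python's sqlite3 module against an in-memory database so it runs offline; the Users table, its two accounts (admin/hunter2 and alice/letmein) and all function names are constructed for this example. One difference from SQL Server is made explicit: sqlite3's execute() refuses a second statement per call, so the stacked query is pushed through executescript() to stand in for a batch-capable driver such as ADO.NET's SqlCommand.

```python
"""SQL injection against a concatenated query vs. a parameterized one.

Added example (not the page's C# code).  Python's sqlite3 stands in for
ADO.NET / SQL Server so the demo runs offline.  The Users table, its two
accounts and all function names are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; passwords stored in the clear, like the page's example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO Users VALUES (1, 'admin', 'hunter2');
        INSERT INTO Users VALUES (2, 'alice', 'letmein');
        """
    )
    return conn


def build_login_sql(username: str, password: str) -> str:
    """VULNERABLE: the page's string concatenation, in Python."""
    return ("SELECT UserID FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """One statement per call, like sqlite3.execute(): first UserID found or None."""
    row = conn.execute(build_login_sql(username, password)).fetchone()
    return row[0] if row else None


def login_vulnerable_batch(conn, username, password):
    """Same SQL, sent through a call that runs every statement in the string.
    executescript() models a batch-capable driver such as ADO.NET's SqlCommand;
    it discards result rows, which is fine because the side effect is the point."""
    conn.executescript(build_login_sql(username, password))


def login_parameterized(conn, username, password):
    """Placeholders: the values travel as data and are never parsed as SQL."""
    row = conn.execute(
        "SELECT UserID FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def single_statement_driver_rejects(conn, username, password) -> bool:
    """sqlite3.execute() refuses a second statement; that blocks stacked queries
    at the driver, but not the login bypass, which is a single statement."""
    try:
        conn.execute(build_login_sql(username, password))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def demo() -> dict:
    conn = make_db()
    bypass = "dongs' OR 1=1--"
    stacked = "dongs'; UPDATE Users SET Password = 'dongcopter' WHERE Username = 'admin'--"
    results = {
        # OR 1=1 matches every row; the app takes the first, which here is admin.
        "vuln_bypass": login_vulnerable(conn, bypass, "whatever"),
        # Parameterized: looks for a user literally named "dongs' OR 1=1--".
        "param_bypass": login_parameterized(conn, bypass, "whatever"),
        "param_legit": login_parameterized(conn, "alice", "letmein"),
        "stacked_rejected_by_single_stmt_driver": single_statement_driver_rejects(
            conn, stacked, "whatever"),
    }
    # Against a batch-capable driver the UPDATE runs even though the SELECT finds nobody.
    login_vulnerable_batch(conn, stacked, "whatever")
    results["admin_pw_after_stacked_update"] = login_parameterized(conn, "admin", "dongcopter")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Running it prints the dictionary from demo(): the same malicious string that logs the attacker in as UserID 1 against the concatenated query matches nothing against the parameterized one, the single-statement driver raises on the stacked payload, and after the batch run admin's password really is dongcopter.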

    Sanitizing Input

    File:XKCD-SQL-Injection.png
    Always sanitize your data inputs.

    Sanitizing input means inspecting what the user sent and either modifying it or rejecting it outright based on certain heuristics. Almost every platform supports parameterized commands these days, so treat sanitizing as a second line of defense (and as plain input validation) rather than a substitute; where you genuinely cannot parameterize, you can often find libraries that escape input for you. Some common techniques:

    • Look for SQL Keywords - If the string contains keywords such as SELECT, DELETE or DROP, reject the input. This blocks a fair amount of legitimate text (anyone whose message mentions "delete") and misses attacks that use no listed keyword at all: the login bypass above, ' OR 1=1--, contains none of them. Treat it as a tripwire worth logging, not as a defense.
    • Escape/Encode Input - Use your platform's escaping function if it has one; if not, escape the quote character the way your database expects. In T-SQL, SQLite, PostgreSQL and standard SQL a single quote inside a string literal is written as two single quotes, so dongs' OR 1=1-- becomes dongs'' OR 1=1--, which the server reads as one harmless string; MySQL also accepts the backslash form (\'). Operators such as = and - need no escaping inside a quoted literal, and escaping does nothing at all for a value that is not quoted in the query (a numeric WHERE UserID = ... clause), which is where the next technique comes in.
    • Convert Values - Most platforms contain functions to convert from text to numerical values. If a field is known to be numerical, wrap the conversion in a try/catch block and reject the input if it doesn't convert. Do the same for dates and other typed fields, and build the query from the converted value, not the original string.
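    The three heuristics above, implemented in Python as an added example that is not the page's own code, each paired with an input it misses. SQL_KEYWORDS, the helper names and the small in-memory SQLite table are this example's own choices; the table contains a user named O'Brien to show why blind quote-stripping is the wrong fix, and because SQLite uses the standard doubled-quote escape it also shows the escaped bypass being treated as a plain literal.

```python
"""The page's three sanitizing heuristics, with the inputs each one misses.

Added example, not part of the original page.  SQL_KEYWORDS, the helper
names and the in-memory SQLite table are this example's own choices.
"""
import re
import sqlite3

SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "UNION", "EXEC")
_KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def contains_sql_keyword(value: str) -> bool:
    """Keyword blocklist, case-insensitive, whole words.  It cannot see the
    page's login bypass, which uses no listed keyword at all."""
    return _KEYWORD_RE.search(value) is not None


def escape_sql_string(value: str, dialect: str = "standard") -> str:
    """Escape a value so it can sit inside single quotes in a SQL string.
    'standard' (T-SQL, SQLite, PostgreSQL): a quote is doubled.
    'mysql': the backslash convention used by mysql_real_escape_string.
    Operators like = and - are harmless inside a quoted literal and are left alone."""
    if dialect == "standard":
        return value.replace("'", "''")
    if dialect == "mysql":
        return value.replace("\\", "\\\\").replace("'", "\\'")
    raise ValueError(f"unknown dialect {dialect!r}")


def parse_int(value: str):
    """Numeric fields: convert and let the caller reject on None.  Escaping is
    useless for an unquoted number (WHERE UserID = 5 OR 1=1 has no quotes)."""
    try:
        return int(value.strip())
    except ValueError:
        return None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one name with a legitimate apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", [(1, "admin"), (2, "O'Brien")])
    return conn


def lookup_escaped(conn, username):
    """Concatenation with the value escaped first (SQLite reads '' as one quote).
    The injected quote can no longer close the literal early."""
    sql = "SELECT UserID FROM Users WHERE Username = '" + escape_sql_string(username) + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    bypass = "dongs' OR 1=1--"
    return {
        # Blocklist: the bypass passes, an innocent sentence is rejected.
        "keyword_catches_bypass": contains_sql_keyword(bypass),
        "keyword_catches_innocent": contains_sql_keyword("please delete my account"),
        # Escaping: 'dongs'' OR 1=1--' is one string literal; no such user exists.
        "escaped_bypass_logs_in": lookup_escaped(conn, bypass),
        "escaped_apostrophe_name": lookup_escaped(conn, "O'Brien"),
        "mysql_form": escape_sql_string(bypass, "mysql"),
        # Conversion: the only one of the three that helps for unquoted values.
        "numeric_bypass": parse_int("5 OR 1=1"),
        "numeric_legit": parse_int(" 42 "),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

    The keyword check is the one people reach for first and the one that does least: it lets the bypass through and rejects a support ticket. Escaping works only when the value is quoted and only in the database's own convention, which is why the example takes a dialect argument rather than a fixed replacement table.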

    Other Countermeasures

    • Run the SQL Server service under a low-privilege Windows account ("Startup and run SQL Server" in the SQL Server Security tab) and connect the application with a database login that has only the rights it needs, never sa: an injection can do no more than the login it rides in on, so a read-only login turns the UPDATE and DELETE tricks above into errors.
    • Disable or remove extended stored procedures you are not using, in particular master..xp_cmdshell (off by default since SQL Server 2005; keep it that way with sp_configure), xp_startmail, xp_sendmail and sp_makewebtask. With xp_cmdshell reachable, an injection on a privileged login becomes arbitrary command execution on the database host.

