harry tuttle's Journal: SQL Injection - Can you Hack It?

Come and have a go if you think you're hard enough!

You can try your hand at the SQL Injection attack at SQLZoo.
The site includes a vulnerable web form and you are invited to try to hack it.

If you do manage to find a user name and password you can log on to the bragging board and leave a message.
The Hack site includes some hints and tips for this famous exploit - but the best techniques are saved for the book, SQL Hacks published by O'Reilly, reviewed on Slashdot by Scott Walters.

Magic String

Hackers use SQL injection to have unexpected SQL statements executed on the victim's machine. For example if you supply a string such as ' OR ''=' as both user name and password you turn the SQL query SELECT name FROM passwd WHERE user='$user' AND password='$password' into SELECT name FROM passwd WHERE user='' OR ''='' AND password='' OR ''='' The WHERE condition always returns true and so with a little luck the magic string 'OR''=' will get you access to a vulnerable site without knowing any insider details.

Having got access to the system you can then use SQL queries to find out account names and possibly passwords.