💣 DDOS Using SQL injection

The Concept:

To DDOS a web site using SQL injection, let us first understand the basics and the structure of the attack. When an application is vulnerable to SQL injection, injected SQL queries are executed by the database and their output is returned to us. The idea, then, is to send complex SQL queries that consume the power of the web server and the database and exhaust the server's resources. We can even open the maximum number of live connections to the database, so that it cannot accept any more connections at the same time. With the idea simple and clear, we can go on to build complex SQL queries that make the database slow to reply. SQL provides many functions and allows very complex queries that produce output in a very flexible way: Joins, Like, compress, encode, etc.

-------------------------------------------------------------

Steps to achieve DDOS using SQL injection:

1. Finding the vulnerability.
2. Preparing the injectable query.
3. Injecting the DDOS query into the website.

-------------------------------------------------------------

Injecting DDOS Query into the Website.

There are many ways to do this. What you will need is a testing lab and something called a brain, and you can create your own deadly injections.

For me, I created a table of 500 rows with a text field having 500 bytes of data per column, which actually represents the forum or blog post field of many websites running out there. If the database is even larger, as we can find many databases running with lakhs and millions of records, such sites can be DDOSed more easily. Well, we are going to use this payload to DDOS, which took me a couple of hours to make.

If the website is vulnerable and we have found out the columns, the injection is like this.

Let us assume the 3rd column is vulnerable, so let's inject our second payload into the site.

or

Continuously sending this injection to the website using a script will bring the server down even with a medium internet connection, so in this way we won't need thousands of bots DDOSing with us. We can also use Sleep to keep connections alive for a long time, which will also accomplish the task. Using Sleep we can also exhaust the connection pool in ASP.net, where by default a maximum of 100 connections are allowed at a time in 30 seconds. So if we keep our connections alive using the Sleep command, the server will not be able to reply to other users.
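The two controls that close off the resource exhaustion described above, shown as an added example that is not part of the original page: request values are bound as parameters so they cannot change the statement, and every statement runs under a time budget so a long-running one is aborted and its connection released. It assumes SQLite as a stand-in for the site's database; the `posts` table, `SLOW_SQL` and all function names are hypothetical.

```python
import sqlite3
import time

# Constructed stand-in for any statement that runs far longer than a page view should.
SLOW_SQL = "SELECT count(*) FROM posts a, posts b, posts c"

def make_db(rows=500):
    """Constructed sample data: 500 rows of 500-byte text, the table size used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO posts (body) VALUES (?)",
                     [("x" * 500,) for _ in range(rows)])
    return conn

def run_with_budget(conn, sql, params=(), budget_s=0.2):
    """Run one statement; return its rows, or None if it exceeded budget_s seconds."""
    deadline = time.monotonic() + budget_s
    # SQLite calls the handler every 1000 VM steps; a non-zero return aborts the statement.
    conn.set_progress_handler(lambda: int(time.monotonic() > deadline), 1000)
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            return None  # budget exceeded: the connection is free again
        raise
    finally:
        conn.set_progress_handler(None, 1000)

def get_post(conn, post_id):
    """Hypothetical page handler: the request value is bound as data, never as SQL text."""
    return run_with_budget(
        conn, "SELECT id, length(body) FROM posts WHERE id = ?", (post_id,))

if __name__ == "__main__":
    db = make_db()
    print(get_post(db, 3))                # normal lookup
    print(get_post(db, "3 OR 1=1"))       # bound as a string, matches no row
    print(run_with_budget(db, SLOW_SQL))  # aborted by the budget
```

On a production DBMS the same budget is a server-side statement timeout, such as `statement_timeout` in PostgreSQL or `max_execution_time` in MySQL.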

Open your wings of imagination and fly over the sky.
