All the information on this page is for educational purposes only. The owner of the blog, nor Blogger, nor anyone associated with this blog can be held liable for illegal activities brought by this blog

Friday, October 21, 2011

SQL Attack

*Only sites which users have the rights to or have been given special permission may be hacked, I accept no responsibility and can not be accountable for any illegal acts that take place in conjunction with the information on this blog*


So as I said, today's blog will be about SQL Attacks - I will be using a site created by CrashOverron setup on my localhost, to download the files to use the site, visit:

http://securityoverride.com/infusions/pro_download_panel/download.php?did=33

Ok, so I will be giving a step-by-step guide with screen shots(video will be uploaded tomorrow)

Step 1: Discover a website that utilize an SQL database


Here is a site with an SQL database

Step 2: Test the site for vulnerabilities

You start by typing in a logical statement at the end of the URL:
http://localhost/fake/index.php?page=products&id=1%20and%201=1--

As you will see in the screenshot below, the page has not changed compared to the original screen





Next, we will type an illogical statement at the end of the URL:
http://localhost/fake/index.php?page=products&id=1%20and%201=0--

 As you will now see, there has been quite a drastic change to the page. This confirms that there is definitely a SQL vulnerability on this website.

Step 3: Find total number of columns

Next, we need to discover how many columns the SQL table has. To determine this, we use the ORDER BY command, by adding ORDER BY n (where n represents a number) we can determine how many columns there are

If there is no error then increase n by 1, continue to do so until you receive an error

Once you have received an error, take n - 1 = x

x = number of columns in the SQL table

(There is a possibility that there may be many many columns, if that is the case change your increment from 1 to 10, for example, until you can determine the exact number of columns)

Step 4: Display table names

You  will now need to display all the table names so you can choose which table to use, firstly change 'id=1' to 'id=-1', we do this because there is no data in the array position, then add this to the URL:
union select 1,2,3,4 from information_schema.tables--

Union is basically the command that alerts the SQL tables it is needed
Select is the command to select certain information
1,2,3,4 is the amount of columns we have (all numbers MUST be entered)
from is telling the SQL database where to collect information from
information_schema is the MySQL master tool
.tables tells the information_schema that we are going to be interacting with tables
-- all SQL commands will need to end with double dash

so, no that we have that, you should see something similar to:

Now the numbers on screen are the only numbers you may edit, chose one and stick with it, in our case we will chose 2.

Now, substitute the number you chose for 'table_name' (without the quotes)



union select 1,table_name,3,4 from information_schema.tables--

you should now see a list of table names, scroll down until you see the tables you are dealing with(you should be able to work out which are human created tables):



So now we have two table names:
  1. users
  2. products
We will now be using the users table as this will obviously have user information in and more than likely passwords

Step 5: Display column names

Now that we know what table_name we want, we can start working on column name, column names are just as easily retrieved, just add
union select 1,column_name,3,4 from information_schema.columns--
after the 'id=-1'

Here we have substituted our chosen number, in our case 2, with column_name and changed information_schema.tables to information_schema.columns.

Now you will see a list of column names, unfortunately, it is for the wrong table

Not to worry, just add in the WHERE clause, the WHERE clause tells the SQL database which source to take data from

union select 1,column_name,3,4 from information_schema.columns where table_name='users'--

we add 'where table_name='users'--' to the URL, this tell the query to pull data from the table with the table_name users

 and we should get something similar to :


Some sites have magic quotes set up, in that case adding "table_name='users'--" will not work because the site will not allow the addition of quotes, in those cases we use the char() command, in the char() command just put the ASCII value of the table name as CSV(Comma Separated Values) between the brackets - this will be discussed more in the video -

Step 6: Reaping your rewards

Now it is finally time for you to be rewarded for all your hard work, there are two ways to do this next step, the quick way and the long way, first I will show you the long way as to ensure you understand what we are actually doing...


Substitute a column name with column_name, for example,

union select 1,user,3,4 from users--

you no longer need the information_schema command as the query is already running from the users table, we will now see a list of users


Now do the same for passwords, but substitute column_name with 'pass'

union select 1,pass,3,4 from users--

You will now see a list of passwords,
Use the user name from the first request, along with the password from the second request to log in.

The short method is to use the concat() command, in the concat() command, you request more than one column at a time - more details in video -

union select 1,concat(user,0x3A,pass),3,4 from users--

You can keep adding as much information as you need either by concatenating or by asking for each individually

(0x3A is the hex value for a colon :)

this will display as:
user: password


Remember the user name and passwords and proceed to login screen.

Step 8: Logging in

Ok, so I have shown you how to collect usernames and password and other information, now you need to log in,

Take note of a username and password and proceed to login screen


You will now be logged in as that user having full access to this account as if you were the account owner

Hope my tutorial was well understood, if you have any question or other input please comment.

A video of the SQL attackhas been created and will be uploaded as soon as the editing has been completed.

Thanks for checking out my blog and thanks again to CrashOverron for the website

See ya

Techno Master

4 comments:

  1. Merci beaucoup:P
    C'est utile pour moi~

    ReplyDelete
  2. Hi technomaster,

    I liked your video and indeed you explained the procedure very efficiently. I want to know that does these set of commands work only on php webpages? I tried them on aspx and php but neither worked.

    regards,
    Tantuj

    ReplyDelete
  3. hi techno master!

    im newbie for hacking. i cannot access to your local host it says that problem loading page. what should i do?

    ReplyDelete
    Replies
    1. Have you installed the other additional servers required on your machine?

      Delete

 
Back To Top