Hello readers of Vercetti's blog,
Today I'll write an tutorial for you what
covers most problems while doing SQL
injection and solutions to them. Probably
every person who has looked at tutorials to
hack a website have noticed that there are too
much SQL tutorials. Almost every forum has
10 tutorials and blogs 5 tutorials about SQL
injection, but actually those tutorials are
stolen from somewhere else and the author
doesn't probably even know why does SQL
injection work. All of those tutorials are like
textbooks with their ABC's and the result is
just a mess. Everyone are writing tutorials
about SQL, but nobody covers the problems
what will come with that attack.
What is the cause of most problems
related to SQL injection?
Webdevelopers aren't always really dumb and
they have also heard of hackers and have
implemented some security measures like WAF
or manual protetion. WAF is an Web
application firewall and will block all malicous
requests, but WAF's are quite easy to bypass.
Nobody would like to have their site hacked
and they are also implementing some security,
but ofcourse it would be false to say that if
we fail then it's the servers fault. There's also
a huge possibility that we're injecting
otherwise than we should.
A web application firewall (WAF) is an
appliance, server plugin, or filter that applies
a set of rules to an HTTP conversation.
Generally, these rules cover common attacks
such as Cross-site Scripting (XSS) and SQL
Injection. By customizing the rules to your
application, many attacks can be identified
and blocked. The effort to perform this
customization can be significant and needs to
be maintained as the application is modified.
If you're interested about WAF's and how
they're working then I suggest to read it from
wikipedia http://en.wikipedia.org/wiki/
Application_firewall
Order by is being blocked?
It rarely happens, but sometimes you can't
use order by because the WAF has blocked it
or some other reasons. Unfortunally we can't
skip the order by and we have to find another
way. The way is simple, instead of using Order
by we have to use Group by because that's
very unlikely to be blacklisted by the WAF.
If that request will return 'forbidden' then it
means it's blocked.
http://site.com/gallery?id=1 order by
100--
Then you have to try to use Group by and it
will return correct :
http://site.com/gallery?id=1 group by
100-- / success
Still there's an possibility that WAF will block
the request, but there's on other way also and
that's not very widely known. It's about using
( the main query ) = (select 1)
http://example.org/news.php?id=8 and
(select * from admins)=(select 1)
Then you'll probably recive an error like this :
Operand should contain 5 column(s) .
That error means there are 5 columns and it
means we can proceed to our next step what's
union select. The command was different than
usual, but the further injection will be the
same.
http://site.com/news.php?id=-8 union
select 1,2,3,4,5--
'order by 10000' and still not error?
That's an small chapter where I'll tell you why
sometimes order by won't work and you don't
see an error. The difference between this
capther and the last one is that previously
your requests were blocked by the WAF, but
here's the injection method is just a littlebit
different. When I saw that on my first time
then I thought how does a Database have
100000 columns because I'm not getting the
error while the site is vulnerable?
The answer is quite logical. By trying order by
1000000 we're not getting the error because
there are so many columns in there, we're not
getting the error because our injecting isn't
working.
Example : site.com/news.php?id=9 order
by 10000000000-- [No Error]
to bypass this you just have to change the URL
littlebit.Add ' after the ID number and at the
end just enter +
Example :
site.com/news.php?id=9' order by
10000000--+[Error]
If the last example is working for you then it
means you have to use it in the next steps
also, there isn't anything complicated, but to
make everything clear I'll still make an
example.
http://site.com/news.php?id=-9' union
select 1,2,3,4,5,6,7,8--+
Extracting data from other database.
Sometimes we can inject succesfully and there
doesn't appear any error, it's just like a
hackers dream. That dream will end at the
moment when we'll see that there doesn't
exist anything useful to us. There are only few
tables and are called "News", "gallery" and
"articles". They aren't useful at all to us
because we'd like to see tables like "Admin"
or "Administrator". Still we know that the
server probably has several databases and
even if we have found the information we're
looking for, you should still take a look in the
other databases also.
This will give you Schema names.
site.com/news.php?id=9 union select
1,2,group_concat(schema_name),4 from
information_schema.schemata
And with this code you can get the tables
from the schema.
site.com/news.php?id=9 union select
1,2,group_concat(table_name),4 from
information_schema.tables where
table_schema=0x
This code will give you the column names.
site.com/news.php?id=9 union select
1,2,group_concat(column_name),4 from
information_schema.tables where
table_schema=0x and table_name=0x
I get error if I try to extract tables.
site.com/news.php?id=9 union select
1,2,group_concat(table_name),4 from
information_schema.tables
Le wild Error appears.
"you have an error in your sql syntax
near '' at line 1"
Change the URL for this
site.com/news.php?id=9 union select
1,2,concat(unhex(hex(table_name),4
from information_schema.tables limit
0,1--
How to bypass WAF/Web application
firewall
The biggest reason why most of reasons are
appearing are because of security measures
added to the server and WAF is the biggest
reason, but mostly they're made really badly
and can be bypassed really easily. Mostly you
will get error 404 like it's in the code below,
this is WAF. Most likely persons who're into
SQL injection and bypassing WAF's are
thinking at the moment "Dude, only one
bypassing method?", but in this case we both
know that bypassing WAF's is different kind of
science and I could write a ebook on
bypassing these. I'll keep all those bypassing
queries to another time and won't cover that
this time.
"404 forbidden you do not have
permission to access to this webpage"
The code will look like this if you get the error
http://www.site.com/index.php?
id=-1+union+select+1,2,3,4,5--
[Error]
Change the url Like it's below.
http://www.site.com/index.php?id=-1+/
*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]
Is it possible to modify the information in
the database by SQL injection?
Most of people aren't aware of it, but it's
possible. You're able to Update, Drop, insert
and select information. Most of people who're
dealing with SQL injection has never looked
deeper in the attack than shown in the
average SQL injection tutorial, but an average
SQL injection tutorial doesn't have those
statements added. Most likely because most of
people are copy&pasting tutorials or just
overwriting them. You might ask that why
should one update, drop or insert information
into the database if I can just look into the
information to use the current ones, why
should we make another Administrator
account if there already exists one?
Reading the information is just one part of
the injection and sometimes those other
commands what are quite infamous are more
powerful than we thought. If you have read
all those avalible SQL injection tutorials then
you're probably aware that you can read the
information, but you didn't knew you're able
to modify it. If you have tried SQL injecting
then you have probably faced some problems
that there aren't administrator account, why
not to use the Insert command to add one?
There aren't admin page to login, why not to
drop the table and all information so nobody
could access it? I want to get rid of the
current Administrator and can't change his
password, why not to use the update
commands to change the password of the
Administrator?
You have probably noticed that I have talked
alot about unneccesary information what you
probably don't need to know, but that's an
information you need to learn and understand
to become a real hacker because you have to
learn how SQL databases are working to
fiqure it out how those commands are
working because you can't find tutorials about
it from the network. It's just like math you
learn in school, if you won't learn it then
you'll be in trouble when you grow up.
Theory is almost over and now let's get to the
practice.
Let's say that we're visiting that page and it's
vulnerable to SQL injection.
http://site.com/news.php?id=1
You have to start injecting to look at the
tables and columns in them, but let's assume
that the current table is named as "News".
With SQL injection you can SELECT, DROP,
UPDATE and INSERT information to the
database. The SELECT is probably already
covered at all the tutorials so let's focus on
the other three. Let's start with the DROP
command.
I'd like to get rid of a table, how to do it?
http://site.com/news.php?id=1; DROP
TABLE news
That seems easy, we have just dropped the
table. I'd explain what we did in the above
statement, but it's quite hard to explain it
because you all can understand the above
command. Unfortunally most of 'hackers'
who're making tutorials on SQL injection
aren't aware of it and sometimes that three
words are more important than all the
information we can read on some tutorials.
Let's head to the next statement what's
UPDATE.
http://site.com/news.php?id=1; UPDATE
'Table name' SET 'data you want to edit' =
'new data' WHERE
column_name='information'--
Above explanation might be quite confusing
so I'll add an query what you're most likely
going to use in real life :
http://site.com/news.php?id=1; UPDATE
'admin_login' SET 'password' =
'Crackhackforum' WHERE
login_name='Rynaldo'--
We have just updated Administrator account's
password.In the above example we updated
the column called 'admin_login" and added a
password what is "Crackhackforum" and that
credentials belongs to account which's
username is Rynaldo. Kinda heavy to explain,
but I hope you'll understand.
How does INSERT work?
Luckily "INSERT" isn't that easy as the "DROP"
statement is, but still quite understandable.
Let's go further with Administrator privileges
because that's what most of people are
heading to. Adding an administrator account
would be like this :
http://site.com/news.php?id=1; INSERT
INTO 'admin_login' ('login_id',
'login_name', 'password', 'details')
VALUES
(2,'Rynaldo','Crackhackforum','NA')--
INSERT INTO 'admin_login' means that we're
inserting something to 'admin_login'. Now we
have to give instructions to the database what
exact information we want to add, ('login_id',
'login_name', 'password', 'details') means that
the specifications we're adding to the DB are
Login_id, Login_name, password and details
and those are the information the database
needs to create a new account. So far we have
told the database what information we want
to add, we want to add new account,
password to it, account ID and details. Now
we have to tell the database what will be the
new account's username, it's password and
account ID, VALUES
(2,'Rynaldo','Crackhackforum','NA')-- . That
means account ID is 2, username will be
Rynaldo, password of the account will be
Crackhackforum. Your new account has been
added to the database and all you have to do
is opening up the Administrator page and
login.
Passwords aren't working
Sometimes the site is vulnerable to SQL and
you can get the passwords.Then you can find
the sites username and password, but when
you enter it into adminpanel then it shows
"Wrong password".This can be because those
usernames and passwords are there, but
aren't working. This is made by site's admin to
confuse you and actually the Cpanel doesn't
contain any username/password. Sometimes
are accounts removed, but the accounts are
still in the database. Sometimes it isn't made
by the admin and those credentials has been
left in the database after removing the login
page, sometimes the real credentials has been
transfered to another database and old entries
hasn't been deleted.
Sometimes i get some weird password
This weird password is called Hash and most
likely it's MD5 hash.That means the sites
admin has added more security to the website
and has encrypted the passwords.Most
popular crypting way is using MD5 hash.The
best way to crack MD5 hashes is using
PasswordsPro or Hashcat because they're the
best and can crack the password even if it's
really hard or isn't MD5. Also you can use
http://md5decrypter.com .I don't like to be a
person who's pitching around with small
details what aren't correct, but here's an tip
what you should keep in mind. The domain is
saying it's "md5decryptor" what reffers to
decrypting MD5 hashes. Actually it's not
possible to decrypt a hash because they're
having 'one-way' encryption. One way
encryption means it can only be encrypted,
but not decrypted. Still it doesn't mean that
we can't know what does the hash mean, we
have to crack it. Hashes can't be decrypted,
only cracked. Those online sites aren't
cracking hashes every time, they're saving
already cracked hashes & results to their
database and if you'll ask an hash what's
already in their database, you will get the
result. :)
Md5 hash looks like this :
827ccb0eea8a706c4c34a16891f84e7b =
12345
You can read about all Hashes what exist and
their description http://pastebin.com/
aiyxhQsf
Md5 hashes can't be decrypted, only cracked
How to find admin page of site?
Some sites doesn't contain admin control
panel and that means you can use any method
for finding the admin page, but that doesn't
even exist. You might ask "I got the username
and password from the database, why isn't
there any admin login page then?", but
sometimes they are just left in the database
after removing the Cpanel.
Mostly people are using tools called "Admin
page finders".They have some specific list of
pages and will try them.If the page will give
HTTP response 200 then it means the page
exists, but if the server responds with HTTP
response 404 then it means the page doesn't
exist in there.If the page exist what is in the
list then tool will say "Page found".I don't
have any tool to share at the moment, but if
you're downloading it yourself then be beware
because there are most of those tools infected
with virus's.
Mostly the tools I mentioned above, Admin
Page Finders doesn't usually find the
administrator page if it's costumly made or
renamed. That means quite oftenly those tools
doesn't help us out and we have to use an
alternative and I think the best one is by using
site crawlers. Most of you are probably having
Acunetix Web Vulnerability scanner 8 and it
has one wonderful feature called site crawler.
It'll show you all the pages on the site and
will %100 find the login page if there exists
one in the page.
Automated SQL injection tools.
Automated SQL injection tools are programs
what will do the whole work for you,
sometimes they will even crack the hashes and
will find the Administrator page for you. Most
of people are using automated SQL injection
tools and most popular of them are Havij and
SQLmap. Havij is being used much more than
SQLmap nomatter the other tool is much
better for that injection. The sad truth why
that's so is that many people aren't even able
to run SQLmap and those persons are called
script-kiddies. Being a script-kiddie is the
worstest thing you can be in the hacking
world and if you won't learn how to perform
the attack manually and are only using tools
then you're one of them. If you're using those
tools to perform the attack then most of
people will think that you're a script-kiddie
because most likely you are. Proffesionals
won't take you seriusly if you're injecting with
them and you won't become a real hacker
neither. My above text might give you an
question, "But I've seen that even Proffesional
hackers are using SQLmap?" and I'd like to say
that everything isn't always black & white. If
there are 10 databases, 50 tables in them and
100 columns in the table then it would just
take days to proccess all that information.I'm
also sometimes using automated tools because
it makes my life easier, but to use those tools
you first have to learn how to use those tools
manually and that's what the tutorial above is
teaching you.
Use automated tools only to make your life
easier, but don't even look at them if you
don't know how to perform the attack
manually.
What else can I do with SQL injection
besides extracting information?
There are many things besides extracting
information from the database and sometimes
they are much more powerful. We have talked
above that sometimes the database doesn't
contain Administrator's credentials or you
can't crack the hashes. Then all the injection
seems pointless because we can't use the
information we have got from the database.
Still we can use few another methods. Just like
we can conduct CSRF attack with persistent
XSS, we can also move to another attacks
through SQL injection. One of the solution
would be performing DOS attack on the
website which is vulnerable to SQL injection.
DOS is shortened from Denial of service and
it's tottaly different from DDOS what's
Distributed Denial of Service. I think that you
all probably know what these are, but if I'm
taking that attack up with a sentence then
DOS will allow us to take down the website
temporarely so users wouldn't have access to
the site. The other way would be uploading
our shell through SQL injection. If you're
having a question about what's shell then by
saying it shortly, it's a script what we'll
upload to the server and it will create an
backdoor for us and will give us all the
privileges to do what we'd like in the server
and sometimes by uploading a shell you're
having more rights to modify things than the
real Administrator has. After you have
uploaded a shell you can move forward to
symlink what means we can deface all the
sites what are sharing the same server.
Shelling the website is probably most
powerful thing you can use on the website. I
have not covered how to upload a shell
through SQL injection and haven't covered
how to cause DOS neither, but probably will
do in my next tutorials because uploading a
shell through SQL is another kind of science,
just like bypassing WAF's. Those are the most
common methods what attackers will put in
use after they can't get anything useful out of
the database. Ofcourse every website doesn't
have the same vulnerabilities and they aren't
responding always like we want and by that I
mean we can't perform those attacks on all
websites.We have all heard that immagination
is unlimited and you can do whatever you'd
like. That's kinda true and hacking isn't an
exception, there are more ways than I can
count.
What to do if all the information doesn't
display on the page?
I actually have really rarely seen that there
are so much information on the webpage that
it all just don't fit in there, but one person
recently asked that question from me and I
decided to add it here. Also if you're having
questions then surely ask and I'll update the
article. If we're getting back to the question
then the answer is simple, if all the
information can't fit in the screen then you
have to look at the source code because
everything displayed on the webpage will be in
there. Also sometimes information will appear
in the tab where usually is the site's name. If
you can't see the information then sometimes
it's hiddened, but with taking a deeper look
you might find it from the source. That's why
you always have to look all the solutions out
before quiting because sometimes you might
think "I can't inject into that..", but actually
the answer is hiddened in the source.
What is the purpose of '--' in the union
+select+1,2,3,4,5-- ?
I suggest to read about null-byte's and here's
a good explanation about it : http://
en.wikipedia.org/wiki/Null_character because
it might give you some hint why -- is being
used . Purpose of adding -- in the end of the
URL isn't always neccesary and it depends on
the target. It doesn't have any influence to
the injection because it doesn't mean
anything, but it's still being used because it's
used as end of query. It means if I'm injecting
as : http://site.com/news.php?id=-1 union
select 1,2,3,4,5-- asasdasd then the server
will skip everything after -- and asasdasd
won't be readed. It's just like adding to
masking a shell. Sometimes injection isn't
working if -- is missing because -- tells the DB
that "I'm the end of query, don't read
anything what comes after me and execute
everything infront of me". It's just like writing
a sentence without a dot, people might think
it's not the end of your sentence and will wait
until you write the other part of the sentence
and the end will come if you add the dot to
your sentence.
