EC Council CEH 312-50 V11 – Website Hacking – SQL Injection Vulnerabilities part 2
- Discovering SQL injections in GET
Okay, now I’d like to show you an SQL injection in a different file and a different page, and I’ll show you a few different things that you can do to exploit that vulnerability. So the first thing, I’m going to go to the login page which is in here, User Info. So the first time, we went to the login page from there; this time we went to the User Info page. So this page will show you the information about the user, provided you give the username and password. So I’m going to do Zade and I’m going to put my password 123456, and it’ll show my details, username and password, and my signature is AAA. So the statement that’s being executed here is similar to what was being executed when you log in.
So select star from accounts where username is what you put in the user field and password is what you put in the password field. So what we’re going to do now is we’re going to see a different way of exploiting this kind of vulnerability. In the previous video we were doing it using a POST text box, so whatever you put in the text box was being posted using a POST method to the web application. Now these vulnerabilities can exist in GET. And what I mean by GET is, when something is sent as GET, you will see it here in the URL. So if you look at the URL here, you see it’s being sent as the username Zade and password 123456.
So let me just copy this URL here and we’ll start playing with it from the URL instead of doing it on the web page. I just want to show you a different example, because in many places there might not even be text boxes. For example, it could be something like news.php. So we can see here, for example, in this example it’s index.php, and in your pen testing you might see something like news.php and, for example, id is equal to 2, and then you can try to inject stuff in there. So we’re having an example here where we’re going to be injecting things into the username field, which is this field, and we’re going to be injecting stuff in here. So anytime when you’re doing your pen test, anytime you see parameters like this, you should try to inject them.
Anytime you see something.php and then you have a parameter equals something, then always try to inject stuff in there and see if it works for you. So we’ve also seen a way of discovering the injection, and that was using the quotation mark and using the and: so we do a false and a true, and 1=1 and then and 1=2. And if the server is executing what we want, then we’re going to know that there is an SQL injection. I’m going to show you another way of discovering these exploits, and it’s using the order by. As the name suggests, the order by statement is used to order the results that we get on the screen based on a specific column.
So our injection is going to be like this. So I’m going to do order by 1. So if the injection exists, this should work, because in each select statement there should be at least one column being selected. Therefore when we say order by 1, we’re saying I want to order the results based on the first column. Therefore this should always be acceptable by the database and return a true or something that we expect. We also need to add the comment here and execute this code, so it’s exactly like before.
So when we’re doing this, basically this is our URL and this is what’s going to happen on the database. So this is the code that’s being executed on the database. It’s going to look like this. So it’s going to be select star from accounts where username is equal to Zade, and note how this is closing the quote. And we’re going to do an order by 1, and there should be this quote here for the end, and this comment will tell the SQL interpreter to ignore anything that comes after it. So all of this is going to be ignored. So I’m copying this. So you can actually paste this injection, Zade order by 1, into the name right here and that’s going to work.
But again, I just want to show you a different way of doing it by injecting it through the browser. Another thing that I want you to note is when you’re injecting stuff into the browser, the code should be encoded. So for example, this sign, usually when you put it in the URL, it should be written as %23. Spaces, for example, get converted to %20, and %23 is the comment that we’re using. So I’m going to copy that and replace my comment sign with it. Now you can Google “http encoder” and you’ll see there are online tools that will just convert this for you.
Now, I know that the hashtag can be converted to %23, so that’s why I’m using it there. And I’m going to hit enter. And as you can see, now we’re seeing something that’s acceptable, nothing wrong. And then it’s showing me the information about Zade, 123456, and showing me the signature. So it is ignoring the password. So the injection worked and it’s order by 1, so it’s not showing me anything wrong. Let’s try to make this number 1 a very large number. So I’m putting 10,000, or 100,000, now. So what we’re saying right now is I want you to order the results that will be returned by the current select statement based on column 100,000.
Now, chances are there aren’t 100,000 columns used in this select statement, and therefore this should return an error. So when I execute this, you’ll see that there is an error, and the error is in the order clause, telling us that there is an unknown column 1000. And this is great, because now we know that the database is executing what we want. So when we told it to order the results based on the first column, it showed us results. So it followed what we told it. And then when we told it to order the results based on a column that does not exist, it gave us an error. So it’s obviously vulnerable to SQL injections.
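To turn the probing sequence just described into something a defender can spot in server logs, here is an added example that is not part of the original course material: it scans constructed web-server access-log lines for the URL-encoded order by, union select and and 1=1 style probes described above. The log format, client addresses, page names and rule names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (not from the original course) showing the
# order-by walk and union read from the transcript, plus two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.php?page=user-info.php&username=zade&password=123456 HTTP/1.1" 200 4120
10.0.0.5 - - [01/Jan/2024:10:00:09] "GET /index.php?page=user-info.php&username=zade'%20order%20by%201%23&password=x HTTP/1.1" 200 4120
10.0.0.5 - - [01/Jan/2024:10:00:15] "GET /index.php?page=user-info.php&username=zade'%20order%20by%20100000%23&password=x HTTP/1.1" 200 3990
10.0.0.5 - - [01/Jan/2024:10:00:31] "GET /index.php?page=user-info.php&username=zade'%20union%20select%201,database(),user(),version(),5%23&password=x HTTP/1.1" 200 4300
10.0.0.9 - - [01/Jan/2024:10:01:00] "GET /index.php?page=user-info.php&username=o'brien&password=secret HTTP/1.1" 200 4120
"""

# Common-log-format request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Probe signatures for the techniques in the transcript, applied to the fully
# URL-decoded, lower-cased parameter value (a lone apostrophe is not enough).
RULES = [
    ("order_by_probe", re.compile(r"'\s*order\s+by\s+\d+")),
    ("union_select",   re.compile(r"union\s+(all\s+)?select\b")),
    ("boolean_probe",  re.compile(r"'\s*and\s+\d+\s*=\s*\d+")),
    ("schema_read",    re.compile(r"information_schema\.(tables|columns)")),
]

def decode_param(value: str) -> str:
    # parse_qsl has already decoded once; decode again so %2527-style double
    # encoding is unwrapped before matching.
    return unquote_plus(value).lower()

def scan_line(line: str):
    """Return (ip, parameter, [rule names]) for a suspicious GET, else None."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    for name, raw in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        hits = [rule for rule, rx in RULES if rx.search(decode_param(raw))]
        if hits:
            return (m.group("ip"), name, hits)
    return None

def scan_log(text: str):
    return [hit for hit in map(scan_line, text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, param, rules in scan_log(SAMPLE_LOG):
        print(f"{ip} probed parameter '{param}': {', '.join(rules)}")
```

The benign o'brien request is deliberately left unflagged: the rules key on the SQL keywords that follow the quote, not on the quote alone.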
- Reading Database Information
Okay, so now let’s try and determine how many columns are being selected into this page, so how much information is being selected and displayed on this page. So to do that we’re going to use the order by command. So we did order by 1 and that returned something that was acceptable, and order by 1000 gave us an error. So let’s try and do order by 10 and we still get an error. So I’m going to do an order by 5 and that works. So let’s try to do an order by 6 and that gives an error. So by doing this we know that there are five columns being selected from a certain table, and it’s the accounts table, and displayed on this page.
So let’s try and build our own select statement and get it to be executed on the target computer. So let’s come here and try to build it there. So at the moment the statement is select star from accounts where username is equal to Zade and we’re doing an order by 1. So let’s see if we can fix that and get it to select something that we like. So the normal way to select stuff is using this format, but because we’re trying to do multiple selects and we’re trying to do it from the URL, we’re going to have to use a union first and then we’re going to say select. Then we need to imagine what’s happening on this application. So in this web application we know that there are five records being selected, so there are five columns that are being selected.
So we’re doing 1,2,3,4,5 and we got that from the order by command. So let’s run this and see what happens. And I spelled union wrong. And as you can see now, the selection was right and we got the first selection. So the first selection that this line does has been done, and then it did the union. So it combined that selection with another selection and it showed us something else. And as you can see here, we’re only seeing 2, 3 and 4. And what that means is whatever value you put in number 2 or 3 or 4, whatever you want to select, if you put it in there, it’s going to be displayed on this page in this particular location, and you can see that here you have results for 2.
So whatever you put in 2 would also be shown in here. So let’s try to see our database. So instead of number 2 I’m going to say database, and instead of number 3 I’m going to say username or user, and instead of number 4 I’m going to do version, and this will select the current database, the current user privileges that we have, and the version of the database. So let’s see if this gets executed and then we’ll talk about it. OK, cool. So the username is showing up as owasp10, and that was number 2. So that is the database that we’re looking for.
So the database is owasp10. The current user that we’re logged in as is root@localhost. So we’re the root user, and in the signature, so this stuff actually doesn’t mean anything. We’re only concerned about this and what we injected. And we injected the version and we can see this is the version of MySQL, so it’s 5.0.51. So at the moment we know that the database that we’re connected to is owasp10. Usually in most real life scenarios, each database is assigned to a certain user. So usually you’re only able to select stuff, tables, columns, data that is located in this current database. At the moment we’re logged in as root. So this web application has been connected to the database as root.
So therefore we can actually access other databases. But this doesn’t really happen in real life scenarios. Usually each user has their own database, so when they connect a web application to a database, they connect it to one database and therefore you won’t be able to access other databases. So we’re going to consider that, we’re going to assume that we only have access to owasp10, which is our current database for this current website, and the username is root@localhost. In the next video we’ll see how we can further explore this and do more powerful select statements.
- Discovering Database Tables
Okay, so now we know our target database is called owasp10. Let’s try and discover the tables that exist in the database. So this is our select statement. It’s a union select 1 and we have these things. So I’m going to leave this or change this to null, because I only want to select one thing now, and I’m going to set this to null as well. And in number 2, we’re going to select table_name from... now we’re going to select this from a database called information_schema. Now I said this in the first video of SQL, that information_schema is a default database created by MySQL and it contains information about all other databases. So what we’re doing now, we’re selecting the table_name from information_schema, and after the dot, you put the table.
So basically we’re selecting a table called tables from a database called information_schema. And the column that we’re selecting is called table_name. So we’re selecting table_name from the database that’s called information_schema, from the table tables. Let’s execute this and see if we can get all the tables that exist in the owasp10 database. So we can see, we got 237 records and you can see all the tables that we have. So these are all the tables that we have access to. So again, I said we are logged in as root, therefore we can actually see tables from other web applications such as the TikiWiki. But in real life scenarios, you’ll only see tables related to your current database, which is Mutillidae. So what I’m going to do is I’m going to use a where clause and I’m going to say where the table_schema is equal to owasp10.
So owasp10 was what we got when we executed, when we selected the database. So we got owasp10, which is our current database that Mutillidae is working on. So we are using the same statement. We’re selecting the table_name from information_schema.tables where the table_schema is owasp10. So I’m going to copy that and execute it here. And as you can see, now we have so many fewer tables and we only have the ones that we’re interested in. So we have the accounts, the blogs, captured data, credit cards, hitlog, and the pen test tools. Now, if you remember, in the first or the second video in the SQL injection videos I showed you what the content of owasp10 was, and it was these tables of the owasp10 database.
- Extracting Sensitive Data From The Database (Such As Passwords, User Info, etc.)
Now let’s see if we can select and have a look at all the accounts that exist within this table. So let’s see if we can query the database and read the information stored in the accounts table. To do that, we’re going to first need to know the names of the columns that exist within this table, because if you look at the way we’re using our statement, we’re doing union select column name from a table. So we still don’t know what columns exist in accounts. Now we can try and guess that there is a username and a password, but sometimes they could have different names. So I’m going to show you how you can select the columns for a certain table.
The command is going to be very similar to the tables command, and the only difference is instead of table_name, we’re going to say column_name. And instead of selecting it from information_schema.tables, we’re going to select it from information_schema.columns, and we’re going to say where the table_name is equal to accounts, because we’re interested in the accounts table. If you wanted to get columns for another table, then you just substitute this with the table that you want. So our command is going to be union select 1, column_name from information_schema.columns where the table_name is the table that we’re interested in, which is accounts.
And this should show us all the columns that exist within the accounts table. So let’s run this command, and perfect, the same columns that we’ve seen before: it’s cid, username, password, mysignature and is_admin. Now let’s take this one step further and select the usernames and passwords from the accounts table. So again, the command is going to be very similar to what we’re running at the moment. We’re going to be selecting, and we’re going to select username, and I’m going to select the password for number 2, and for number 3 we’re going to select the is_admin.
Now remember, I can’t select anything instead of number 1 and number 5, because they’re never displayed for me on screen. The only thing that I see was number 2, 3 and 4, which were displayed here: 2, 3 and 4. So therefore I’m only substituting values for 2, 3 and 4. And we’re going to select that from accounts, and we’re not going to need the where. So I’m going to delete the where. So, very simple statement. We’re selecting username, password and is_admin from the accounts, and this should return all the usernames and passwords that exist within the current table, the accounts table. And I have an extra quote here that I’m going to delete. And as you can see, we got all the usernames and passwords.
We have the admin and their password is adminpass. We have other users and we have their passwords, and it’s also telling us whether they are admins or not. This is very useful, because in most websites, when you log in as admin, you have so many more privileges than a normal person, and then you’d be able to upload PHP shells or backdoors, viruses, whatever you want to do, really, and then further exploit the system. So at the moment, I can actually log in with the username admin and the password adminpass, and it’s going to accept that because it’s correct. So no matter how complicated the password was, we’re just going to be able to read it, because we’re reading it straight from the database.
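As an added example, not code from the course or from Mutillidae: the user-info lookup built two ways against a constructed in-memory SQLite copy of the accounts table, so the order by column-count walk from the earlier section and the union read from this one can be run side by side against the string-built query and its parameterised replacement. The sample rows, the function names, and the use of SQLite's -- comment in place of MySQL's # are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the accounts table read in the transcript
# (sample rows; not the real application's data).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT,"
                " mysignature TEXT, is_admin TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", [
        (1, "admin", "adminpass", "Monkey!", "TRUE"),
        (2, "zade", "123456", "AAA", "FALSE"),
    ])
    return con

def user_info_vulnerable(con, username, password):
    # Same shape as the statement described in the transcript: the input is
    # spliced into the SQL text, so a quote ends the literal and what follows
    # is parsed as SQL.
    sql = f"SELECT * FROM accounts WHERE username='{username}' AND password='{password}'"
    return con.execute(sql).fetchall()

def user_info_safe(con, username, password):
    # Parameterised statement: values travel separately from the SQL text, so
    # a quote, ORDER BY or UNION in the input is only ever compared as data.
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()

def column_count_probe(con, lookup, max_cols=10):
    """The 'order by N' walk from the transcript, run through a lookup function.
    Returns the first N the database rejects (column count + 1), or None when
    no N up to max_cols produces an error, i.e. the input was treated as data."""
    for n in range(1, max_cols + 1):
        try:
            # SQLite comments with '--' where the transcript's MySQL used '#'.
            lookup(con, f"zade' ORDER BY {n} -- ", "x")
        except sqlite3.OperationalError:
            return n
    return None

# The union read from the extraction section, in SQLite comment syntax.
UNION_PAYLOAD = "zade' UNION SELECT 1,username,password,is_admin,5 FROM accounts -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable rejects ORDER BY", column_count_probe(con, user_info_vulnerable))
    print("safe rejects ORDER BY", column_count_probe(con, user_info_safe))
    print("vulnerable:", user_info_vulnerable(con, UNION_PAYLOAD, "x"))
    print("safe:", user_info_safe(con, UNION_PAYLOAD, "x"))
```

The parameterised version returns no rows for either payload while still answering the genuine zade/123456 lookup identically; binding the values is what removes the vulnerability, not filtering the keywords.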