Author Topic: SQL Injection  (Read 63334 times)


Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
Re: SQL Injection
« Reply #30 on: August 15, 2012, 04:31:07 pm »

Hello Factionwars =] Very cool website, I was learning hacking from that site's tutorials =] But now I always have a problem... When I do SQL injection and I get the administrator password and nick, I go to the control panel of the website and type that nick and password I got, and it always says: invalid login. So where is the problem? Sorry, is that kind of a noobie question =] Thanks
Feox, I quoted your PM, but when you get a pass and nickname out of a database, it does not mean that it is the only user table on the database server, and the password may be hashed. Is it very long and too complicated to remember?
~Factionwars

Offline FeOx

  • NULL
  • Posts: 3
  • Cookies: 1
Re: SQL Injection
« Reply #31 on: August 16, 2012, 10:46:06 am »
Feox, I quoted your PM, but when you get a pass and nickname out of a database, it does not mean that it is the only user table on the database server, and the password may be hashed. Is it very long and too complicated to remember?

Thanks for the answer. Well, it was the only user table on the database server (I PMed you the link of that site) and the password is not hashed. I don't know where the problem is... and that happens always when I get admin logins... I go to the control panel and it says login invalid :\ I don't know what I'm doing wrong

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: SQL Injection
« Reply #32 on: August 16, 2012, 02:12:07 pm »
Thanks for the answer. Well, it was the only user table on the database server (I PMed you the link of that site) and the password is not hashed. I don't know where the problem is... and that happens always when I get admin logins... I go to the control panel and it says login invalid :\ I don't know what I'm doing wrong

It might not be hashed; it could be encrypted, or compressed for that matter. Nonetheless, there is no guarantee that it's used for the script you are looking at anyway. The password can be used at a secret directory, user panel, admin panel, email. Who knows. So unless you can pull out some path setting or something like that, you just gotta accept that the password may not belong to the panel you are using it on.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Simba

  • Serf
  • *
  • Posts: 47
  • Cookies: 1335
  • programisiai.lt
Re: SQL Injection
« Reply #33 on: August 16, 2012, 03:15:24 pm »
Thanks for the answer. Well, it was the only user table on the database server (I PMed you the link of that site) and the password is not hashed. I don't know where the problem is... and that happens always when I get admin logins... I go to the control panel and it says login invalid :\ I don't know what I'm doing wrong

What control panel do you have in mind? cPanel / DirectAdmin?
Those have completely different passwords.

Also, are the passwords plain text? Are you sure?

Some programmers like to set up 2 environments, so you might be trying to breach the one that's only being used as bait. But in your case, I doubt it.

Offline FeOx

  • NULL
  • Posts: 3
  • Cookies: 1
Re: SQL Injection
« Reply #34 on: August 16, 2012, 03:27:30 pm »
What control panel do you have in mind? cPanel / DirectAdmin?
Those have completely different passwords.

Also, are the passwords plain text? Are you sure?

Some programmers like to set up 2 environments, so you might be trying to breach the one that's only being used as bait. But in your case, I doubt it.

I was trying to log in to /cpanel.
Well, at the moment I'm searching for the page that would let me log in but can't find it :S Well, I keep searching.

Offline Simba

  • Serf
  • *
  • Posts: 47
  • Cookies: 1335
  • programisiai.lt
Re: SQL Injection
« Reply #35 on: August 16, 2012, 03:30:22 pm »
Doh! Almost nobody stores cPanel passwords in the database!
Those passwords are for the CMS.


Offline FeOx

  • NULL
  • Posts: 3
  • Cookies: 1
Re: SQL Injection
« Reply #36 on: August 16, 2012, 06:08:56 pm »
Doh! Almost nobody stores cPanel passwords in the database!
Those passwords are for the CMS.

Ok, thanks =] As we talked in PM, you said there are no CMS panels in that website I PMed you, and said to check for an XSS vuln. Well, I didn't find an XSS vuln either :\

Offline uSploit

  • /dev/null
  • *
  • Posts: 13
  • Cookies: 7
Re: SQL Injection
« Reply #37 on: March 01, 2014, 11:58:57 am »
I tried this tutorial.. and have a problem.
First: when you try to write http://evilzone.org/index.php?id=17+ORDER+BY+5 or http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3 you get nothing.. I solved this problem with ...?id=17' UNION ALL SELECT 1,2,3# but if you write it in the URL, in my case # doesn't work, so I changed it to %23, like ?id=17' UNION ALL SELECT 1,2,3%23.
Second: when I try this ?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database() it doesn't work.. I tried it in MySQL and it gives this error: #1109 - Unknown table 'table_test' in information_schema
In my case the SQL query is: SELECT * FROM `table_test` WHERE straipsnio_id = '1' UNION ALL SELECT 1,2,3,concat(table_name) FROM `information_schema.TABLES` WHERE table_schema=database(),5,6,7,8,9,10
Any solution?

Well, if you use parentheses at the end to close the query it would probably work. And in some cases you need to use string injection; I'll explain. I also show this in a tutorial I am still writing. Example: php?id=1+union+select+1,2,3--
String injection: php?id=1'union+select+1,2,3--+-  Sometimes your id needs to be negative and you need to replace it with null or place a - in front of the id number (it happens often). I always use the -. Example: php?id=-1'union+select+1,2,3--+-

Offline kbt0000

  • /dev/null
  • *
  • Posts: 7
  • Cookies: -3
Re: SQL Injection
« Reply #38 on: October 04, 2015, 01:56:51 pm »
First, thanks for the detailed tutorial. I have a question: in
http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3
you mean the query UNION SELECTs and the SQL server returns all 3 columns. May I ask why it outputs "2", "3" on the webpage rather than anything else, for example column names? In some other tutorials, this query is said to find the vulnerable column, and you make a difference. Sorry for my bad English
« Last Edit: October 04, 2015, 02:20:59 pm by kbt0000 »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: SQL Injection
« Reply #39 on: October 05, 2015, 04:37:46 pm »
First, thanks for the detailed tutorial. I have a question: in
http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,3
you mean the query UNION SELECTs and the SQL server returns all 3 columns. May I ask why it outputs "2", "3" on the webpage rather than anything else, for example column names? In some other tutorials, this query is said to find the vulnerable column, and you make a difference. Sorry for my bad English

There is no such thing as a 'vulnerable' column.

It outputs 1, 2 and/or 3 because those are the values you selected (SELECT 1,2,3). When you select a number instead of a column name, it takes the values as is and prints them directly. You could also do SELECT 'a', 'b', 'c' and it would print 'a', 'b' and/or 'c'. You do this to see the changes in output, so that you know where to look and what is being printed in the next step: actually retrieving data.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline kbt0000

  • /dev/null
  • *
  • Posts: 7
  • Cookies: -3
Re: SQL Injection
« Reply #40 on: October 07, 2015, 12:35:49 am »
There is no such thing as a 'vulnerable' column.

It outputs 1, 2 and/or 3 because those are the values you selected (SELECT 1,2,3). When you select a number instead of a column name, it takes the values as is and prints them directly. You could also do SELECT 'a', 'b', 'c' and it would print 'a', 'b' and/or 'c'. You do this to see the changes in output, so that you know where to look and what is being printed in the next step: actually retrieving data.

I also hack with SQL injection and sometimes it shows no column with UNION ALL SELECT. I wonder if it has no text-type column (a table always has a text column, is that right?). Thanks for the answer

Offline blindfuzzy

  • VIP
  • Peasant
  • *
  • Posts: 86
  • Cookies: 34
Re: SQL Injection
« Reply #41 on: October 08, 2015, 04:01:11 pm »
I also hack with SQL injection and sometimes it shows no column with UNION ALL SELECT. I wonder if it has no text-type column (a table always has a text column, is that right?). Thanks for the answer

You're doing it wrong. Could be a blind SQLi.
« Last Edit: October 08, 2015, 04:01:49 pm by blindfuzzy »

Offline DoctorT

  • Serf
  • *
  • Posts: 29
  • Cookies: -3
Re: SQL Injection
« Reply #42 on: October 08, 2015, 05:26:29 pm »
That's a lot of writing. I like writing, especially about computer science. But even for me, writing a topic about damned SQLis is difficult, with the thread start explaining what PHP really is and containing a MySQL table right after it. That's some really cool stuff here in this forum.

Thank you, bookmarked (even though, thanks to your ebook section, I have 200 ebooks about hacking). You deserve a cookie.

Offline ShadowCloud

  • Serf
  • *
  • Posts: 33
  • Cookies: 31
  • -My word is my bond
Re: SQL Injection
« Reply #43 on: November 23, 2015, 12:48:46 pm »
In addition to your suggestion for securing applications against these types of attacks, might I suggest a couple of other things to consider?

1.  Centralize data access via one layer, so any change is made in this one location of your project, rather than going back later and trying to fix something all over all of your files.
2.  Parameterize your SQL queries.  I know this might be a little tedious to do at first, but it's definitely the more secure way to do things, and even when you switch languages or DBMS the concept will remain exactly the same, rather than being stuck on a specific programming convention.
QA Engineer walks into a bar. Orders a beer. Orders 0 beers. Orders 999999999 beers. Orders a lizard. Orders -1 beers. Orders a sfdeljknesv.

Offline iikibT

  • Serf
  • *
  • Posts: 41
  • Cookies: 7
Re: SQL Injection
« Reply #44 on: December 01, 2015, 02:03:24 pm »
Great tutorial, I enjoyed reading it very much =)

I know PHP security is not the main topic of this tutorial, and I also had no idea about this in 2011, but I just wanted to point out that today:
Instead of doing:
Code:
$variable = $_GET['Some_user_input_name'];

Do:
Code:
$variable = mysql_real_escape_string($_GET['Some_user_input_name']);
is not considered best practice for handling user input sent to SQL. While escaping characters that have special meaning in whichever SQL engine and version you are using is good, it is an approach where one mistake means SQL injection is possible. Instead, prepared statements should be used. This way, SQL knows what the statement is and what kind of data to expect. So if there is something wrong with the data, SQL can reject it rather than execute an arbitrary command.

If you read this and have the time, please add a note to the quoted code above that prepared statements are best practice in such contexts. If you don't agree, feel free to disregard this comment.
« Last Edit: December 01, 2015, 02:04:10 pm by iikibT »
Hacking for no fun and no profit
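The escaping-versus-binding point iikibT makes, together with ShadowCloud's advice to route all data access through one parameterized layer, as an added example that is not part of this thread. It uses Python's sqlite3 module in place of the tutorial's PHP and MySQL, since the technique is the same in any driver; the users table, its rows and the inputs are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the tutorial's MySQL one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT, password TEXT)")
    conn.execute("INSERT INTO users (nick, password) VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, nick):
    """The pattern the quoted tutorial code leads to: input pasted into the SQL text,
    so the database cannot tell where the query ends and the data begins."""
    sql = "SELECT id, nick FROM users WHERE nick = '" + nick + "'"
    return conn.execute(sql).fetchall()

class UserRepository:
    """One data-access layer: every query on users lives here, all parameterized."""
    def __init__(self, conn):
        self.conn = conn

    def find_by_nick(self, nick):
        # The statement is parsed first; the driver binds nick as a plain value,
        # so quotes or keywords inside it never change the query's structure.
        return self.conn.execute(
            "SELECT id, nick FROM users WHERE nick = ?", (nick,)).fetchall()

def vulnerable_breaks_on(conn, nick):
    """True when the concatenated query is not even valid SQL for this input."""
    try:
        lookup_user_vulnerable(conn, nick)
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    """Same inputs through both paths; returns what each one matched."""
    conn = make_db()
    repo = UserRepository(conn)
    bypass = "' OR '1'='1"  # the tautology string every SQLi tutorial shows
    return {
        "vulnerable": lookup_user_vulnerable(conn, bypass),  # matches every row
        "parameterized": repo.find_by_nick(bypass),  # no nick has that literal text
        "honest": repo.find_by_nick("admin"),
        "apostrophe_breaks_vulnerable": vulnerable_breaks_on(conn, "O'Brien"),
        "apostrophe_ok_parameterized": repo.find_by_nick("O'Brien"),
    }

if __name__ == "__main__":
    print(demo())
```

The last two entries show the other half of the argument: a harmless name with an apostrophe is a syntax error for the concatenated query but just a value for the bound one.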