
SQL Exploit Help


ghost's Avatar
0 0

I've got a site, and at the login page there is a login form with the user auto-filled as Administrator.

If I put Administrator 'or'a=a I get ERROR. If I put Administrator' /* I get YOU DON T HAVE PROPER CREDENTIALS.

I'm absolutely sure that the only user stored in the database is Administrator and that the password is encrypted in an MD5 hash.

Now the question: could someone explain to me how to, manually, "put YES or NO questions" to get every digit of the MD5 hash? I mean like:

Is the first digit equal to 0? Is the first digit equal to 1? Is the first digit equal to 2? YES.. now I go to the second digit.

Or could someone code me a simple exploit that does that thing?

I'm almost sure that this exploit http://seclists.org/bugtraq/2005/Apr/0273.html, with the proper modifications, will be ready to use where I need it.

I think the table is users(user,password).

And I don't understand. If I put 'a' or 'a'='a' I get an error, and if I put Administrator' /* I get the other error.

What is the difference between these two: 'a' or 'a'='a' and 'Administrator', while the only record in the database is Administrator?

Basically I need to figure out how to ask the database a YES/NO question.

And I'm sure that in that way I can easily extract MD5 hashes by going digit by digit and asking

"Does this digit equal '1'?" "Does this digit equal '2'?".. yes? Good, move to the next.

If you could help me I would be eternally grateful!


ghost's Avatar
0 0

prepare to be flamed.


ghost's Avatar
0 0

A.) Learn MySQL B.) What exactly is the error message that you get when you use 'a' OR 'a'='a'. Can you use that to see what's wrong? Is it a syntax error? If it is, then look at the query it gives you (if it gives you one). What does that tell you? If it doesn't give you the query that has a syntax error, what would you put as a query to log someone in? How would you have the right syntax with that query? C.) Report to administrator and help him fix it :D :D :D.


ghost's Avatar
0 0

hacker2k wrote: A.) Learn MySQL B.) What exactly is the error message that you get when you use 'a' OR 'a'='a'. Can you use that to see what's wrong? Is it a syntax error? If it is, then look at the query it gives you (if it gives you one). What does that tell you? If it doesn't give you the query that has a syntax error, what would you put as a query to log someone in? How would you have the right syntax with that query?

What the hell are you talking about? From what I understand about SQL injection (which is not much), you generate error messages in order to figure out table names. Then you have a layout of the database, so you can just pull out whatever info you need.

Correct me if I'm wrong.


ghost's Avatar
0 0

Yeah, you can do that, but since it is an SQL injection on a login page and his goal is probably to login, you would just need a single error message. A lot of servers give the error message for a syntax error with the query in the message. Using that you can easily figure out where your syntax error is. I think I know what's wrong with the query, but I'd rather him figure it out. The query the script is using when it's looking for the login is something like:

SELECT * FROM users WHERE username='a' OR 'a'='a'';

Simple to fix. Of course, I might have read his post wrong.

P.S. In order for you to actually pull out information, the script has to output whatever it gets and not just check if it's valid.


ghost's Avatar
0 0

Well, like I said, I don't really know too much about SQL injection (I need to do some research lol). But I get what you mean now.


fashizzlepop's Avatar
Member
0 0

Hertz wrote:

Now the question: could someone explain to me how to, manually, "put YES or NO questions" to get every digit of the MD5 hash? I mean like:

Is the first digit equal to 0? Is the first digit equal to 1? Is the first digit equal to 2? YES.. now I go to the second digit.

Hmmm, I've never heard of being able to do that before… I don't think it's possible, but I can't say for sure seeing I don't know very much MySQL, let alone SQL injections….


Infam0us's Avatar
Member
0 0

Hertz wrote: I've got a site, and at the login page there is a login form with the user auto-filled as Administrator.

If I put Administrator 'or'a=a I get ERROR. If I put Administrator' /* I get YOU DON T HAVE PROPER CREDENTIALS.

I'm absolutely sure that the only user stored in the database is Administrator and that the password is encrypted in an MD5 hash.

Now the question: could someone explain to me how to, manually, "put YES or NO questions" to get every digit of the MD5 hash? I mean like:

Is the first digit equal to 0? Is the first digit equal to 1? Is the first digit equal to 2? YES.. now I go to the second digit.

Or could someone code me a simple exploit that does that thing?

I'm almost sure that this exploit http://seclists.org/bugtraq/2005/Apr/0273.html, with the proper modifications, will be ready to use where I need it.

I think the table is users(user,password).

And I don't understand. If I put 'a' or 'a'='a' I get an error, and if I put Administrator' /* I get the other error.

What is the difference between these two: 'a' or 'a'='a' and 'Administrator', while the only record in the database is Administrator?

Basically I need to figure out how to ask the database a YES/NO question.

And I'm sure that in that way I can easily extract MD5 hashes by going digit by digit and asking

"Does this digit equal '1'?" "Does this digit equal '2'?".. yes? Good, move to the next.

If you could help me I would be eternally grateful!

You are looking for a way to ask Boolean questions (yes or no, true or false, on or off, etc.). You want to look at info on blind SQL injection. Check these out: http://www.unixwiz.net/techtips/sql-injection.html http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

http://www.google.com/search?hl=en&q=sql+injection+cheat+sheet&btnG=Search http://www.google.com/search?hl=en&q=blind+sql+injection&btnG=Google+Search

The first thing you need to do is see the difference between a true and a false question. Enter ' or 1=1-- and view the response carefully, and then enter something like ' AND 1=2-- and see the difference in the response between the two scenarios.

After you find the table name and the column name you want to extract data from, you can use the below method to get data out with true/false questions. Don't quote me on the syntax because I'm sure it's wrong, but just to give you an idea of how it's done. The way I completed the blind SQL injection WebGoat challenge was something like this:

' OR 1=1 AND SELECT * FROM Users WHERE ascii(SUBSTR(User_names, 1)) < 65--

which submits this SQL query:

SELECT * FROM Users WHERE Username = ' OR 1=1 AND SELECT * FROM Users WHERE ascii(SUBSTR(User_names, 1)) < 65-- AND Password = ''

If it returns true you should get an invalid username/password type of screen (the normal expected response). If it's false you will get an error or weird message (or no message) of some kind.

This isn't perfect by any means; it's just to give you a rough idea of how it's done. I forget how to select the first row in the column etc. This works because 1=1 is always true, and when you add the AND in there and say if the first user name in the table Users and column User_names contains an a (ascii 65) or greater then return true, and if not then return false. You can do this until you find the ASCII value of the first letter in the user name, and then change it to ascii(SUBSTR(User_names, 2)) < 65 to find the second letter, and so on and so forth. Kinda confusing, but I hope this helped.

EDIT: The most important functions to know when asking Boolean questions and extracting string data in SQL like this are ASCII() http://www.asciitable.com/ http://www.brettb.com/SQL_Help_ASCII_Char_Functions.asp

and SUBSTR (substring): http://wall.riscom.net/books/delphi/del_tis/TI2962.html http://www.1keydata.com/sql/sql-substring.html Those sites will help a lot in trying to get the password out of the DB.
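The two replies above turn on one fact: the login script pastes the username straight into its SQL, so an unbalanced quote breaks the query (the ERROR page hacker2k points at) while a balanced condition is evaluated and changes the outcome (the true/false difference Infam0us describes). The example below, added here and not code from the thread, rebuilds that login twice against an in-memory SQLite table: once the way the OP's site behaves, once with a parameterised query. The table name `users`, the column names, the `Administrator` row and the sample password are constructed for the demonstration.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the thread): a users(user, password) table
# holding one row, with the password stored as an MD5 hex digest as the OP
# describes. The user name and password value are assumptions for this example.
SAMPLE_USER = "Administrator"
SAMPLE_PASSWORD = "example-only"
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
_conn.execute(
    "INSERT INTO users VALUES (?, ?)",
    (SAMPLE_USER, hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()),
)
_conn.commit()


def _classify(run):
    """Map one query attempt to the three responses the thread describes."""
    try:
        row = run()
    except sqlite3.Error:
        return "error"                             # broken SQL: the generic ERROR page
    return "ok" if row else "bad_credentials"      # row found / no row found


def login_vulnerable(user: str, password: str) -> str:
    """The pattern the thread is probing: user input pasted into the SQL text.
    Hashing the password first does nothing for the username field, which can
    close the quote and append its own condition or a comment marker."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT user FROM users WHERE user='" + user
           + "' AND password='" + pw_hash + "'")
    return _classify(lambda: _conn.execute(sql).fetchone())


def login_safe(user: str, password: str) -> str:
    """Hardened form: a parameterised query. The driver passes the username as
    data, never as SQL, so quotes and comment markers in it are only characters
    to compare against the column value."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return _classify(lambda: _conn.execute(sql, (user, pw_hash)).fetchone())


if __name__ == "__main__":
    probes = {
        "legit":        (SAMPLE_USER, SAMPLE_PASSWORD),
        "unbalanced":   ("'a' or 'a'='a'", "x"),          # the OP's first attempt
        "true branch":  (SAMPLE_USER + "' AND 1=1--", "x"),
        "false branch": (SAMPLE_USER + "' AND 1=2--", "x"),
    }
    for name, (u, p) in probes.items():
        print(f"{name:13} vulnerable={login_vulnerable(u, p):16} safe={login_safe(u, p)}")
```

Running it shows the three distinguishable responses for the concatenated query and only two, both honest, for the parameterised one: every injected username is treated as a name that does not exist. SQLite is used here only because it ships with Python; the comment syntax differs from MySQL (`--` rather than the `/*` the OP tried), but the contrast between the two login functions is the same on either engine. Unsalted MD5 for the stored password, as the OP describes, is a separate weakness that parameterisation does not address.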


ghost's Avatar
0 0

Thank you a lot. I'm sure I'll manage right now.

But infam0us, when you said

SUBSTR(User_Names,1)) I will get the first letter from the hash, right? Then I use SUBSTR(User_Names,2))

The table is users(user,password), so I use

SUBSTR(users,1)) right?

AH never mind. I've read it all again and I understood.

I KNOW THE USER -- is Administrator for sure. IF I WANT THE PASSWORD I USE

SUBSTR(password,1))

then SUBSTR(password,2))

and so on.

Thank you a lot infam0us. If I can return the favour I will do it with no problem.

-Hertz aka HertzRST (HTS)


Infam0us's Avatar
Member
0 0

Hertz wrote: Thank you a lot. I'm sure I'll manage right now.

But infam0us, when you said

SUBSTR(User_Names,1)) I will get the first letter from the hash, right? Then I use SUBSTR(User_Names,2))

The table is users(user,password), so I use

SUBSTR(users,1)) right?

AH never mind. I've read it all again and I understood.

I KNOW THE USER -- is Administrator for sure. IF I WANT THE PASSWORD I USE

SUBSTR(password,1))

then SUBSTR(password,2))

and so on.

Thank you a lot infam0us. If I can return the favour I will do it with no problem.

-Hertz aka HertzRST (HTS)

lol no problem.

Ya, if you want to get the password you use

select * from tableName WHERE userid = Administrator AND ascii(SUBSTR(passwd, 1)) < 65

then

select * from tableName WHERE userid = Administrator AND ascii(SUBSTR(passwd, 2)) < 65

then

select * from tableName WHERE userid = Administrator AND ascii(SUBSTR(passwd, 3)) < 65

And eventually you will get an error no matter what you try, and then you know you've reached the last letter of the password.

That syntax should be pretty close to right.

You may also want to check out WebGoat http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045

and I think you wanna get the standard_5.2.zip. When you can complete all those challenges you'll be doing pretty good with general knowledge.

EDIT: I take it you know how to use that ASCII chart (and change the <) to find the letters of the password, right?
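The sequence Infam0us lays out here, and in the earlier post, has a distinctive shape from the server's side: one client sends many near-identical login attempts whose username field carries SQL syntax, with the SUBSTR position climbing 1, 2, 3 and the threshold moving with each answer. The script below is an added example for the site owner, not code from the thread. It assumes a simple application login log (a constructed format, one line per attempt with the submitted username URL-encoded) and flags clients whose username field keeps carrying quotes, comment markers, tautologies or the ASCII/SUBSTR pair; the sample lines are constructed to resemble the probes discussed above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines (not from any real system): an assumed application
# login log recording the client address, the submitted username (URL-encoded)
# and the outcome. One client makes ordinary attempts; another sends the kind
# of true/false probes discussed in the thread, one hash position at a time.
SAMPLE_LOG = """\
2009-03-12T10:01:02Z 10.0.0.5 login user=Administrator result=bad_credentials
2009-03-12T10:01:40Z 10.0.0.5 login user=Administrator result=ok
2009-03-12T10:05:00Z 10.0.0.9 login user=Administrator%27+AND+1%3D1-- result=error
2009-03-12T10:05:01Z 10.0.0.9 login user=Administrator%27+AND+1%3D2-- result=bad_credentials
2009-03-12T10:05:02Z 10.0.0.9 login user=Administrator%27+AND+ascii%28SUBSTR%28password%2C1%29%29%3C65%2F%2A result=error
2009-03-12T10:05:03Z 10.0.0.9 login user=Administrator%27+AND+ascii%28SUBSTR%28password%2C1%29%29%3C48%2F%2A result=bad_credentials
2009-03-12T10:05:04Z 10.0.0.9 login user=Administrator%27+AND+ascii%28SUBSTR%28password%2C2%29%29%3C65%2F%2A result=error
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) result=(\S+)$")

# Markers of SQL syntax in a field that should only ever hold a username: a
# stray quote, a comment opener, the always-true tautology, or the ASCII/SUBSTR
# pair used to ask one-character questions.
SQLI_MARKERS = re.compile(r"'|--|/\*|\bor\s+1\s*=\s*1\b|ascii\s*\(\s*substr", re.IGNORECASE)
SUBSTR_POS = re.compile(r"substr\s*\(\s*\w+\s*,\s*(\d+)", re.IGNORECASE)


def parse_line(line):
    """Return (timestamp, ip, decoded_user, result), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return ts, ip, unquote_plus(user), result


def is_suspicious(user):
    """True when the decoded username carries SQL syntax rather than a name."""
    return SQLI_MARKERS.search(user) is not None


def analyze(log_text):
    """Per-client summary: total attempts, flagged attempts, and which SUBSTR
    positions were probed. A position list climbing 1, 2, 3, ... is the
    signature of character-by-character extraction."""
    summary = defaultdict(lambda: {"total": 0, "flagged": 0, "positions": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines that are not login records
        _, ip, user, _ = parsed
        entry = summary[ip]
        entry["total"] += 1
        if is_suspicious(user):
            entry["flagged"] += 1
            entry["positions"].update(int(p) for p in SUBSTR_POS.findall(user))
    return {ip: {**v, "positions": sorted(v["positions"])} for ip, v in summary.items()}


def alerts(log_text, min_flagged=3):
    """Clients with a sustained run of flagged attempts. One flagged request may
    be a typo or a curious user; a run of them against the same form is an
    extraction session worth rate-limiting or blocking at the source."""
    return sorted(ip for ip, v in analyze(log_text).items() if v["flagged"] >= min_flagged)


if __name__ == "__main__":
    for ip, v in analyze(SAMPLE_LOG).items():
        print(ip, v)
    print("alert:", alerts(SAMPLE_LOG))
```

The threshold in `alerts` is the knob to tune: blind extraction needs several requests per character, so even a low value separates a probing session from an isolated odd login. Logging the submitted username in a real deployment should be done with the same care as any other untrusted input (encode it, as the constructed format here does), so that the log itself cannot be used to smuggle content into whatever reads it.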


ghost's Avatar
0 0

I think I need more help.

I know that if the next query returns false, a Wrong user/pass error will appear, and if it returns true, which means it found a result for what I'm looking for, it will give me an ERROR: YOU DON'T HAVE THE PROPER CREDENTIALS error.

Ok, so I have the next query..

SELECT usernames FROM users WHERE Username='Administrator' AND Password=' +md5+ ';

I know that's the right way to do it, and that I need to put Boolean questions with YES/NO answers. The answers are those that I have written at the beginning of the post.

So what should I use instead of Administrator, what injection, so I ask the database

Is the first digit = 0, then 1,2,3,4,5,6,7,8,9?

It is a MySQL database.

If I use … WHERE Username='SUBSTR(password, 1)<65/*' do you think I will get any result?

Or how should the query look?

Thanks!