Wednesday, April 16, 2014
HellBound Hackers | Computer General | Web hacking

SQL Exploit Help
Guest (Hertz), posted on 16-08-08 16:05
I've got a site, and at the login page there is a login form with the user auto-inputted as Administrator.

If I put Administrator 'or'a=a I get ERROR.
If I put Administrator' /* I get YOU DON'T HAVE PROPER CREDENTIALS.

I'm absolutely sure that the only user stored in the database is Administrator and that the password is encrypted as an MD5 hash.

Now the question: could someone explain to me how to, manually, "put YES or NO questions" to get every digit of the MD5 hash?
I mean like:

Is the first digit equal to 0?
Is the first digit equal to 1?
Is the first digit equal to 2? YES... now I go to the second digit.

Or could someone code me a simple exploit that does that thing?

I'm almost sure that this exploit http://seclists.org/bugtraq/2005/Apr/0273.html
with the proper modifications will be ready to use where I need it.

I think the table is users(user,password).

And I don't understand. If I put 'a' or 'a'='a' I get an error, and if I put Administrator' /* I get the other error.

What is the difference between these two: 'a' or 'a'='a' and 'Administrator', while the only record in the database is Administrator?

Basically I need to figure out how to ask the database a YES/NO QUESTION.

And I'm sure that in that way I can easily extract MD5 hashes by going digit by digit and asking

"does this digit equal '1'?"
"does this digit equal '2'?"... yes? Good, move to the next.


If you could help me I would be eternally grateful!
RE: SQL Exploit Help
Guest, posted on 16-08-08 16:27
Prepare to be flamed.


RE: SQL Exploit Help
Guest (hacker2k), posted on 16-08-08 16:28
A.) Learn MySQL.
B.) What exactly is the error message that you get when you use 'a' OR 'a'='a'? Can you use that to see what's wrong? Is it a syntax error? If it is, then look at the query it gives you (if it gives you one). What does that tell you? If it doesn't give you the query that has a syntax error, what would you put as a query to log someone in? How would you have the right syntax with that query?
C.) Report it to the administrator and help him fix it.

Edited by on 16-08-08 16:32
RE: SQL Exploit Help
Guest, posted on 16-08-08 16:32
hacker2k wrote:
A.) Learn MySQL.
B.) What exactly is the error message that you get when you use 'a' OR 'a'='a'? Can you use that to see what's wrong? Is it a syntax error? If it is, then look at the query it gives you (if it gives you one). What does that tell you? If it doesn't give you the query that has a syntax error, what would you put as a query to log someone in? How would you have the right syntax with that query?

What the hell are you talking about? From what I understand about SQL injection (which is not much), you generate error messages in order to figure out table names. Then you have a layout of the database, so you can just pull out whatever info you need.

Correct me if I'm wrong.

Edited by on 16-08-08 16:33
RE: SQL Exploit Help
Guest (hacker2k), posted on 16-08-08 16:45
Yeah, you can do that, but since it is an SQL injection on a login page and his goal is probably to log in, you would just need a single error message. A lot of servers give the error message for a syntax error with the query in the message. Using that you can easily figure out where your syntax error is. I think I know what's wrong with the query, but I'd rather he figure it out. The query the script is using when it's looking for the login is something like:
Code:
SELECT * FROM users WHERE username='a' OR 'a'='a'';

Simple to fix. Of course, I might have read his post wrong.

P.S. In order for you to actually pull out information, the script has to output whatever it gets and not just check if it's valid.

Edited by on 16-08-08 16:47
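The broken statement hacker2k describes, as an added example that is not from the thread: a small login routine in Python against an in-memory SQLite table users(user, password), constructed to match the poster's description, with the password stored as an unsalted MD5 hex digest as the poster says the site does. The string-concatenating version reproduces the two different outcomes the poster saw (a syntax error when the extra quote leaves the statement unbalanced, and an unintended match when a comment marker swallows the password check), and the bound-parameter version shows the fix: the same inputs are plain string values that match no row. SQLite's comment handling stands in for MySQL's here, and the sample password, the table contents and the response strings are all constructed for the example.

```python
import hashlib
import sqlite3

# Constructed sample data mirroring the thread: a single users(user, password)
# row, password stored as an unsalted MD5 hex digest as the poster describes.
# (Hypothetical value; a real deployment would use a salted, slow password hash.)
SAMPLE_PASSWORD = "hunter2"


def make_db():
    """Build the in-memory table users(user, password) the poster describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("Administrator", hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()),
    )
    return conn


def build_query(user, password):
    """The SQL a string-concatenating login builds (the bug hacker2k points at)."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    return f"SELECT * FROM users WHERE user='{user}' AND password='{pw_hash}'"


def vulnerable_login(user, password):
    """Mimics the three outcomes the poster saw: OK, BAD_CREDENTIALS or ERROR."""
    conn = make_db()
    try:
        row = conn.execute(build_query(user, password)).fetchone()
    except sqlite3.OperationalError:
        # An unbalanced quote leaves the statement unparsable: this is the
        # "ERROR" response the poster got for the 'a' or 'a'='a' input.
        return "ERROR"
    # A trailing comment marker (Administrator' /*) discards the AND password=...
    # clause, so the row matches without any password at all.
    return "OK" if row else "BAD_CREDENTIALS"


def safe_login(user, password):
    """Same check with bound parameters: user input never becomes SQL syntax."""
    conn = make_db()
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT * FROM users WHERE user=? AND password=?", (user, pw_hash)
    ).fetchone()
    return "OK" if row else "BAD_CREDENTIALS"


if __name__ == "__main__":
    for user in ("Administrator", "'a' or 'a'='a'", "Administrator' /*"):
        print(f"{user!r:24} concatenated={vulnerable_login(user, 'wrong')!s:16} "
              f"bound={safe_login(user, 'wrong')}")
```

Running the block prints one line per input; the concatenated column reproduces the poster's ERROR / credentials-check split, while the bound column answers BAD_CREDENTIALS for both injected strings because they are compared as literal user names.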
RE: SQL Exploit Help
Guest, posted on 16-08-08 16:48
Well, like I said, I don't really know too much about SQL injection (I need to do some research, lol). But I get what you mean now.

RE: SQL Exploit Help
fashizzlepop (Rank: Moderate), posted on 16-08-08 17:25
Hertz wrote:
Now the question: could someone explain to me how to, manually, "put YES or NO questions" to get every digit of the MD5 hash?
I mean like:

Is the first digit equal to 0?
Is the first digit equal to 1?
Is the first digit equal to 2? YES... now I go to the second digit.

Hmmm, I've never heard of being able to do that before... I don't think it's possible, but I can't say for sure, seeing that I don't know very much MySQL, let alone SQL injections....


RE: SQL Exploit Help
Infam0us (Rank: Apprentice), posted on 16-08-08 17:43
Hertz wrote: (quoting the opening post in full)


You are looking for a way to ask Boolean questions (yes or no, true or false, on or off, etc.). You want to look at info on blind SQL injection.
Check these out:
http://www.unixwi. . .ction.html
http://ferruh.mav. . .sheet-oku/

http://www.google. . .tnG=Search
http://www.google. . .gle+Search

The first thing you need to do is see the difference between a true and a false question. Enter ' or 1=1-- and view the response carefully, and then enter something like ' AND 1=2-- and see the difference in the response between the two scenarios.

After you find the table name and the column name you want to extract data from, you can use the method below to get data out with true/false questions.
Don't quote me on the syntax, because I'm sure it's wrong, but it's just to give you an idea of how it's done.
The way I completed the blind SQL injection WebGoat challenge was something like this: ' OR 1=1 AND SELECT * FROM Users WHERE ascii(SUBSTR(User_names, 1)) < 65--
which submits this SQL query:
Code:
SELECT * FROM Users WHERE Username = ' OR 1=1 AND SELECT * FROM Users WHERE ascii(SUBSTR(User_names, 1)) < 65-- AND Password = ''

If it returns true you should get an invalid username/password type of screen (the normal expected response). If it's false you will get an error or weird message (or no message) of some kind.

This isn't perfect by any means; it's just to give you a rough idea of how it's done. I forget how to select the first row in the column, etc. This works because 1=1 is always true, and when you add the AND in there you say: if the first user name in the table Users and column User_names contains an a (ASCII 65) or greater then return true, and if not then return false. You can do this until you find the ASCII value of the first letter in the user name, and then change it to ascii(SUBSTR(User_names, 2)) < 65 to find the second letter, and so on and so forth. Kind of confusing, but I hope this helped.

EDIT: The most important functions to know when asking Boolean questions and extracting string data in SQL like this are ASCII():
http://www.asciit. . .
http://www.brettb. . .ctions.asp

and SUBSTR (substring):
http://wall.risco. . .I2962.html
http://www.1keyda. . .tring.html
Those sites will help a lot in trying to get the password out of the DB.





Edited by Infam0us on 16-08-08 17:55
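Seen from the defender's side, and as an added example that is not part of Infam0us' post: the true/false probing he describes leaves a recognisable trail, because every question is a separate request and consecutive requests differ only in a position number or comparison value. The Python below is a small detector over constructed Apache-style access-log lines (not real traffic; the login parameter is placed in the query string so that it shows up in the access log, which a real POST body would not, so in practice the same check would run in a WAF or application log). The path /login.php and parameter name user are assumptions. It flags the quote-plus-tautology, trailing-comment and ASCII()/SUBSTR() signatures that appear in this thread, counts flagged requests per client, and reports request shapes that one client repeats with only the digits changed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines (not real traffic). The first four
# parameter values are the probe strings quoted in this thread; the last is a
# benign login. Path and parameter name are assumptions for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2008:16:05:01 +0000] "POST /login.php?user=%27+or+1%3D1-- HTTP/1.1" 200 512
10.0.0.5 - - [16/Aug/2008:16:05:02 +0000] "POST /login.php?user=%27+AND+1%3D2-- HTTP/1.1" 200 498
10.0.0.5 - - [16/Aug/2008:16:05:03 +0000] "POST /login.php?user=SUBSTR%28password%2C+1%29%3C65%2F* HTTP/1.1" 200 498
10.0.0.5 - - [16/Aug/2008:16:05:04 +0000] "POST /login.php?user=SUBSTR%28password%2C+2%29%3C65%2F* HTTP/1.1" 200 512
10.0.0.9 - - [16/Aug/2008:16:06:10 +0000] "POST /login.php?user=Administrator HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the true/false probing described in the thread.
PATTERNS = {
    # a quote followed by OR/AND and a numeric comparison: ' or 1=1 / ' AND 1=2
    "tautology": re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.I),
    # a comment marker used to discard the rest of the statement
    "comment_tail": re.compile(r"(?:--|/\*|#)\s*$"),
    # character-extraction functions used to ask about one position at a time
    "probe_function": re.compile(r"\b(?:ascii|substr|substring|mid)\s*\(", re.I),
}


def classify_value(value):
    """Return the set of signature names matched by one decoded parameter value."""
    return {name for name, rx in PATTERNS.items() if rx.search(value)}


def normalize_shape(value):
    """Collapse digit runs so SUBSTR(password, 1)<65 and SUBSTR(password, 2)<97 compare equal."""
    return re.sub(r"\d+", "N", value)


def parse_line(line):
    """Return (client_ip, {param: [decoded values]}) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    return m.group("ip"), parse_qs(query, keep_blank_values=True)


def scan_log(text):
    """Count flagged requests per client and record probe-function shapes per client."""
    flagged = Counter()
    shapes = defaultdict(Counter)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, params = parsed
        for values in params.values():
            for value in values:
                tags = classify_value(value)
                if tags:
                    flagged[ip] += 1
                if "probe_function" in tags:
                    shapes[ip][normalize_shape(value)] += 1
    return flagged, shapes


def repeated_probes(text, min_count=2):
    """Shapes a client has sent at least min_count times with only the digits changed:
    the one-position-at-a-time pattern of blind extraction."""
    _, shapes = scan_log(text)
    return [(ip, shape, n) for ip, counts in shapes.items()
            for shape, n in counts.items() if n >= min_count]


if __name__ == "__main__":
    flagged, _ = scan_log(SAMPLE_LOG)
    for ip, n in flagged.most_common():
        print(f"{ip}: {n} flagged request(s)")
    for ip, shape, n in repeated_probes(SAMPLE_LOG):
        print(f"{ip}: shape {shape!r} repeated {n}x")
```

The per-signature match is the cheap part; the repeated-shape count is what separates a one-off malformed login from an extraction run, since a character-by-character walk produces dozens of requests that normalise to the same shape from one source.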
RE: SQL Exploit Help
Guest (Hertz), posted on 16-08-08 18:53
Thank you a lot. I'm sure I'll manage right now.

But Infam0us, when you said

SUBSTR(User_Names,1)) I will get the first letter from the hash, right?
Then I use
SUBSTR(User_Names,2))

The table is users(user,password), so I use

SUBSTR(users,1)) right?

Ah, never mind. I've read it all again and I understood.

I KNOW THE USER is Administrator for sure.
IF I WANT THE PASSWORD I USE

SUBSTR(password,1))

then SUBSTR(password,2))

and so on.

Thank you a lot Infam0us. If I can return the favour I will do it with no problem.

-Hertz aka HertzRST (HTS)

Edited by on 16-08-08 19:07
RE: SQL Exploit Help
Infam0us (Rank: Apprentice), posted on 16-08-08 20:55
Hertz wrote: (quoting the previous post, 16-08-08 18:53, in full)


lol, no problem.

Yeah, if you want to get the password you use

Code:
select * from tableName WHERE userid = Administrator AND ascii(SUBSTR(passwd, 1)) < 65

then

Code:
select * from tableName WHERE userid = Administrator AND ascii(SUBSTR(passwd, 2)) < 65

then

Code:
select * from tableName WHERE userid = Administrator AND ascii(SUBSTR(passwd, 3)) < 65

And eventually you will get an error no matter what you try, and then you know you've reached the last letter of the password.

That syntax should be pretty close to right.

You may also want to check out WebGoat http://sourceforg. . ._id=613045

and I think you want to get the standard_5.2.zip. When you can complete all those challenges you'll be doing pretty well with general knowledge.

EDIT: I take it you know how to use that ASCII chart (and change the <) to find the letters of the password, right?



Edited by Infam0us on 16-08-08 20:57
RE: SQL Exploit Help
Guest (Hertz), posted on 17-08-08 19:51
I think I need more help.

I know that, for the next query, if it returns false a Wrong user/pass error will appear, and if it returns true, which means it found a result for what I'm looking for, it will give me an ERROR: YOU DON'T HAVE THE PROPER CREDENTIALS error.

OK, so I have the next query:

SELECT usernames FROM users WHERE Username='Administrator' AND Password=' +md5+ ';

I know that's the right way to do it, and that I need to put Boolean questions with YES/NO answers. The answers are those that I have written at the beginning of the post.

So what should I use instead of Administrator, what injection, so I ask the database

Is the first digit = 0?
then 1, 2, 3, 4, 5, 6, 7, 8, 9?

It is a MySQL database.

If I use ... WHERE Username='SUBSTR(password, 1)<65/*' do you think I will get any result?

Or how should the query look?

Thanks!