Saturday, February 21, 2009

Table of contents:
1. Introduction
2. Getting the program
3. Running the Scan
4. Finding the vulnerabilities
5. Understanding the program
6. Exploitation
7. Getting the Tables
8. Leaving your message



Disclaimer:
We by no means encourage, or take responsibility for, the use of this program or this tutorial. Blah blah blah...don't do anything stupid guys.


Introduction:
Welcome to my second article. In this article we will be looking at the program MySQLi Dumper, a SQL vulnerability scanner that deals with the dumping of data through SQL injection. It has only been recently that I discovered the uses of having a SQL scanner, and I have still not mastered it or configured it for a wider range of exploits. However, I had to spread the word.
Basically the role of a scanner is to use search engine results (Google/Yahoo) to find pages whose URLs carry query parameters that may be vulnerable. In this article, my goal is to run you through how to use MySQLi Dumper and also cover a bit of the theory behind the exploit/attack.

Getting the Program:
Before we begin scanning any sites, we must each have our own copy of the program. To get the program, all we have to do is download it from this site: Click Me
Once you have it downloaded, extract the files, save them to a safe and secure folder and open the program.


Running the Scan:
Okay, now you should have the program open. You should see an essentially blank page, which at the top has a set of tabs:

- Scanner
- Num.Blind
- Dump MySQL
- ETC


Logically, if we are to have any chance of finding an exploit, we must first have our archive of possible vulnerable sites. Hence, we come to the Scanner tab.
This tab allows us to put in which criteria we want to scan for, and which search engine we are going to use.
For this example we are going to be searching for pages with SQL based queries in the URL. This is going to be our first search type:
Click Me

Here we have the following criteria:

- URL has ".php?newsid="
- From Google
- Timeout of 5 seconds (increase this if your internet is slow, and vice versa)
- Results of 100 pages


Once we have our settings dialed in, we click "Start Scann SQLi" and away we go.

/* on a side note, you can change these values to search for different kinds of sites */

Finding the Vulnerabilities:
Now comes the beauty of this program: the ability to inject chosen SQL into the archived URLs to find a vulnerability.
- To get there, click on the Vuln.SQLi tab
- Configure the timeout and thread settings to suit your internet connection.
- There is also a SQL injection drop-down box; this determines which SQL injection string is appended to each URL to provoke the errors.
Now all you do is click Start Scan.

Understanding the program:
With all programs like these, it is very easy to know how to run the application without actually knowing the theory of how the program works.
When scanning for vulnerable sites, the program appends SQL to the page's query parameter so that the database returns an error.
A very common (and default) way of provoking an error is to input something that is syntactically incorrect.
A PHP/MySQL page, for example, builds a SQL query from the URL parameter to search a given database for given results. If we append something invalid to that parameter, the database returns an error, and if the page is vulnerable (it passes the parameter into the query unfiltered and displays database errors), the page will show that error.
In the SQL injection part of the Vuln.SQLi tab, we will find the default SQL injection as being:

CODE :

+and+0=1+union+select+


What this does is feed malformed SQL into the page's query and hope for an error in the response.

CODE :
An example: www.vulnsite.com/index.php?id=0


Now this site has a PHP page that takes the variable id from the URL and uses it in a query.
If we were to inject arbitrary SQL after it, we could possibly produce an error, and then we would know we may be able to exploit it.

So for hypothetical sake, we input the following:

CODE :
www.vulnsite.com/index.php?id=0+AND+0=1+UNION+SELECT+


And if the page outputs an error such as the following, we know we have a probable vulnerability:

CODE :
mysql_num_rows() line 255


Exploitation:
Alright, at this point we should have a list of vulnerable sites, and we now need to see if they are exploitable.
Once we have these pages, we copy our first page and go to the "Num.Blind" tab.
Paste the page into the main form and click GET.
The page should look like this:
Click Me

Part of this exploitation is stepping through the errors to see when they disappear, i.e. when the error no longer applies. The program guides us through this process with the GET PAGE button.

OK, to get started I'll make it easy and do it in steps:
- Put the page into the top bar and click GET PAGE
- The page should come up with an error of some sort on the screen; make a note of it and click GET PAGE again.
- Keep clicking GET PAGE until the error disappears....we have our point of exploitation
- Now that the query no longer errors, we must change:
CODE :
id=1 to id=-1

- Once it's edited, click 'GET PAGE MANUALLY'
- If you have done everything right, the errors should disappear and we should get an output. An example is here...Click Me


Making the attack:
Now that we have found an insecure site, we need to go to the DUMP MYSQL tab and paste the URL into the top form.
Once it is pasted, you must remember the number which the database echoed back in the output. In my example it was '3', however this will change from site to site.
So now, where we have our vulnerable code, we must change it to look like this (with [t] replaced by the number that was echoed):

CODE :
www.vulnsite.com/index.php?id=1/**/union/**/all/**/select/**/1,2,[t],4--


- Now click 'Get Info' and it should dump the relevant data about the system.
- Now all you have to do is dump the necessary data from the database (databases, tables, columns etc.)
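From the defender's side, the probe string described under "Understanding the program" and the /**/-spaced union URL shown above leave a recognisable trace in a web server's access log. The following is an added example, not part of the original article or of the MySQLi Dumper program: a small Python scanner that normalises the query string of each log line (decoding + and %xx, collapsing /**/ comments) and flags the patterns this article shows. The log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the article). The second
# and third requests carry the probe and dump patterns described in the text.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2009:10:00:01 +0000] "GET /index.php?newsid=12 HTTP/1.1" 200 5120
203.0.113.5 - - [21/Feb/2009:10:00:02 +0000] "GET /index.php?newsid=12+and+0=1+union+select+ HTTP/1.1" 200 310
203.0.113.5 - - [21/Feb/2009:10:00:09 +0000] "GET /index.php?id=-1/**/union/**/all/**/select/**/1,2,3,4-- HTTP/1.1" 200 890
198.51.100.7 - - [21/Feb/2009:10:01:00 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5100
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path proto", status, size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# Signatures taken from the article: UNION SELECT (with or without ALL),
# the "and 0=1" probe, and the negated id used to empty the original result.
UNION_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b")
TAUTOLOGY_RE = re.compile(r"\band\s+0\s*=\s*1\b")
NEG_ID_RE = re.compile(r"\b(id|newsid)=-\d+")


def normalise_query(path: str) -> str:
    """Return the decoded, lower-cased query string with /**/ turned into spaces."""
    query = path.split("?", 1)[1] if "?" in path else ""
    query = unquote_plus(query)                 # '+' and %xx become plain characters
    query = re.sub(r"/\*.*?\*/", " ", query)    # inline-comment whitespace trick
    return re.sub(r"\s+", " ", query).strip().lower()


def classify(line: str):
    """Parse one log line; return its source, status and the signatures matched."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    q = normalise_query(m.group("path"))
    reasons = []
    if UNION_RE.search(q):
        reasons.append("union-select")
    if TAUTOLOGY_RE.search(q):
        reasons.append("and-0=1-probe")
    if NEG_ID_RE.search(q):
        reasons.append("negative-id")
    return {"ip": m.group("ip"), "status": m.group("status"), "reasons": reasons}


def find_sqli_probes(log_text: str):
    """Return the parsed entries whose query string matched at least one signature."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["reasons"]]
```

Note that the probe request returns HTTP 200 with a small body: the application error the article looks for is displayed on a normal page, so status codes alone will not surface these scans.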


Conclusion:
The rest of the program is quite useful, but its uses are beyond this article (maybe I'll write another).
But I hope that by showing you this program, some of us can begin to understand vulnerabilities on the internet and gain the power to fix them.