web exploit

Web_Security/SQLi/README.md

@@ -27,13 +27,38 @@ These types of flaws facilitate the occurrence of other attacks, such as XSS or
 
 ## Blind SQL Injection
 
-It's estimated that over 20% of the websites have this flow.
+* INFERENCE: useful technique when data not returned and/or detailed error messages disabled. We can differentiate between two states based on some attribute of the page response.
 
-In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true.
+* It's estimated that over 20% of the websites have this flow.
 
-Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another.
+* In traditional SQLi it is possible to reveal the information by the attacker writing a payload. In the blind SQLi, the attacker needs to ask the server if something is TRUE or FALSE. For example, you can ask for a user. If the user exists, it will load the website, so it's true.
 
-In the example
+* Timing-based techniques: infer based on delaying database queries (sleep(), waitfor delay, etc).
+
+```
+IF SYSTEM_USER="john" WAIFOR DELAY '0:0:15'
+```
+
+* Response-based techniques (True or False): infer based on text in response. Examples:
+
+```
+SELECT count (*) FROM reviews WHERE author='bob' (true)
+SELECT count (*) FROM reviews WHERE author='bob' and '1'='1' (true)
+SELECT count (*) FROM reviews WHERE author='bob' and '1'='2' (false)
+SELECT count (*) FROM reviews WHERE author='bob' and SYSTEM_USER='john' (false)
+SELECT count (*) FROM reviews WHERE author='bob' and SUBSTRING(SYSTEM_USER,1,1)='a' (false)
+SELECT count (*) FROM reviews WHERE author='bob' and SUBSTRING(SYSTEM_USER,1,1)='c' (true)
+```
+(and continue to iterate until finding the value of SYSTEM_USER).
+
+* Utilize transport outside of HTTP response.
+
+```
+
+### Common ways of Exploitation
+* Every time you see an URL, the **question mark** followed by some type of letter or word means that a value is being sent from a page to another.
+
+* In the example
 ```
 http://www.website.com/info.php?id=10
 ```
@@ -45,7 +70,8 @@ and an associated SQL query:
 ```
 QueryHere = "select * from information where code='$id'"
 ```
-### Common ways of Exploitation
+
+
 
 #### Checking for vulnerability
 We can start to verifying whether the target is vulnerable by attaching a simple quote symbol ```'``` in the end of the URL:
@@ -120,6 +146,29 @@ This will return information about the columns in the given table.
 
 If the password are clear text (not hashed in md5, etc), we have access to the website.
 
+## Basic SQL Injection Exploit Steps
+
+1. Fingerprint database server.
+2. Get an initial working exploit. Examples of payloads:
+	- '
+	- '--
+	- ')--
+	- '))--
+	- or '1'='1'
+	- or '1'='1
+	- 1--
+3. Extract data through UNION statements:
+	- NULL: use as a column place holder helps with data type conversion errors
+	- GROUP BY - help determine number of columns
+4. Enumerate database schema.
+5. Dump application data.
+6. Escalate privilege and pwn the OS.
+
+
+
+
+
+
 ## Some Protection Tips
 
 * Never connect to a database as a super user or as a root.
@@ -143,7 +192,7 @@ $SQL = "SELECT * FROM users WHERE username='$name'";
 	- The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```.
 	- The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER.
 
-* Do not display explicit error messages that show the request or a part of the SQL request.
+* Do not display explicit error messages that show the request or a part of the SQL request. They can helpfingerprint the RDBMS(MSSQL, MySQL).
 
 * Erase user accounts that are not used (and default accounts).