Sql Injection help

[Cl0se]

Hey, Im sitting and playing around on a website, and i tryed to do a sql injection attack (just for fun), and I found a vulnerability on the site.
I enter

Code:

http://website.com/45' ORDER BY 1--

And it returns a MySql error (I know, It's a really smart server thats outputs the query.. ):

Code:

Unknown column '20ORDER' in 'where clause'
                SELECT some1 FROM rand1 WHERE type=0 AND t=45' ORDER BY 1--

are I doing it wrong?

the query should be:

Code:

SELECT some1 FROM rand1 WHERE type=0 AND t=45 ORDER BY 1--

[metasplotto]

I'm not sure, but have you tried to remove the " ' "?
/index.php?id=1 order by 1--

If it's a simple sql injection this should work.

[aceldama]

seems that for some reason the query might be double escaped and the percent sign be stripped ( being an url escaped space). you might attempt to bypass this using the + sign instead of spaces in the uri, or failing that you may wish to use the old parenthesis trick, though that would no doubt be parsed (and escaped, and stripped) as well.

parenthesis obfuscation example:

Code:

SELECT*FROM(test)WHERE(name)=(0x4163656c646141);

url + example:

Code:

http://website.com/45+ORDER+BY+1

ALSO!
may i point you to the forum rules too. (specifically 18a & b) if you don't own the website you're playing on it's a criminal offense to play around like that and we at intern0t do not condone illegal activities.

[MaXe]

As aceldama pointed out, and from what I can read, it seems like you're illegally trying to hack a website. We (InterN0T) does not support nor condone illegal activities, but as it is unclear whether what you're doing is illegal or not, it's acceptable that you asked for help.

The problem is that when you add an apostrophe where an integer (number) is expected, you are causing an error to occur, as you can't force the expected input to become a string in this case. Something = 1 is equal to an integer, while Something = '1' is often a string, even though an integer is represented.

It doesn't seem like there is any user input filtering at all, but I could be wrong of course. First you should know, that using -- , # or /* , is not really necessary in all cases of SQL Injection and in some they will only break the query and thereby also the attempted injection.

Something as simple as:

Code:

http://website.com/45 ORDER BY 1--

May work, but instead of going straight to dumping data or injecting something, you should try the blind side first in this case.

Code:

http://website.com/45 AND 1=1

Which is a Blind SQL Injection, where you may have to substitute spaces with + signs instead. It may seem hard in case you're not used to exploiting BSQLi, but the following queries below demonstrates that it's not as hard as it seems to pull out data from the database in various ways with BSQLi.

Demo Queries:
1, (SELECT (CASE WHEN (@@version=5) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END))
1, (SELECT (CASE WHEN (@@version=4) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END))
1, (SELECT (CASE WHEN (@@version=5.0) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END))

I don't guarantee they will work in this case, but I used them to determine in a 100% Blind SQL Injection, to determine that the version was 5.0
As you may be able to guess, I couldn't use ' (apos) or " (quote) , hence the reason they're not used.

The first query will return true (e.g., load the page) if the version is 5, and if it isn't, issue the sub-select query which in my case, resulted in a permission error. Meaning I had a way of forcing a controllable error when my queries didn't work. Normal Blind SQL Injection didn't work in this case, and various tools didn't offer any help. (Some said the website wasn't vulnerable, some said it was but that it couldn't be attacked, and so forth. I refused to believe that.)

If in this case the second query returns false (i.e., issues the sub-select query from information_schema.tables), the website is not running MySQL 4. The problem I had was that usual injection vectors would result in no errors, as in the website would load and I wouldn't know if it worked or not. Keep in mind that you can't inject data using "into outfile" with sub-select queries, but you can create them.)

The best way to learn these techniques is to test locally, as you will know what filters are in place, and if it should be vulnerable or not.

There's several premade apps, some of them are:
- Damn Vulnerable Web App
- Owasp WebGoat
- HacMe Bank
- http://www.irongeek.com/i.php?page=m...p-owasp-top-10
And more: Vulnerable Web Applications for learning « Security Thoughts

That you can install locally and play as much as you want with, without worrying about getting caught which can be quite bad or fatal for your perhaps, future career in penetration testing. So get testing locally, and try to fix the vulnerabilities yourself by fixing the code. Learning PHP is not hard, start out with the basics at e.g., w3schools, and then play with htmlentities(), htmlspecialchars() and mysql_real_escape_string(). (Do NOT use addslashes().)

ALSO!
may i point you to the forum rules too. (specifically 18a & b) if you don't own the website you're playing on it's a criminal offense to play around like that and we at intern0t do not condone illegal activities.

Thanks

[Cl0se]

I want to point out that I'm not trying to illegal hack the website, i want to se if sql injection works then leave, I have no intentions to hack and get data from the website. I want to learn more about internet security and It's hard to learn if you don't try things ;) and as I said, I have no intentions to hack the website for personal gain or information.Thanks for the help :)

[MaXe]

Good, but even trying to hack most websites is considered an offense in most countries too. The charges won't be as serious as when you've gained access to e.g., a database and "confidential information", but it is none the less illegal if you don't have explicit permission. This is why there's multiple projects such as Owasp Mutillidae (https://www.owasp.org/index.php/Cate...ASP_Mutillidae), Owasp WebGoat, various CTFs (Capture the Flag competitions), and so forth.

You can even, set up known vulnerable scripts on a lampp server such as xampp on Windows, and then install a web application which you can test as much as you want.

So make sure you know the law before you mention whether it is illegal or not. I'm of course glad to hear your intentions are good, but as we've mentioned countless amounts of times, we InterN0T the community, can't condone with illegal activities and you should therefore keep the discussions entirely technical, as this is what our community is about. (Technical discussions of hacking which we of course want to be legal and ethical, but if we can't tell whether what a person is doing, is legal or illegal we will often just try to help as we will expect the case to be legal.)

If we didn't do it this way, we wouldn't be able to exist without having to fear various legal issues, and yes, a lot of us do work in IT daily, some of us even in companies where we hack professionally

So no hard feelings, we're just trying to stay on the Internet for as long as possible and become an even greater technical community of great hackers :-)

[Cl0se]

Im going to look in to some projects that I can host localy to train on, wich one do you think is best? for sql-injection training :)

[MaXe]

Owasp Mutillidae seems to cover everything, but downloading a vulnerable application from e.g., Exploits Database by Offensive Security may work too (Find a SQL Injection exploit and see if there's an application link with it. (It looks like this: )

Note: When you've exploited it using the proof of concept, try to inject a file with PHP code onto the system, and try to patch the vulnerable code as well, it's good practice :-) The function you should generally use is mysql_real_escape_string($input_variable_here); When you've made the changes, try to exploit the app again and see if you fixed it or not. (Don't forget to try various bypasses too for fun.)

[Cl0se]

Great, thanks :)