After watching Troy Hunt's Yow! Conference talk I was inspired to try the great SQL injection. This technique is known for getting mass password lists and email addresses from forum sites. This is a two part guide, with this being the first part. Part two covers what to do with the data once you have it.
Disclaimer – Tests were conducted internally, as far as you need to believe, and by reading past this line you release me from any liability regarding your use of the tools and the information provided below. See below for your very vintage reminder that 14 year olds go to jail every year for doing this kind of shit.
Question: Can I use SQL injection to get usernames and passwords?
How can I test for SQL Injection?
What is a good app for those who don't understand what SQL is or how injection works? What is SQL injection?
Answer: Yes, you can get usernames and passwords in plaintext (if the site stores them that poorly), hashed, or hashed and salted form.
There are many paid services for testing SQL injection that will be better than the one demoed here for free, but you can't beat free.
We are going to use Havij 1.15 for testing SQL injection.
In brief, SQL injection is when input in an incoming request is not sanitized, allowing someone to insert their own question (query) before the data is sent back to the user.
Here is your super basic breakdown of SQL injection. A user goes to the site that they want to attempt to SQL inject. They look for some kind of SQL element on the page (logins, PHP forms tied to DBs, forums, comments, etc.). Once they find that element they will attempt to pass erroneous data to it and see how it responds. If it shows an error that looks like a SQL error, or a table of data, you have likely scored, as the database is telling you about the problem, something it shouldn't do. So let's get to this!
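To make the "erroneous data" step concrete from the developer's side, here is an added example (not code from the original post or from phpBB) using an in-memory SQLite table with constructed rows: the concatenated query lets a single quote break the statement and surface a database error, while the parameterised version treats the same input as plain data.

```python
import sqlite3

# Constructed sample rows loosely modelled on a forum users table (example data,
# not from the original post or from phpBB).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, user_email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: request input becomes part of the SQL text, so a
    stray quote breaks the statement and the engine reports a syntax error,
    the tell-tale the post describes."""
    sql = "SELECT user_id, user_email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT user_id, user_email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe_result(lookup, username):
    """Run one lookup and report ('ok', rows) or ('error', engine message).

    The engine message is what a leaky site echoes back to the browser; a
    hardened site logs it server-side and returns only a generic error page."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, username))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()
```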
First locate your internal site that you are allowed to test, which I'm sure you're all here to read and learn about. Here is mine, straight from the 1990's. I see there is a comments section that has my appropriate string.
Perfect, now we need to test it. Let's add a simple ' to the end of it and try again.
Perfect, we just got a warning from SQL about the GET request, so let's take our new string and throw it into Havij. This app will give us a logical view of the DB, including a tree view of the tables and columns. In other words it will show what can be seen publicly. Havij comes in two flavors, Free and Pro, and can be readily found on Google. I will not be linking it from this article as there is no official source repo.
Then click on Analyze and it will attempt to fingerprint the database and interface with it. The log console will show you any information you need. If you see it running iterations then it has probably failed or the query cannot be injected. Check the status field; here we can see my successful injection.
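From the defender's side, both the single-quote test and a tool running iterations leave a trail in the web server access log. This added example (not from the original post) parses a few constructed common-log-format lines, flags requests whose decoded query parameters contain a quote, counts how many the application answered with a 5xx, and names sources that sent enough probes to look automated.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache common-log style (sample data, not
# real traffic); 10.0.0.9 sends the quote probe the post describes, repeatedly.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] "GET /comments.php?id=12 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2015:10:00:07 +0000] "GET /comments.php?id=12%27 HTTP/1.1" 500 214
10.0.0.9 - - [01/Jan/2015:10:00:08 +0000] "GET /comments.php?id=13%27 HTTP/1.1" 500 214
10.0.0.9 - - [01/Jan/2015:10:00:08 +0000] "GET /comments.php?id=14%27 HTTP/1.1" 500 214
10.0.0.5 - - [01/Jan/2015:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 990
10.0.0.7 - - [01/Jan/2015:10:00:21 +0000] "POST /post.php?t=5 HTTP/1.1" 200 301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # parse_qsl percent-decodes, so an encoded %27 comes back as a literal quote
    entry["params"] = parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True)
    return entry

def is_quote_probe(entry):
    """A single quote in any query parameter is the classic first SQLi test."""
    return any("'" in value for _, value in entry["params"])

def find_probes(log_text, burst_threshold=3):
    """Summarise quote probes: how many, from which IPs, how many the app
    answered with a 5xx (a sign the DB error surfaced), and which sources sent
    enough of them to look like an automated tool rather than a typo."""
    entries = (parse_line(line) for line in log_text.splitlines())
    hits = [e for e in entries if e and is_quote_probe(e)]
    per_ip = Counter(e["ip"] for e in hits)
    return {
        "probes": len(hits),
        "per_ip": dict(per_ip),
        "server_errors": sum(1 for e in hits if e["status"] >= 500),
        "bursty_sources": [ip for ip, n in per_ip.items() if n >= burst_threshold],
    }
```

A 5xx on a probed parameter is also the cue to check that the application returns a generic error page rather than the raw database message.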
Now you want to click Tables and Get DBs to list all the available DBs on the server.
Ok, so there are three types of data fields we can query. Databases are the root folders you see here; these are usually based on a service or used to logically sort data, think of it like a folder called \music\ . Tables are the first sub folder; these are used to sort the data within the database, much like if you have \music\techno\ , and they usually contain sets of columns like privileges and group settings. Then we have Columns, which are the actual values; these would be items like post dates / times, ids, GUIDs, usernames, and passwords, and would be similar to \music\techno\Gemini – Blue .
When using Havij you need to work from the top down: let it find all the Databases first, then pick one database and Get Tables until you see the table you want to Get Columns from.
Here is an example of a phpBB database using Get Tables.
I am going to use phpbb_users as my example table to Get Columns from. Checkbox the single table and choose Get Columns.
New data will be populated and you will see it as another sub category. Select the data you want; it's best to just choose a few at first. These will be unique to the service, but this example is specifically targeted at phpBB. For the example I chose:
user_id – a number tied to the user, gives us an idea of the size of the userbase
username – the login
user_email – the account registrant address
user_password – their hashed and salted password
user_form_salt – some kind of initial salt for logins or account creation not sure
There are various other items like user_ip that would have been interesting as well.
But wait, I thought you said I could get some passwords from this! Well there, grasshopper, we need to establish the fact that no one should be storing passwords in cleartext on the server; this is bad practice and phpBB does not do this. I'm going to explain how to reverse this in the next post. But for now let's go ahead and save this using the Save Data button and make sure it's an easy to read HTML file.
Congratulations, you are just as badass as those 14 year olds out there running amok on the internet. But you're one more step closer to understanding how this attack works and what could happen in the event you have a leak of your DB.
I would just like to point out this is a very basic representation of how to do this. The software used is doing all the heavy lifting. If you would like to look into programming and testing for such a thing, I would recommend taking a course on SQL and reviewing the commands in the console output of Havij, also known as 'carrot'.
Now that you have learned the basics it's time to grab a copy of SQLmap and learn how to do it the proper way. Havij is really just an easy way to test out a site.