Myanmar H4x0r

Today i will show how top topup mobile cash with bitcoin in Thailand :)
First Register here :https://bitcoin.co.th/login
 Then Click TopUp
and the fill the information

and send the payment to bitcoin address that will be shown
After waiting 30 minutes Topup will receive

That I topup
Thanks For reading.
Sry if i wrong spelling :)

Just go to www.hola.org and download :P

---

SYSTEM VARIABLES
Again the query for getting VERSION, USER and DATABASE:

I already explained that VERSION(), USER() and DATABASE() are system variables. But of course these are not the only ones.
Note that the variables are not always the same on different SQL-server (MySQL,MSSQL,PostgreSQL,...)!
The next thing is: be smart and creativ! For all SQL-server you will find tons of information in the world wide web. 
For MySQL i strongly recommend https://dev.mysql.com/ again. You will find all infos about MySQL-servers in there. BOOKMARK THIS!

Some examples of other sytem variables for MySQL-servers are:
@@VERSION_COMPILE_OS // operating system of the target-server
@@HOSTNAME // hostname 
@@DATADIR // you see we also can get some info about folder structure
@@LOG_ERROR // location of the error logging file

Some synonyms for EQUAL output:
VERSION()
@@GLOBAL.VERSION
@@VERSION

USER()
CURRENT_USER()
SYSTEM_USER()

DATABASE()
SCHEMA()

ALTERNATIVE QUERIES FOR SAME RESULT
We can grab the same information from different locations in the INFORMATION_SCHEMA database. 
This helps when some keywords are filtered by a WAF or similar. Some examples listed below:

examples for alternative queries for finding all databases:

examples for tables:

for columns:

Keep that in mind and take the time to check all tables of the INFORMATION_SCHEMA database: https://dev.mysql.com/doc/refman/5.0/en/...chema.html
And remember: THIS SYSTEM DATABASE IS ONLY AVAILABLE IN MYSQL VERSIONS 5 AND ABOVE!

GRAB DATA FROM OTHER DATABASES
I will show you now how to pick data from other databases than the current. 
Let‘s say the other database (not the current) is called test and it has a table called member with columns named id and name.
The queries to receive the results would be look like this:

Tables:

Columns:

Data:

Explanation:
The first two queries are similar than the ones of the UNION tutorial part. Again with HEX the database name (test) and the table name (member). To receive the data(values) of the table member (situated in database test) we change the FROM part to:
FROM DATABASE.TABLE = FROM test.member (again no need for HEX when grab data directly)

FIND OTHER DOMAINS ON SAME SERVER
If you got a special target but it is not vulerable you can try to find other domains located on the same server and try to inject them to maybe grab data of your prefered target! 
This search technique is called "Reverse IP Lookup".
Check this page and enter your target domain adress in the input field: Reverse IP Domain Check

COMBINE STATEMENTS
Now you already now how injection queries work but you dont know how to combine these functions in one column. For that we use various functions. I will explain the most used one:CONCAT()

Explanation:
CONCAT() - „Returns the string that results from concatenating the arguments“.
So with that MySQL string function we can combine as much queries as we want and they will all fit in one vulnerable column. 
NOTE: We have to seperate each select query with a comma!

WAF BYPASS
Web Application Firewall means a software (a script, e.t.c.) which try to prevent SQL injections (for example). It works in different way‘s and each WAF is different in most cases. A WAF mostly filter keywords, for example SELECT, UNION, FROM, WHERE and so on...(it depends on the WAF what exactly is filtered). Some WAF‘s are easy to bypass, some unbreakable, you will see many times such WAF‘s in work. I now will list you some basic ways to bypass a WAF. We have some very detailed tutorials about that topic and i will link them after a short explanation:

C-style comments:
Many WAF‘s are coded in programming language C. So sometimes we can easily bypass such WAF‘s with putting the words in comments of this programming language:

UNION ALL /*!SELECT*/ 1,2,3,4,5,6,7,8
UNION ALL /*!500000SELECT*/ 1,2,3,4,5,6,7,8
/*UNION*/ ALL /*SELECT*/ 1,2,3,4,5,6,7,8

URL encoding:
This you may seen when URL‘s where transmitted. Basically it means convert char‘s to HEX and put a % in front:
%75nion all %73elect 1,2,3,4,5

Example of a SELECT query with some keyword chars URL encoded:

COMMENT OUT THE ORIGINAL QUERY
Sometimes we need to comment out the original query. I used the two -- (at the end of the injecting query) for that in our example. 
That is mostly used for INT based queries. For string based mostly used is --+- or %23. Below some other you can try:

TOOLS
Dont use any automated tools (like Havji or sqlmap)!!! Do it the manually way with the URL bar of your browser. 
For a lil help you can try the mozilla Hackbar: 
https://addons.mozilla.org/de/firefox/addon/hackbar/. 
I did a lil modification of that extension. If you want you can check it out here:
[TOOL] t.PRO Hackbar mod 1.4.2 [/TOOL]
credit:T-pro

First of all most of the credit schould go out to the original coders of hackbar: Johan Adriaans & Pedro Laguna!

1) Get the Hackbar files

If you havent installed hackbar yet you can download it trough mozilla addon-manager or use my one below.
If you have installed hackbar you can use clean install file for your mods. Just copy the instal file called:

{F5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4}.xpi
mostly located in:

For Windows User:
C:\user\user_profile\appdata\roaming\mozilla\firefox\profiles\profile.default\ex​tensions

For Linux User:
/home/user/.mozilla/firefox/k65bvcin.default/extensions

Just unpack these files in a Folder (use winrar or similar). Thats what we want to edit.

2) About the files

chrome/content/hackbar.xul
This is the face of Hackbar. If you want to add Buttons, Inputs or whatever - do it here

chrome/local/en-US/hackbar.dtd
Here are all label-descriptions. If you add Buttons in hackbar.xul the buttons where labeled in the hackbar.dtd 
(but you can label all tags in the .xul too - but the dtd is better for changing languages e.t.c....)

chrome/content/main.js
The Basic-JS-functions saved in here.

chrome/content/SQL.js
All SQL-Statements saved in here (they are just .js functions)

...and...so...on....

3) Customizing / modifying hackbar

First off all i want to say that i only show a few things. I dont know about the response to this topic.
More functions are added in the hackbar you can download below.

First example:
My first intension was to change the hackbar generated string UNION SELECT to UNION+ALL+SELECT
To do this we have to change the VARIABLE in SQL.js at line 38:

2nd example:
Add a Bypass function(for demonstration install my hackbar from download-package below)

to do this you have to do the following changes:
First add the new button and popupmenu in cchrome/content/hackbar.xul

then add the labeltextes in chrome/locale/en-US/hackbar.dtd

and finally add in chrome/content/SQL.js the primary function:

4) Install modified hackbar

If you ready with your changes just replace the files in the original archive via drag and drop.

You also can pack the files in a new archive. I tested with 7-zip and winrar and works fine. 
NOTICE: just choose ZIP as format if you use winrar and rename the extension to xpi.

After you have packed your archive just right-click on it and "open with firefox" --> install shield will appear --> normal install (you dont have to uninstall earlier versions cos the files overwrite themselves)

For those of u guys who want to make the changes LIVE without uninstall / install the hackbar with every change, do this:

THAT'S IT WITH TUTORIAL. FOR DOWNLOAD MY READY TO USE HACKBAR READ THIS:


Ok guys here we go with the next and last public version* of my hackbar modify (1.4.2).
*sure i will fix bugs of the 1.4.2 if they where reported to me

Features:

• added more select-queries
• URL-Encode-function
• Base64 t.PRO function
• more Error-Based and Double-Query-Based (Big THX to _USERNAME_ for that part)
• added group+by function
• simple WAF bypass (comment and CutOff)

CHANGELOG:

DOWNLOAD t.PRO HACKBAR VERSION 1.4.2
password for WINRAR-archive: /!"§++u6943$%&~+#~/()~TPRO~=io?


(screens not sorted...)



1) use [BASE64] as spacer in Hackbar-URL-field
2) when you execute - hackbar will automaticly convert [BASE64] to a Base64 encoded string! (with replacing the + to whitespace)



0xHEX
This is a function that already exists in original Hackbar but without adding the 0x at first.
This function will only be loved by my challenge-friends for better/faster converting between Hex and Strings (normal injectors really dont need that function)

%URL
This is the new URL-ENCODING function.
Another WAF-BYPASS-TECHNIQUE.



Now Hackbar automatically encodes the database-/table-/column names to 0xHEX from a given query.
For example if u use the hackbar query:

hackbar ask u with a prompt wich database you want to concat.
--> If u choose database() then hackbar dont hex
--> if u use another DB-Name: Hackbar 0xHEX the DB-name automatically.

I think its an nice feature!

Ok guys thats it. i hope u like it!
__

once again:
DOWNLOAD t.PRO HACKBAR VERSION 1.4.2
password for WINRAR-archive: /!"§++u6943$%&~+#~/()~TPRO~=io?

(to install just right click --> open with firefox)

If you find any bugs - please report it via PM!
please test and feel free to leave any comments!

Greetz TechProspect
Credit:T-pro

---

The first and easiest function is receiving data through system variables. These variables are predefined on the SQL-server and will give us some nice BASIC INFO about the server. Lets try to get the SQL-server version, the current user and the database name of the given original query. You know from above how to display the vulnerable colums on screen (UNION STATEMENT). Now we inject our system variables directly into these vulnerable columns in our URL. Remember: vulnerable columns are COLUMN 3, COLUMN 4 and COLUMN 5...

Result:


VERSION() = 5.1.70-cll // The MySQL-server version the server is running
USER() = devartch_apropos@localhost // The current database user (Scriptuser)
DATABASE() = devartch_apropos // The current database (The current script uses)

congrats to your first injection with UNION  ....ok i admit its not a huge DUMP but this is important cos:

UNION BASED SQLI splits into two main ways: Injection in MySQL-server version 5+ above and MySQL-server version 4- lower.
Thats why the first thing to check is the SQL-server version with system variables!

---

---

VERSION 5:
The main difference between version 5 and version 4 of SQL-server is that version 5 and above has a INDEX-DATABASE for all user databases, tables and columns. Its basically a system database (beside all other user databases) that stores information and structured data about all databases,tables and columns of the user. This INDEX DATABASE is calledINFORMATION_SCHEMA. It is installed with all MySQL-server versions 5 and above. If the admin going to create some database, the SQL-server will automatically store information about this created database in the INFORMATION_SCHEMA database.

In the INFORMATION_SCHEMA database the MySQL-server automatically save things like:

• The name of each database the user created
• All table information of that databases (names, columns, rows,...)
• All column information for each table of all databases

BUT it do not store the data(values) of the tables itself. The data of each tables (values) of course are stored in the tables itselfs.
Maybe a lil confusing but you soon will see clear....

So yes you are right - that sounds like heaven:
a huge index where we can trace, locate & identify the complete structure of the user databases! And it is like that! :cool:

VERSION 4:
Guy‘s here comes the hard part:
Unfortunately such a INDEX DATABASE like in version 5 does not exist in version 4  
The table and column names are not easy to get, cos there is no index where we are able to reach them. WE HAVE TO GUESS THOSE NAMES.
That can be time intensiv and its not funny BUT possible! I think the version 4 and lower will getting less and less but sometimes you will see such a target in the wild.

Basically that‘s it about the main difference (sure there are more, but for injecting thats it)
We now go forward with our example target cos it is version 5+

---

---

After we are getting the vulnerable columns on screen and we get the basic info via system variables, the next step is to get the table names.
We know our target is version 5+ and there is a database where we are able to get those information called INFORMATION_SCHEMA.

So lets try to get the tables of our target...

The injection query for getting the table_names is:

So let's fit this into a vulnerable column, i pick number 4 for that:

--> SUCCESS! Now you see all table_names listed on the page separated with commas:


SQL-Query explanation:

That means the SQL-server SELECT all table names FROM the index (INFORMATION_SCHEMA).
Because we only want the table names of the current DATABASE() we use a WHERE-CLAUSE for this.
table_schema = the column name of the INFORMATION_SCHEMA.TABLES table where all Database names are stored.
So basically the SQL-server matches all stored values in the table_schema column with our database name (devartch_apropos) and will give us only the table_names of the current DATABASE().

Injection-Query explanation:

You noticed in the URL above that we have to do some changes before we are able to inject the SQL SELECT query.
We have to put the query in brackets ( WHOLE SELECT QUERY ABOVE ) to inject in in one vulnerable column.
We also have to use the MySQL function GROUP_CONCAT() otherwise we would get a error that our SUBQUERY return more than 1 row.
If we GROUP the results we are able to receive all data through one SELECT query!

For any further information about this SQL function you can check:
http://dev.mysql.com/doc/refman/5.6/en/g...oup-concat

Next step is to pick a table you are interested in and get the column names of it - i would say let's pick table „user" :oui:

The injection query for getting the column_names is:

The URL look like this:
--> VOILA! These are the column names of table „user“:


SQL-Query explanation:

That means the SQL-server SELECT all column names FROM the index (INFORMATION_SCHEMA).
Because we only want the column names of the table name "user" we use again a WHERE-CLAUSE for this.
MySQL now give us all column names of the table „user".

Injection-Query explanation:

As you see again the GROUP_CONCAT() function that i have already explained above (Group the results).
NEW IN HERE: we put the table name we choosed in HEX-FORMAT: 75736572 = user (u=75 s=73 e=65 r=72). 
We have to tell MySQL that we will use HEX and we will do this with put a 0x in front of the HEX VALUE. 
So finally the table name „user“ in hex is built: 0x75736572

NOTICE: this function is CASE SENSITIVE so "user" is not "USER".
In HEX you will get two different results (user = 75736572 / USER = 55534552)
How to convert Strings to HEX?: Online converter

Now let's dump the data of this columns!

NOTE: You will get some admin/login data in next step. I dont know if they are working to login for any panel. I havent tried and i will not try!
Do me a favour and to the same. Leave it as it is. This is a tutorial for educational purposes only and other user will also learn from this in future! You get enough vulnerable pages in SQLI-section, with dorking, with pastebin lists and so on....you dont have to "hack" this tutorial-example. I thought it would be nice to grab some user/password data for the first injection, if you think the same than you now how to act ;) ...stay HQ friends!

Ok guy‘s query for dumping the data:

Injection URL:
--->VOILA! You get a user name and a password (no more user stored in there):


SQL-Query explanation:

The SQL-server now SELECT all VALUES of the columns "name" and "password".
We dont need the INFORMATION_SCHEMA database cos we now know table name AND column names, in this case we can driectly reach the values without using the INFORMATION_SCHEMA.

Injection-Query explanation:

We need no WHERE-CLAUSE and no need for HEX any string (we directly grab the data and we are now knowing each column name and the table name).
Only the GROUP_CONCAT() we need again to group the results.

The password is a MD5-Hash. I will not cover cracking of hashes. 

That was your first successful UNION BASED SQL INJECTION with a MySQL-server version 5.xx and the PHP framework! CONGRATS :thumbsup:

---

---

So guys now it‘s time for another injection technique called ERROR BASED SQLI.
In some cases that work faster for us or some guy‘s just simply like that more. With this injection technique we stuck with our results directly in the error-message of the server! I will use the same target for this.

Get the version:

Get tables:

Get columns for our above union based example table user:

Values of columns name and password of table user:

NOTE:
In error based SQLi we are limited in output (because of we stuck in MySQL error message). 
To get more results than one table name you have to change the LIMIT PART in each query above: from LIMIT 0,1 to LIMIT 1,1 and than LIMIT 2,1 and so on 

credit:T-pro